[CentOS] LDAP authentication on a remote server (via ldaps://)
craigwhite at azapple.com
Wed Oct 6 22:35:32 EDT 2010
On Wed, 2010-10-06 at 08:32 -0700, Paul Heinlein wrote:
> On Wed, 6 Oct 2010, Mathieu Baudier wrote:
> > Now, I have a few servers in our local office and I would like them to
> > authenticate from the remote LDAP server using encryption via
> > ldaps://.
> > (at this stage, without using client-side certificate)
> > I have run a similar command as I did on the remote servers, replacing
> > ldap://localldapserver by ldaps://ldap.mycompany.com:
> > authconfig --enableldap --enableldapauth --enablecache
> > --enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com
> > --enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256
> > --updateall
> > and I put the CA certificate at the right place.
> > (either explicitly pointing to it TLS_CACERT or downloading it to
> > /etc/openldap/cacerts via system-configuration-authentication)
> > In all my various tests,
> > ldapsearch -x
> > returns the content of the remote LDAP, so I guess that at least
> > openldap clients are properly configured.
> > But when I try:
> > getent passwd
> > the command hangs.
> I've never done ldaps to port 636, only TLS to port 389, so some of my
> comments may be slightly off-base in your situation.
> Here are the changes I'd review:
> 1. After installing the CA cert, did you create a hash link? E.g.,
> /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
> 2. Make sure you know the difference between /etc/ldap.conf and
> /etc/openldap/ldap.conf. The former is used by nss_ldap, the
> latter by openldap clients.
> 3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,
> ssl start_tls
> tls_checkpeer yes
> tls_cacertdir /etc/openldap/cacerts
> Additionally, I've had trouble using the "uri" directive
> in /etc/ldap.conf, esp. with encrypted connections. The
> "host" and "port" directives have worked better for me.
> 4. Does /etc/pam.d/system-auth have pam_ldap.so entries for
> auth, account, password, and session?
> 5. Are you running nscd? (I've found it indispensable when working
> with network auth.)
> 6. Review the changes to /etc/nsswitch.conf to make sure that
> the passwd, shadow, and group entries all query ldap.
tls_checkpeer yes could cause problems - always depends
nscd makes things harder to troubleshoot
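The checklist Paul gives above (TLS directives in nss_ldap's /etc/ldap.conf, the cacertdir_rehash hash links, and the ldap entries in /etc/nsswitch.conf) can be turned into a quick lint. The script below is an added example, not code from the thread or from any of its posters; it takes file paths as arguments and runs against constructed sample files, so the paths, the hash-link name and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: lint the directives in Paul's checklist.
# Paths are arguments so the checks run against constructed copies, not live files.

# First value of a directive in nss_ldap's ldap.conf (keys are case-insensitive).
ldap_conf_get() {
    awk -v key="$2" 'tolower($1) == key { print $2; exit }' "$1"
}

# 0 if the file configures an encrypted AND verified connection; otherwise
# prints one line per problem and returns 1.
check_ldap_conf() {
    f=$1; rc=0
    case "$(ldap_conf_get "$f" uri)" in
        ldaps://*) ;;   # ldaps on 636 needs no start_tls
        *) [ "$(ldap_conf_get "$f" ssl)" = "start_tls" ] ||
               { echo "no ldaps:// uri and no 'ssl start_tls'"; rc=1; } ;;
    esac
    # tls_checkpeer no/never accepts any certificate, so ldaps alone is not enough.
    [ "$(ldap_conf_get "$f" tls_checkpeer)" = "yes" ] ||
        { echo "tls_checkpeer is not yes: server certificate is not verified"; rc=1; }
    cadir=$(ldap_conf_get "$f" tls_cacertdir)
    [ -n "$cadir" ] || [ -n "$(ldap_conf_get "$f" tls_cacertfile)" ] ||
        { echo "neither tls_cacertdir nor tls_cacertfile is set"; rc=1; }
    # cacertdir_rehash creates <hash>.N links; without them the CA is not found.
    if [ -n "$cadir" ] && [ -d "$cadir" ] &&
       ! ls "$cadir" | grep -q '^[0-9a-f]\{8\}\.[0-9]\{1,\}$'; then
        echo "$cadir has no hash links (run cacertdir_rehash)"; rc=1
    fi
    return $rc
}

# 0 if passwd, shadow and group in nsswitch.conf all list ldap.
check_nsswitch() {
    for db in passwd shadow group; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" ||
            { echo "nsswitch: $db does not query ldap"; return 1; }
    done
}

# Constructed sample files (the hash link name is made up, not a real hash).
T=$(mktemp -d); mkdir "$T/cacerts"; : > "$T/cacerts/ca.pem"
ln -s ca.pem "$T/cacerts/1a2b3c4d.0"
printf 'uri ldaps://ldap.mycompany.com\nbase dc=mycompany,dc=com\ntls_checkpeer yes\ntls_cacertdir %s\n' "$T/cacerts" > "$T/good.conf"
printf 'uri ldaps://ldap.mycompany.com\ntls_checkpeer no\n' > "$T/bad.conf"
printf 'passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n' > "$T/nsswitch.conf"
check_ldap_conf "$T/good.conf" && echo "good.conf: ok"
check_ldap_conf "$T/bad.conf" || echo "bad.conf: rejected"
```

Run it against copies of the real /etc/ldap.conf and /etc/nsswitch.conf to see which of the checklist items is missing; a getent hang with a working ldapsearch usually points at the nss_ldap file rather than the OpenLDAP one.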