"Filipe Brandenburger" filbranden@gmail.com wrote in message news:e814db780908181007g454b680ar30aaaef7ab19a3b@mail.gmail.com...
Hi,
On Tue, Aug 18, 2009 at 12:50, Eric B. <ebenze@hotmail.com> wrote:
Any suggestions / ideas?
I believe you have to copy the certificate to /etc/openldap/cacerts/ in the LDAP client. The certificate file name there is special, it should be hashed from the certificate data... I believe the easiest way to install it there is using the "authconfig" command and specifying the certificate URL.
You should also have TLS_CACERTDIR /etc/openldap/cacerts on /etc/openldap/ldap.conf (not only /etc/ldap.conf, they are different!)
I also did not have much luck with self-signed certificates with LDAP, I had to create a self-signed certificate for a "dummy" CA, and then use that certificate to sign a certificate for the LDAP server with the server's name as a cn.
I believe you should be able to test it using "ldapsearch" with the "-Z" and "-ZZ" options in order to require TLS and see if that works. I suggest you first get that part working fine before going on with your libuser configuration...
LDAP with TLS is kind of a pain to set up... but once it is running it really works OK.
Thanks. You're a genius. I struggled a lot, but think I finally managed to get something working. I tried to follow the OpenLDAP FAQ at http://www.openldap.org/faq/data/cache/185.html for creating CA certificates, but my shell script is called CA, not CA.sh.
I've done the following:
# cd /etc/pki/tls/misc/
# ./CA -newca
(filled in all prompted information, and gave it a pwd)
# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
(filled in all prompted information)
# CA.sh -sign
# cp /etc/pki/CA/cacert.pem /etc/openssl/cacerts/
# cp newcert.pem /etc/openssl/ssl/servercrt.pem
# cp newreq.pem /etc/openssl/ssl/serverkey.pem
Then updated my slapd.conf to show:
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
Then updated /etc/ldap.conf to show: tls_cacert /etc/openldap/cacerts/cacert.pem
Finally /etc/openssl/ldap.conf: TLS_CACERT /etc/openldap/cacerts/cacert.pem
Restart the slapd daemon # service ldap restart
And I can finally get ldapsearch to work, although I tried tls_cacertdir for both /etc/ldap.conf and /etc/openldap/ldap.conf and it doesn't work for some odd reason. Not sure why.
# ldapsearch -Z -x "(uid=eric)" <returns the ldif entry for uid=eric>
So the next test was to create a new user. luseradd foo works perfectly. I find it in my LDAP tree as expected. All I had to do was modify the create_modules and modules to specify ldap only (to avoid it modifying the passwd and shadow files), and everything seems to be working.
Thanks for your help!
Eric
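The thread above leaves two things implicit that are worth seeing end to end: why the TLS_CACERTDIR variant did not work (OpenSSL looks up CA certificates in a directory by a hashed filename such as <hash>.0, which is what Filipe meant by "the certificate file name there is special"), and that the server certificate's CN must be the name clients connect to. The script below is an added example written for this page, not Eric's or Filipe's commands: it builds a throwaway CA and a server certificate with plain openssl, installs the CA into a cacerts directory under its hash name, and verifies the chain the way a TLS_CACERTDIR lookup would. The hostname ldap.example.com and the temporary working directory are assumptions for the demo; the real hosts, paths and the CA.sh wrapper from the thread are not used.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires only openssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch dir, stands in for /etc/openldap
LDAP_HOST="ldap.example.com"     # assumed server name; must match the CN

# 1. Dummy self-signed CA (what "./CA -newca" produces, without the prompts).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Dummy LDAP CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# 2. Server key + CSR, signed by the dummy CA. The CN is the hostname the
#    clients will use; a mismatch is rejected when TLS_REQCERT is demand.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$LDAP_HOST" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/servercrt.pem" 2>/dev/null
}

# 3. Install the CA under the hashed name a TLS_CACERTDIR lookup expects
#    (<subject hash>.0). This is what "c_rehash <dir>" automates; a file
#    simply named cacert.pem in that directory is never found.
install_ca_hashed() {
    dir="$WORK/cacerts"
    mkdir -p "$dir"
    hash=$(openssl x509 -noout -hash -in "$WORK/cacert.pem")
    cp "$WORK/cacert.pem" "$dir/$hash.0"
    printf '%s\n' "$dir/$hash.0"
}

# 4. Chain check against a CA directory, mirroring what the LDAP client
#    does with TLS_CACERTDIR. Returns non-zero if the CA is not found there.
verify_with_dir() {
    openssl verify -CApath "$1" "$WORK/servercrt.pem" >/dev/null 2>&1
}

# The CN the client will compare against the hostname it connected to.
server_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/servercrt.pem" \
        | sed 's/.*CN=//'
}

make_ca
make_server_cert
install_ca_hashed
verify_with_dir "$WORK/cacerts"
echo "chain OK, server CN: $(server_cn)"
```

Once the chain verifies this way, the equivalent live check is the one Filipe suggested, ldapsearch -ZZ -x against the server, which fails instead of silently downgrading when the TLS setup is wrong. The same hashed-name rule applies to TLS_CACERTDIR in /etc/openldap/ldap.conf and tls_cacertdir in /etc/ldap.conf; TLS_CACERT / tls_cacert point at a single file and do not need the hash, which is consistent with Eric's observation that only the file form worked for him.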