On Tue, 2011-05-24 at 16:52 -0400, Scott Robbins wrote:
On Tue, May 24, 2011 at 04:49:09PM -0400, David Mehler wrote:
Hello, I'm trying to set up a CentOS 5.3 machine to do authentication via OpenLDAP. I've got it working, I'm not sure if I have it 100% right, but I can use ldapsearch to query the directory, use finger, id, chown, and other utilities with LDAP usernames and groups, log in via ssh as an LDAP user and, if it's a new user, automatically have the home directory created.
Having got this far if anyone with a working ldap authentication system could give my config a sanity check let me know. My goal now is to get tls encryption going so that usernames and passwords aren't sent in the clear. I'm using self-signed certificates for now.
I'm going to post a link to my own page on it---which has links to other pages. Among other things, it goes through TLS.
---- not wishing to pick on you, and I only mention this because you specifically state that this goes through TLS, but nowhere does it actually cover TLS at all... only LDAPS, which is deprecated.
Your examples always use... -x Simple authentication
but in order to use TLS, you would instead use... -Z Start TLS request (-ZZ to require successful response)
i.e. ldapsearch -Z -h localhost -D 'cn=admin,dc=example,dc=com' -W ou=People
It seems obvious why you were confused when you wrote... pam_ldap: ldap_starttls_s: Connect error
Quickly on the topic of security, perhaps the first rule I would recommend for ACLs would be something like...
I would also recommend that you simply add at the top, or very near the top, of your ACLs...

    access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="uid=SOME_ADMIN_USER,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
This should be obvious and you can eliminate the Samba attributes if you don't integrate Samba into LDAP.
Then the last rule should be something like...

    access to *
        by * read

Which pretty much permits everything, which allows you to browse your LDAP with anything from anywhere, which I find terribly useful, and permits anonymous browsing, but my passwords are fully protected.
Craig
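As an added example (not from Craig's post, nor the OpenLDAP project's own documentation), here is how the StartTLS directives and the ACL ordering discussed above fit together in an OpenLDAP 2.3-era slapd.conf of the kind CentOS 5 ships, with the matching client-side /etc/ldap.conf lines that nss_ldap/pam_ldap read. The certificate paths, the suffix dc=example,dc=com, the admin DN uid=ldapadmin and the hostname ldap.example.com are assumptions; substitute your own.

```conf
# --- /etc/openldap/slapd.conf (server side; paths and DNs are assumed) ---

# TLS material. With a self-signed server certificate the "CA" file is
# simply that certificate, and clients must trust the same file.
TLSCACertificateFile   /etc/openldap/cacerts/ca.crt
TLSCertificateFile     /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key

# Refuse simple binds that arrive without at least 128-bit protection, so a
# misconfigured client cannot leak a password even if it tries. Anonymous
# searches in the clear stay allowed (use "security ssf=128" instead to
# require TLS for every operation).
security simple_bind=128

suffix   "dc=example,dc=com"
rootdn   "cn=admin,dc=example,dc=com"

# ACLs are evaluated in order: the FIRST "access to" clause whose <what>
# matches the target attribute wins, then the FIRST matching <by> clause
# inside it. That is why the password rule must precede the catch-all.
#
# WRONG ORDER (do not use): the catch-all matches first, so userPassword
# hashes become readable by anyone, including anonymous clients.
#   access to *
#       by * read
#   access to attrs=userPassword
#       by * none

# Correct order. "anonymous auth" lets an unauthenticated client use the
# attribute to bind (compare) but never read it; "self write" lets a user
# change their own password; "* none" denies everyone else. Drop the samba*
# attributes if Samba is not integrated into the directory.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="uid=ldapadmin,ou=People,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Catch-all LAST: everything not matched above is world-readable, which
# gives the anonymous browsing Craig describes while passwords stay hidden.
access to *
    by * read

# --- /etc/ldap.conf (client side, nss_ldap/pam_ldap on CentOS 5) ---
base   dc=example,dc=com
uri    ldap://ldap.example.com/
# StartTLS on port 389 rather than the legacy ldaps:// listener on 636.
ssl    start_tls
# Verify the server certificate against the same self-signed file.
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacerts/ca.crt

# Check from a client (assumed DN). -ZZ aborts unless StartTLS succeeds;
# -x is simple auth and is orthogonal to -Z. Anonymously, the userPassword
# attribute must be absent from the result; with -D/-W as the user, present:
#   ldapsearch -ZZ -x -H ldap://ldap.example.com/ -b dc=example,dc=com \
#       '(uid=someuser)' userPassword
```

The same test run with the two ACL clauses swapped (the "WRONG ORDER" block) returns the hash anonymously, which is the quickest way to confirm that ordering, not just the presence of the rules, is what protects the password attributes.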