On Wed, 2010-10-06 at 08:32 -0700, Paul Heinlein wrote:
On Wed, 6 Oct 2010, Mathieu Baudier wrote:
Now, I have a few servers in our local office and I would like them to authenticate against the remote LDAP server using encryption via ldaps:// (at this stage, without using a client-side certificate).
I have run a command similar to the one I ran on the remote servers, replacing ldap://localldapserver with ldaps://ldap.mycompany.com:

authconfig --enableldap --enableldapauth --enablecache --enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com --enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256 --updateall
and I put the CA certificate in the right place (either explicitly pointing to it with TLS_CACERT, or downloading it to /etc/openldap/cacerts via system-configuration-authentication).
In all my various tests, ldapsearch -x returns the content of the remote LDAP, so I guess that at least openldap clients are properly configured.
But when I try: getent passwd, the command hangs.
I've never done ldaps to port 636, only TLS to port 389, so some of my comments may be slightly off-base in your situation.
Here are the changes I'd review:
After installing the CA cert, did you create a hash link? E.g.,
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
Make sure you know the difference between /etc/ldap.conf and /etc/openldap/ldap.conf. The former is used by nss_ldap, the latter by openldap clients.
Does /etc/ldap.conf have all the correct TLS entries, e.g.,

ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
Additionally, I've had trouble using the "uri" directive in /etc/ldap.conf, esp. with encrypted connections. The "host" and "port" directives have worked better for me.
Does /etc/pam.d/system-auth have pam_ldap.so entries for auth, account, password, and session?
Are you running nscd? (I've found it indispensable when working with network auth.)
Review the changes to /etc/nsswitch.conf to make sure that the passwd, shadow, and group entries all query ldap.
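As an added example (not from this thread), the checklist above as a small POSIX sh script: it verifies the nss_ldap TLS directives in an ldap.conf, the hash links cacertdir_rehash creates in the CA directory, and the ldap source in nsswitch.conf. Paths are passed as arguments so it can be run against copies; the /etc paths in the usage line are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: checks the nss_ldap items
# listed above. Assumes the classic /etc/ldap.conf layout used by nss_ldap.

# has_directive FILE NAME [VALUE_REGEX]: succeeds if NAME is set (to VALUE).
has_directive() {
    val="${3:-[^[:space:]]+}"
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$val" "$1"
}

# check_ldap_conf FILE: the TLS settings nss_ldap needs for an encrypted bind.
# Prints each missing directive; returns 0 only when ssl and tls_cacertdir are set.
check_ldap_conf() {
    rc=0
    has_directive "$1" ssl '(on|start_tls)' || { echo "$1: need 'ssl on' or 'ssl start_tls'"; rc=1; }
    has_directive "$1" tls_cacertdir        || { echo "$1: tls_cacertdir not set"; rc=1; }
    has_directive "$1" tls_checkpeer yes    || echo "$1: note: tls_checkpeer is not 'yes', server cert is not verified"
    return $rc
}

# check_cacerts DIR: cacertdir_rehash creates <8-hex-hash>.<n> symlinks;
# without them OpenSSL cannot find the CA in tls_cacertdir and the handshake fails.
check_cacerts() {
    n=0
    for l in "$1"/*; do
        case "${l##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                [ -L "$l" ] && n=$((n + 1)) ;;
        esac
    done
    [ "$n" -gt 0 ] || { echo "$1: no hash links, run cacertdir_rehash $1"; return 1; }
}

# check_nsswitch FILE: passwd, shadow and group must list ldap as a source.
check_nsswitch() {
    rc=0
    for db in passwd shadow group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|$)" "$1" || { echo "$1: $db does not use ldap"; rc=1; }
    done
    return $rc
}

# run_checks LDAP_CONF CACERT_DIR NSSWITCH: run all three; 0 only when all pass.
run_checks() {
    ok=0
    check_ldap_conf "$1" || ok=1
    check_cacerts "$2"   || ok=1
    check_nsswitch "$3"  || ok=1
    return $ok
}
# Usage: run_checks /etc/ldap.conf /etc/openldap/cacerts /etc/nsswitch.conf
```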
----

tls_checkpeer yes could cause problems - always depends
nscd makes things harder to troubleshoot
uri ldap://some_fqdn/ or uri ldaps://some_fqdn/
Craig