Hello, I'm trying to set up a centos 5.3 machine to do authentication via openldap. I've got it working, I'm not sure if I have it 100% right, but I can use ldapsearch to query the directory, use finger, id, chown, and other utilities with ldap usernames and groups, log in via ssh as an ldap user and if it's a new user automatically have the home directory created.
Having got this far if anyone with a working ldap authentication system could give my config a sanity check let me know. My goal now is to get tls encryption going so that usernames and passwords aren't sent in the clear. I'm using self-signed certificates for now.
Any help appreciated. Thanks. Dave.
On Tue, May 24, 2011 at 04:49:09PM -0400, David Mehler wrote:
Hello, I'm trying to set up a centos 5.3 machine to do authentication via openldap. I've got it working, I'm not sure if I have it 100% right, but I can use ldapsearch to query the directory, use finger, id, chown, and other utilities with ldap usernames and groups, log in via ssh as an ldap user and if it's a new user automatically have the home directory created.
Having got this far if anyone with a working ldap authentication system could give my config a sanity check let me know. My goal now is to get tls encryption going so that usernames and passwords aren't sent in the clear. I'm using self-signed certificates for now.
I'm going to post a link to my own page on it---which has links to other pages. Among other things, it goes through TLS.
http://home.roadrunner.com/~computertaijutsu/ldap.html
On Tue, May 24, 2011 at 4:52 PM, Scott Robbins scottro@nyc.rr.com wrote:
I'm going to post a link to my own page on it---which has links to other pages. Among other things, it goes through TLS.
Scott,
I didn't read through the whole document, but yours is one of the most complete and useful ones that I've seen. Definitely a great resource for anyone setting up an OpenLDAP server for the first (or fifth) time.
Regards,
M
On Tue, May 24, 2011 at 05:37:01PM -0400, Meenoo Shivdasani wrote:
On Tue, May 24, 2011 at 4:52 PM, Scott Robbins scottro@nyc.rr.com wrote:
I'm going to post a link to my own page on it---which has links to other pages. Among other things, it goes through TLS.
Scott,
I didn't read through the whole document, but yours is one of the most complete and useful ones that I've seen. Definitely a great resource for anyone setting up an OpenLDAP server for the first (or fifth) time.
Thanks for the kind words. I sat down to write the document that I wished I'd had when I had to learn it. :)
On Tue, 2011-05-24 at 16:52 -0400, Scott Robbins wrote:
On Tue, May 24, 2011 at 04:49:09PM -0400, David Mehler wrote:
Hello, I'm trying to set up a centos 5.3 machine to do authentication via openldap. I've got it working, I'm not sure if I have it 100% right, but I can use ldapsearch to query the directory, use finger, id, chown, and other utilities with ldap usernames and groups, log in via ssh as an ldap user and if it's a new user automatically have the home directory created.
Having got this far if anyone with a working ldap authentication system could give my config a sanity check let me know. My goal now is to get tls encryption going so that usernames and passwords aren't sent in the clear. I'm using self-signed certificates for now.
I'm going to post a link to my own page on it---which has links to other pages. Among other things, it goes through TLS.
---- not wishing to pick on you and I only mention this because you specifically state that this goes through TLS but nowhere does it actually cover TLS at all... only LDAPS which is deprecated
Your examples always use...
-x      Simple authentication
but in order to use TLS, you would instead use...
-Z      Start TLS request (-ZZ to require successful response)
i.e. ldapsearch -Z -h localhost -D 'cn=admin,dc=example,dc=com' -W ou=People
It seems obvious why you were confused when you wrote... pam_ldap: ldap_starttls_s: Connect error
Quickly on the topic of security, perhaps the first rule I would recommend for ACL's would be something like...
I would also recommend that you simply add at the top or very near the top of your ACL's...
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="uid=SOME_ADMIN_USER,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
This should be obvious and you can eliminate the Samba attributes if you don't integrate Samba into LDAP.
Then the last rule should be something like... access to * by * read
Which pretty much permits everything which allows you to browse your LDAP with anything from anywhere which I find terribly useful and permits anonymous browsing but my passwords are fully protected.
Craig
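An added illustration of the ordering point above (this is not code from the thread): the Python below replicates slapd's first-match ACL evaluation on the two rules Craig quotes, in both the recommended order and the reverse, and supports only the forms used there (`*` and `attrs=` for what; `dn.exact`, `self`, `anonymous` and `*` for who). The ACL text is constructed from the post; DNs such as uid=dave are made up.

```python
import re

# Constructed sample in the order the thread recommends: password rule first,
# catch-all read rule last (Samba attributes kept as quoted in the thread).
PASSWORD_RULE = """access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="uid=SOME_ADMIN_USER,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
"""
CATCH_ALL = "access to * by * read\n"
GOOD_ACLS = PASSWORD_RULE + CATCH_ALL  # recommended order
BAD_ACLS = CATCH_ALL + PASSWORD_RULE   # catch-all first: it shadows the password rule
# slapd privilege levels, ascending; each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acls(text):
    """'access to <what> by <who> <level> ...' clauses -> [(what, [(who, level), ...])]."""
    acls = []
    for clause in re.split(r"(?m)^\s*access to\s+", text)[1:]:
        tok = clause.split()  # [what, "by", who, level, "by", who, level, ...]
        if len(tok) % 3 != 1 or any(tok[i] != "by" for i in range(1, len(tok), 3)):
            raise ValueError("malformed clause: " + clause.strip())
        acls.append((tok[0], [(tok[i + 1], tok[i + 2]) for i in range(1, len(tok), 3)]))
    return acls

def _who_matches(who, subject, entry):
    """subject = bind DN (None when anonymous); entry = DN whose attribute is accessed."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "self":
        return subject is not None and subject.lower() == entry.lower()
    m = re.fullmatch(r'dn\.exact="([^"]+)"', who)
    if m:
        return subject is not None and subject.lower() == m.group(1).lower()
    raise ValueError("unsupported <who>: " + who)

def effective_access(acls, subject, entry, attr):
    """slapd semantics: the first clause whose <what> covers attr decides the outcome."""
    for what, whos in acls:
        if what != "*" and attr not in what.partition("=")[2].split(","):
            continue
        for who, level in whos:
            if _who_matches(who, subject, entry):
                return level
        return "none"  # <what> matched but no <who> did: slapd stops here and denies
    return "none"  # no clause matched at all: denied as well
```

With the catch-all first, effective_access(BAD_ACLS, None, ..., "userPassword") comes back "read", which is exactly the shadowing the post warns about.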
David Mehler wrote:
Hello, I'm trying to set up a centos 5.3 machine to do authentication via openldap. I've got it working, I'm not sure if I have it 100% right, but I can use ldapsearch to query the directory, use finger, id, chown, and other utilities with ldap usernames and groups, log in via ssh as an ldap user and if it's a new user automatically have the home directory created.
Having got this far if anyone with a working ldap authentication system could give my config a sanity check let me know. My goal now is to get tls encryption going so that usernames and passwords aren't sent in the clear. I'm using self-signed certificates for now.
First, I suspect you'll get a ton of replies saying that you should upgrade to 5.6 from 5.3.
Second, you've gotten that far; when I was dealing with openldap, I rather liked webmin to do my sanity checks for it.
mark
On Tue, 24 May 2011, David Mehler wrote:
Having got this far if anyone with a working ldap authentication system could give my config a sanity check let me know. My goal now is to get tls encryption going so that usernames and passwords aren't sent in the clear. I'm using self-signed certificates for now.
This /etc/ldap.conf works well for me on CentOS 5:
----- %< -----
# failover doesn't work using the newer 'uri' directive.
# can go to ldap1; use ldap2 for backup
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com

# encrypt queries over the wire; our servers require it
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts

# set time limits fairly low to get benefit of failover
bind_timelimit 30
idle_timelimit 120
timelimit 30

# a stock centos/rhel directive; its utility is murky to me
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
----- %< -----
Prior to switching to LDAP, I download the CA certificate used to sign the ldap1 and ldap2 server certs and hash it for OpenSSL. I typically do it via the %post section in kickstart:
curl http://www.domain.com/ca/ca.domain.com.crt \
    -s -o /etc/openldap/cacerts/ca.domain.com.pem
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
--On Tuesday, May 24, 2011 02:12:51 PM -0700 Paul Heinlein heinlein@madboa.com wrote:
This /etc/ldap.conf works well for me on CentOS 5:
----- %< -----
# failover doesn't work using the newer 'uri' directive.
# can go to ldap1; use ldap2 for backup
host ldap1.domain.com ldap2.domain.com
port 389
I have a working failover config that uses the uri syntax:
uri ldaps://ldap1.example.com ldaps://ldap2.example.com
Note that 'port' is _not_ set in my config file.
Devin
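Added example, not from any of the posters: a small Python audit of an nss_ldap/pam_ldap style /etc/ldap.conf that checks the two things Paul's and Devin's configs differ on, whether the simple bind is wrapped in StartTLS or ldaps, and whether tls_checkpeer plus a CA dir or file are set so the self-signed CA is actually trusted. The sample configs are constructed from the ones quoted above; treating an unset tls_checkpeer as "not verified" is an assumption made here because libldap's default differs between versions.

```python
# Constructed samples built from the two client configs quoted in the thread
# (Paul's host + 'ssl start_tls' form and Devin's uri ldaps:// form) plus a cleartext one.
STARTTLS_CONF = """\
host ldap1.domain.com ldap2.domain.com
port 389
base dc=domain,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
"""
LDAPS_CONF = "uri ldaps://ldap1.example.com ldaps://ldap2.example.com\nbase dc=example,dc=com\n"
CLEAR_CONF = "host ldap1.domain.com\nport 389\nbase dc=domain,dc=com\n"

def parse_ldap_conf(text):
    """nss_ldap/pam_ldap ldap.conf: 'key value...' per line, '#' comments, keys case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def audit_ldap_conf(text):
    """Return findings about how the bind credentials travel; an empty list means
    the bind is encrypted (StartTLS or ldaps) and the server certificate is verified."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("uri", "").split()
    ssl = conf.get("ssl", "no").lower()          # nss_ldap values: no | on | start_tls
    encrypted = ssl in ("on", "yes", "start_tls") or (
        uris and all(u.lower().startswith("ldaps://") for u in uris))
    if not encrypted:
        target = " ".join(uris) or "%s:%s" % (conf.get("host", "?"), conf.get("port", "389"))
        findings.append("simple bind to %s is sent in the clear: add 'ssl start_tls' "
                        "or use only ldaps:// URIs" % target)
    if ssl in ("on", "yes") and conf.get("port", "636") == "389":
        findings.append("'ssl on' speaks ldaps, but port 389 is the plain/StartTLS port")
    # Assumption: libldap's default peer checking varies by version, so require it explicitly.
    if conf.get("tls_checkpeer", "").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is not verified, "
                        "so the client cannot tell the real server from an impostor")
    elif not (conf.get("tls_cacertdir") or conf.get("tls_cacertfile")):
        findings.append("tls_checkpeer yes but no tls_cacertdir/tls_cacertfile: "
                        "the self-signed CA cannot be trusted, so every bind will fail")
    return findings
```

Paul's config passes clean, Devin's ldaps-only uri list passes the encryption check but still gets flagged until tls_checkpeer is set, and a bare host/port 389 config is reported as sending the bind in the clear.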
I think that the most secure setup is to use both LDAPI (ldap connections over Unix sockets) for connections inside the ldap server and TLS for connections from everywhere else on the network. Plus, ldapi connections are much faster than TCP connections.
Am I wrong?