[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]
mbaudier at argeo.org
Wed Oct 6 16:35:14 UTC 2010
> Here are the changes I'd review:
> 1. After installing the CA cert, did you create a hash link? E.g.,
> /usr/sbin/cacertdir_rehash /etc/openldap/cacerts
> 2. Make sure you know the difference between /etc/ldap.conf and
> /etc/openldap/ldap.conf. The former is used by nss_ldap, the
> latter by openldap clients.
> 3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,
> ssl start_tls
> tls_checkpeer yes
> tls_cacertdir /etc/openldap/cacerts
> Additionally, I've had trouble using the "uri" directive
> in /etc/ldap.conf, esp. with encrypted connections. The
> "host" and "port" directives have worked better for me.
> 4. Does /etc/pam.d/system-auth have pam_ldap.so entries for
> auth, account, password, and session?
> 5. Are you running nscd? (I've found it indispensable when working
> with network auth.)
> 6. Review the changes to /etc/nsswitch.conf to make sure that
> the passwd, shadow, and group entries all query ldap.
Thanks a lot for this check-list (I recommend it for others in the future).
I had already checked most of the points, but I still played around
with your ideas, without success
But, this remark:
> I've never done ldaps to port 636, only TLS to port 389, so some of my
> comments may be slightly off-base in your situtation.
made me think of checking what should be the difference between a
START_TLS on a plain ldap port and ldaps on the ssl port
for ldap + START_TLS this is indeed
> ssl start_tls
but for ldaps (my case) this should be:
Changing the value of 'ssl' to 'on' solved my problem!
(and this explains why my ldapsearch queries were working: as you
pointed out, /etc/ldap.conf is for the configuration of nss_ldap)
IMHO, the comments in /etc/ldap.conf could be a bit more explicit on
the 'on' value:
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
Thanks a lot for your help!
More information about the CentOS