[CentOS] LDAP authentication on a remote server (via ldaps://)

Wed Oct 6 08:24:44 UTC 2010
Mathieu Baudier <mbaudier at argeo.org>

Hello,

I have a central repository of users/groups based on OpenLDAP which is
working on a remote LAN (servers share users' credentials and mount
their home directories via NFS). They use non-encrypted ldap
restricted to the local network.

Now, I have a few servers in our local office and I would like them to
authenticate from the remote LDAP server using encryption via
ldaps://.
(at this stage, without using client-side certificate)

I have run a command similar to the one I used on the remote servers, replacing
ldap://localldapserver by ldaps://ldap.mycompany.com:
authconfig --enableldap --enableldapauth --enablecache
--enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com
--enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256
--updateall

and I put the CA certificate at the right place.
(either pointing to it explicitly via TLS_CACERT or downloading it to
/etc/openldap/cacerts via system-config-authentication)

In all my various tests,
ldapsearch -x
returns the content of the remote LDAP, so I guess that at least
openldap clients are properly configured.

But when I try:
getent passwd
the command hangs.

Same when I try to:
su - myuser

(I also tried configuring with the system-config-authentication
UI from a box with GNOME, and also tried authconfig without
--enableldaptls)

So is there anything specific to authenticating via ldaps:// that I should have done?
(as I said, this approach systematically works with plain ldap on this
same LDAP server)

Thanks in advance for your help!

Mathieu

Note: all systems involved are running up to date CentOS 5.5
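The symptoms described above (ldapsearch -x works, getent passwd and su hang) point at the nss_ldap/pam_ldap side of the client, which reads /etc/ldap.conf on CentOS 5, rather than at the OpenLDAP CLI tools. The script below is an added example, not part of the original mail, that audits a constructed nss_ldap-style config for the directives that matter once the URI is ldaps://; the directive names follow the nss_ldap man page, while the two sample configs and the CA path in them are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nss_ldap-style
# /etc/ldap.conf for the settings that matter when the URI is ldaps://.
# Directive names (uri, tls_cacertfile, tls_cacertdir, tls_checkpeer,
# bind_policy, bind_timelimit) are those of nss_ldap; both configs below
# are constructed samples, not files from the poster's systems.

WEAK_CONF='uri ldaps://ldap.mycompany.com
base dc=mycompany,dc=com
ssl on'

HARDENED_CONF='uri ldaps://ldap.mycompany.com
base dc=mycompany,dc=com
ssl on
tls_cacertfile /etc/openldap/cacerts/ca.crt
tls_checkpeer yes
bind_policy soft
bind_timelimit 10'

# conf_get CONTENT KEY -> value of the first line whose key matches (case-insensitive)
conf_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 != "" && tolower($1) == k { print $2; exit }'
}

# audit_ldap_conf CONTENT -> one finding per line on stdout, nothing when clean
audit_ldap_conf() {
    c="$1"
    case "$(conf_get "$c" uri)" in
        ldaps://*) ;;
        *) echo "uri does not use ldaps://: directory traffic is not encrypted" ;;
    esac
    if [ -z "$(conf_get "$c" tls_cacertfile)" ] && [ -z "$(conf_get "$c" tls_cacertdir)" ]; then
        echo "no tls_cacertfile/tls_cacertdir: nss_ldap is not told which CA to trust for the server certificate"
    fi
    [ "$(conf_get "$c" tls_checkpeer)" = "yes" ] ||
        echo "tls_checkpeer is not 'yes': server certificate verification is not explicitly required"
    [ "$(conf_get "$c" bind_policy)" = "soft" ] ||
        echo "bind_policy is not 'soft': a failed bind is retried with backoff, which shows up as getent/su hanging"
}

# audit_count CONTENT -> number of findings, convenient for scripting
audit_count() {
    audit_ldap_conf "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report what is wrong with the weak sample.
audit_ldap_conf "$WEAK_CONF"
```

Run against a real client, replace the sample string with `"$(cat /etc/ldap.conf)"`; an empty report means the ldaps-related directives are present, not that the CA file itself is valid.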