[CentOS] LDAP authentication on a remote server (via ldaps://)

Wed Oct 6 15:32:28 UTC 2010
Paul Heinlein <heinlein at madboa.com>

On Wed, 6 Oct 2010, Mathieu Baudier wrote:

> Now, I have a few servers in our local office and I would like them to
> authenticate from the remote LDAP server using encryption via
> ldaps://.
> (at this stage, without using client-side certificate)
> I have run a similar command as I did on the remote servers, replacing
> ldap://localldapserver by ldaps://ldap.mycompany.com:
> authconfig --enableldap --enableldapauth --enablecache
> --enablemkhomedir --ldapserver=ldaps://ldap.mycompany.com
> --enableldaptls --ldapbasedn=dc=mycompany,dc=com --passalgo=sha256
> --updateall
> and I put the CA certificate at the right place.
> (either explicitly pointing to it TLS_CACERT or downloading it to
> /etc/openldap/cacerts vi system-configuration-authentication)
> In all my various tests,
> ldapsearch -x
> returns the content of the remote LDAP, so I guess that at least
> openldap clients are properly configured.
> But when I try:
> getent passwd
> the command hangs.

I've never done ldaps to port 636, only TLS to port 389, so some of my
comments may be slightly off-base in your situtation.

Here are the changes I'd review:

  1. After installing the CA cert, did you create a hash link? E.g.,

     /usr/sbin/cacertdir_rehash /etc/openldap/cacerts

  2. Make sure you know the difference between /etc/ldap.conf and
     /etc/openldap/ldap.conf. The former is used by nss_ldap, the
     latter by openldap clients.

  3. Does /etc/ldap.conf have all the correct TLS entries, e.g.,

     ssl start_tls
     tls_checkpeer yes
     tls_cacertdir /etc/openldap/cacerts

     Additionally, I've had trouble using the "uri" directive
     in /etc/ldap.conf, esp. with encrypted connections. The
     "host" and "port" directives have worked better for me.

  4. Does /etc/pam.d/system-auth have pam_ldap.so entries for
     auth, account, password, and session?

  5. Are you running nscd? (I've found it indispensable when working
     with network auth.)

  6. Review the changes to /etc/nsswitch.conf to make sure that
     the passwd, shadow, and group entries all query ldap.

Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/