On Tue, 2011-05-24 at 16:52 -0400, Scott Robbins wrote:
> On Tue, May 24, 2011 at 04:49:09PM -0400, David Mehler wrote:
> > Hello,
> > I'm trying to set up a centos 5.3 machine to do authentication via
> > openldap. I've got it working, I'm not sure if I have it 100% right,
> > but I can use ldapsearch to query the directory, use finger, id,
> > chown, and other utilities with ldap usernames and groups, log in via
> > ssh as an ldap user and if it's a new user automatically have the home
> > directory created.
> >
> > Having got this far if anyone with a working ldap authentication
> > system could give my config a sanity check let me know. My goal now is
> > to get tls encryption going so that usernames and passwords aren't
> > sent in the clear. I'm using self-signed certificates for now.
>
> I'm going to post a link to my own page on it---which has links to other
> pages. Among other things, it goes through TLS.
>
> http://home.roadrunner.com/~computertaijutsu/ldap.html
>
----
Not wishing to pick on you, and I only mention this because you specifically state that this goes through TLS, but nowhere does it actually cover TLS at all... only LDAPS, which is deprecated.

Your examples always use...

    -x    Simple authentication

but in order to use TLS, you would instead use...

    -Z    Start TLS request (-ZZ to require successful response)

i.e.

    ldapsearch -Z -h localhost -D 'cn=admin,dc=example,dc=com' -W ou=People

It seems obvious why you were confused when you wrote...

    pam_ldap: ldap_starttls_s: Connect error

Quickly on the topic of security, perhaps the first rule I would recommend for ACLs would be something like the following. I would also recommend that you simply add it at the top or very near the top of your ACLs...

    access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="uid=SOME_ADMIN_USER,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

This should be obvious, and you can eliminate the Samba attributes if you don't integrate Samba into LDAP.

Then the last rule should be something like...

    access to *
        by * read

which pretty much permits everything, which allows you to browse your LDAP with anything from anywhere, which I find terribly useful. It permits anonymous browsing, but my passwords are fully protected.

Craig

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
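The reason the password rule has to sit at the top is slapd's evaluation order: the first `access to` directive whose target matches the attribute is the one applied, and within it the first `by` clause whose selector matches fixes the privilege. A catch-all `access to * by * read` placed above the password rule therefore hands `userPassword` to anonymous searches. The toy evaluator below is an added example, not part of this thread and not OpenLDAP code; it models only the targets and selectors used in Craig's two ACLs (`*`, `attrs=`, `*`, `anonymous`, `users`, `self`, `dn.exact=`), uses a simplified DN comparison, and assumes a request matching no directive is denied. The entry `uid=alice,ou=People,dc=example,dc=com` is a constructed sample.

```python
"""Toy evaluator for slapd.conf-style OpenLDAP ACLs (constructed illustration, not OpenLDAP code).

Modelled per slapd.access(5): the first `access to` directive whose target matches
is applied; inside it the first `by` clause whose selector matches fixes the
privilege level; the operation is allowed only if that level is at least the
level it needs. A matched directive with no matching `by` denies, and (model
assumption) so does a request that matches no directive at all.
"""

# slapd privilege levels, weakest to strongest; each level implies the earlier ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_satisfies(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)


def normalize_dn(dn):
    # Simplified DN matching: case-insensitive, spaces around commas ignored.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_acl(text):
    """Parse `access to <target> by <who> <level> ...` directives into a list of
    (target, [(who, level), ...]) in file order. Indented continuation lines are joined."""
    flat = " ".join(line for line in text.splitlines() if not line.strip().startswith("#"))
    flat = " ".join(flat.split())
    rules = []
    for directive in flat.split("access to ")[1:]:
        target, *clauses = [part.strip() for part in directive.split(" by ")]
        bys = []
        for clause in clauses:
            who, level = clause.rsplit(" ", 1)
            if level not in LEVELS:
                raise ValueError("unsupported access level: " + level)
            bys.append((who, level))
        rules.append((target, bys))
    return rules


def target_matches(target, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):
        wanted = {a.strip().lower() for a in target[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    raise ValueError("unsupported target: " + target)


def who_matches(who, requester, entry_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and normalize_dn(requester) == normalize_dn(entry_dn)
    if who.startswith("dn.exact="):
        wanted = who[len("dn.exact="):].strip('"')
        return requester is not None and normalize_dn(requester) == normalize_dn(wanted)
    raise ValueError("unsupported selector: " + who)


def check_access(rules, requester, entry_dn, attr, needed):
    """Return (allowed, granted_level, index of the directive that decided, or None)."""
    for index, (target, bys) in enumerate(rules):
        if not target_matches(target, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester, entry_dn):
                return level_satisfies(level, needed), level, index
        return False, "none", index          # target matched, no selector matched: denied
    return False, "none", None               # model assumption: nothing matched, denied


# The ordering recommended in the message above: password rule first, catch-all last.
ACL_PASSWORDS_FIRST = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="uid=SOME_ADMIN_USER,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""

# The same two directives reversed: the catch-all is matched first and shadows the password rule.
ACL_CATCHALL_FIRST = """
access to *
    by * read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="uid=SOME_ADMIN_USER,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
"""

ALICE = "uid=alice,ou=People,dc=example,dc=com"      # constructed sample entry
ADMIN = "uid=SOME_ADMIN_USER,dc=example,dc=com"


def anonymous_can_read_password(acl_text, entry_dn=ALICE):
    """Would an unauthenticated search be allowed to return the entry's userPassword?"""
    allowed, _, _ = check_access(parse_acl(acl_text), None, entry_dn, "userPassword", "read")
    return allowed


if __name__ == "__main__":
    rules = parse_acl(ACL_PASSWORDS_FIRST)
    for who, attr, needed in [(None, "userPassword", "read"), (None, "userPassword", "auth"),
                              (ALICE, "userPassword", "write"), (ADMIN, "userPassword", "write"),
                              ("uid=bob,ou=People,dc=example,dc=com", "userPassword", "read"),
                              (None, "cn", "read")]:
        print(who or "anonymous", attr, needed, check_access(rules, who, ALICE, attr, needed))
    print("catch-all first leaks passwords:", anonymous_can_read_password(ACL_CATCHALL_FIRST))
```

With the password rule first, an anonymous client gets only `auth` on `userPassword` (enough to bind, not enough to read it), another user gets `none`, and the catch-all still grants `read` on everything else; with the catch-all first, the same anonymous read of `userPassword` is granted. Running `ldapsearch -x -b dc=example,dc=com userPassword` anonymously against the live server is the equivalent check for a real configuration.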