[CentOS] CentOS7: Setting up ldap over TLS in kickstart file
Paul Heinlein
heinlein at madboa.com
Thu Jun 14 15:54:32 UTC 2018
On Thu, 14 Jun 2018, Patrick Begou wrote:
> Hi,
>
> I'm facing a problem with setting up LDAP+TLS client authentication in a
> kickstart script on CentOS7 for several days.
>
> Setting up manualy the config with system-config-authentication works but I
> need to automate this in kickstart for deploying cluster nodes.
> This show that the server side is running fine.
>
> At this time the message is
>
> #systemctl status sssd
>
> | ....
> sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed (self signed
> certificate)|
>
> In my kickstart file I use:
> auth --useshadow --enableldaptls --enablecache --passalgo=sha512
> --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr"
> --ldapbasedn=dc=my,dc=base,dc=dn
>
> Then in a post install script I download the server and ca certificates and
> stops nslcd that I do not use:
>
> echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf
> cd /etc/openldap/cacerts/ && wget
> http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s
> ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0
> cd /etc/openldap/certs/ && wget
> http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt
> cd /
> systemctl disable nslcd
>
> I'm unable to see what system-config-authentication is doing more in it's
> setup.
>
> Thanks for your help
I'm a bit stumped. My recipe was similar:
authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enableldap --enableldapauth --ldapserver=ldap.ourcompany.com --ldapbasedn=dc=ourcompany,dc=com --enablecache --enableldaptls
then, in %post:
curl http://www.ourcompany.com/ca/ca.crt \
-s -o /etc/openldap/cacerts/ca.ourcompany.com.pem
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
And that did the trick.
The main difference is that you install a bundle of certifcates rather
than a single one. There are two issues:
1. Hashing a certificate bundle does no good as far as I know. Hashes
only work on a single cert, right?
2. Unless told otherwise, openssl looks in only one place for a cert
bundle: ${OPENSSLDIR}/cert.pem (where the value of OPENSSLDIR can
be discovered by running "openssl version -d").
You might take a peek at the ldap_tls_cacertdir discussion in the
sssd-ldap(5) man page, which specifies that certificates should be in
individual files.
My suggestion would be to isolate the CA certificate used to sign your
LDAP server certs, install that as a separate file in
ldap_tls_cacertdir, and run cacertdir_rehash to get the hash correct.
--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
More information about the CentOS
mailing list