NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Using LDAP for auth against LINUX
Johnny Billquist wrote:
>>
>> Watch the logs on the ldap server when you use getent to see if it is
>> actually performing the search, or even trying to connect.
Ok, got some new bits with this issue.
In the log of the LDAP server there are some messages that prove PAM is using
LDAP and tries to use TLS
-------- snip ----------
Jan 6 17:36:58 srv slapd[4614]: conn=10832 fd=40 ACCEPT from \
IP=ip.addr.of.host:62361 (IP=0.0.0.0:389)
Jan 6 17:36:58 srv slapd[4614]: conn=10832 op=0 STARTTLS
Jan 6 17:36:58 srv slapd[4614]: conn=10832 op=0 RESULT oid= err=0 text=
Jan 6 17:36:58 srv slapd[4614]: conn=10832 fd=40 closed \
(TLS negotiation failure)
-------- snip ----------
What wonders me is, that using ldapsearch no STARTTLS message is logged
When I use a simple search
$ > ldapsearch 'uid=tst'
I get the correct answer. In the LDAP server log I can see
-------- snip ----------
Jan 6 17:46:05 srv slapd[4614]: conn=10842 fd=40 ACCEPT from \
IP=ip.addr.of.host:62355 (IP=0.0.0.0:389)
Jan 6 17:46:05 srv slapd[4614]: conn=10842 op=0 BIND dn="" method=128
Jan 6 17:46:05 srv slapd[4614]: conn=10842 op=0 RESULT tag=97 err=0 text=
Jan 6 17:46:05 srv slapd[4614]: conn=10842 op=1 SRCH \
base="dc=some,dc=domain,dc=org" scope=2 deref=0 filter="(uid=tst)"
Jan 6 17:46:05 srv slapd[4614]: conn=10842 op=1 SEARCH RESULT tag=101 err=0 \
nentries=1 text=
Jan 6 17:46:05 srv slapd[4614]: conn=10842 op=2 UNBIND
-------- snip ----------
What makes me curious is that there is no STARTTLS entry although TLS_CACERT is
defined in the LDAP conf.
>>
>> Also- what happens when you switch ldap to be before nis?
> I didn't think that NetBSD version 3 supported ldap in nsswitch.conf.
> But maybe I remember wrong?
>
> Johnny
So, the LDAP log says: NetBSD version 3 is doing LDAP.
I think I've to get the TLS thing right. But the man page is somewhat cryptic.
In /usr/pkg/etc/pam_ldap.conf I have set tls_cacertfile to the serverkey
tls_cacertfile /etc/openssl/certs/serverkey.pem
But that seems to be the wrong - not sure, but it's not working.
Do I have to import the key somehow? What about the LDAP root password? But I
think, that this isn't necessary for fetching user records.
Thanks.
--
Uwe Lienig
----------
fon: (+49 351) 462 2780
fax: (+49 351) 462 3476
mailto:uwe.lienig%fif.mw.htw-dresden.de@localhost
Forschungsinstitut Fahrzeugtechnik
<http://www.fif.mw.htw-dresden.de>
parcels: Gutzkowstr. 22, 01069 Dresden
letters: PF 12 07 01, 01008 Dresden
Hochschule für Technik und Wirtschaft Dresden (FH)
Friedrich-List-Platz 1, 01069 Dresden
Home |
Main Index |
Thread Index |
Old Index