NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Using LDAP for auth against LINUX
On Wed, Jan 7, 2009 at 11:15 AM, Uwe Lienig
<uwe.lienig%fif.mw.htw-dresden.de@localhost> wrote:
> Mike Bowie wrote:
>>
>> I'd suggesting adding '-ZZ' to the ldapsearch parameters to force it to
>> use TLS... I'm guessing it will fail because it doesn't like the remote
>> cert.
> Thanks for the hint. Yes, ldapsearch failed with
>
> ldap_start_tls: Connect error (-11)
>
> As I understand that leaves network communication unencrypted. Not what I
> wanted, but at the moment I leave that for the next step
>
>>
>> Try adding "TLS_REQCERT never" to your ldap.conf (or other config file)
>> file and see if that helps. I've not used LDAP with PAM etc, but I do
>> use that with other mechanisms.
>>
>> HTH,
>>
>> Mike.
>>
> After removing the option
>
> ssl start_tls
>
> from the pam_ldap.conf file getent(1) found the user tst. Here is the log
> snippet of the LDAP server:
>
> Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 ACCEPT from \
> IP=141.56.22.4:61808 (IP=0.0.0.0:389)
> Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 BIND dn="" method=128
> Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 RESULT tag=97 err=0 text=
> Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH \
> base="ou=people,dc=some,dc=domain,dc=org" scope=1 deref=0 \
> filter="(&(objectClass=posixAccount)(uid=tst))"
> Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH attr=uid \
> userPassword uidNumber gidNumber cn homeDirectory loginShell gecos \
> description objectClass
> Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SEARCH RESULT tag=101 \
> err=0 nentries=1 text=
> Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 closed (connection lost)
>
> After that I had to fiddle with the PAM system, but incorporating the hints
> from
> wiki.netbsd.de regarding LDAP I can login.
>
> Now, since user passwords are transferred clear text over the wire I have to
> get
> TLS working. Are there any gotchas in setting up TLS? Would it be better to
> use
> SSL instead and force the server to listen to the LDAP SSL port?
>
You need to get ldapsearch working with starttls or ssl before trying
with nss. The ldaps:// (port 636) method is the most common, so it
might be easier to get going, but don't give up on starttls if you
have the time. :)
http://www.openldap.org/faq/data/cache/185.html
Home |
Main Index |
Thread Index |
Old Index