Mike Bowie wrote:
I'd suggest adding '-ZZ' to the ldapsearch parameters to force it to
use TLS... I'm guessing it will fail because it doesn't like the remote
cert.
Thanks for the hint. Yes, ldapsearch failed with
ldap_start_tls: Connect error (-11)
As I understand it, that leaves network communication unencrypted. Not what I
wanted, but at the moment I leave that for the next step.
Try adding "TLS_REQCERT never" to your ldap.conf (or other config file)
file and see if that helps. I've not used LDAP with PAM etc, but I do
use that with other mechanisms.
HTH,
Mike.
After removing the option
ssl start_tls
from the pam_ldap.conf file getent(1) found the user tst. Here is the log
snippet of the LDAP server:
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 ACCEPT from \
IP=141.56.22.4:61808 (IP=0.0.0.0:389)
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 BIND dn="" method=128
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 RESULT tag=97 err=0 text=
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH \
base="ou=people,dc=some,dc=domain,dc=org" scope=1 deref=0 \
filter="(&(objectClass=posixAccount)(uid=tst))"
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH attr=uid \
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos \
description objectClass
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SEARCH RESULT tag=101 \
err=0 nentries=1 text=
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 closed (connection lost)
After that I had to fiddle with the PAM system, but incorporating the hints from
wiki.netbsd.de regarding LDAP I can login.
Now, since user passwords are transferred clear text over the wire I have to get
TLS working. Are there any gotchas in setting up TLS? Would it be better to use
SSL instead and force the server to listen to the LDAP SSL port?
Thanks.
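A way to verify, from the server side, whether the TLS work in the follow-up step actually took effect: slapd ties every line of a session to its conn= id, and after a successful StartTLS handshake (or on an ldaps:// port) it writes a "TLS established" line for that connection. The script below is an added example, not code from this thread or from OpenLDAP; it reads log lines in the format quoted above and lists every connection that issued a BIND or SRCH without a preceding "TLS established" line, which is exactly the cleartext case the log snippet shows. The log lines embedded in it are constructed: the first session mirrors the quoted conn=11611, the second (conn=11612, client 192.0.2.10) is made up to show what a StartTLS-protected session looks like.

```python
"""Audit slapd logs for BIND/SRCH operations performed without TLS."""
import re
from collections import defaultdict

# Constructed sample: conn=11611 mirrors the thread's cleartext session,
# conn=11612 is an invented session that negotiated StartTLS first.
SAMPLE_LOG = """\
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 ACCEPT from IP=141.56.22.4:61808 (IP=0.0.0.0:389)
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 BIND dn="" method=128
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=0 RESULT tag=97 err=0 text=
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH base="ou=people,dc=some,dc=domain,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=tst))"
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 7 09:47:23 ldapsrv slapd[4614]: conn=11611 fd=54 closed (connection lost)
Jan 7 09:48:01 ldapsrv slapd[4614]: conn=11612 fd=55 ACCEPT from IP=192.0.2.10:40122 (IP=0.0.0.0:389)
Jan 7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=0 STARTTLS
Jan 7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=0 RESULT oid= err=0 text=
Jan 7 09:48:01 ldapsrv slapd[4614]: conn=11612 fd=55 TLS established tls_ssf=256 ssf=256
Jan 7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=1 BIND dn="uid=tst,ou=people,dc=some,dc=domain,dc=org" method=128
Jan 7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=1 RESULT tag=97 err=0 text=
Jan 7 09:48:01 ldapsrv slapd[4614]: conn=11612 op=2 SRCH base="ou=people,dc=some,dc=domain,dc=org" scope=1 deref=0 filter="(uid=tst)"
"""

# Every slapd connection line carries "conn=<id>"; the rest is the event.
CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+)")
# BIND (method=128 is a simple bind, i.e. the password travels in the request)
# and SRCH ops are the ones that carry credentials or directory data.
OP_RE = re.compile(r"op=(\d+) (BIND|SRCH)\b")


def audit_slapd_log(lines):
    """Return {conn_id: {"client": addr, "plaintext_ops": [...]}} for every
    connection that ran a BIND or SRCH before slapd logged "TLS established"
    for it. A STARTTLS request alone does not count: only the completed
    handshake line proves the session is protected."""
    tls_up = {}
    client = {}
    seen_ops = defaultdict(set)
    findings = defaultdict(list)
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        a = ACCEPT_RE.search(rest)
        if a:
            client[conn] = a.group(1)
            tls_up[conn] = False
            continue
        if "TLS established" in rest:
            tls_up[conn] = True
            continue
        op = OP_RE.search(rest)
        if op is None:
            continue
        key = (op.group(1), op.group(2))
        # slapd writes two SRCH lines per search (base/filter, then attrs);
        # report each operation once.
        if key in seen_ops[conn]:
            continue
        seen_ops[conn].add(key)
        # Connections whose ACCEPT line lies before the log window are
        # treated as unprotected, which errs on the side of reporting.
        if not tls_up.get(conn, False):
            findings[conn].append(f"op={key[0]} {key[1]}")
    return {c: {"client": client.get(c, "?"), "plaintext_ops": ops}
            for c, ops in findings.items()}


if __name__ == "__main__":
    for conn, info in audit_slapd_log(SAMPLE_LOG.splitlines()).items():
        print(f"conn={conn} from {info['client']}: cleartext {info['plaintext_ops']}")
```

Run it against a real log with `audit_slapd_log(open("/var/log/slapd.log").read().splitlines())` (path assumed; use wherever syslog writes slapd's local4 output). Once pam_ldap is configured with StartTLS again, the client's connections should disappear from the report; a client that keeps showing up while the server sees no handshake is the case to chase, separately from the certificate check that made `ldapsearch -ZZ` fail.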