LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 11-02-2013, 04:49 PM   #1
LBM
Member
 
Registered: Aug 2010
Location: Denmark
Distribution: Debian
Posts: 114

Rep: Reputation: 1
NSS LDAPS (TLS) not working. LDAP (non-TLS) is working

I have set up an LDAP server, where I authenticate my users. This is working as intended.

Now I have added TLS to libpam-ldap and libnss-ldap!
libpam-ldap works fine, with TLS, but libnss-ldap does not!

If I run id, when uri is ldaps://example.com in the /etc/libnss-ldap.conf file I get this error, and I am unable to query user ids, group ids etc.

Code:
Nov  2 22:46:22 testserver id: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Nov  2 22:46:22 testserver id: nss_ldap: failed to bind to LDAP server ldaps://example.com: Can't contact LDAP server
Nov  2 22:46:22 testserver id: nss_ldap: reconnecting to LDAP server...
If I just use ldap://example.com, everything is working as intended.

Am I missing something for libnss-ldap to work with SSL/TLS?
Kinda strange to me, since libpam-ldap is working with TLS, with "same" configuration.
Old 11-02-2013, 05:44 PM   #2
LBM
Original Poster
nscd must be running...
Old 11-03-2013, 03:58 AM   #3
LBM
Original Poster
Oh, this was not the cause...
Apparently there is a bug!
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579647
Ref:
https://wiki.debian.org/LDAP/NSS

Trying with nss-ldapd, but same issues. Non-TLS is working fine. With TLS I am unable to connect.
Code:
nslcd: [8b4567] <passwd(all)> DEBUG: myldap_search(base="dc=example,dc=com", filter="(objectClass=posixAccount)")
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_initialize(ldaps://example.com)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <passwd(all)> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://example.com")
nslcd: [8b4567] <passwd(all)> failed to bind to LDAP server ldaps://example.com: Can't contact LDAP server: Permission denied

Last edited by LBM; 11-03-2013 at 04:13 AM.
Old 11-03-2013, 05:32 AM   #4
LBM
Original Poster
CentOS has the same behaviour, and throws this error.
Code:
nslcd: [8b4567] failed to bind to LDAP server ldaps://test.local/: Can't contact LDAP server: Operation now in progress
But I found this bug report...
https://bugzilla.redhat.com/show_bug.cgi?id=713371#c11
Setting tls_cacertdir solves the issue for CentOS.

This is working on CentOS, but unfortunately not on Debian.
/etc/nslcd.conf
Code:
ldap_version 3
tls_reqcert allow
tls_cacertdir /etc/openldap/certs
tls_cacertfile /root/ca.crt
uid nslcd
gid ldap
uri ldaps://example.com/
base dc=example,dc=com
Old 11-05-2013, 11:22 AM   #5
LBM
Original Poster
DOH! Solved!

ldapsearch -x (with TLS) was working because I was root, and then had access to the ca.crt file! Moved the certificate to a place where everybody could read it. Now everything is working, also with TLS_REQCERT demand. Tested with libnss-ldap and libnss-ldapd (nslcd), both together with libpam-ldap, on Debian, and libnss-ldapd (nslcd) on CentOS.
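The root cause LBM found, a CA file that only root could read while nslcd runs as its own unprivileged uid, is easy to audit before the daemon ever logs "Permission denied". The following is an added example, not code from the thread: it parses an nslcd.conf fragment, checks whether the configured daemon uid could read tls_cacertfile (including the search bit on every parent directory, which a root-only ldapsearch test never exercises), and flags the tls_reqcert allow setting from post #4 as weaker than the demand value the final post settles on. The daemon uid, the temp-dir fixture and the certificate placeholder are constructed for the demo.

```python
import os
import stat
import tempfile
DEMO_DAEMON_UID = os.getuid() + 1      # constructed: any uid that does not own the demo files
WEAK_REQCERT = ("never", "allow", "try")   # tls_reqcert values that keep binding on a bad cert
def parse_nslcd_conf(text):
    """Parse nslcd.conf 'key value' lines; '#' lines are comments, keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def readable_by(path, uid, gids, check_parents=True):
    """POSIX check: root reads anything; else owner/group/other bit, plus x on every parent dir."""
    def allowed(st, user_bit, group_bit, other_bit):
        if uid == 0:
            return True
        bit = user_bit if st.st_uid == uid else group_bit if st.st_gid in gids else other_bit
        return bool(st.st_mode & bit)
    if check_parents:
        parts = os.path.abspath(path).split(os.sep)[1:-1]
        for i in range(len(parts) + 1):        # '/', then each directory down to the file's own
            if not allowed(os.stat(os.sep + os.sep.join(parts[:i])), stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
                return False
    return allowed(os.stat(path), stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def audit_nslcd_tls(conf_text, daemon_uid, daemon_gids, check_parents=True):
    """Findings for an LDAPS nslcd setup: CA file the daemon cannot read, weakened tls_reqcert."""
    conf = parse_nslcd_conf(conf_text)
    findings = []
    cafile = conf.get("tls_cacertfile")
    if cafile and not readable_by(cafile, daemon_uid, daemon_gids, check_parents):
        findings.append("tls_cacertfile not readable by daemon uid")
    if conf.get("tls_reqcert", "").lower() in WEAK_REQCERT:
        findings.append("tls_reqcert does not verify the server certificate")
    return findings

def build_fixture(mode):
    """Constructed demo: CA placeholder with the given mode in a world-searchable temp dir."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)                     # mkdtemp creates 0700, which alone would block the daemon
    cafile = os.path.join(d, "ca.crt")
    with open(cafile, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
    os.chmod(cafile, mode)
    conf = "uid nslcd\ngid ldap\nuri ldaps://example.com/\ntls_reqcert allow\ntls_cacertfile %s\n" % cafile
    return conf, cafile
```

On a real host, pass the numeric uid and group list of the nslcd user (from /etc/passwd and /etc/group) instead of DEMO_DAEMON_UID, and point it at the live /etc/nslcd.conf.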