LinuxQuestions.org > Linux - Server > OpenLDAP and TLS-SSL (https://www.linuxquestions.org/questions/linux-server-73/openldap-and-tls-ssl-858665/)

karlochacon 01-25-2011 07:34 PM

OpenLDAP and TLS-SSL
 
hi guys

I configured my OpenLDAP, but now I want to implement SSL/TLS.

This is my basic slapd.conf configuration

Code:

include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema
allow bind_v2
pidfile        /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database        bdb
suffix          "dc=training,dc=com"
rootdn          "cn=manager,dc=training,dc=com"
rootpw          --Removed--
directory      /var/lib/ldap
index objectClass                      eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                    eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
access to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=manager,dc=training,dc=com" write
 by * none
access to *
 by self write
 by dn="cn=manager,dc=training,dc=com" write
 by * read

And I created this script (simple, I know) to create this TLS/SSL config, but it won't work; users cannot log in.

Path where I am moving the certs: /etc/openldap/cacerts
Code:

service ldap stop
cd /etc/openldap/
openssl genrsa -out server_key.pem 2048
chmod 440 server_key.pem
chown root.ldap server_key.pem
openssl req -new -key server_key.pem -x509 -days 3650 -out clients_cert.pem

chmod 444 clients_cert.pem
mv server_key.pem cacerts/
mv clients_cert.pem cacerts/

echo "TLSCertificateFile /.../clients_cert.pem" >> /.../slapd.conf

echo "TLSCertificateKeyFile /.../server_key.pem" >> /.../slapd.conf

echo "TLSCipherSuite HIGH" >> /...p/slapd.conf

echo "security ssf=128" >>  /.../slapd.conf
service ldap start
echo "Copying Files to LDAP Client Centos2"
rsync -av ./cacerts/clients_cert.pem centos2:/.../cacerts

As you see, I create the key and certificate, assign permissions, add stuff to slapd.conf and finally copy the cert to a client PC.

On client side
I use authconfig-tui
[x] Use LDAP
[x] Use LDAP Authentication
[x] Use TLS
Server: ldap://192.168.x.x
Base DN: dc=training,dc=com/

My environment is CentOS 5.5.

What is wrong with my config?
Any idea? Something I am missing?
Thanks a lot

Blue_Ice 01-26-2011 10:07 AM

You have to add the following lines to slapd.conf

Code:

TLSCACertificateFile server.pem
TLSCertificateFile server.pem
TLSCertificateKeyFile server.pem

Of course, you have to replace server.pem with the certificate that you have.

On the client side you also need to set up the certificate, if I remember well.

Edit: Sorry, I missed the echo part in your script. I am not sure, but I think you add these lines at the wrong place in the file. Some things in slapd.conf have a different meaning when they are located at a different place. The best place to put these lines is before the database parameter.

Edit2: In the client's ldap.conf (be aware there are 2, and each has a different meaning, so linking will not work) you need to add the certificate file to the correct parameter.

karlochacon 02-02-2011 07:29 AM

1 Attachment(s)
I am including a new configuration in a PDF so you can take a look (attached).
Thanks a lot

Blue_Ice 02-02-2011 04:56 PM

It looks okay, but it is easy to test by setting up the ldap client tools.

karlochacon 02-02-2011 06:00 PM

Quote:

Originally Posted by Blue_Ice (Post 4246401)
It looks okay, but it is easy to test by setting up the ldap client tools.

That's what I am trying to do, but as you see, when I enable [x] TLS using authconfig-tui in CentOS 5.5, clients do not connect; like I said, I never get the password prompt :(

Blue_Ice 02-03-2011 01:01 AM

Quote:

Originally Posted by karlochacon (Post 4246457)
That's what I am trying to do, but as you see, when I enable [x] TLS using authconfig-tui in CentOS 5.5, clients do not connect; like I said, I never get the password prompt :(

Did you try ldapsearch on the command line?
Code:

ldapsearch -x -ZZ -W -D 'dn-of-your-user'
For this /etc/ldap/ldap.conf should be set up correctly.
The file you configure with authconfig-tui is /etc/ldap.conf. Be aware that these files are NOT the same.
You probably have to set up /etc/ldap/ldap.conf manually.
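The whole server-plus-client procedure discussed in this thread, as an added example that is not code from the thread or from OpenLDAP: it generates the key and self-signed certificate the way the first post does, inserts the TLS directives into the global section of slapd.conf (before the first database line, as Blue_Ice advises) instead of appending them, checks that placement, and writes a client ldap.conf that verifies the server certificate. The certificate directory, the host name ldap.example.com, the trimmed sample slapd.conf and the function names are assumptions made for this example; on CentOS the OpenLDAP library's client file is /etc/openldap/ldap.conf, while authconfig-tui edits /etc/ldap.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the server key and a
# self-signed certificate, put the TLS directives in the GLOBAL section of
# slapd.conf (before the first "database" line) instead of appending them,
# check that placement, and write the client-side ldap.conf.
# Certificate directory, host name, sample slapd.conf and function names are
# assumed values constructed for this example.
set -eu

# Constructed sample slapd.conf, trimmed to the shape the poster showed.
write_sample_slapd_conf() {
    cat > "$1" <<'EOF'
include        /etc/openldap/schema/core.schema
allow bind_v2
pidfile        /var/run/openldap/slapd.pid
database        bdb
suffix          "dc=training,dc=com"
rootdn          "cn=manager,dc=training,dc=com"
directory      /var/lib/ldap
EOF
}

# The poster's openssl steps, with the subject given on the command line.
# The CN must be the host name clients put in their URI, or verification
# fails. On the real server also chown root:ldap the key so slapd can read it.
make_selfsigned_cert() {
    certdir="$1"; cn="$2"
    mkdir -p "$certdir"
    openssl genrsa -out "$certdir/server_key.pem" 2048
    openssl req -new -x509 -days 3650 -subj "/CN=$cn" \
        -key "$certdir/server_key.pem" -out "$certdir/clients_cert.pem"
    chmod 440 "$certdir/server_key.pem"
    chmod 444 "$certdir/clients_cert.pem"
}

# Insert the TLS directives just before the first "database" line so they are
# global. Appended at the end of the file (as the poster's script does) they
# land inside the database section. $1 = slapd.conf, $2 = directory with PEMs.
insert_tls_directives() {
    conf="$1"; certdir="$2"
    awk -v d="$certdir" '
        !done && $1 == "database" {
            print "TLSCACertificateFile " d "/clients_cert.pem"
            print "TLSCertificateFile " d "/clients_cert.pem"
            print "TLSCertificateKeyFile " d "/server_key.pem"
            print "TLSCipherSuite HIGH"
            print "security ssf=128"
            done = 1
        }
        { print }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Exit 0 when at least three TLS* directives exist and all of them precede the
# first "database" line; exit 1 otherwise (the misplacement the poster hit).
check_tls_placement() {
    awk '
        $1 == "database" && !db { db = NR }
        $1 ~ /^TLS/ { seen++; if (db && NR > db) bad = 1 }
        END { if (seen >= 3 && !bad) exit 0; exit 1 }
    ' "$1"
}

# Client side: the OpenLDAP library's file (/etc/openldap/ldap.conf on CentOS;
# authconfig-tui edits the separate nss_ldap file /etc/ldap.conf). Point it at
# the copied server certificate and REQUIRE verification rather than relaxing
# it. $1 = output file, $2 = server host name, $3 = path of the copied cert.
write_client_ldap_conf() {
    cat > "$1" <<EOF
URI ldap://$2
BASE dc=training,dc=com
TLS_CACERT $3
TLS_REQCERT demand
EOF
}

# Stand-alone demo in a scratch directory (no running slapd is touched).
workdir=$(mktemp -d)
if command -v openssl >/dev/null 2>&1; then
    make_selfsigned_cert "$workdir/cacerts" ldap.example.com >/dev/null 2>&1
fi
write_sample_slapd_conf "$workdir/slapd.conf"
insert_tls_directives "$workdir/slapd.conf" /etc/openldap/cacerts
check_tls_placement "$workdir/slapd.conf" && echo "TLS directives are global"
write_client_ldap_conf "$workdir/ldap.conf" ldap.example.com \
    /etc/openldap/cacerts/clients_cert.pem
```

Only clients_cert.pem is copied to the clients; server_key.pem stays on the server with mode 440. To verify from a client, run ldapsearch with -ZZ (StartTLS is then mandatory, so a handshake failure is reported instead of silently falling back to cleartext), e.g. `ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=training,dc=com -D 'dn-of-your-user' -W`. If the client URI uses an IP address, as in the first post, the certificate's CN will not match and TLS_REQCERT demand rejects the connection; the fix is a URI that matches the certificate CN, not setting TLS_REQCERT to never, which disables server verification entirely.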

