LinuxQuestions.org
Old 01-25-2011, 07:34 PM   #1
karlochacon
Member
 
Registered: Dec 2006
Posts: 107

Rep: Reputation: 17
OpenLDAP and TLS-SSL


hi guys

I configured my openldap but now I want to implement SSL-TLS

This is my basic slapd.conf configuration

Code:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database        bdb
suffix          "dc=training,dc=com"
rootdn          "cn=manager,dc=training,dc=com"
rootpw          --Removed--
directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
access to attrs=userPassword,shadowLastChange
 by self write
 by anonymous auth
 by dn="cn=manager,dc=training,dc=com" write
 by * none
access to *
 by self write
 by dn="cn=manager,dc=training,dc=com" write
 by * read
And I created this script (simple, I know) to create this TLS/SSL config, but it won't work; users cannot log in.

Path where I am moving the certs: /etc/openldap/cacerts
Code:
service ldap stop
cd /etc/openldap/
openssl genrsa -out server_key.pem 2048
chmod 440 server_key.pem
chown root.ldap server_key.pem
openssl req -new -key server_key.pem -x509 -days 3650 -out clients_cert.pem

chmod 444 clients_cert.pem
mv server_key.pem cacerts/
mv clients_cert.pem cacerts/

echo "TLSCertificateFile /.../clients_cert.pem" >> /.../slapd.conf

echo "TLSCertificateKeyFile /.../server_key.pem" >> /.../slapd.conf

echo "TLSCipherSuite HIGH" >> /...p/slapd.conf

echo "security ssf=128" >>  /.../slapd.conf
service ldap start
echo "Copying Files to LDAP Client Centos2"
rsync -av ./cacerts/clients_cert.pem centos2:/.../cacerts
As you see, I create the key and certificate, assign permissions, add stuff to slapd.conf and finally copy the cert to a client PC.

On client side
I use authconfig-tui
[x] Use LDAP
[x] Use LDAP Authentication
[x] Use TLS
Server: ldap://192.168.x.x
Base DN: dc=training,dc=com/

My environment is CentOS 5.5.

What is wrong in my config?
Any idea? Something I am missing?
Thanks a lot.

Last edited by karlochacon; 01-26-2011 at 08:00 AM.
 
Old 01-26-2011, 10:07 AM   #2
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
You have to add the following lines to slapd.conf

Code:
TLSCACertificateFile server.pem 
TLSCertificateFile server.pem 
TLSCertificateKeyFile server.pem
Of course, you have to replace server.pem with the certificate that you have.

On the client side you also need to set up the certificate, if I remember well.

Edit: Sorry, I missed the echo part in your script. I am not sure, but I think you added these lines at the wrong place in the file. Some things in slapd.conf have a different meaning when they are located at a different place. The best place to put these lines is before the database parameter.

Edit2: in ldap.conf (be aware there are 2, and each has a different meaning, so linking will not work) of the client you need to add the certificate file to the correct parameter.

Last edited by Blue_Ice; 01-26-2011 at 10:14 AM.
 
Old 02-02-2011, 07:29 AM   #3
karlochacon
Member
 
Registered: Dec 2006
Posts: 107

Original Poster
Rep: Reputation: 17
I am including a new configuration in a PDF
so you can take a look (attached)
thanks a lot
Attached Files
File Type: pdf User connected without SSL.pdf (162.5 KB, 3 views)
 
Old 02-02-2011, 04:56 PM   #4
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
It looks okay, but it is easy to test by setting up the ldap client tools.
 
Old 02-02-2011, 06:00 PM   #5
karlochacon
Member
 
Registered: Dec 2006
Posts: 107

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by Blue_Ice
It looks okay, but it is easy to test by setting up the ldap client tools.
That's what I am trying to do, but as you see, when I enable [x] TLS using authconfig-tui in CentOS 5.5 clients they do not connect; like I said, I never get the password prompt.
 
Old 02-03-2011, 01:01 AM   #6
Blue_Ice
Member
 
Registered: Jul 2006
Location: Belgium
Distribution: Debian, Fedora, CentOS, Windows
Posts: 352

Rep: Reputation: Disabled
Quote:
Originally Posted by karlochacon
That's what I am trying to do, but as you see, when I enable [x] TLS using authconfig-tui in CentOS 5.5 clients they do not connect; like I said, I never get the password prompt.
Did you try ldapsearch on the command line?
Code:
ldapsearch -x -ZZ -W -D 'dn-of-your-user'
For this /etc/ldap/ldap.conf should be set up correctly.
The file you configure with authconfig-tui is /etc/ldap.conf. Be aware that these files are NOT the same.
You probably have to setup /etc/ldap/ldap.conf manually.
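Added example (my own script, not code from this thread or from the OpenLDAP project) that turns the two points above into offline checks: Blue_Ice's advice that the TLS* directives belong in the global section of slapd.conf, before the first database line, and the reminder that ldapsearch -ZZ reads the OpenLDAP library's ldap.conf (on CentOS 5 that is /etc/openldap/ldap.conf; authconfig-tui writes the separate nss_ldap/pam_ldap file /etc/ldap.conf). With a self-signed certificate such as the one the OP's script makes, clients_cert.pem is its own CA, so it is the file both TLSCACertificateFile on the server and TLS_CACERT on the client point at. The sample configs, the address 192.168.0.10 and the paths under /etc/openldap/cacerts are constructed for the demo; only sh and awk are needed, no slapd or ldapsearch.

```shell
#!/bin/sh
# Added example, not code from this thread. Two offline checks for the two
# points raised above:
#  1. slapd.conf must carry TLSCACertificateFile, TLSCertificateFile and
#     TLSCertificateKeyFile in the global section, i.e. before "database".
#  2. the OpenLDAP library's ldap.conf (the file ldapsearch reads; on CentOS 5
#     that is /etc/openldap/ldap.conf) must name a CA and keep verification on.
# Paths, the IP and the sample files below are constructed for the demo.

# check_slapd_tls CONF  ->  0 ok, 1 a directive is missing, 2 one is misplaced
check_slapd_tls() {
    conf=$1
    # line of the first "database" directive; 0 when there is none
    dbline=$(awk 'tolower($1) == "database" { print NR; exit }' "$conf")
    : "${dbline:=0}"
    rc=0
    for d in TLSCACertificateFile TLSCertificateFile TLSCertificateKeyFile; do
        line=$(awk -v d="$d" 'tolower($1) == tolower(d) { print NR; exit }' "$conf")
        if [ -z "$line" ]; then
            echo "slapd.conf: missing $d" >&2
            rc=1
        elif [ "$dbline" -ne 0 ] && [ "$line" -gt "$dbline" ]; then
            echo "slapd.conf: $d (line $line) comes after database (line $dbline)" >&2
            [ "$rc" -eq 0 ] && rc=2
        fi
    done
    return $rc
}

# check_client_ldap_conf CONF -> 0 ok, 1 no CA configured or verification off
check_client_ldap_conf() {
    conf=$1
    ca=$(awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { print $2; exit }' "$conf")
    reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { print tolower($2); exit }' "$conf")
    if [ -z "$ca" ]; then
        echo "ldap.conf: no TLS_CACERT or TLS_CACERTDIR, server cert cannot be verified" >&2
        return 1
    fi
    case "$reqcert" in
        never|allow)
            echo "ldap.conf: TLS_REQCERT $reqcert turns server verification off" >&2
            return 1 ;;
    esac
    return 0
}

# write_sample NAME FILE  -- constructed sample configs (not the OP's files)
write_sample() {
    case $1 in
    slapd-op)     printf '%s\n' 'database bdb' 'suffix "dc=training,dc=com"' \
                  'TLSCertificateFile /etc/openldap/cacerts/clients_cert.pem' \
                  'TLSCertificateKeyFile /etc/openldap/cacerts/server_key.pem' > "$2" ;;
    slapd-late)   printf '%s\n' 'database bdb' \
                  'TLSCACertificateFile /etc/openldap/cacerts/clients_cert.pem' \
                  'TLSCertificateFile /etc/openldap/cacerts/clients_cert.pem' \
                  'TLSCertificateKeyFile /etc/openldap/cacerts/server_key.pem' > "$2" ;;
    slapd-fixed)  printf '%s\n' \
                  'TLSCACertificateFile /etc/openldap/cacerts/clients_cert.pem' \
                  'TLSCertificateFile /etc/openldap/cacerts/clients_cert.pem' \
                  'TLSCertificateKeyFile /etc/openldap/cacerts/server_key.pem' \
                  'database bdb' 'suffix "dc=training,dc=com"' > "$2" ;;
    client-weak)  printf '%s\n' 'BASE dc=training,dc=com' 'URI ldap://192.168.0.10' \
                  'TLS_REQCERT never' > "$2" ;;
    client-ok)    printf '%s\n' 'BASE dc=training,dc=com' 'URI ldap://192.168.0.10' \
                  'TLS_CACERT /etc/openldap/cacerts/clients_cert.pem' \
                  'TLS_REQCERT demand' > "$2" ;;
    esac
}

# Stand-alone demo over the constructed samples
tmp=$(mktemp)
for s in slapd-op slapd-late slapd-fixed; do
    write_sample "$s" "$tmp"
    check_slapd_tls "$tmp" && echo "$s: ok" || echo "$s: rejected (status $?)"
done
for s in client-weak client-ok; do
    write_sample "$s" "$tmp"
    check_client_ldap_conf "$tmp" && echo "$s: ok" || echo "$s: rejected"
done
rm -f "$tmp"
```

The slapd-op sample mirrors what the OP's echo lines produce (TLS directives appended after the database section and no TLSCACertificateFile) and is rejected with status 1; slapd-late has all three directives but after database and gets status 2; slapd-fixed passes. On the client, a TLS_REQCERT of never or allow makes the handshake "work" by skipping server verification, which is why the check treats it as a failure rather than a fix. When the client uses TLS_CACERTDIR instead of TLS_CACERT (what authconfig-tui configures on CentOS 5 via /etc/ldap.conf), the PEM that rsync copied is only found if the directory also holds the hash-named link that `c_rehash` or `openssl x509 -hash -noout -in clients_cert.pem` produces; a missing link fails the StartTLS handshake with exactly the "never get the password prompt" symptom, and `ldapsearch -x -ZZ -d 1` on the client shows the TLS error.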
 
All times are GMT -5.