LinuxQuestions.org
Old 01-24-2013, 12:30 AM   #1
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Rep: Reputation: Disabled
OpenLDAP Server Configuration error


I followed the guide from the link below to set up an LDAP server. After everything was finished, I configured a client for LDAP authentication, and I can search the entries in LDAP using the command ldapsearch -x ZZ, but when I try to log in to the client using an LDAP user, the prompt just keeps waiting. I found the log below on the LDAP server side.


Log for successful search from client side

Code:
Jan 24 11:34:00 server3 slapd[11086]: conn=1012 fd=19 ACCEPT from IP=<CLIENT-IP>:22759 (IP=0.0.0.0:389)
Jan 24 11:34:00 server3 slapd[11086]: conn=1012 op=0 BIND dn="" method=128
Jan 24 11:34:00 server3 slapd[11086]: conn=1012 op=0 RESULT tag=97 err=0 text=
Jan 24 11:34:00 server3 slapd[11086]: conn=1012 op=1 SRCH base="<DOMAIN>" scope=2 deref=0 filter="(objectClass=*)"
Jan 24 11:34:00 server3 slapd[11086]: conn=1012 op=1 SRCH attr=ZZ
Jan 24 11:34:00 server3 slapd[11086]: conn=1012 op=1 SEARCH RESULT tag=101 err=0 nentries=6 text=
Jan 24 11:34:00 server3 slapd[11086]: conn=1012 op=2 UNBIND
Jan 24 11:34:00 server3 slapd[11086]: conn=1012 fd=19 closed

Log for unsuccessful LDAP user login from client side
Code:
Jan 24 11:35:23 server3 slapd[11086]: conn=1013 fd=19 ACCEPT from IP=<CLIENT-IP>:53501 (IP=0.0.0.0:389)
Jan 24 11:35:23 server3 slapd[11086]: conn=1013 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 24 11:35:23 server3 slapd[11086]: conn=1013 op=0 STARTTLS
Jan 24 11:35:23 server3 slapd[11086]: conn=1013 op=0 RESULT oid= err=0 text=


Guide Link
http://cheenu-y2k.blogspot.in/2011/0...r-configuratio
 
Old 01-24-2013, 03:08 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
you're *searching* for ldap entries containing the string "ZZ" there, when you apparently intended to search with "-ZZ" which is the option to enforce TLS, very very different!

What do you actually want to achieve?
 
Old 01-24-2013, 03:17 AM   #3
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
Thanks for the info, Chris. When I put in the -ZZ option, the same scenario of not being able to log in happened. Then I removed the TLS encryption and login succeeded. It seems like a problem with TLS encryption. What might be the problem?
 
Old 01-24-2013, 03:21 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
How could we possibly say without any config from you whatsoever? Most likely guess would be that you've just not configured it at all.
 
Old 01-24-2013, 03:40 AM   #5
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
I have done these steps for enabling TLS:

1. Set SLAPD_LDAPS=yes in
Code:
/etc/sysconfig/ldap

2. Generate a certificate and key using the command below and change the group of the generated files to ldap:
Code:
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365

3. Add the certificate and key path in the bdb config file:
Code:
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem

Is there something I'm missing?
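A checker for the cn=config TLS settings from the three steps above, added here as an example; it is not code from the thread or from the OpenLDAP project. It assumes the cn=config tree has been dumped to LDIF (for instance with slapcat -n 0) and is handed in as a string; the two LDIF samples, the file paths and the finding texts are constructed for the example. The point it demonstrates: the olcTLS* attributes are global settings that live on the cn=config entry itself, so it flags them when they sit on a database entry such as olcDatabase={2}bdb,cn=config (step 3 puts them in the bdb config), checks that the referenced files exist, and notes what a client needs when the server certificate is self-signed.

```python
# Added example (not from the thread, not OpenLDAP's own code): check where the
# olcTLS* attributes ended up in a cn=config LDIF dump and whether the files
# they point at exist.  Paths, LDIF samples and finding texts are constructed.
import os
from typing import Callable, Dict, List, Tuple

TLS_ATTRS = ("olcTLSCertificateFile", "olcTLSCertificateKeyFile",
             "olcTLSCACertificateFile")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, folded lines starting with a space, '#' comment lines skipped.
    Enough for slapcat output of cn=config; base64 ('::') values are not decoded."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]       # continuation of the previous value
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def check_tls_config(ldif_text: str,
                     file_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings about the TLS settings; an empty list means the
    attributes sit on cn=config and point at files that exist."""
    findings: List[str] = []
    seen: Dict[str, Tuple[str, str]] = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        for attr in TLS_ATTRS:
            if attr in entry:
                seen[attr] = (dn, entry[attr][0])
    if not seen:
        return ["no olcTLS* attributes: slapd has not been told to use any certificate"]
    for attr, (dn, path) in seen.items():
        if dn.lower() != "cn=config":
            findings.append(f"{attr} is on '{dn}'; TLS settings are global and "
                            f"belong on the cn=config entry")
        if not file_exists(path):
            findings.append(f"{attr} points at {path}, which does not exist")
    if "olcTLSCertificateFile" in seen and "olcTLSCertificateKeyFile" not in seen:
        findings.append("olcTLSCertificateFile set without olcTLSCertificateKeyFile")
    if "olcTLSCACertificateFile" not in seen:
        findings.append("note: no olcTLSCACertificateFile; with a self-signed server "
                        "certificate, clients must be pointed at that same PEM "
                        "(TLS_CACERT in ldap.conf) or ldapsearch -ZZ fails verification")
    return findings


# Constructed sample mirroring step 3 above: TLS attributes on the bdb database entry.
SAMPLE_MISPLACED = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
"""

# Constructed sample with the attributes on the global entry and the self-signed
# certificate also given as the CA file.
SAMPLE_FIXED = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
olcTLSCACertificateFile: /etc/pki/tls/certs/slapdcert.pem
"""

if __name__ == "__main__":
    # Pretend the files exist so the sample output only shows placement findings.
    for name, sample in (("misplaced", SAMPLE_MISPLACED), ("fixed", SAMPLE_FIXED)):
        print(name, check_tls_config(sample, file_exists=lambda p: True))
```

Against a real server, run it as check_tls_config(open("cn=config.ldif").read()) on the slapcat output, leaving file_exists at its default so the certificate and key paths are checked on disk too.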
 
Old 01-24-2013, 04:52 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
yes, lots.

SLAPD_LDAPS="yes" appears to only mean that slapd would listen on port 636, which has nothing at all to do with STARTTLS, which runs over the default port 389. And on the other side of the fence, you've created some certs, but not told anything to actually USE them.
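The StartTLS exchange that the slapd log in the first post records (EXT oid=1.3.6.1.4.1.1466.20037, then RESULT err=0), as an added example that is not part of the thread or of OpenLDAP: a small probe written with only the Python standard library that sends the StartTLS extended request to port 389, decodes the extended response, and then attempts the TLS handshake. It tells apart the three outcomes a hanging login can hide: slapd refusing StartTLS (non-zero resultCode), slapd accepting it and then never completing the handshake (what a server with no usable certificate looks like from the client), and the handshake completing but failing certificate verification on the client side, which at least proves the server is serving a certificate. The hostname, CA path and the sample messages are constructed; the BER encoding follows the LDAP message layout of RFC 4511.

```python
# Added example, not from the thread or from OpenLDAP: speak the StartTLS
# extended operation (OID 1.3.6.1.4.1.1466.20037, the one in the slapd log)
# with the standard library only.  Hostnames, CA path and samples are constructed.
import socket
import ssl
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def build_starttls_request(message_id: int = 1) -> bytes:
    """Client side: LDAPMessage { messageID, ExtendedRequest [APPLICATION 23]
    { requestName [0] LDAPOID } }.  0x77 = APPLICATION|constructed|23, 0x80 = [0]."""
    return tlv(0x30, ber_int(message_id) + tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii"))))


def build_extended_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side: LDAPMessage { messageID, ExtendedResponse [APPLICATION 24]
    { resultCode ENUMERATED, matchedDN, diagnosticMessage } }.  0x78 = APPLICATION|constructed|24."""
    result = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x78, result))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> dict:
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(body)
    tag, result, _ = read_tlv(body, p)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, p = read_tlv(result)
    _, matched, p = read_tlv(result, p)
    _, diag, _ = read_tlv(result, p)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
    return data


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage off the socket."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        extra = recv_exact(sock, head[1] & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    else:
        length = head[1]
    return head + recv_exact(sock, length)


def probe_starttls(host: str, port: int = 389, cafile: Optional[str] = None,
                   timeout: float = 5.0) -> dict:
    """Live check against slapd.  'stage' is one of refused, closed, timeout,
    handshake_failed, ok.  A timeout *after* err=0 is the thread's symptom:
    StartTLS accepted, TLS never completes.  A verification error still proves
    slapd is serving a certificate; fix trust with cafile rather than disabling it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        try:
            resp = parse_extended_response(recv_ldap_message(sock))
        except socket.timeout:
            return {"stage": "timeout", "detail": "no ExtendedResponse received"}
        except ConnectionError as exc:
            return {"stage": "closed", "detail": str(exc)}
        if resp["result_code"] != 0:
            return {"stage": "refused", "detail": resp}
        ctx = ssl.create_default_context(cafile=cafile)   # verifies the server certificate
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"stage": "ok", "detail": tls.getpeercert().get("subject")}
        except socket.timeout:
            return {"stage": "timeout", "detail": "StartTLS accepted but TLS handshake never completed"}
        except ssl.SSLError as exc:
            return {"stage": "handshake_failed", "detail": str(exc)}
```

Usage against a server is probe_starttls("ldap.example.test", cafile="/etc/pki/tls/certs/slapdcert.pem") (hostname and path constructed); for a self-signed server certificate the same PEM the server uses is what the client must trust, which is also what TLS_CACERT in the client's ldap.conf does for ldapsearch -ZZ.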
 
Old 01-24-2013, 04:58 AM   #7
anindyameister
Member
 
Registered: Oct 2012
Posts: 47

Original Poster
Rep: Reputation: Disabled
How do I use the certificates then? Sorry if I sound like a complete moron, but I am kind of a newbie, and I'm just starting to learn about Linux servers.
 
Old 01-24-2013, 05:51 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
google for "openldap starttls" and you'll get hundreds of guides about this.
 
  

