LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 06-12-2009, 07:39 AM   #1
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Rep: Reputation: 30
OpenLDAP SSL/TLS problem with pam/nss


I have an OpenLDAP server running which I am trying to get to use SSL/TLS. It works without it, but it does not work when I switch on ssl/tls.
Code:
getent passwd
returns nothing from the ldap server, and the logs show:
Code:
Jun 12 13:23:22 myhost getent: nss_ldap: failed to bind to LDAP server ldaps://ldap.mydomain.com/: Can't contact LDAP server
Jun 12 13:23:22 myhost getent: nss_ldap: could not search LDAP server - Server is unavailable
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 ACCEPT from IP=x.x.x.x:59963 (IP=0.0.0.0:636)
Jun 12 13:23:22 myhost slapd[31771]: conn=9 fd=15 closed (TLS negotiation failure)
I have set these options in ldap.conf for the nss/pam ldap modules
Code:
tls_checkpeer yes
tls_ciphers HIGH
ssl yes
tls_cacert /etc/openldap/cacerts/slapd.cert
and I have the following options in slapd.conf:
Code:
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.cert
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
I don't think that increasing debugging in slapd will help as it looks like it's the client nss and pam ldap modules that are failing to verify the certificate. Setting
Code:
tls_checkpeer no
allows the getent to work, but of course this is insecure...

The cert file and pem file are there with the right permissions, and I am testing this from the same server that slapd is running from right now, so the cacert mentioned in the ldap.conf file is there on the local filesystem too and I copied it to the right path...

So my question is, how do I go about debugging this? I cannot see any more logging information or options to increase logging for the pam/nss modules... and I don't know much about openssl in general (I know I should but I've always hated it)
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
dovecot SSL/TLS non-PAM config went awry molafish Linux - Software 1 03-19-2009 11:59 PM
Ubuntu 8.04 / LDAP / NSS / PAM - not sharing shadow password hence not authenticating fuzzyworm Linux - Server 5 01-01-2009 03:29 PM
OpenLDAP - Active Directory & TLS/SSL ecsjohn Linux - Software 2 05-07-2007 10:05 AM
Pam Mysql Nss server-solution Linux - Software 1 02-24-2006 10:39 AM
Trying to understand Relationship of NSS and PAM saneax Linux - General 0 09-16-2005 04:14 AM


All times are GMT -5. The time now is 07:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration