LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General > Linux - Certification
User Name
Password
Linux - Certification This forum is for the discussion of all topics relating to Linux certification.

Notices


Reply
  Search this Thread
Old 05-20-2017, 01:59 PM   #1
adiemme
LQ Newbie
 
Registered: May 2017
Posts: 4

Rep: Reputation: Disabled
[RHCSA] LDAP server installation using SSL.


Hello everybody,

I am setting up a virtual environment where i can play with and so prepare myself for the RHCSA certification exam.

The thing is that i am currently doing the sample exams on the end of my book (A. Ghori).

Where i am struggling with is the step where it says:

"Use dc=example,dc=com, and LDAP server vm2.example.com with a certificate sitting in /etc/openldap/cacerts to allow ldapuser1 to be able to log on to rhcsa2"

Now, on the server side, i have already set up everything, so LDAP works. The part i am struggling with is the SSL part.

Basically, i have created the CA and the server certificates.
In order to create the certificates i have used easy-rsa.

Code:
[root@hypervisor-s1 keys]# openssl verify -CAfile ca.crt hypervisor-s1.crt 
hypervisor-s1.crt: OK

Then, after i have run on the client machine:
[root@rhcsa2 certs]# authconfig --enableldap --enableldapauth --ldapserver='ldaps://hypervisor-s1' --ldapbasedn='dc=domain,dc=local' --update
Code:
I have copied the ca.crt:
[root@hypervisor-s1 keys]# scp ca.crt 192.168.0.201:/etc/openldap/cacerts/

But the problem is that nlscd complains:
[root@rhcsa2 certs]# systemctl status nslcd -l
● nslcd.service - Naming services LDAP client daemon.
   Loaded: loaded (/usr/lib/systemd/system/nslcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2017-05-20 20:42:20 CEST; 13min ago
  Process: 18123 ExecStart=/usr/sbin/nslcd (code=exited, status=0/SUCCESS)
 Main PID: 18124 (nslcd)
   CGroup: /system.slice/nslcd.service
           └─18124 /usr/sbin/nslcd

May 20 20:42:26 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> failed to bind to LDAP server ldaps://hypervisor-s1: Can't contact LDAP server: TLS error -5938:Encountered end of file: Operation now in progress
May 20 20:42:26 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
May 20 20:42:27 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> failed to bind to LDAP server ldaps://hypervisor-s1: Can't contact LDAP server: TLS error -5938:Encountered end of file: Operation now in progress
May 20 20:42:27 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
May 20 20:42:28 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> failed to bind to LDAP server ldaps://hypervisor-s1: Can't contact LDAP server: TLS error -5938:Encountered end of file: Operation now in progress
May 20 20:42:28 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
May 20 20:42:29 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> failed to bind to LDAP server ldaps://hypervisor-s1: Can't contact LDAP server: TLS error -5938:Encountered end of file: Operation now in progress
May 20 20:42:29 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> no available LDAP server found, sleeping 1 seconds
May 20 20:42:30 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> failed to bind to LDAP server ldaps://hypervisor-s1: Can't contact LDAP server: TLS error -5938:Encountered end of file: Operation now in progress
May 20 20:42:30 rhcsa2 nslcd[18124]: [8b4567] <passwd(all)> no available LDAP server found: Can't contact LDAP server: Transport endpoint is not connected

Here are the configs:

[root@rhcsa2 ~]# cat /etc/openldap/ldap.conf | grep -vE '^#|^$'
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON    on
URI ldaps://hypervisor-s1
BASE dc=domain,dc=local

[root@rhcsa2 ~]# cat /etc/nslcd.conf | grep -vE '^#|^$'
uid nslcd
gid ldap
uri ldaps://hypervisor-s1
base dc=domain,dc=local
tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/ca.crt
ssl no
I know that i could just skip the validation and then it would work, but since i am simulating the exam, i would like to stick to it.

Cheers,

Last edited by onebuck; 05-20-2017 at 07:12 PM. Reason: clean up post with code tags
 
Old 05-20-2017, 03:25 PM   #2
adiemme
LQ Newbie
 
Registered: May 2017
Posts: 4

Original Poster
Rep: Reputation: Disabled
And turns out it was a permissions issue :/
chown -R ldap. /etc/openldap/*

Has resolved my issue.

So ashamed.
 
Old 05-20-2017, 07:09 PM   #3
onebuck
Moderator
 
Registered: Jan 2005
Location: Summer Midwest USA, Central Illinois, Winter Central Florida
Distribution: SlackwareŽ
Posts: 13,365
Blog Entries: 31

Rep: Reputation: 2548Reputation: 2548Reputation: 2548Reputation: 2548Reputation: 2548Reputation: 2548Reputation: 2548Reputation: 2548Reputation: 2548Reputation: 2548Reputation: 2548
Moderator response

In the future, please consider using code tags for data presentations. The # sign (at the top of the reply window) is for code while the quote (balloon icon to the left of #) for quoting.

That way your posts will be cleaner therefore easier to read.
Please consider reading the following to aid you when creating a post; http://www.linuxquestions.org/questi...#faq_lqwelcome
 
Old 05-23-2017, 09:27 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175Reputation: 3175
Very good. You set up a realistic scenario, ran into one of several common issues, and solved it yourself. Thanks for sharing.

Now, go do more and more and more of this.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
AIX LDAP client authenticate against Linux Openldap server over TLS/SSL gnu699 AIX 4 01-16-2016 07:04 AM
sudo: Can't contact LDAP server with SSL and PAM sebastienliu Linux - Server 1 01-15-2013 12:02 AM
PAM LDAP: Kerberos vs SSL (LDAP SSL) wilslm Red Hat 3 04-22-2011 08:50 AM
LDAP SSL and Non-SSL port open? your_shadow03 Linux - Newbie 3 01-14-2010 05:57 PM
Contacting LDAP server fails under load when using LDAPS (ssl) kingbolete Linux - Server 0 09-05-2008 10:16 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - General > Linux - Certification

All times are GMT -5. The time now is 09:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration