
openldap - SSL/TLS - unix authentication




Hi,



I want to authenticate my users when they log on to a Linux workstation.
I use pam_ldap and nss_ldap (the tarball, not the package), openldap
2.1.17, openssl 0.9.7 and debian 3.0

I start the LDAP server with:
	slapd -h "ldap://127.0.0.1:389 ldaps://127.0.0.1:636"

In the file /var/log/auth.log, I have these lines:

Aug 14 10:56:43 squid login[7986]: pam_ldap: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): Unknown error
Aug 14 10:56:43 squid login[7986]: pam_ldap: _set_ssl_default_options failed
Aug 14 10:56:43 squid login[7986]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 14 10:56:45 squid login[7986]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Aug 14 10:56:45 squid PAM_unix[7986]: (login) session opened for user root by (uid=0)
Aug 14 10:56:45 squid login[7986]: ROOT LOGIN on `pts/4' from `XXX.XXX.XX.X'


Do you have an idea why it doesn't work? (I have no log from the LDAP
server.)

thanks

Philippe


ldap.conf file:
****************

host XXX.XXX.XXX.XXX
base dc=XXXXX,dc=XXX
uri ldap://127.0.0.1/
uri ldaps://127.0.0.1/
binddn cn=Root,dc=XXXX,dc=XXX
bindpw XXXX
#rootbinddn cn=manager,dc=padl,dc=com
port 636
scope sub
(...)
# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
ssl yes

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /opt/certificate/certificat_signe_autorite/ca.crt

#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key



slapd.conf file:
*****************

(...)
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /opt/certificate/certificat_serveur/server.crt
TLSCertificateKeyFile /opt/certificate/clef_serveur/server.key
TLSCACertificateFile /opt/certificate/certificat_signe_autorite/ca.crt
TLSVerifyClient never
(...)
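The posted ldap.conf mixes `ssl start_tls` with `ssl yes`, `port 636` and both an ldap:// and an ldaps:// URI, and the file's own comments say tls_checkpeer yes needs a CA file or directory. As an added example (not from the original mail, nor from pam_ldap or OpenLDAP), a small checker that parses such a fragment and flags mixed TLS settings and a missing trust anchor; the embedded sample is a constructed copy of the posted fragment with the elided lines dropped.

```python
"""Flag inconsistent TLS settings in a pam_ldap/nss_ldap ldap.conf."""
import os
from urllib.parse import urlsplit

# Constructed sample mirroring the posted ldap.conf fragment (elided lines dropped).
SAMPLE_CONF = """\
host XXX.XXX.XXX.XXX
base dc=XXXXX,dc=XXX
uri ldap://127.0.0.1/
uri ldaps://127.0.0.1/
port 636
ssl start_tls
ssl yes
tls_checkpeer yes
tls_cacertfile /opt/certificate/certificat_signe_autorite/ca.crt
"""

def parse_ldap_conf(text):
    """Map each directive (lower-cased) to the list of values it was given,
    in file order; repeated 'uri'/'ssl' lines are kept, comments and blanks skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        values.setdefault(parts[0].lower(), []).append(value)
    return values

def check_tls_settings(text, check_files=False):
    """Return a list of findings; an empty list means nothing inconsistent was seen."""
    values = parse_ldap_conf(text)
    findings = []
    ssl_modes = values.get("ssl", [])
    if len(set(ssl_modes)) > 1:
        findings.append(f"conflicting 'ssl' directives: {ssl_modes}")
    schemes = {urlsplit(u).scheme for u in values.get("uri", [])}
    # start_tls upgrades a plain-port session; ldaps:// and port 636 expect TLS from the start.
    if "start_tls" in ssl_modes and ("ldaps" in schemes or "636" in values.get("port", [])):
        findings.append("ssl start_tls set together with an ldaps:// URI or port 636")
    if {"ldap", "ldaps"} <= schemes:
        findings.append("both ldap:// and ldaps:// URIs are listed")
    if values.get("tls_checkpeer", ["no"])[-1] == "yes":
        trust = values.get("tls_cacertfile", []) + values.get("tls_cacertdir", [])
        if not trust:
            findings.append("tls_checkpeer yes but no tls_cacertfile or tls_cacertdir")
        elif check_files:  # optionally confirm the trust anchors exist on this host
            findings += [f"CA path not found: {p}" for p in trust if not os.path.exists(p)]
    return findings
```

Run it on the real /etc/ldap.conf with `check_files=True` to also confirm the CA path is present on the client.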