
TLS issue with pam_ldap/nss_ldap and openldap


Please read my question before saying this is not related to OpenLDAP.

I am setting up master and slave servers and want to make sure each of the servers can use every other server for user authentication in case the local ldap server has any problem. Also I want to use TLS for user authentication. Here are my settings for the servers:

Redhat 9
OpenSSL 0.9.7d
OpenLDAP 2.2.8

My /etc/openldap/ldap.conf is like:
BASE dc=example,dc=com
URI  ldap://master.example.com ldaps://master.example.com
URI  ldap://slave1.example.com ldaps://slave1.example.com
URI  ldap://slave2.example.com ldaps://slave2.example.com

TLS_CERT /etc/openldap/certs/server.crt
TLS_KEY /etc/openldap/certs/server.key
TLS_CACERT /etc/openldap/certs/cacert.pem

The config file /etc/ldap.conf for nss_ldap/pam_ldap is like:
host master.example.com slave1.example.com slave2.example.com
base dc=example,dc=com
ldap_version 3
timelimit 30
bind_timelimit 30
idle_timelimit 3600
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/cacert.pem
tls_ciphers TLSv1

If I specify multiple ldap servers for host in /etc/ldap.conf as above, then the ldap server will start without asking for the passphrase for the server's
key/certificate, which would break the TLS/SSL connection. If I comment out "ssl start_tls" and "ssl on" in /etc/ldap.conf, then
the ldap server starts just fine, asking for the passphrase, and TLS/SSL works again; or if I just specify one host, the server host itself,
then everything works just fine.

Now my question is: OpenLDAP is supposed to not read or care about /etc/ldap.conf, so why does a different setting in /etc/ldap.conf cause slapd to behave differently? Does it mean OpenLDAP does depend on /etc/ldap.conf?

Another question: is it enough to just set TLS/SSL in slapd.conf and the ldap.conf for the ldap server? Without "ssl start_tls" in
/etc/ldap.conf, will the authentication process automatically use TLS once it is set in slapd.conf and /etc/openldap/ldap.conf?

Simon Gao
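An added example, not part of the original post and not OpenLDAP or nss_ldap project code: a small POSIX shell script that reads an nss_ldap/pam_ldap style /etc/ldap.conf, reports the TLS settings a defender would want to double-check (the post's file carries both "ssl start_tls" and "ssl on", i.e. two different values for the same keyword; whether tls_checkpeer is "yes"; whether a CA file or directory is named), and then, if ldapsearch is installed and PROBE=1 is set, tries a STARTTLS-enforced base search against every host listed. The config text is constructed to mirror the post; the host names and certificate paths are the post's placeholders, and the probe assumes the ldapsearch -ZZ option from the OpenLDAP client tools.

```shell
#!/bin/sh
# Added example (not from the post): lint an nss_ldap/pam_ldap ldap.conf for
# TLS settings and optionally probe each host with a STARTTLS-enforced search.

# Constructed sample mirroring the post's /etc/ldap.conf (note the two 'ssl' lines).
SAMPLE_LDAP_CONF='host master.example.com slave1.example.com slave2.example.com
base dc=example,dc=com
ldap_version 3
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/cacert.pem
tls_ciphers TLSv1'

# Constructed variant with a single, unambiguous STARTTLS setting.
FIXED_LDAP_CONF='host master.example.com slave1.example.com slave2.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/certs/cacert.pem'

# get_directive KEY CONF: print the value of the last non-comment KEY line.
get_directive() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 ~ /^#/ { next }
        $1 == k   { v = $2 }
        END       { if (v != "") print v }'
}

# list_hosts CONF: one host per line from the 'host' directive(s).
list_hosts() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/    { next }
        $1 == "host" { for (i = 2; i <= NF; i++) print $i }'
}

# tls_mode CONF: "off" (no ssl line), the single ssl value, or "conflict"
# when several different values are present (the post has start_tls and on).
tls_mode() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^#/   { next }
        $1 == "ssl" { vals[$2] = 1; n++ }
        END {
            if (n == 0) { print "off"; exit }
            c = 0; for (v in vals) { c++; last = v }
            if (c > 1) print "conflict"; else print last
        }'
}

# check_ldap_conf CONF: print one line per finding (nothing when clean).
check_ldap_conf() {
    conf="$1"
    mode=$(tls_mode "$conf")
    checkpeer=$(get_directive tls_checkpeer "$conf")
    cafile=$(get_directive tls_cacertfile "$conf")
    cadir=$(get_directive tls_cacertdir "$conf")
    case "$mode" in
        conflict) echo "WARN: several different 'ssl' values; keep exactly one (start_tls on 389, or on for ldaps:// 636)" ;;
        off)      echo "WARN: no 'ssl' directive; binds and passwords travel over cleartext LDAP" ;;
    esac
    if [ "$mode" != off ] && [ "$checkpeer" != yes ]; then
        echo "WARN: tls_checkpeer is not 'yes'; the server certificate is not verified"
    fi
    if [ "$checkpeer" = yes ] && [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "INFO: tls_checkpeer yes but no tls_cacertfile/tls_cacertdir here; verification relies on TLS_CACERT in the OpenLDAP client ldap.conf"
    fi
}

# probe_hosts CONF: require STARTTLS (-ZZ) on a base-scope search of the suffix.
probe_hosts() {
    conf="$1"
    base=$(get_directive base "$conf")
    if ! command -v ldapsearch >/dev/null 2>&1; then
        echo "ldapsearch not installed; skipping live probe"
        return 0
    fi
    for h in $(list_hosts "$conf"); do
        if ldapsearch -x -ZZ -H "ldap://$h" -b "$base" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1; then
            echo "$h: STARTTLS OK"
        else
            echo "$h: STARTTLS FAILED (check the CA file, the server certificate, and slapd's TLS settings)"
        fi
    done
}

check_ldap_conf "$SAMPLE_LDAP_CONF"
if [ "${PROBE:-0}" = 1 ]; then
    probe_hosts "$SAMPLE_LDAP_CONF"
fi
```

Run it as-is to lint the embedded sample, or replace SAMPLE_LDAP_CONF with `$(cat /etc/ldap.conf)` and export PROBE=1 on a host that has the OpenLDAP client tools to exercise each server in turn; a host that answers plain LDAP but fails the -ZZ search is exactly the case where nss_ldap would silently fall back to the next host or to cleartext, depending on its settings.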