
AW: Re: [SOLVED] Re: SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read



Hi again,

man, I mixed up a lot of things ...

I hope I finally understand what I did wrong:

Ubuntu 8.04 creates a huge /etc/ldap.conf as a
substitute for libnss_ldap.conf and libpam_ldap.conf.
I misunderstood this file to be the LDAP client
configuration, which it is obviously not. Instead,
it's the configuration for libnss-ldap and libpam-ldap.

In some wiki article, I read that it would be o.k.
to softlink /etc/ldap/ldap.conf to /etc/ldap.conf
to have fewer configuration files. I did that and
forgot to mention it in my first mail.

That's why I used keywords like tls_cacertfile and others,
because that's just the way those parameters are called
in that file.

I hope to be smarter next time ;-)

So, what I did now:
I created a new /etc/ldap/ldap.conf with only
a few entries:

===== /etc/ldap/ldap.conf =====

BASE dc=...
URI ldaps://<fqdn>/
TLS_REQCERT yes
TLS_CACERT /usr/lib/ssl/cacerts/<ca>.chain.crt

=== END /etc/ldap/ldap.conf ===

after that, ldapsearch -x was successful.

Then I re-installed libnss/libpam-ldap and
set the necessary nss/pam values in the
auto-generated /etc/ldap.conf. Finally,
I adapted common-* in /etc/pam.d/, and getent passwd,
id <user> and su worked the way I wanted them to.

I still have a problem with TLSVerifyClient demand,
but that's something for another thread and only
after some more reading and testing ;-)

Thanks again for your help, I learned a lot :-)

Best regards,

Hauke




----- Original Message -----
From: "Buchan Milne" <bgmilne@staff.telkomsa.net>
To: openldap-technical@openldap.org
CC: hyc@symas.com, "Hauke Coltzau" <hauke.coltzau@FernUni-Hagen.de>
Sent: Thursday, 28 August 2008 13:31:58 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: Re: [SOLVED] Re: SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server - client certificate not read

On Thursday 28 August 2008 12:28:25 Hauke Coltzau wrote:
> Hi everybody,
>
> thank you all for your immediate replies.
>
> As you correctly pointed out, the options I used were wrong.
> With following ldap.conf, everything works out fine.
>
>   base dc=...
>   URI ldaps://<fqdn of ldap server>/
>   ldap_version 3
>   rootbinddn cn=...
>   bind_policy soft
>   pam_password md5
>
>   TLS_REQCERT yes
>   TLS_CACERT /usr/lib/ssl/certs/<ca>.chain.crt
>
> The ldap.conf I used before has been created by dpkg-reconfigure
> and I simply changed the default values there. That was a mistake ;-)
> Creating a new ldap.conf from scratch with a man-page at hand
> obviously did the trick.

You still seem to be confused between different ldap.conf files. bind_policy, 
pam_password etc. are not valid in the OpenLDAP ldap.conf file; most likely 
one belongs in /etc/libnss_ldap.conf and the other in 
/etc/libpam_ldap.conf (on Debian-based systems, or /etc/ldap.conf on distros 
that use the default config file location for nss_ldap/pam_ldap as shipped 
upstream).

While you may have a working configuration, it may be more by luck than good 
judgement.

Regards,
Buchan


-- 
------------------------------------
      Fernuniversität in Hagen
   Lehrgebiet Kommunikationsnetze
   http://www.fernuni-hagen.de/kn

 Fon/Fax: +49 2331 987 -1142 / -353
------------------------------------
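The confusion in this thread is between two files with nearly the same name: /etc/ldap/ldap.conf, which libldap (and therefore ldapsearch, slapd's client side and anything linked against libldap) reads, and /etc/ldap.conf, which nss_ldap/pam_ldap read. Keywords from the wrong file are not rejected, they are silently ignored, so a TLS setting the admin believes is enforced may not be. The script below is an added example, not code from the thread, the OpenLDAP project or Ubuntu: a small POSIX sh linter for the libldap client file. It flags nss_ldap/pam_ldap keywords that libldap ignores (bind_policy, pam_password, tls_cacertfile, ...), TLS_REQCERT values that do not abort on a bad server certificate, and a TLS_CACERT path that does not exist. The keyword lists are a subset of ldap.conf(5) and of nss_ldap's ldap.conf(5), the sample config is constructed from the first reply in the thread with placeholder DN and hostname values, and the function name audit_ldap_conf is the example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: lint an OpenLDAP client ldap.conf
# (/etc/ldap/ldap.conf on Debian/Ubuntu) for the mistakes discussed above.
#   MISPLACED: nss_ldap/pam_ldap keywords that libldap silently ignores
#   WEAK:      TLS_REQCERT values that let a bad server certificate through
#   MISSING:   a TLS_CACERT path that is not readable
#   UNKNOWN:   anything outside both keyword lists
#   NOTE:      TLS_REQCERT values not documented in ldap.conf(5)
set -f   # no pathname expansion while word-splitting config lines

# Subset of the options libldap reads, per ldap.conf(5).
LIBLDAP_KEYS="BASE URI HOST PORT BINDDN DEREF SIZELIMIT TIMELIMIT TIMEOUT \
NETWORK_TIMEOUT REFERRALS SASL_MECH SASL_REALM SASL_AUTHCID SASL_AUTHZID \
SASL_SECPROPS TLS_CACERT TLS_CACERTDIR TLS_CERT TLS_KEY TLS_CIPHER_SUITE \
TLS_RANDFILE TLS_REQCERT TLS_CRLCHECK"

# Options that belong to nss_ldap / pam_ldap (/etc/ldap.conf), not libldap.
NSS_PAM_KEYS="LDAP_VERSION ROOTBINDDN BIND_POLICY BIND_TIMELIMIT SSL SCOPE \
TLS_CHECKPEER TLS_CACERTFILE PAM_PASSWORD PAM_FILTER PAM_LOGIN_ATTRIBUTE \
NSS_BASE_PASSWD NSS_BASE_GROUP NSS_BASE_SHADOW"

# Usage: audit_ldap_conf FILE
# Prints one finding per line; returns 0 when clean, 1 when anything
# other than a NOTE was found.
audit_ldap_conf() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                          # split on whitespace
        [ $# -eq 0 ] && continue              # blank line
        case $1 in \#*) continue ;; esac      # comment
        key=$(printf '%s' "$1" | tr 'a-z' 'A-Z')   # keywords are case-insensitive
        val=${2:-}
        case " $LIBLDAP_KEYS " in
        *" $key "*)
            case $key in
            TLS_REQCERT)
                case $(printf '%s' "$val" | tr 'A-Z' 'a-z') in
                demand|hard) ;;               # connection fails on a bad/missing cert
                never|allow|try)
                    echo "WEAK: TLS_REQCERT $val does not abort on a bad server certificate"
                    rc=1 ;;
                *)
                    echo "NOTE: TLS_REQCERT $val is not documented in ldap.conf(5); use demand"
                    ;;
                esac ;;
            TLS_CACERT)
                if [ ! -r "$val" ]; then
                    echo "MISSING: TLS_CACERT $val is not readable"
                    rc=1
                fi ;;
            esac ;;
        *)
            case " $NSS_PAM_KEYS " in
            *" $key "*)
                echo "MISPLACED: $key is an nss_ldap/pam_ldap option; libldap ignores it here"
                rc=1 ;;
            *)
                echo "UNKNOWN: $key is not a libldap option"
                rc=1 ;;
            esac ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample (placeholder DN and hostname): the mixed-up file from
# the first reply in the thread, written to the path given as $1.
write_mixed_sample() {
    cat >"$1" <<'EOF'
base dc=example,dc=org
URI ldaps://ldap.example.org/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=org
bind_policy soft
pam_password md5
TLS_REQCERT yes
TLS_CACERT /nonexistent/ca.chain.crt
EOF
}

# Stand-alone run: audit the file named on the command line, or the sample.
if [ -n "${1:-}" ]; then
    audit_ldap_conf "$1"
elif [ "$(basename "$0")" = "audit_ldap_conf.sh" ]; then
    write_mixed_sample /tmp/mixed-ldap.conf
    audit_ldap_conf /tmp/mixed-ldap.conf
fi
```

Run it against /etc/ldap/ldap.conf after any change, and keep in mind the reverse direction too: libldap-style keywords placed in /etc/ldap.conf are ignored just as silently by nss_ldap/pam_ldap. To confirm that the CA file named in TLS_CACERT actually validates the server, check the chain independently of libldap with openssl s_client -connect <fqdn>:636 -CAfile <ca>.chain.crt and look for "Verify return code: 0 (ok)".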