
TLSVerifyClient: Basic setup works, but SSHD and su fail (SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server)



Hi everybody,

I hope this is still the right group for my question; it might also
be a lib{pam|nss}_ldap problem.

I am very happy to say that I have an almost completely running
installation now. But one single problem still remains:

I want to use TLS communication between my ldap server and
the clients. I started with my own RootCA, created 2
SubCAs (one for server certs, one for user certs) and generated
a certificate for my server, signed by the ServerCA.

On the client side, I have set

==== /etc/ldap/ldap.conf ====

  BASE dc=...

  URI ldaps://<fqdn>/

  # Require valid cert from server
  TLS_REQCERT yes

  # CA for trusted server certs
  TLS_CACERT /usr/lib/ssl/cacerts/<serverca>.chain.pem

== END /etc/ldap/ldap.conf ==

This works out perfectly, as I can see using a
packet sniffer. The client only communicates with the server
using TLSv1 and only if the server's certificate is valid.

Next, I activated TLSVerifyClient on the server side

==== /etc/ldap/slapd.conf ====

  ...
  # The CA chain for valid client certs
  TLSCACertificateFile /usr/lib/ssl/cacerts/<userca>.chain.pem

  # The server's cert
  TLSCertificateFile /usr/lib/ssl/certs/<server>.cert.pem

  # The server's key
  TLSCertificateKeyFile /usr/lib/ssl/private/<server>.key.pem

  # Verify clients always
  TLSVerifyClient demand 
  
== END /etc/ldap/slapd.conf ==

and created a client cert without password for my local client user, signed by
the UserCA. This cert and the corresponding key are referenced in the (local)
user's .ldaprc on the client machine:

==== /home/<user>/.ldaprc ====

  TLS_CERT /home/<user>/openldap/<user>.ldap.cert.pem
  TLS_KEY /home/<user>/openldap/<user>.ldap.key.pem

== END /home/<user>/.ldaprc ==


So, when I start ldapsearch -x as local user, I get a positive result as long
as the above mentioned certificate is valid. If the user's certificate
is not valid, ldapsearch fails. Wonderful, that's exactly what I wanted.


But now to my problem:

Since I use the ldap server for network user authentication, I can (as
local user) make a su - <network_user>, enter the password and get
authenticated, but have a look at the shell:

  <local user>@<client>:~$ su - <network_user> 
  Password: <network user password here>
  id: cannot find name for group ID <network_user group>
  I have no name!@<client>:~$

Without TLSVerifyClient, this works out fine:

  <local user>@<client>:~$ su - <network_user> 
  Password: <network user password here>
  <network_user>@<client>:~$ 

Secondly: How do I make it possible that when connecting via ssh to the client
machine (from any other machine), I can log in as <network_user>? Here are the
details:

In /etc/ldap.conf (Ubuntu 8.04 uses this as replacement for lib(pam|nss)_ldap.conf),
I set the values for

  tls_cert /usr/lib/ssl/certs/<client>.ldap.cert.pem
  tls_key /usr/lib/ssl/private/<client>.ldap.key.pem

The certificate has been signed by the same CA as the above user
certificate. The CN is the name of the host (not fqdn, that is, just the
hostname).

But when I try to log in via ssh, it quits the connection, saying

  slapd -d127 -h "ldaps:///" -u openldap -g openldap

  ...
  TLS: can't accept: The peer did not send any certificate..
  connection_read(12): TLS accept failure error=-1 id=0, closing
  ...


Without TLSVerifyClient, I can log in.

I assume that both problems have the same background, but I just don't get
it.

Hope this time I didn't miss reading a manual again ;-)

Best regards,

Hauke

--
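
An added example, not part of the original post and not OpenLDAP or nss_ldap code: a small Python check that reads an ldap.conf-style file and lists the reasons the client certificate and key it names (the TLS_CERT/TLS_KEY and tls_cert/tls_key settings quoted above) could not be loaded by the account running it. The function names and the temporary sample files are constructed for illustration; run it as the account whose lookups fail, since readability depends on who opens the files.

```python
import os
import stat
import tempfile

def parse_directives(text):
    """Return {lowercased keyword: value} from ldap.conf-style text."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip()
    return found

def audit_client_tls(text):
    """List reasons this config cannot yield a usable client certificate."""
    conf = parse_directives(text)
    problems = []
    for name in ("tls_cert", "tls_key"):
        path = conf.get(name)
        if path is None:
            problems.append(f"{name}: not set")
        elif not os.path.isfile(path):
            problems.append(f"{name}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{name}: {path} not readable by uid {os.getuid()}")
    key_path = conf.get("tls_key")
    if key_path and os.path.isfile(key_path):
        # A private key should not be accessible to group or other.
        if stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
            problems.append(f"tls_key: {key_path} is accessible to group/other")
    return problems

def demo():
    """Constructed sample: a temp dir stands in for the real cert paths."""
    d = tempfile.mkdtemp()
    cert = os.path.join(d, "client.cert.pem")
    key = os.path.join(d, "client.key.pem")
    for p in (cert, key):
        with open(p, "w") as fh:
            fh.write("constructed placeholder, not a real PEM\n")
    os.chmod(key, 0o644)
    loose = audit_client_tls(f"tls_cert {cert}\ntls_key {key}\n")
    os.chmod(key, 0o600)
    clean = audit_client_tls(f"TLS_CERT {cert}\nTLS_KEY {key}\n")
    server_only = audit_client_tls("URI ldaps://ldap.example.test/\nTLS_REQCERT yes\n")
    return loose, clean, server_only
```

An empty list means the file names a certificate and key that this account can open; it does not validate the certificate chain against the server's TLSCACertificateFile.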