[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLSVerifyClient: Basic setup works, but SSHD and su fail (SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server)

On Friday 29 August 2008 16:48:26 Hauke Coltzau wrote:

> I want to use TLS-communication between my ldap server and
> the clients.


> Next, I activated TLSVerifyClient on the server side

Why ? You don't need this to address your single remaining problem, unless you 
haven't stated it in full.

> ==== /home/<user>/.ldaprc ====
>   TLS_CERT /home/<user>/openldap/<user>.ldap.cert.pem
>   TLS_KEY /home/<user>/openldap/<user>.ldap.key.pem
> == END /home/<user>/.ldaprc ==
> So, when I start ldapsearch -x as local user, I get a positive result as
> long as the above mentioned certificate is valid. If the user's certificate
> is not valid, ldapsearch fails. Wonderful, that's exactly what I wanted.
> But now to my problem:
> Since I use the ldap server for network user authentication, I can (as
> local user) make a su - <network_user>, enter the password and get
> authenticated, but have a look at the shell:
>   <local user>@<client>:~$ su - <network_user>
>   Password: <network user password here>
>   id: cannot find name for group ID <network_user group>
>   I have no name!@<client>:~$

Does 'strace -e open id' tell you  anything interesting (specifically about 
the key/cert)?

> Without TLSVerifyClient, this works out fine:
>   <local user>@<client>:~$ su - <network_user>
>   Password: <network user password here>
>   <network_user>@<client>:~$
> Secondly: How do I make it possible that when connecting via ssh to the
> client machine (from any other machine), I can login as <network_user>?
> Here are the details:
> In /etc/ldap.conf (ubuntu 8.04 uses this as replacement for
> lib(pam|nss)_ldap.conf),

Actually, Ubuntu reverts back to the upstream location, lib(pam|nss)_ldap.conf 
is a Debian-ism.

> I set the values for
>   tls_cert /usr/lib/ssl/certs/<client>.ldap.cert.pem
>   tls_key /usr/lib/ssl/private/<client>.ldap.key.pem

You didn't indicate any of the other /etc/ldap.conf settings, such as 
tls_cacertfile, tls_check_peer. Additionally, you don't specify if you are 
using nscd, or whether the logged in user (below) can read the tls_cert and 
tls_key files.