[Date Prev][Date Next]
Re: Enforce remote SSL/TLS
On 23/11/11 17:06 +0100, Kasper Loopstra wrote:
We are using PAM to authenticate posixUsers against OpenLDAP. This
works great, and allows 'local' (ssh) logins. However, we also use
LDAP for a number of other services, including remote access and
editing via other software. This means we would like to keep our
users passwords as secure as possible, and enforce encrypted logins
for all remote hosts. However, PAM should still be able to
authenticate. The manner of encryption is not really important, it
just has to be strong enough to be useful over the internet, and
usable for all (or most) clients.
We have tried various solutions with ssf directives in
/etc/ldap/slapd.conf as well as the security tls=1 directive. All of
these attempts broke PAM.
Which PAM ldap module are you using? with PADL's module, you'd want to
configure 'ssl on' (for ldaps:///) or 'ssl starttls' (for starttls over
ldap:///) and also configure the tls_* settings appropriately.
For your slapd configuration, see the slapd.conf manpage - the TLS*
options, as well as the 'security' option. If you are wishing to perform
secure connections over ldaps:///, verify that in your slapd init script,
that you are passing 'ldaps:///' as one of your '-h' command line