
    Join Date
    May 2012
    Issues with LDAP over TLS/SSL

    Hello everyone.

    I got some problems with ldap when I try to use TLS encryption.

    Here's what I have:
    - an Ubuntu server 12.04 (with the ldap server configured)
    - a unix remote client on another machine (ubuntu server)
    - a windows remote client on another machine (windows 7)

    My Ubuntu server is behind a firewall
    the machines are outside the network
    I added a rule to reach the ldap server through the firewall on port 389.

    So below is how I configured my ldap server:
    *** in /etc/resolv.conf
    nameserver <adress_firewall>
    search <domain.com>

    *** /etc/hosts localhost
    192.168.X.X ldap.domain.com

    *** >>hostname

    ***I added those lines to /etc/ldap/slapd.d/cn=config/olcDatabase{1}.ldif
    olcSuffix : dc=domain,dc=com
    olcRootDN: cn=admin,dc=domain,dc=com
    olcRootPW: <password encrypted>

    *** I use phpldapadmin to fill my base and create user accounts

    *** /etc/ldap/ldap.conf
    BASE dc=domain,dc=com
    URI ldap://192.168.X.X

    base dc=domain,dc=com
    uri ldap://ldap.domain.com
    ldap_version 3
    pam_password md5
    nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,messagebus,news,openldap,proxy, root,sshd,sync,sys,syslog,uucp,whoopsie,www-data

    *** /etc/nsswitch.conf
    passwd: compat ldap
    group: compat ldap
    shadow: compat ldap
    hosts: files dns
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis

    *** then I modified the files in /etc/pam.d/ starting with common- as in a site I found

    From here I successfully authenticate with a client on the server.
    It used to work from a remote client (where I modified /etc/ldap.conf, /etc/nsswitch.conf, /etc/pam.d/common- files as before). But now even though I authenticate, I get these messages:
    -bash /home/<client>/.profile : permission denied (at login)
    -bash /home/<client>/.bash_logout : permission denied (at logout)

    But the worst part is when I try to use TLS encryption.
    (the certificates are auto-signed, created by certtool)
    I just added those lines:
    *** in /etc/ldap.conf
    ssl start_tls
    tls_cacert /etc/ssl/certs/cacert.pem
    tls_cert /etc/ssl/certs/ldap_cert.pem
    tls_key /etc/ssl/private/ldap_key.pem

    *** in /etc/ldap/ldap.conf
    TLS_CACERT /etc/ssl/certs/cacert.pem

    *** in /etc/ldap/slapd.d/cn=config.ldif
    olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
    olcTLSCertificateFile: /etc/ssl/certs/ldap_cert.pem
    olcTLSCertificateKeyFile: /etc/ssl/private/ldap_key.pem

    but when I login with a user from the server I get this " I have no name!@ldap" instead of "<client>@ldap"

    In /var/log/auth.log I have this:
    pam_unix(login:session): session opened for user utest by randco(uid=0)
    nss_ldap: reconnecting to LDAP server...
    nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
    nss_ldap: could not search LDAP server - Server is unavailable
    pam_unix(login:session): session closed for user utest

    And it fails from the remote client

    You are my last hope.
    I hope you can help me :/

    Thanks in advance
    And if you need any more details just ask
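An added example, not part of the original post: a small Python script that cross-checks the TLS settings in the three files quoted above (/etc/ldap.conf for nss_ldap, /etc/ldap/ldap.conf, and cn=config). The sample contents are constructed from the post's values; 192.168.0.10 stands in for the post's 192.168.X.X. It flags start_tls without a CA to verify the server, CA paths that differ between files, and a URI whose host is an IP literal rather than the name the certificate was issued to.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed copies of the post's settings (192.168.0.10 stands in for 192.168.X.X).
NSS_LDAP_CONF = """\
uri ldap://ldap.domain.com
ssl start_tls
tls_cacert /etc/ssl/certs/cacert.pem
"""
CLIENT_LDAP_CONF = """\
URI ldap://192.168.0.10
TLS_CACERT /etc/ssl/certs/cacert.pem
"""
SLAPD_CN_CONFIG = """\
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
olcTLSCertificateFile: /etc/ssl/certs/ldap_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_key.pem
"""

def parse_kv(text):
    """Parse 'key value' (ldap.conf) or 'key: value' (LDIF) lines into {lowercased key: value}."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]+):?\s+(\S.*?)\s*$", line.strip())
        if m and not line.lstrip().startswith("#"):
            conf[m.group(1).lower()] = m.group(2)
    return conf

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def check_tls_consistency(nss_conf, client_conf, slapd_ldif):
    """Return a list of findings; an empty list means the three files agree."""
    nss, cli, srv = (parse_kv(t) for t in (nss_conf, client_conf, slapd_ldif))
    findings = []
    if nss.get("ssl") == "start_tls" and "tls_cacert" not in nss:
        findings.append("nss_ldap: 'ssl start_tls' without tls_cacert, server cannot be verified")
    ca_paths = {p for p in (nss.get("tls_cacert"), cli.get("tls_cacert"), srv.get("olctlscacertificatefile")) if p}
    if len(ca_paths) > 1:
        findings.append(f"CA certificate path differs between files: {sorted(ca_paths)}")
    for name, uri in (("nss_ldap", nss.get("uri")), ("ldap.conf", cli.get("uri"))):
        host = urlsplit(uri).hostname if uri else None
        if host and is_ip_literal(host):
            # The certificate's name is checked against the URI host; an IP literal will not match it.
            findings.append(f"{name}: URI host {host} is an IP literal, not the certificate's name")
    return findings
```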
    #2

    Join Date
    May 2012
    Sorry but I really need help for this
