[Fedora-directory-users] Setting up a Debian client for ssl

Steven Jones Steven.Jones at vuw.ac.nz
Mon Sep 17 17:55:09 UTC 2007


My /etc/ldap.conf now looks like this,

# http://www.padl.com
URI     ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/ca.crt
#TLS_REQCERT allow
TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls

When I do,

[root at vuwunicvfwall01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#
 
# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1
 
# search result
search: 3
result: 0 Success
 
# numResponses: 2
# numEntries: 1
[root at vuwunicvfwall01 etc]#

Log file shows,

[root at vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:05:46:37 +1200] conn=2326 fd=70 slot=70 connection from
130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:46:37 +1200] conn=2326 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:46:37 +1200] conn=2326 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[18/Sep/2007:05:46:37 +1200] conn=2326 SSL 256-bit AES
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 BIND dn="" method=128
version=3
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[18/Sep/2007:05:46:37 +1200] conn=2326 op=2 SRCH
base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[18/Sep/2007:05:46:37 +1200] conn=2326 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[18/Sep/2007:05:46:37 +1200] conn=2326 op=3 UNBIND
[18/Sep/2007:05:46:37 +1200] conn=2326 op=3 fd=70 closed - U1

However ssh no longer works.

The access log shows (it has "startTLS", which I guess is good),

[18/Sep/2007:05:49:27 +1200] conn=2327 op=-1 fd=70 closed - Encountered
end of file.
[18/Sep/2007:05:49:52 +1200] conn=2328 fd=70 slot=70 connection from
130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:49:52 +1200] conn=2328 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:49:52 +1200] conn=2328 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 fd=71 slot=71 connection from
127.0.0.1 to 127.0.0.1
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 BIND dn="" method=128
version=3
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[18/Sep/2007:05:50:00 +1200] conn=2329 op=1 SRCH
base="dc=vuw,dc=ac,dc=nz" scope=2
filter="(&(objectClass=posixAccount)(uid=root))" attrs=ALL
[18/Sep/2007:05:50:00 +1200] conn=2329 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 op=2 SRCH
base="dc=vuw,dc=ac,dc=nz" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[18/Sep/2007:05:50:00 +1200] conn=2329 op=2 RESULT err=0 tag=101
nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 op=-1 fd=71 closed - B1
[18/Sep/2007:05:50:01 +1200] conn=2330 fd=71 slot=71 connection from
130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2330 op=-1 fd=71 closed - Encountered
end of file.
[18/Sep/2007:05:50:01 +1200] conn=2331 fd=71 slot=71 connection from
130.195.87.246 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 BIND dn="" method=128
version=3
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[18/Sep/2007:05:50:01 +1200] conn=2331 op=1 SRCH
base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2
filter="(&(objectClass=posixAccount)(uid=root))" attrs=ALL
[18/Sep/2007:05:50:01 +1200] conn=2331 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 SRCH
base="ou=Groups,dc=vuw,dc=ac,dc=nz" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 RESULT err=32 tag=101
nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2331 op=-1 fd=71 closed - B1

regards

Steven Jones
Senior  Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
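Added example, not part of the thread: a small Python classifier for the 389 Directory Server access-log format shown above. It groups lines by conn id, flags connections whose BIND arrived with no preceding "SSL ..." cipher line (clear-text binds, like the ones from 127.0.0.1 and 130.195.87.246 above), flags startTLS requests that hit end of file before the cipher line (an aborted handshake, as on conn=2330), and collects non-zero result codes such as the err=32 on the ou=Groups search. The sample log is constructed from the excerpts in the post.

```python
"""Group 389 DS access-log lines by connection; flag BINDs without TLS and startTLS handshakes that never completed. SAMPLE_LOG is constructed from the post's excerpts."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[18/Sep/2007:05:46:37 +1200] conn=2326 fd=70 slot=70 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:46:37 +1200] conn=2326 SSL 256-bit AES
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:00 +1200] conn=2329 fd=71 slot=71 connection from 127.0.0.1 to 127.0.0.1
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:01 +1200] conn=2330 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:50:01 +1200] conn=2330 op=-1 fd=71 closed - Encountered end of file.
[18/Sep/2007:05:50:01 +1200] conn=2331 fd=71 slot=71 connection from 130.195.87.246 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 RESULT err=32 tag=101 nentries=0 etime=0
"""

CONN_RE = re.compile(r"\] conn=(\d+) (.*)$")
PEER_RE = re.compile(r"connection from (\S+) to")
ERR_RE = re.compile(r"RESULT err=(\d+)")

def classify(log_text):
    # Per-connection state: peer address, startTLS seen, TLS established, BIND seen, aborted handshake, non-zero result codes
    conns = defaultdict(lambda: {"peer": None, "starttls": False, "tls": False, "bound": False,
                                 "handshake_failed": False, "errors": []})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c, rest = conns[m.group(1)], m.group(2)
        if "connection from" in rest:
            c["peer"] = PEER_RE.search(rest).group(1)
        elif 'name="startTLS"' in rest:
            c["starttls"] = True
        elif rest.startswith("SSL "):
            c["tls"] = True  # the cipher line is logged only after a successful handshake
        elif " BIND " in rest:
            c["bound"] = True
        elif " closed " in rest and c["starttls"] and not c["tls"]:
            c["handshake_failed"] = True  # EOF between startTLS and the SSL line
        e = ERR_RE.search(rest)
        if e and e.group(1) != "0":
            c["errors"].append(int(e.group(1)))  # e.g. err=32 noSuchObject for a search base
    return dict(conns)

def plaintext_binds(conns):
    # Connections that sent a BIND with no TLS negotiated first
    return sorted(k for k, c in conns.items() if c["bound"] and not c["tls"])

def failed_handshakes(conns):
    return sorted(k for k, c in conns.items() if c["handshake_failed"])
```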

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, 18 September 2007 2:01 a.m.
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Setting up a Debian client for ssl

Steven Jones wrote:
> This is my pam_ldap.conf,
>
> I seem unable to get ssl to work....what am I missing?
>
> I also need to set ssl only so no plain text passwords are sent...
>
> #file copied from openldap syntax might have issues but seems to work.
> #but not in ssl mode
> #
> #
> # LDAP Defaults
> #
>

> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> host 130.195.87.249
> base dc=vuw,dc=ac,dc=nz
> #ssl no
> # this syntax does not work --> ssl on
> ssl yes
> ssl start_tls
> pam_password exop
> #pam_password md5
> HOST 130.195.87.249
> BASE dc=vuw,dc=ac,dc=nz
> #nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
> #nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_CACERT /etc/openldap/cacerts/cacert.asc
> #TLS_CACERT /etc/openldap/cacerts/5be5959f.0
> TLS_REQCERT allow
> #syntax not liked --> uri ldapi://130.195.87.249
> URI ldap://ldap.vuw.ac.nz
>   
To rule out cert CA issues, set TLS_REQCERT to never.

I don't think you can specify both TLS_CACERTDIR and TLS_CACERT - or maybe you can, but I always have problems when trying to use TLS_CACERTDIR.
> regards
>
> Steven Jones
> Senior  Linux/Unix/San/Vmware System Administrator
> APG -Technology Integration Team
> Victoria University of Wellington
> Phone: +64 4 463 6272
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   