
TLS LDAP Configuration w/Linux 5.0



Hello,
 
Info as follows:
 
OS: RH Enterprise Server 5.1
Server Certificates: Created using a Common Name of "S80.com"
Client Certificate: Copied "cacert.pem" from the server and placed into "/etc/openldap/cacerts/"
 
Problem: When configuring TLS to work with LDAP I'm no longer able to log in from a client via LDAP. LDAP works normally when TLS is not configured. Suspect possible configuration problem. I'd appreciate any additional information. Thanks.
 
CLIENT /ETC/LDAP.CONF

# The distinguished name of the search base.
base dc=S80,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600

# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

bind_policy soft
uri ldaps://192.168.10.1/
ssl start_tls
TLS_CACERT /etc/openldap/cacerts/cacert.pem
pam_password md5

CLIENT /ETC/OPENLDAP/LDAP.CONF

URI ldaps://192.168.10.1/
BASE dc=S80,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem

SERVER /ETC/OPENLDAP/SLAPD.CONF

TLSCACertificateFile /var/certs/cacert.pem
TLSCertificateFile /var/certs/servercrt.pem
TLSCertificateKeyFile /var/certs/serverkey.pem

database ldbm
suffix "dc=S80,dc=com"
rootdn "cn=Administrator,dc=S80,dc=com"

USED THE FOLLOWING COMMANDS (Did not observe ldaps port 636 being opened. Not sure if it's necessary due to start_tls on port 389)

slapd -h "ldap:/// ldaps:///"
nmap 192.168.10.1

PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
389/tcp  open  ldap
617/tcp  open  sco-dtmgr
650/tcp  open  unknown
722/tcp  open  unknown
2049/tcp open  nfs

AMPLIFYING DATA
 
No errors occur using "ldapsearch -x 'uid=jmathis' -H ldap://192.168.10.1"
 
Errors observed using:
 

ldapsearch -x 'uid=jmathis' -H ldaps://192.168.10.1
ldap_bind: Can't contact LDAP server (-1)

ldapsearch -x -b 'dc=S80,dc=com' -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
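The client files above combine `uri ldaps://192.168.10.1/` with `ssl start_tls`, and the nmap listing shows 389 listening but not 636. The following is an added example, not part of the original post and not code from OpenLDAP or nss_ldap: a small Python lint that parses an nss_ldap-style ldap.conf together with an nmap port table and reports exactly that class of inconsistency (StartTLS mode on an ldaps:// URI, a URI whose port is not listening, TLS requested with no CA configured, or no TLS at all) before any bind is attempted. Assumptions: the `ssl` key takes nss_ldap's values `no`, `on` and `start_tls`; any of `tls_cacert`, `tls_cacertfile` or `tls_cacertdir` counts as a configured CA; the sample inputs are copied from the post.

```python
import re
from urllib.parse import urlsplit

# Default ports for the two LDAP URI schemes.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Keys that point the client at a CA for verifying the server certificate.
# Assumption: any one of these counts as "CA configured" for this lint.
CA_KEYS = ("tls_cacert", "tls_cacertfile", "tls_cacertdir")

# Sample inputs, constructed from the configuration and nmap output in the post.
CLIENT_LDAP_CONF = """\
# The distinguished name of the search base.
base dc=S80,dc=com
bind_policy soft
uri ldaps://192.168.10.1/
ssl start_tls
TLS_CACERT /etc/openldap/cacerts/cacert.pem
pam_password md5
"""

NMAP_OUTPUT = """\
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
389/tcp  open  ldap
617/tcp  open  sco-dtmgr
650/tcp  open  unknown
722/tcp  open  unknown
2049/tcp open  nfs
"""


def parse_ldap_conf(text):
    """Parse 'KEY value' lines into a dict keyed by lowercased key.

    Comments and blank lines are skipped; if a key repeats, the last value wins.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_nmap_ports(text):
    """Return the set of open TCP ports from nmap's 'PORT STATE SERVICE' table."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", text, re.M)}


def lint(conf, open_ports=None):
    """Check a parsed client ldap.conf for TLS/URI inconsistencies.

    Returns a list of (code, message) tuples; an empty list means no finding.
    open_ports, if given, is the set of TCP ports observed listening on the server.
    """
    findings = []
    ssl_mode = conf.get("ssl", "no").lower()  # nss_ldap values: no | on | start_tls
    wants_tls = ssl_mode in ("on", "start_tls")

    for uri in conf.get("uri", "").split():
        u = urlsplit(uri)
        scheme = u.scheme.lower()
        port = u.port or DEFAULT_PORTS.get(scheme)
        if scheme == "ldaps":
            wants_tls = True
            if ssl_mode == "start_tls":
                findings.append(("MODE_URI_CONFLICT",
                    f"{uri}: 'ssl start_tls' upgrades a plain ldap:// session on "
                    f"{DEFAULT_PORTS['ldap']}, while ldaps:// expects TLS from the first "
                    f"byte on {DEFAULT_PORTS['ldaps']}; use ldap:// with start_tls, "
                    f"or ldaps:// with 'ssl on'."))
        elif scheme == "ldap" and ssl_mode == "no":
            findings.append(("PLAINTEXT",
                f"{uri}: no TLS; binds and directory data cross the wire unencrypted."))
        if open_ports is not None and port is not None and port not in open_ports:
            findings.append(("PORT_CLOSED",
                f"{uri}: needs TCP {port}, which is not listening on the server."))

    if wants_tls and not any(k in conf for k in CA_KEYS):
        findings.append(("NO_CACERT",
            "TLS requested but no CA configured; the server certificate cannot be verified."))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_ldap_conf(CLIENT_LDAP_CONF), parse_nmap_ports(NMAP_OUTPUT)):
        print(f"[{code}] {msg}")
```

Run against the post's own files, the lint reports `MODE_URI_CONFLICT` (start_tls on an ldaps URI) and `PORT_CLOSED` (636 not in the nmap table); the same parser accepts `/etc/openldap/ldap.conf`, whose `URI`/`TLS_CACERT` keys differ only in case.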