Re: TLSVerifyClient: Basic setup works, but SSHD and su fail (SLAPD 2.4.9 and OpenSSL 0.9.8g on Ubuntu 8.04 server)
On Friday 29 August 2008 16:48:26 Hauke Coltzau wrote:
> I want to use TLS-communication between my ldap server and
> the clients.
[...]
> Next, I activated TLSVerifyClient on the server side
Why? You don't need this to address your single remaining problem, unless you
haven't stated it in full.
> ==== /home/<user>/.ldaprc ====
>
> TLS_CERT /home/<user>/openldap/<user>.ldap.cert.pem
> TLS_KEY /home/<user>/openldap/<user>.ldap.key.pem
>
> == END /home/<user>/.ldaprc ==
>
>
> So, when I start ldapsearch -x as local user, I get a positive result as
> long as the above mentioned certificate is valid. If the user's certificate
> is not valid, ldapsearch fails. Wonderful, that's exactly what I wanted.
>
>
> But now to my problem:
>
> Since I use the ldap server for network user authentication, I can (as
> local user) make a su - <network_user>, enter the password and get
> authenticated, but have a look at the shell:
>
> <local user>@<client>:~$ su - <network_user>
> Password: <network user password here>
> id: cannot find name for group ID <network_user group>
> I have no name!@<client>:~$
Does 'strace -e open id' tell you anything interesting (specifically about
the key/cert)?
> Without TLSVerifyClient, this works out fine:
>
> <local user>@<client>:~$ su - <network_user>
> Password: <network user password here>
> <network_user>@<client>:~$
>
> Secondly: How do I make it possible that when connecting via ssh to the
> client machine (from any other machine), I can login as <network_user>?
> Here are the details:
>
> In /etc/ldap.conf (ubuntu 8.04 uses this as replacement for
> lib(pam|nss)_ldap.conf),
Actually, Ubuntu reverts back to the upstream location; lib(pam|nss)_ldap.conf
is a Debian-ism.
> I set the values for
>
> tls_cert /usr/lib/ssl/certs/<client>.ldap.cert.pem
> tls_key /usr/lib/ssl/private/<client>.ldap.key.pem
You didn't indicate any of the other /etc/ldap.conf settings, such as
tls_cacertfile, tls_check_peer. Additionally, you don't specify if you are
using nscd, or whether the logged in user (below) can read the tls_cert and
tls_key files.
Regards,
Buchan
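A read-side check for the /etc/ldap.conf points raised in the reply (tls_cacertfile and tls_check_peer unset, tls_cert/tls_key not readable by the su'd user). This is an added example, not code from the thread; it assumes GNU coreutils stat and builds a constructed sample config under a temp directory.

```shell
#!/bin/sh
# Added example (not from the thread): check an /etc/ldap.conf-style file for
# tls_cacertfile / tls_check_peer being set, and tls_cert / tls_key existing and
# being readable by users other than the owner (an su'd network user is not the
# key's owner). Assumes GNU coreutils stat for the mode check.

ldap_conf_value() {   # ldap_conf_value CONF KEY -> prints the first value of KEY
    awk -v key="$2" 'tolower($1) == key { print $2; exit }' "$1"
}

others_can_read() {   # succeed if the "others" permission bits include read
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in *[4567]) return 0 ;; *) return 1 ;; esac
}

check_ldap_conf() {   # exit status = number of problems found (0 = clean)
    conf=$1; problems=0
    for key in tls_cacertfile tls_check_peer; do
        [ -n "$(ldap_conf_value "$conf" "$key")" ] && continue
        echo "MISSING: $key is not set in $conf"; problems=$((problems + 1))
    done
    for key in tls_cert tls_key; do
        path=$(ldap_conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "MISSING: $key is not set in $conf"; problems=$((problems + 1))
        elif [ ! -e "$path" ]; then
            echo "ABSENT: $key -> $path does not exist"; problems=$((problems + 1))
        elif ! others_can_read "$path"; then
            echo "UNREADABLE: $key -> $path (mode $(stat -c %a "$path")) not readable by other users"
            problems=$((problems + 1))
        else
            echo "OK: $key -> $path"
        fi
    done
    return "$problems"
}

make_fixture() {      # constructed sample: only tls_cert/tls_key set, key is mode 0600
    dir=$(mktemp -d)
    printf 'dummy cert\n' > "$dir/client.ldap.cert.pem"; chmod 0644 "$dir/client.ldap.cert.pem"
    printf 'dummy key\n'  > "$dir/client.ldap.key.pem";  chmod 0600 "$dir/client.ldap.key.pem"
    printf 'uri ldap://ldap.example.org/\ntls_cert %s\ntls_key %s\n' \
        "$dir/client.ldap.cert.pem" "$dir/client.ldap.key.pem" > "$dir/ldap.conf"
    echo "$dir/ldap.conf"
}

conf=$(make_fixture)
check_ldap_conf "$conf"
echo "problems found: $?"
```

Run it against the real /etc/ldap.conf with `check_ldap_conf /etc/ldap.conf` once the functions are sourced; a non-zero status names each setting to fix.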