I am a novice to Linux administration. Recently I had to configure a system to authenticate using LDAP with TLS. I have read guides from several websites, but I still couldn't configure it. There seem to be several reasons for the failure. I tried many suggestions, but with no success. I don't have access to the LDAP server, so I have just been playing with the config on the client. My ldap.conf content is below:
TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt
TLS_CACERTDIR /etc/openldap/cacerts
I could issue an ldapsearch -x, which returns several entries. However, I couldn't do it using TLS. The following command shows some errors. Could you suggest possible directions to resolve this? The directory /etc/openldap/cacerts/ contains the server certificate sso.abcdef.edu.crt. I also made a copy of it with the name sso.abcdef.edu.pem. I am not sure whether this pem file should be that of the server or the client. Another question: should the client also have a CA (or self-signed) certificate, and should it be uploaded onto the LDAP server? Could anyone please describe the basic essential steps in configuring an LDAP client with TLS (without necessarily including the commands)? (Several guides suggest changing configs in several places (like pam_ldap.conf, auth.conf, etc.), but the CentOS documentation on LDAP describes configuration only for ldap.conf (which I couldn't follow completely).)
/etc/openldap/cacerts root@wserver[0.5]5019 > ldapsearch -ZZZ -h sso.abcdef.edu -d -1
ldap_extended_operation_s
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_connect_to_host: Trying 10.71.31.15:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ber_dump: buf=0x15ea5b0 ptr=0x15ea5b0 end=0x15ea5cf len=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ber_dump: buf=0x15ea5b0 ptr=0x15ea5b5 end=0x15ea5cf len=26
  0000:  77 18 80 16 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   w...1.3.6.1.4.1.
  0010:  31 34 36 36 2e 32 30 30  33 37                     1466.20037
ber_flush2: 31 bytes to sd 3
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_write: want=31, written=31
  0000:  30 1d 02 01 01 77 18 80  16 31 2e 33 2e 36 2e 31   0....w...1.3.6.1
  0010:  2e 34 2e 31 2e 31 34 36  36 2e 32 30 30 33 37      .4.1.1466.20037
ldap_result ld 0x15e1090 msgid 1
wait4msg ld 0x15e1090 msgid 1 (infinite timeout)
wait4msg continue ld 0x15e1090 msgid 1 all 1
** ld 0x15e1090 Connections:
  refcnt: 2  status: Connected
  last used: Tue Oct 20 20:50:52 2015

** ld 0x15e1090 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x15e1090 request count 1 (abandoned 0)
** ld 0x15e1090 Response Queue:
  ld 0x15e1090 response count 0
ldap_chkResponseList ld 0x15e1090 msgid 1 all 1
ldap_chkResponseList returns ld 0x15e1090 NULL
read1msg: ld 0x15e1090 msgid 1 all 1
  0000:  30 0c 02 01 01 78 07 0a                            0....x..
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x15eba20 ptr=0x15eba20 end=0x15eba2c len=12
  0000:  02 01 01 78 07 0a 01 00  04 00 04 00               ...x........
read1msg: ld 0x15e1090 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
read1msg: ld 0x15e1090 0 new referrals
read1msg:  mark request completed, ld 0x15e1090 msgid 1
request done: ld 0x15e1090 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9
  0000:  78 07 0a 01 00 04 00 04  00                        x........
ber_dump: buf=0x15eba20 ptr=0x15eba2c end=0x15eba2c len=0
TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt.
TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded from PEM file.
TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - error -8018:Unknown PKCS #11 error..
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.
ldap_start_tls: Connect error (-11)
ber_flush2: 7 bytes to sd 3
  0000:  30 05 02 01 02 42 00                               0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 02 42 00                               0....B.
ldap_free_connection: actually freed