Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04)

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Martin Wegner <public [at] mroot.net>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04)
Date: Tue, 19 Apr 2011 13:38:51 +0200

Hello.

We have problems to setup a LDAP server and client for user
authentication in our network.
We generated a CA and client-/user-certificates so that the LDAP server
is able to verify connecting clients and vice versa.

We are using the libnss-ldap and libpam-ldap packages.

/etc/ldap.conf has the following options set:
base dc=irmb,dc=bau,dc=tu-bs,dc=de
uri ldaps://elrond.irmb.bau.tu-bs.de
ldap_version 3
rootbinddn cn=admin,dc=irmb,dc=bau,dc=tu-bs,dc=de
port 636
pam_password sha
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/caelrond.pem
tls_cert /etc/ssl/certs/lurtzldap.crt
tls_key /etc/ssl/private/lurtzldap.key
nss_initgroups_ignoreusers
avahi,avahi-autoipd,backup,bin,daemon,games,gnats,haldaemon,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,ntp,postfix,proxy,root,saned,sshd,statd,sync,sys,syslog,usbmux,uucp,www-data

The tls_key is only readable by root.

As far as I understand it, pam first queries the LDAP server as root and
after that queries are done with the uid of the user. The problem is
that the user has no permission to read the tls_key.

So we created a .ldaprc in the user's home directory and added a tls_key
option there with a specific key for that user to use for querying the
LDAP server:
URI ldaps://elrond.irmb.bau.tu-bs.de:636
PORT 636
TLS_CACERT /etc/ssl/certs/caelrond.pem
TLS_REQCERT demand
TLS_CERT /home/<user>/.ldap/<user>ldap.crt
TLS_KEY /home/<user>/.ldap/<user>ldap.key

The certificate and key exist and are readable by the user.

The problem is now that the tls_key option seems to be ignored in
.ldaprc although the library seems to read it.
An
$ strace -e open id
as a normal user shows that the .ldaprc is read, but it seems to have no
effect since afterwards the host certificate and key is used to query
the LDAP server anyways but the according operations give a "permission
denied", of course:
[...]
open("/home/<user>/.ldaprc", O_RDONLY|O_LARGEFILE) = 3
[...]
open("/etc/ssl/private/lurtzldap.key", O_RDONLY|O_LARGEFILE) = -1 EACCES
(Permission denied)

So why is the tls_key in .ldaprc ignored apparently? ... I'd be glad if
you could point me to what I'm missing here.

Best regards,

Martin Wegner
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users

Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04), Martin Wegner

Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04), Arthur de Jong
- Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04), Martin Wegner
  - Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04), Arthur de Jong

Prev by Date: Re: Schema to add hostname property to accounts for pam_authz_search?
Next by Date: Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04)
Previous by thread: Re: Schema to add hostname property to accounts for pam_authz_search?
Next by thread: Re: Problem with libnss-ldap/libpam-ldap and TLS client-/server-verification (Ubuntu 10.04)