Re: nslcd with tls

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Arthur de Jong <arthur [at] arthurdejong.org>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: nslcd with tls
Date: Thu, 26 Jul 2012 14:58:52 +0200

On Thu, 2012-07-26 at 11:02 +0200, Cieslak, Andreas wrote:
> Here are the tls-settings from my nslcd.conf:
> 
> ssl start_tls
> tls_cert /etc/ssl/certs/slapd.pem
> tls_key /etc/ssl/private/slapd.key
> tls_cacertdir /etc/ssl/certs
> tls_cacertfile /etc/ssl/certs/ca-certificates.crt
> tls_reqcert try

The key and cert are probably from the server side, not the client
(nslcd) side so should probably not be loaded into nslcd (unless you use
client side certificates). In any case it is not advisable to share the
same key between the server and client.

> The certs work already with other services (mail, etc.) and have
> permissions like 644 and 640 for the key-file.
> 
> The user openldap is in the group ssl-cert.

The problem is probably that the key file isn't readable by nslcd and
that is where the Permission denied error is from. Assuming that the
slapd.key is group-owned by openldap, nslcd can't read it.

Also, nslcd doesn't load secondary groups on start-up so adding the
nslcd user to the openldap group doesn't help (this last part was
recently changed in the development repository but not yet released).

You should probably generate a new nslcd client key and get a
certificate for that one. You can set the permissions on that one to
ensure that only nslcd can open it.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

nslcd with tls, Cieslak, Andreas
- Re: nslcd with tls, Arthur de Jong

Prev by Date: nslcd with tls
Next by Date: AW: nslcd with tls
Previous by thread: nslcd with tls
Next by thread: AW: nslcd with tls