Re: nslcd with tls

On Thu, 2012-07-26 at 11:02 +0200, Cieslak, Andreas wrote:
> Here are the tls-settings from my nslcd.conf:
> 
> ssl start_tls
> tls_cert /etc/ssl/certs/slapd.pem
> tls_key /etc/ssl/private/slapd.key
> tls_cacertdir /etc/ssl/certs
> tls_cacertfile /etc/ssl/certs/ca-certificates.crt
> tls_reqcert try

The key and cert are probably from the server side, not the client
(nslcd) side, so they should probably not be loaded into nslcd (unless you use
client-side certificates). In any case it is not advisable to share the
same key between the server and client.

> The certs work already with other services (mail, etc.) and have
> permissions like 644 and 640 for the key-file.
> 
> The user openldap is in the group ssl-cert.

The problem is probably that the key file isn't readable by nslcd and
that is where the Permission denied error is from. Assuming that the
slapd.key is group-owned by openldap, nslcd can't read it.

Also, nslcd doesn't load secondary groups on start-up so adding the
nslcd user to the openldap group doesn't help (this last part was
recently changed in the development repository but not yet released).

You should probably generate a new nslcd client key and get a
certificate for that one. You can set the permissions on that one to
ensure that only nslcd can open it.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
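A small check for the situation described in this thread, added here as an example and not part of the original mail or of nss-pam-ldapd itself: it reads the tls_key path from an nslcd.conf and decides whether the nslcd user can open it using only file ownership, its primary group and the mode bits, since the reply notes that released nslcd did not pick up supplementary groups such as ssl-cert at start-up. It assumes the service user is called "nslcd" and that GNU stat is available.

```shell
# Print the value of an option (e.g. tls_key) from an nslcd.conf-style file.
conf_value() {
    # $1 = config file, $2 = option name
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# Decide read access from owner, group and octal mode alone, ignoring
# supplementary groups (what nslcd had at the time). Prints "yes" or "no".
readable_primary_only() {
    owner=$1 group=$2 mode=$3 user=$4 pgroup=$5
    mode=${mode#"${mode%???}"}          # keep the last three octal digits
    if [ "$user" = "$owner" ]; then
        bits=${mode%??}                  # owner digit
    elif [ "$pgroup" = "$group" ]; then
        bits=${mode#?}; bits=${bits%?}   # group digit
    else
        bits=${mode#??}                  # other digit
    fi
    if [ $((bits & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# Run the check against the real key file named in a config file.
# $1 = path to nslcd.conf, $2 = service user (assumed to be "nslcd")
check_nslcd_key() {
    conf=$1 user=${2:-nslcd}
    keyfile=$(conf_value "$conf" tls_key)
    if [ -z "$keyfile" ]; then
        echo "no tls_key configured"
        return 0
    fi
    set -- $(stat -c '%U %G %a' "$keyfile")   # owner group mode
    readable_primary_only "$1" "$2" "$3" "$user" "$(id -gn "$user")"
}
```

With the settings quoted above (slapd.key root:openldap, mode 640, nslcd's primary group nslcd) the check prints "no", which matches the Permission denied the reply explains; a key owned by nslcd with mode 600 prints "yes".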