AW: nslcd with tls

Thanks Arthur.
I had the server certs and key entries in the nslcd.conf of the client system.
I am going to create the certs and key for the client and try the connection to the
server again.


-----Original Message-----
From: nss-pam-ldapd-users-bounces+cieslak=folkwang-uni.de@lists.arthurdejong.org
on behalf of Arthur de Jong
Sent: Thursday, 26 July 2012 14:59
To: nss-pam-ldapd-users@lists.arthurdejong.org
Subject: Re: nslcd with tls

On Thu, 2012-07-26 at 11:02 +0200, Cieslak, Andreas wrote:
> Here are the tls-settings from my nslcd.conf:
> 
> ssl start_tls
> tls_cert /etc/ssl/certs/slapd.pem
> tls_key /etc/ssl/private/slapd.key
> tls_cacertdir /etc/ssl/certs
> tls_cacertfile /etc/ssl/certs/ca-certificates.crt
> tls_reqcert try

The key and cert are probably from the server side, not the client
(nslcd) side, so should probably not be loaded into nslcd (unless you use
client-side certificates). In any case it is not advisable to share the same key
between the server and client.

> The certs work already with other services (mail, etc.) and have 
> permissions like 644 and 640 for the key-file.
> 
> The user openldap is in the group ssl-cert.

The problem is probably that the key file isn't readable by nslcd and that is 
where the Permission denied error is from. Assuming that the slapd.key is 
group-owned by openldap, nslcd can't read it.

Also, nslcd doesn't load secondary groups on start-up so adding the nslcd user 
to the openldap group doesn't help (this last part was recently changed in the 
development repository but not yet released).

You should probably generate a new nslcd client key and get a certificate for 
that one. You can set the permissions on that one to ensure that only nslcd can 
open it.

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
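The steps Arthur recommends (a dedicated client key for nslcd, permissions that only nslcd can satisfy, and no reliance on secondary group membership) as an added example. This is not code from the thread or from the nss-pam-ldapd project. It assumes GNU `stat -c`, a daemon user `nslcd` with primary group `nslcd`, and placeholder paths under `/etc/nslcd`; the readability check deliberately ignores secondary groups to mirror the start-up behaviour described in the reply.

```shell
#!/bin/sh
# Added example (not from the list thread or the nss-pam-ldapd project).
# Assumptions: GNU stat (-c) is available; nslcd runs as user "nslcd" with
# primary group "nslcd"; /etc/nslcd/... paths are placeholders.

# Generate a private key and CSR for the nslcd client certificate.
# umask 077 means the key is never group- or world-readable, even briefly;
# it is then locked to mode 0400. chown to nslcd is done separately because
# that needs root, and the CSR goes to your CA for signing.
gen_nslcd_client_key() {
    keyfile=$1
    csrfile=$2
    cn=${3:-nslcd-client}
    ( umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$keyfile" 2>/dev/null ) || return 1
    openssl req -new -key "$keyfile" -subj "/CN=$cn" -out "$csrfile" 2>/dev/null || return 1
    chmod 0400 "$keyfile"
}

# Return 0 if user $2 (primary group $3) could open file $1 for reading,
# judging only by owner, owning group and mode bits. Secondary groups are
# ignored on purpose: a process that never calls initgroups() has only its
# primary group, so adding the daemon user to the owning group of a 0640
# key does not make the key readable at start-up.
can_read_as() {
    f=$1
    u=$2
    g=$3
    [ "$u" = root ] && return 0
    info=$(stat -c '%U %G %a' "$f") || return 2
    set -- $info
    owner=$1
    group=$2
    perm=$(( 0$3 ))        # leading 0: shell arithmetic reads the mode as octal
    if [ "$u" = "$owner" ]; then
        bit=$(( (perm >> 6) & 4 ))
    elif [ "$g" = "$group" ]; then
        bit=$(( (perm >> 3) & 4 ))
    else
        bit=$(( perm & 4 ))
    fi
    [ "$bit" -ne 0 ]
}

# Print a verdict for the key that tls_key in nslcd.conf points at.
check_nslcd_key() {
    if can_read_as "$1" "${2:-nslcd}" "${3:-nslcd}"; then
        echo "ok: $1 is readable by ${2:-nslcd}"
    else
        echo "ERROR: $1 is not readable by ${2:-nslcd}; expect 'Permission denied' from nslcd" >&2
        return 1
    fi
}
```

Typical use as root: `gen_nslcd_client_key /etc/nslcd/nslcd.key /etc/nslcd/nslcd.csr`, have the CSR signed, `chown nslcd:nslcd /etc/nslcd/nslcd.key`, then `check_nslcd_key /etc/nslcd/nslcd.key` before pointing `tls_key` and `tls_cert` at the new files. Running `check_nslcd_key /etc/ssl/private/slapd.key` against the original configuration reproduces the failure from the thread: a 0640 key group-owned by openldap is not readable by a user whose only group is nslcd.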