lists.arthurdejong.org
RSS feed

Re: nslcd 7.5 and TLS_CERT/TLS_KEY with StartTLS

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: nslcd 7.5 and TLS_CERT/TLS_KEY with StartTLS



On Mon, 2016-02-29 at 22:06 -0500, Frank Crow wrote:
> I'm trying to use nslcd 7.5 (the version that comes with RHEL 6.7)
> with OpenLDAP 2.4.23 using client-side TLS_CERT and TLS_KEY and "ssl
> start_tls".
> 
> If I enable start_tls and use the TLS_CERT/TLS_KEY then nslcd will
> not connect to my LDAP servers.   If I turn off start_tls then I can
> specify TLS_CERT & TLS_KEY but it doesn't seem to use the client-side 
> cert for authentication.   Also, start_tls without TLS_CERT/TLS_KEY
> seems to work as well.

LDAP and TLS together are always a pain to debug. If you pass multiple
-d options to nslcd you will get more debugging output which may be
helpful but error reporting from the TLS layer back though the LDAP
library is flaky at best. Support for options also depends heavily on
which TLS library is linked to libldap.

One thing that you should take care of that you either use an ldaps://
URL or use ldap:// (no s) in combination with ssl start_tls. Playing
with tls_reqcert can also help.

> I can access my LDAP servers from the command line with "-ZZ -Y
> EXTERNAL" no problem.

I haven't used external authentication with nslcd so there could be
bugs. You do need to specify sasl_mech probably to achieve the same.

Can you post debug output of nslcd while trying this?

Also, I'm not 100% sure this works in combination with using SASL with
the PAM authentication but you'll have to test that.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/