
Re: nslcd 7.5 and TLS_CERT/TLS_KEY with StartTLS


Once I fixed my server certs (so that the cn= was the FQDN, not the short host name), I am able to use StartTLS with TLS_CERT/TLS_KEY in the nslcd (and pam_ldap) configuration files. I see in the OpenLDAP server log that it is getting the StartTLS and I have disabled anonymous queries (security ssf=128), so I am reasonably certain that the client-side certs are being used.

Now about the "sasl_mech external" thing. I did experiment using that as well. However, when I used it, I was not able to tell any difference in communication between the server and nslcd by looking at the server logs. It still used StartTLS and the client certs as before.

Seeing as I'm getting the same behavior either way, I have removed the "sasl_mech external" from the nslcd configuration in order to avoid the warning message - which would probably spook our test team.

I really wish that Red Hat would catch up to your development but I'm happy with what I've got now. Again, thanks for your assistance.


On Mon, Mar 7, 2016 at 2:17 PM, Frank Crow <fjcrow2008 [at]> wrote:
Hey Arthur,

Just a quick follow-up on this. I discovered that my server-side certs were not correctly generated. So, while that wasn't the original issue, it might be related. I've recreated all the certs and will be trying all of this again today.

I appreciate your assistance!


On Wed, Mar 2, 2016 at 5:06 PM, Arthur de Jong <arthur [at]> wrote:
On Mon, 2016-02-29 at 22:06 -0500, Frank Crow wrote:
> I'm trying to use nslcd 7.5 (the version that comes with RHEL 6.7)
> with OpenLDAP 2.4.23 using client-side TLS_CERT and TLS_KEY and "ssl
> start_tls".
> If I enable start_tls and use the TLS_CERT/TLS_KEY then nslcd will
> not connect to my LDAP servers.   If I turn off start_tls then I can
> specify TLS_CERT & TLS_KEY but it doesn't seem to use the client-side
> cert for authentication.   Also, start_tls without TLS_CERT/TLS_KEY
> seems to work as well.

LDAP and TLS together are always a pain to debug. If you pass multiple
-d options to nslcd you will get more debugging output which may be
helpful but error reporting from the TLS layer back through the LDAP
library is flaky at best. Support for options also depends heavily on
which TLS library is linked to libldap.

One thing that you should take care of is that you either use an ldaps://
URL or use ldap:// (no s) in combination with ssl start_tls. Playing
with tls_reqcert can also help.

> I can access my LDAP servers from the command line with "-ZZ -Y
> EXTERNAL" no problem.

I haven't used external authentication with nslcd so there could be
bugs. You do need to specify sasl_mech probably to achieve the same.

Can you post debug output of nslcd while trying this?

Also, I'm not 100% sure this works in combination with using SASL with
the PAM authentication but you'll have to test that.

Hope this helps,

-- arthur - arthur [at] - --
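The thread above boils down to three settings that have to agree: the URI scheme, the `ssl` mode, and the client certificate options. The fragment below is an added example written for this page, not a configuration posted by either participant or shipped by the nss-pam-ldapd project; the host name, base DN, file paths and the commented-out "wrong" variant are assumptions. It shows the combination Arthur describes (plain `ldap://` plus `ssl start_tls`) beside the one that fails, and the server-name check that turned out to be Frank's actual problem:

```conf
# /etc/nslcd.conf (illustrative; hostnames, paths and DNs are assumptions)

# Wrong: an ldaps:// URI already negotiates TLS on connect, so asking
# for StartTLS on top of it does not work. Use one or the other.
#uri ldap s://ldap.example.com/
#ssl start_tls

# Right, variant A: plain ldap:// URI upgraded with StartTLS.
uri ldap://ldap.example.com/
ssl start_tls

# Right, variant B: LDAP over TLS on port 636, with no start_tls line.
#uri ldaps://ldap.example.com/

base dc=example,dc=com

# Verify the server certificate. With "demand", libldap also checks
# that the server cert's CN (or a SAN) matches the host name given in
# uri, so the cert must say ldap.example.com, not the short name "ldap".
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/ca.crt

# Client certificate presented during the TLS handshake. The private
# key should be readable only by the user nslcd runs as.
tls_cert /etc/openldap/certs/nslcd.crt
tls_key  /etc/openldap/certs/nslcd.key

# Optional: bind with SASL EXTERNAL so the server maps the client
# certificate's subject DN to an authorization identity, instead of
# leaving the connection anonymous after the handshake.
#sasl_mech EXTERNAL
```

To check the same material outside nslcd, point the OpenLDAP client tools at the same files and force StartTLS, for example `LDAPTLS_CERT=/etc/openldap/certs/nslcd.crt LDAPTLS_KEY=/etc/openldap/certs/nslcd.key ldapsearch -H ldap://ldap.example.com/ -ZZ -Y EXTERNAL -b dc=example,dc=com` (`-ZZ` makes the search fail rather than silently fall back if StartTLS is refused). If that works but nslcd does not, run `nslcd -d -d -d` in the foreground, as Arthur suggests, to see which step of the connection fails.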
