
Re: nslcd: LDAP with TLS

Hi Andrea,

On Wed, 19 Jan 2022, Andrea Sighinolfi wrote:

> I need to configure nslcd to allow me to authenticate a user on a remote LDAP
> server through an encrypted connection (TLS). I am using a sample program
> which makes use of the pam_ldap.so module to provide LDAP authentication using
> nslcd. If the LDAP connection is not encrypted (simple authentication), it
> works fine.
> 
> Since I need to make an encrypted connection to the LDAP server, looking at
> the documentation, I seemed to understand that I have to modify the
> /etc/nslcd.conf file in order to make nslcd aware of the TLS encryption.
> I added the following options to the nslcd.conf file:
> 
>     ...
>     ssl start_tls
>     tls_reqcert never

There are a couple of ways to do this. Start with an unencrypted
connection on the ldap port and tell it to start TLS, or start with
an encrypted connection on the ldaps port.

For one of my servers that is using the start tls method, my config
looks like
-------
uri ldap://someserverserver.example.com/
base dc=example,dc=com
# ** make sure there is a hash for the CA cert in tls_cacertdir **
ssl start_tls
tls_reqcert demand
tls_cacertdir /some/path/to/cafiles
-------

Now with "tls_reqcert demand" you need to have your certs set up properly.
Your use of "tls_reqcert never" can be helpful to get started but is
less than ideal for production use.

On other systems where the LDAP server is only listening on ldaps, I have
-------
uri ldaps://someserverserver.example.com/
base dc=example,dc=com
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-bundle.crt
-------

I hope this helps.

> 
> But when I try to authenticate the user with my sample program, nslcd freezes
> for seconds, and then fails to authenticate.
> 
> What am I doing wrong? I am sure I am missing something in the configuration
> but after several attempts I haven't been able to authenticate yet.
> 
> Thank you.
> 
> Andrea.

-- 
Tim Rice                                Multitalents
tim@multitalents.net
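As an added example (not from this thread and not part of nss-pam-ldapd), here is a small Python lint that applies the consistency rules behind the two configurations in the reply above to an nslcd.conf: the ldap:// URI goes with "ssl start_tls", the ldaps:// URI goes with "ssl on", "tls_reqcert never" (or "allow") leaves the server certificate unverified, and "tls_reqcert demand" needs a tls_cacertdir or tls_cacertfile to verify against. The option names are taken from nslcd.conf(5); the hostnames, paths and sample configurations are constructed for the example.

```python
# Added example, not from the thread or from nss-pam-ldapd itself.
# A lint pass over nslcd.conf TLS settings; it applies the same
# consistency rules as the two configurations in the reply above.
# Option names follow nslcd.conf(5); the sample configs are constructed.
from urllib.parse import urlsplit

WEAK_REQCERT = {"never", "allow"}  # neither rejects an unverifiable server cert


def parse_nslcd_conf(text):
    """Return {option: [value, ...]}, keeping repeated options in order."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    return opts


def check_tls(opts):
    """Return a list of findings; an empty list means the TLS settings look consistent."""
    findings = []
    # 'uri' may be given several times and may list several URIs on one line.
    uris = [u for value in opts.get("uri", []) for u in value.split()]
    schemes = {urlsplit(u).scheme.lower() for u in uris}
    ssl_mode = opts.get("ssl", ["off"])[-1].lower()    # nslcd default: no TLS
    reqcert = opts.get("tls_reqcert", [""])[-1].lower()
    has_ca = bool(opts.get("tls_cacertdir") or opts.get("tls_cacertfile"))

    if not uris:
        findings.append("no uri configured")
    if "ldap" in schemes and ssl_mode == "off":
        findings.append("ldap:// without 'ssl start_tls': bind credentials go "
                        "over the wire in clear text")
    if "ldaps" in schemes and ssl_mode == "start_tls":
        findings.append("'ssl start_tls' with an ldaps:// URI: the ldaps port "
                        "already speaks TLS; pair it with 'ssl on'")

    tls_in_use = ssl_mode != "off" or "ldaps" in schemes
    if tls_in_use:
        if reqcert in WEAK_REQCERT:
            findings.append(f"tls_reqcert {reqcert}: the server certificate is "
                            "not verified, so anything on the path can impersonate the server")
        elif reqcert == "":
            findings.append("tls_reqcert not set: set 'tls_reqcert demand' explicitly")
        if not has_ca:
            findings.append("no tls_cacertdir/tls_cacertfile: chain verification "
                            "depends on the libldap default CA store")
    return findings


def lint(text):
    return check_tls(parse_nslcd_conf(text))


# Constructed sample configurations (hostnames and paths are illustrative).
STARTTLS_NO_VERIFY = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_reqcert never
"""

STARTTLS_OK = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
# ** make sure there is a hash for the CA cert in tls_cacertdir **
ssl start_tls
tls_reqcert demand
tls_cacertdir /etc/ssl/certs
"""

LDAPS_OK = """\
uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-bundle.crt
"""

PLAINTEXT = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
"""

if __name__ == "__main__":
    for name, conf in [("start_tls, no verify", STARTTLS_NO_VERIFY),
                       ("start_tls", STARTTLS_OK), ("ldaps", LDAPS_OK),
                       ("plain ldap", PLAINTEXT)]:
        print(f"{name}: {lint(conf) or ['ok']}")
```

Run it against a copy of your own /etc/nslcd.conf before switching tls_reqcert to demand; the "no tls_cacertdir/tls_cacertfile" finding is the one that usually explains a handshake that hangs and then fails once verification is turned on.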