pam_ldap and ldaps can't contact ldap server


Solution 1

Migtor pushed me in the right direction. Thank you!

When I removed TLS_REQCERT and checked for the ldapsearch errors, I also got TLS: error: connect - force handshake failure: errno 2 - moznss error -8172.

My CA certificate is the correct one, but openldap uses Mozilla Network Security Services (MozNSS) by default for checking the authority. So I have to add my self-signed CA to this database.

Edit: As Migtor pointed out in his comment below, this should apply only to CentOS, RHEL and derivatives.


Solution

First copy your CA certificate to the client (my path: /etc/openldap/cacerts/ldap-cacert.pem).

After installing pam_ldap a MozNSS database is located in /etc/openldap/certs :

  • run # certutil -d /etc/openldap/certs -A -n "ldap CA" -t TCu,Cu,Tuw -a -i /etc/openldap/cacerts/ldap-cacert.pem
    • -n "ldap CA" is just a name to identify your certificate in the MozNSS database
  • verify: # certutil -L -d /etc/openldap/certs

New content of my /etc/pam_ldap.conf

ldap_version 3
pam_password crypt
uri ldaps://[FQDN-of-my-ldap-server]:636
base dc=sub,dc=example,dc=org
ssl on
tls_cacertdir /etc/openldap/certs


What about nss-pam-ldapd?

This is no longer required. I purged it and /etc/nslcd.conf is no longer available.


Solution 2

The clue is in the ldapsearch command output:

TLS: certificate [CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS certificate verification: subject: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, issuer: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0

It says: certificate ... is not valid... Peer's certificate issuer has been marked as not trusted by the user. That means the CA used to issue the server certificate is not trusted. It seems to me that the TLS_CACERTFILE /srv/ldap-cacert.pem does not contain the right CA certificate. It won't work until you get an error-free ldapsearch output.

Once that is solved you may get errors due to the CN of the certificate. If you do, try using ldaps://sub.example.org/ as URI instead of ldaps://10.1.1.42/. If your DNS doesn't resolve that name, just put it in your /etc/hosts file (just for testing, you should update your DNS records).
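An added example, not code from either answer: a small POSIX shell audit that flags the verification-disabling settings from the question's configs (tls_reqcert allow, tls_checkpeer no), an IP literal in the ldaps:// URI as Solution 2 describes, and a missing trust anchor. The two sample files are constructed from the configs shown on this page; the function name and its output format are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a pam_ldap.conf /
# ldap.conf / nslcd.conf style file ("key value" per line) for settings that
# disable TLS verification, i.e. the question's tls_reqcert allow /
# tls_checkpeer no workaround. Prints one finding per line, returns the count.
flag() { echo "$1"; findings=$((findings + 1)); }

audit_ldap_conf() {
    findings=0; uri=""; ssl=""; trust=""
    while read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        lval=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
        case "$lkey" in
            tls_reqcert)    # never/allow: a missing or bad server cert is accepted
                case "$lval" in
                    never|allow) flag "WEAK: $key $value (server cert not verified)" ;;
                esac ;;
            tls_checkpeer)  # pam_ldap's own switch for peer verification
                [ "$lval" = "no" ] && flag "WEAK: $key $value (peer check disabled)" ;;
            tls_cacertfile|tls_cacertdir) trust="$value" ;;
            ssl) ssl="$lval" ;;
            uri) uri="$value" ;;
        esac
    done < "$1"
    case "$uri" in
        ldaps://[0-9]*)  # an IP literal never matches the certificate's CN/SAN
            flag "NOTE: uri $uri (use the FQDN so the name check can pass)" ;;
        ldap://*)        # plain ldap:// is cleartext unless StartTLS is forced
            [ "$ssl" = "start_tls" ] || flag "WEAK: uri $uri (cleartext bind)" ;;
    esac
    [ -n "$trust" ] || flag "WEAK: no tls_cacertfile/tls_cacertdir (no trust anchor)"
    return "$findings"
}

# Constructed samples: the question's original and the fixed /etc/pam_ldap.conf.
WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp)
printf '%s\n' 'uri ldaps://10.1.1.42:636' 'ssl on' 'tls_reqcert allow' \
    'tls_cacertfile /srv/ldap-cacert.pem' 'tls_checkpeer no' > "$WEAK_CONF"
printf '%s\n' 'uri ldaps://[FQDN-of-my-ldap-server]:636' 'ssl on' \
    'tls_cacertdir /etc/openldap/certs' > "$FIXED_CONF"
audit_ldap_conf "$WEAK_CONF"   # three findings; the fixed file yields none
```

Run it against /etc/pam_ldap.conf, /etc/openldap/ldap.conf and /etc/nslcd.conf in turn; a non-zero exit means at least one of them still relies on a workaround instead of a trusted CA.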


Author: lszrh

Updated on September 18, 2022

Comments

  • lszrh
    lszrh over 1 year

    I'm trying to allow authentication via LDAP on a CentOS host system. But I always get a Can't contact LDAP server error from pam_ldap.

    The LDAP server is pingable and authentication works perfectly with ldap://, but not with ldaps://. It also works perfectly with ldaps:// on Debian, but not on CentOS.

    I got the Can't contact error also with $ ldapsearch ... but I fixed it by setting TLS_REQCERT allow in /etc/openldap/ldap.conf. But setting this for /etc/pam_ldap.conf does not help.

    Steps I did:

    • $ yum install pam_ldap nss-pam-ldapd openldap-clients
    • $ authconfig-tui and activate LDAP for Authentication
    • modify /etc/pam_ldap
    • modify /etc/nslcd.conf
    • modify /etc/openldap/ldap.conf
    • create /etc/ldap/ldap.conf (read somewhere that it's a fall-back config file path)
    • create /etc/ldap.conf (with same content as /etc/ldap/ldap.conf)
    • restart services nscd and nslcd

    Some more information:

    • the CA-Cert from LDAP-Server is readable for everyone.
    • iptables is disabled

    Also confusing is the IP in /var/log/secure. There it says Failed password for testuser from 10.1.1.1, but the configured IP for LDAP server is 10.1.1.42 and the host IP is 10.1.1.27. Anyways, if I use the uri ldap://10.1.1.42 and comment the line ssl on authentication works like a charm.

    Any ideas?


    Trying to authenticate via pam, /var/log/secure

    Sep 15 09:50:37 client-server unix_chkpwd[16146]: password check failed for user (testuser)
    Sep 15 09:50:37 client-server sshd[16144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.1  user=testuser
    Sep 15 09:50:37 client-server sshd[16144]: pam_ldap: ldap_simple_bind Can't contact LDAP server
    Sep 15 09:50:37 client-server sshd[16144]: pam_ldap: reconnecting to LDAP server...
    Sep 15 09:50:37 client-server sshd[16144]: pam_ldap: ldap_simple_bind Can't contact LDAP server
    Sep 15 09:50:40 client-server sshd[16144]: Failed password for testuser from 10.1.1.1 port 11339 ssh2
    Sep 15 09:50:40 client-server sshd[16145]: Received disconnect from 10.1.1.1: 13: Unable to authenticate
    

    Run $ ldapsearch -v -H ldaps://10.1.1.42/ -D cn=admin,dc=sub,dc=example,dc=org -W -x -b dc=sub,dc=example,dc=org -d1 to check if ldaps:// is working. (Yes, it works)

    ldap_url_parse_ext(ldaps://10.1.1.42/)
    ldap_initialize( ldaps://10.1.1.42:636/??base )
    ldap_create
    ldap_url_parse_ext(ldaps://10.1.1.42:636/??base)
    Enter LDAP Password:
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP 10.1.1.42:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 10.1.1.42:636
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    TLS: certificate [CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
    TLS certificate verification: subject: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, issuer: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
    ldap_open_defconn: successful
    ldap_send_server_request
    ...
    

    Content of /etc/pam_ldap.conf

    ldap_version 3
    pam_password crypt
    uri ldaps://10.1.1.42:636
    base dc=sub,dc=example,dc=org
    ssl on
    tls_reqcert allow
    tls_cacertfile /srv/ldap-cacert.pem
    tls_checkpeer no
    

    Content of /etc/openldap/ldap.conf

    TLS_REQCERT allow
    TLS_CACERTFILE /srv/ldap-cacert.pem
    URI ldaps://10.1.1.42:636/
    BASE dc=sub,dc=example,dc=org
    

    Content of /etc/nslcd.conf

    uid nslcd
    gid ldap
    ssl on
    tls_reqcert allow
    tls_cacertfile /srv/ldap-cacert.pem
    uri ldaps://10.1.1.42:636/
    base dc=sub,dc=example,dc=org
    

    Content of /etc/ldap.conf and /etc/ldap/ldap.conf:

    tls_checkpeer no
    tls_reqcert allow
    tls_cacertfile /srv/ldap-cacert.pem
    uri ldaps://10.1.1.42:636/
    base dc=sub,dc=example,dc=org
    
  • Migtor
    Migtor over 9 years
    Glad you got it working ;). This should apply only to CentOS, RHEL and derivatives, I believe most distros compile openldap with openssl, not with nss. Anyway, it's strange that using a correct TLS_CACERTFILE didn't work, maybe that it's just openssl specific.