Folks,
Not sure if this is the right list?
I have a new OpenLDAP (version 2.3) server that uses Kerberos for password authentication, which is going to be a replacement for NIS (YP). All normal access works fine and users can log in, access automount maps etc.
However there are 2 types of LDAP binding:
Simple
TLS
At the moment anybody can run the following:
ldapsearch -x
I would like to try and disable simple binding, but if I select "disallow bind_anon" in the slapd.conf file things start to break, like authentication stops working. From /var/log/messages:
Apr 1 15:42:15 apricot sudo[31515]: pam_ldap: error trying to bind (Inappropriate authentication)
Apr 1 15:42:18 apricot sudo[31515]: pam_ldap: error trying to bind (Inappropriate authentication)
Apr 1 15:42:25 apricot sudo[31515]: pam_ldap: ldap_result Can't contact LDAP server
How do I get a machine to authenticate to LDAP?
I think the problem lies with nss_ldap? When I add the following line to /etc/ldap.conf:
ssl start_tls
I start to get the following errors:
Apr 2 14:09:11 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Apr 2 14:09:15 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Apr 2 14:09:18 bruce nscd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Apr 2 14:27:06 bruce sshd: pam_ldap: ldap_starttls_s: Operations error
Apr 2 14:27:06 bruce sshd(pam_unix)[11233]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apricot.uk.ad.ep.corp.local user=mgarrett
Apr 2 14:27:06 bruce sshd[11233]: pam_krb5[11233]: authentication succeeds for 'mgarrett' (mgarrett@UK.AD.EP.CORP.LOCAL)
/etc/ldap.conf:
base dc=unix,dc=total
bind_timelimit 120
idle_timelimit 3600
ldap_version 3
pam_password md5
scope sub
ssl start_tls
timelimit 120
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
Can anybody point me in the right direction?
Thanks
Matthew
Server is Red Hat 5.3, clients are Red Hat 4.7.
Copy of slapd.conf:
pwcheck_method: saslauthd
mech_list: gssapi
sizelimit unlimited
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/krb5-kdc.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapd.pem
TLSCertificateKeyFile /etc/openldap/slapd.key
## security - other directives
## prevents anonymous access to
## any connection
#disallow bind_anon
## forces a bind operation before DIT access
#require bind
## Use of reads on ldaps only port forces use
## of TLS/SSL but not a minimum value
## this directive forces a minimum value
#security simple_bind=128
sasl-secprops noanonymous,noplain,noactive
# Map SASL authentication DNs to LDAP DNs
# This leaves "username/admin" principals untouched
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=unix,dc=total
# This should be a ^ plus, not a star, but slapd won't accept it
# Default read access for everything else except anonymous users who have no access but does not work. !
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read
        #by anonymous none
Matthew Garrett
Senior IS Technical Analyst
Tel: 01224 297889 Fax: 01224 296806
Email: Matthew.Garrett@total.com
Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG
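The combination the post runs into (nss_ldap and pam_ldap binding anonymously for every lookup while slapd is told to refuse anonymous binds) can be checked from the two configuration files before anything is changed on the server. The script below is an added example for this thread, not the poster's or OpenLDAP's own code: it parses the directive/value lines of /etc/ldap.conf and slapd.conf and reports the combinations that fail outright or weaken the TLS protection. The sample configurations are constructed from the directives quoted in the post, with the commented-out `disallow bind_anon` and `security simple_bind=128` enabled; the client option names `binddn`, `rootbinddn` and `use_sasl` are assumed from nss_ldap's ldap.conf(5), and the bind DN and password in the hardened sample are placeholders.

```python
"""Cross-check an nss_ldap/pam_ldap /etc/ldap.conf against slapd.conf security
directives.  Added example for this thread, not the poster's own tooling; the
sample configs are constructed from the directives quoted in the post, with the
commented-out 'disallow bind_anon' and 'security simple_bind=128' enabled so
the reported 'Inappropriate authentication' failure is reproduced.
"""


def parse_conf(text):
    """Parse 'directive value' lines (both files use this form) into
    {lowercased directive: [values]}; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def security_options(server):
    """Flatten slapd 'disallow' into a set and 'security' into {name: SSF}."""
    disallow = set()
    for v in server.get("disallow", []):
        disallow.update(v.replace(",", " ").split())
    security = {}
    for v in server.get("security", []):
        for tok in v.replace(",", " ").split():
            name, _, ssf = tok.partition("=")
            security[name.lower()] = int(ssf) if ssf.isdigit() else 0
    return disallow, security


def audit(client, server):
    """Return (code, message) findings; an empty list means nothing flagged."""
    findings = []
    disallow, security = security_options(server)
    # Assumed nss_ldap option names (confirm in ldap.conf(5) for your version):
    # binddn/bindpw or rootbinddn configure a simple-bind identity, use_sasl a
    # SASL one.  Without any of them every lookup is an anonymous bind.
    simple_creds = "binddn" in client or "rootbinddn" in client
    has_creds = simple_creds or "use_sasl" in client
    uses_tls = client.get("ssl", [""])[-1].lower() in ("start_tls", "on", "yes")
    if "bind_anon" in disallow and not has_creds:
        findings.append(("ANON_BIND_REFUSED", "no binddn/rootbinddn/use_sasl, so "
            "lookups bind anonymously; 'disallow bind_anon' answers result 48 "
            "(Inappropriate authentication) and NSS/PAM lookups fail"))
    if uses_tls and client.get("tls_checkpeer", [""])[-1].lower() == "no":
        findings.append(("TLS_NO_PEER_CHECK", "tls_checkpeer no: the server "
            "certificate is never verified, so StartTLS does not stop an "
            "impersonated server; set tls_checkpeer yes with a valid tls_cacertdir"))
    if security.get("simple_bind", 0) > 0 and simple_creds and not uses_tls:
        findings.append(("SIMPLE_BIND_NEEDS_TLS", "security simple_bind=%d refuses "
            "clear-text simple binds (result 13, Confidentiality required); "
            "enable ssl start_tls on the client" % security["simple_bind"]))
    if "bind_v2" in " ".join(server.get("allow", [])).split():
        findings.append(("LDAPV2_ALLOWED", "allow bind_v2 admits LDAPv2 clients, "
            "which can use neither StartTLS nor SASL binds"))
    return findings


# Constructed client config as in the post: StartTLS on, peer check off, no identity.
CLIENT_CONF = """\
base dc=unix,dc=total
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
"""

# Constructed slapd.conf fragment with the post's commented security directives enabled.
SERVER_CONF = """\
allow bind_v2
disallow bind_anon
security simple_bind=128
sasl-secprops noanonymous,noplain,noactive
"""

# Constructed hardened client: a dedicated lookup identity (placeholder values)
# and server certificate verification turned on.
HARDENED_CLIENT_CONF = """\
base dc=unix,dc=total
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
binddn cn=nss-lookup,ou=people,dc=unix,dc=total
bindpw PLACEHOLDER-CHANGE-ME
"""


def audit_texts(client_text, server_text):
    """Parse both texts and audit them."""
    return audit(parse_conf(client_text), parse_conf(server_text))


if __name__ == "__main__":
    for label, cfg in (("as posted", CLIENT_CONF), ("hardened", HARDENED_CLIENT_CONF)):
        print("[%s]" % label)
        for code, msg in audit_texts(cfg, SERVER_CONF) or [("OK", "no findings")]:
            print("  %s: %s" % (code, msg))
```

Run directly, it audits the posted client and the hardened one against the same server fragment. The posted client fails with the anonymous-bind finding (the "Inappropriate authentication" line in the log) and is flagged for `tls_checkpeer no`; the hardened client is left with only `allow bind_v2`, which is a server-side choice, and a simple-bind identity without `ssl start_tls` would be refused by `security simple_bind=128` rather than silently downgraded.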