On Friday 29 August 2008 16:48:26 Hauke Coltzau wrote:
I want to use TLS-communication between my ldap server and the clients.
[...]
Next, I activated TLSVerifyClient on the server side
Why? You don't need this to address your single remaining problem, unless you haven't stated it in full.
==== /home/<user>/.ldaprc ====
TLS_CERT /home/<user>/openldap/<user>.ldap.cert.pem
TLS_KEY /home/<user>/openldap/<user>.ldap.key.pem
== END /home/<user>/.ldaprc ==
So, when I start ldapsearch -x as local user, I get a positive result as long as the above mentioned certificate is valid. If the user's certificate is not valid, ldapsearch fails. Wonderful, that's exactly what I wanted.
But now to my problem:
Since I use the ldap server for network user authentication, I can (as local user) make a su - <network_user>, enter the password and get authenticated, but have a look at the shell:
<local user>@<client>:~$ su - <network_user>
Password: <network user password here>
id: cannot find name for group ID <network_user group>
I have no name!@<client>:~$
Does 'strace -e open id' tell you anything interesting (specifically about the key/cert)?
Without TLSVerifyClient, this works out fine:
<local user>@<client>:~$ su - <network_user>
Password: <network user password here>
<network_user>@<client>:~$
Secondly: How do I make it possible that when connecting via ssh to the client machine (from any other machine), I can login as <network_user>? Here are the details:
In /etc/ldap.conf (ubuntu 8.04 uses this as replacement for lib(pam|nss)_ldap.conf),
Actually, Ubuntu reverts to the upstream location; lib(pam|nss)_ldap.conf is a Debian-ism.
I set the values for
tls_cert /usr/lib/ssl/certs/<client>.ldap.cert.pem
tls_key /usr/lib/ssl/private/<client>.ldap.key.pem
You didn't indicate any of the other /etc/ldap.conf settings, such as tls_cacertfile, tls_check_peer. Additionally, you don't specify if you are using nscd, or whether the logged in user (below) can read the tls_cert and tls_key files.
Regards, Buchan
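As an added example (not part of this thread or of nss_ldap/pam_ldap), a small POSIX shell script that follows up on the last question above: it lists the tls_* file directives in an ldap.conf-style file and reports which of them the current user cannot open. Run it as the network user, e.g. `su - <network_user> -c 'sh check_ldap_tls.sh /etc/ldap.conf'`, to see whether the name-service lookups that id(1) performs inside that shell can read the client certificate and key at all. The script name check_ldap_tls.sh and the directive list are assumptions: pam_ldap/nss_ldap's /etc/ldap.conf spells them tls_cert/tls_key/tls_cacertfile, while ldap.conf(5) and ~/.ldaprc use TLS_CERT/TLS_KEY/TLS_CACERT, so both spellings are matched.

```shell
#!/bin/sh
# check_ldap_tls.sh (hypothetical name, added example): report which tls_*
# files named in an ldap.conf-style file the current user cannot read.
# Usage: su - <network_user> -c 'sh check_ldap_tls.sh /etc/ldap.conf'

# Print "directive path" pairs for the TLS file directives in the file $1.
# Matches the pam_ldap/nss_ldap spelling (tls_cert, tls_key, tls_cacertfile)
# and the ldap.conf(5)/.ldaprc spelling (TLS_CERT, TLS_KEY, TLS_CACERT).
# Commented-out lines do not match because their first field starts with '#'.
ldap_tls_files() {
    awk 'tolower($1) ~ /^tls_(cert|key|cacert|cacertfile|cacertdir)$/ {
             print tolower($1), $2
         }' "$1"
}

# For every TLS file directive in $1, test whether the current user can
# open the file.  Prints one line per directive and returns 0 only if all
# of them are readable, so the exit status is usable from other scripts.
check_tls_readable() {
    cfg=$1
    status=0
    while read -r directive path; do
        # An empty config yields one empty line from the here-document; skip it.
        [ -n "$path" ] || continue
        if [ -r "$path" ]; then
            echo "ok   $directive $path"
        else
            # id -u is used on purpose: in the "I have no name!" situation
            # id -un itself fails because the NSS lookup cannot run.
            echo "FAIL $directive $path is not readable by uid $(id -u)"
            status=1
        fi
    done <<EOF
$(ldap_tls_files "$cfg")
EOF
    return $status
}

# Run the check when a config file is given on the command line.
if [ $# -gt 0 ]; then
    check_tls_readable "$1"
fi
```

A FAIL line for tls_key or tls_cert explains the symptom in the su transcript: the new shell's NSS lookups cannot even start the TLS handshake. Note the trade-off this makes visible: a client private key that every LDAP-authenticated user must be able to read is effectively shared with all of those users, which is one reason to keep TLSVerifyClient off for the nss_ldap connection unless a per-user key is really wanted.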