Hi everybody,
Hope this is still the right group for my question; it might also be a lib{pam|nss}_ldap problem.
I am very happy to say that I have an almost completely running installation now. But one single problem still remains:
I want to use TLS communication between my LDAP server and the clients. I started with my own RootCA, created 2 SubCAs (one for server certs, one for user certs) and generated a certificate for my server, signed by the ServerCA.
On client side, I have set
==== /etc/ldap/ldap.conf ====
BASE dc=...
URI ldaps://<fqdn>/
# Require valid cert from server
TLS_REQCERT yes
# CA for trusted server certs
TLS_CACERT /usr/lib/ssl/cacerts/<serverca>.chain.pem
== END /etc/ldap/ldap.conf ==
This works out perfectly, as I can see using a packet sniffer. The client only communicates with the server using TLSv1, and only if the server's certificate is valid.
Next, I activated TLSVerifyClient on the server side:
==== /etc/ldap/slapd.conf ====
...
# The CA chain for valid client certs
TLSCACertificateFile /usr/lib/ssl/cacerts/<userca>.chain.pem
# The server's cert
TLSCertificateFile /usr/lib/ssl/certs/<server>.cert.pem
# The server's key
TLSCertificateKeyFile /usr/lib/ssl/private/<server>.key.pem
# Verify clients always
TLSVerifyClient demand
== END /etc/ldap/slapd.conf ==
and created a client cert without password for my local client user, signed by the UserCA. This cert and the corresponding key are referenced in the (local) user's .ldaprc on the client machine:
==== /home/<user>/.ldaprc ====
TLS_CERT /home/<user>/openldap/<user>.ldap.cert.pem
TLS_KEY /home/<user>/openldap/<user>.ldap.key.pem
== END /home/<user>/.ldaprc ==
So, when I start ldapsearch -x as the local user, I get a positive result as long as the above-mentioned certificate is valid. If the user's certificate is not valid, ldapsearch fails. Wonderful, that's exactly what I wanted.
But now to my problem:
Since I use the LDAP server for network user authentication, I can (as the local user) run su - <network_user>, enter the password and get authenticated, but have a look at the shell:
<local user>@<client>:~$ su - <network_user>
Password: <network user password here>
id: cannot find name for group ID <network_user group>
I have no name!@<client>:~$
Without TLSVerifyClient, this works fine:
<local user>@<client>:~$ su - <network_user>
Password: <network user password here>
<network_user>@<client>:~$
Secondly: how do I make it possible to log in as <network_user> when connecting via ssh to the client machine (from any other machine)? Here are the details:
In /etc/ldap.conf (Ubuntu 8.04 uses this as a replacement for lib(pam|nss)_ldap.conf), I set the values for
tls_cert /usr/lib/ssl/certs/<client>.ldap.cert.pem
tls_key /usr/lib/ssl/private/<client>.ldap.key.pem
The certificate has been signed by the same CA as the above user certificate. The CN is the name of the host (not the FQDN, that is, just the hostname).
But when I try to log in via ssh, the connection is closed. With slapd running as
slapd -d127 -h "ldaps:///" -u openldap -g openldap
it logs:
...
TLS: can't accept: The peer did not send any certificate..
connection_read(12): TLS accept failure error=-1 id=0, closing
...
Without TLSVerifyClient, I can log in.
I assume that both problems have the same cause, but I just don't get it.
Hope, this time I didn't miss reading a manual again ;-)
Best regards,
Hauke
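Added diagnostic (not part of Hauke's post, and not OpenLDAP or nss_ldap code): two checks a practitioner would run on the client before digging further. First, nss_ldap and pam_ldap are libraries loaded into the calling process (the network user's shell running `id`, or sshd), so the tls_cert/tls_key named in /etc/ldap.conf have to be readable by that process's uid and groups along the whole directory path, not just by root; `check_client_material()` evaluates that from the stat() mode bits for an arbitrary user without needing to su to it. Second, `tls_probe()` performs the same ldaps handshake with a client certificate that ldapsearch does when TLS_CERT/TLS_KEY are set, so the server's reaction ("peer did not send any certificate" versus a completed handshake) can be observed without nss_ldap in the loop. The paths, host and user names are the placeholders from the post and are assumptions; the script is stand-alone Python 3 with only the standard library.

```python
"""Client-side checks for an ldaps:// setup with TLSVerifyClient demand.

usage:
  ldap_tls_check.py perms <user> <cert.pem> <key.pem>
  ldap_tls_check.py probe <host> <port> <ca-chain.pem> <cert.pem> <key.pem>
"""
import os
import pwd
import socket
import ssl
import stat
import sys


def _access(mode, owner_uid, owner_gid, uid, gids, usr_bit, grp_bit, oth_bit):
    """Generic Unix permission check in kernel order: owner bits if uid owns
    the file, else group bits if any of the caller's gids matches, else the
    'other' bits. uid 0 (root) is assumed to bypass the bits entirely."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & usr_bit)
    if owner_gid in set(gids):
        return bool(mode & grp_bit)
    return bool(mode & oth_bit)


def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """True if a file with these stat() attributes is readable by uid/gids."""
    return _access(mode, owner_uid, owner_gid, uid, gids,
                   stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def searchable_by(mode, owner_uid, owner_gid, uid, gids):
    """True if a directory with these attributes can be traversed by uid/gids."""
    return _access(mode, owner_uid, owner_gid, uid, gids,
                   stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def _parents(path):
    """Every directory from the file's parent up to '/', nearest first."""
    p = os.path.dirname(os.path.abspath(path))
    dirs = []
    while True:
        dirs.append(p)
        up = os.path.dirname(p)
        if up == p:
            return dirs
        p = up


def check_client_material(cert_path, key_path, uid, gids):
    """Map each path to a verdict string for the given uid/gids: 'readable',
    'missing (...)', 'NOT readable (...)' or 'parent dir ... not searchable'."""
    verdicts = {}
    for path in (cert_path, key_path):
        try:
            st = os.stat(path)
        except OSError as exc:
            verdicts[path] = "missing (%s)" % exc.strerror
            continue
        blocker = None
        for d in _parents(path):
            ds = os.stat(d)
            if not searchable_by(stat.S_IMODE(ds.st_mode), ds.st_uid, ds.st_gid, uid, gids):
                blocker = d
                break
        mode = stat.S_IMODE(st.st_mode)
        if blocker is not None:
            verdicts[path] = "parent dir %s not searchable" % blocker
        elif readable_by(mode, st.st_uid, st.st_gid, uid, gids):
            verdicts[path] = "readable"
        else:
            verdicts[path] = "NOT readable (mode %s, uid %d, gid %d)" % (oct(mode), st.st_uid, st.st_gid)
    return verdicts


def tls_probe(host, port, cafile, cert_path, key_path):
    """Do the ldaps handshake with a client cert, verifying the server against
    cafile, and return the server certificate's subject. With TLSVerifyClient
    demand on the server, a missing or unacceptable client cert surfaces here
    as ssl.SSLError instead of a returned subject."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    with socket.create_connection((host, int(port)), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


def main(argv):
    if len(argv) == 5 and argv[1] == "perms":
        pw = pwd.getpwnam(argv[2])                     # uid/gid of the user the lookup runs as
        gids = os.getgrouplist(pw.pw_name, pw.pw_gid)  # plus supplementary groups
        for path, verdict in check_client_material(argv[3], argv[4], pw.pw_uid, gids).items():
            print("%s: %s" % (path, verdict))
    elif len(argv) == 7 and argv[1] == "probe":
        print("server subject:", tls_probe(*argv[2:7]))
    else:
        print(__doc__)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `perms <network_user> /usr/lib/ssl/certs/<client>.ldap.cert.pem /usr/lib/ssl/private/<client>.ldap.key.pem` for the user that shows up as "I have no name!" and for the uid sshd performs its lookups as; run `probe` against the slapd with `-d127` on to correlate the handshake with the server's "TLS accept" log lines.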