Dear list,
We are using PAM to authenticate posixUsers against OpenLDAP. This works great, and allows 'local' (ssh) logins. However, we also use LDAP for a number of other services, including remote access and editing via other software. This means we would like to keep our users passwords as secure as possible, and enforce encrypted logins for all remote hosts. However, PAM should still be able to authenticate. The manner of encryption is not really important, it just has to be strong enough to be useful over the internet, and usable for all (or most) clients.
We have tried various solutions with ssf directives in /etc/ldap/slapd.conf as well as the security tls=1 directive. All of these attempts broke PAM.
Is what we are trying to do possible with OpenLDAP? If so, could someone maybe point us to an example configuration?
Thank you for your time,
Kasper Loopstra.
On 23/11/11 17:06 +0100, Kasper Loopstra wrote:
Dear list,
We are using PAM to authenticate posixUsers against OpenLDAP. This works great, and allows 'local' (ssh) logins. However, we also use LDAP for a number of other services, including remote access and editing via other software. This means we would like to keep our users passwords as secure as possible, and enforce encrypted logins for all remote hosts. However, PAM should still be able to authenticate. The manner of encryption is not really important, it just has to be strong enough to be useful over the internet, and usable for all (or most) clients.
We have tried various solutions with ssf directives in /etc/ldap/slapd.conf as well as the security tls=1 directive. All of these attempts broke PAM.
Which PAM ldap module are you using? with PADL's module, you'd want to configure 'ssl on' (for ldaps:///) or 'ssl starttls' (for starttls over ldap:///) and also configure the tls_* settings appropriately.
For your slapd configuration, see the slapd.conf manpage - the TLS* options, as well as the 'security' option. If you are wishing to perform secure connections over ldaps:///, verify that in your slapd init script, that you are passing 'ldaps:///' as one of your '-h' command line parameters.
On 11/23/2011 05:51 PM, Dan White wrote:
On 23/11/11 17:06 +0100, Kasper Loopstra wrote:
Dear list,
We are using PAM to authenticate posixUsers against OpenLDAP. This works great, and allows 'local' (ssh) logins. However, we also use LDAP for a number of other services, including remote access and editing via other software. This means we would like to keep our users passwords as secure as possible, and enforce encrypted logins for all remote hosts. However, PAM should still be able to authenticate. The manner of encryption is not really important, it just has to be strong enough to be useful over the internet, and usable for all (or most) clients.
We have tried various solutions with ssf directives in /etc/ldap/slapd.conf as well as the security tls=1 directive. All of these attempts broke PAM.
Which PAM ldap module are you using? with PADL's module, you'd want to configure 'ssl on' (for ldaps:///) or 'ssl starttls' (for starttls over ldap:///) and also configure the tls_* settings appropriately.
We're using libpam-ldap from Debian, which is indeed the PADL module according to the comments. Is it really necesary to use SSL when communicating within localhost? If it is, that's fine, it just doesn't seem to be the right way to handle local traffic.
For your slapd configuration, see the slapd.conf manpage - the TLS* options, as well as the 'security' option. If you are wishing to perform secure connections over ldaps:///, verify that in your slapd init script, that you are passing 'ldaps:///' as one of your '-h' command line parameters.
According to the init file provided by Debian, it seems to be using the conf file for this information. Is that correct/possible, or should we be asking the Debian people?
Thanks for the quick response,
Kasper Loopstra
On 11/24/2011 03:53 PM, Kasper Loopstra wrote:
On 11/23/2011 05:51 PM, Dan White wrote:
On 23/11/11 17:06 +0100, Kasper Loopstra wrote:
Dear list,
We are using PAM to authenticate posixUsers against OpenLDAP. This works great, and allows 'local' (ssh) logins. However, we also use LDAP for a number of other services, including remote access and editing via other software. This means we would like to keep our users passwords as secure as possible, and enforce encrypted logins for all remote hosts. However, PAM should still be able to authenticate. The manner of encryption is not really important, it just has to be strong enough to be useful over the internet, and usable for all (or most) clients.
We have tried various solutions with ssf directives in /etc/ldap/slapd.conf as well as the security tls=1 directive. All of these attempts broke PAM.
Which PAM ldap module are you using? with PADL's module, you'd want to configure 'ssl on' (for ldaps:///) or 'ssl starttls' (for starttls over ldap:///) and also configure the tls_* settings appropriately.
We're using libpam-ldap from Debian, which is indeed the PADL module according to the comments. Is it really necesary to use SSL when communicating within localhost? If it is, that's fine, it just doesn't seem to be the right way to handle local traffic.
No, it isn't necesary, or you can use ldapi://
For your slapd configuration, see the slapd.conf manpage - the TLS* options, as well as the 'security' option. If you are wishing to perform secure connections over ldaps:///, verify that in your slapd init script, that you are passing 'ldaps:///' as one of your '-h' command line parameters.
According to the init file provided by Debian, it seems to be using the conf file for this information. Is that correct/possible, or should we be asking the Debian people?
Debian takes the default config /etc/default/slapd for daemon related parameters
Thanks for the quick response,
Kasper Loopstra
openldap-technical@openldap.org