Centos – How to authenticate with LDAP via the command line

centosldapopenldapredhat

The LDAP server is hosted on Solaris. The client is CentOS. OpenLDAP/NSLCD/SSH authentication via LDAP work fine, but I am not able to use the ldapsearch commands to debug LDAP issues.

[root@tst-01 ~]# ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:
[root@tst-01 ~]# cat /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap1.tst.domain.tld ldap://ldap2.tst.domain.tld
BASE dc=tst,dc=domain,dc=tld
[root@tst-01 ~]# ls -al /etc/openldap/cacerts
total 12
drwxr-xr-x. 2 root root 4096 Jun  6 10:31 .
drwxr-xr-x. 3 root root 4096 Jun 10 10:12 ..
-rw-r--r--. 1 root root  895 Jun  6 10:01 cacert.pem
lrwxrwxrwx. 1 root root   10 Jun  6 10:31 cf848aa4.0 -> cacert.pem
[root@tst-01 ~]#

I have tried authentication with a certificate via ldapsearch giving /etc/openldap/cacerts/cacert.pem as a parameter, but it didn't accept this certificate for authentication.

Best Answer

You may wish to turn off SASL and use simple authentication with the "-x" option. For example, a search to find a particular user

ldapsearch -x -D "uid=search-user,ou=People,dc=example,dc=com" \
           -W -H ldap://ldap.example.com -b "ou=People,dc=example,dc=com" \
           -s sub 'uid=test-user'

Will find "test-user" by

-D - Use bind user "search-user"
-W - Prompt for password
-H - URL of LDAP server. Non-SSL in this case; use "ldaps://" for SSL
-b - The search base
-s - Search scope - i.e. base for base of tree, one for on level down and sub for recursively searching down the tree (can take a while)
Finally the search filter as a non-option argument. In this case we will search for the uid of "test-user"

Related Solutions

Centos – pam_ldap and ldaps can’t contact ldap server

The clue is in the ldapsearch command output:

TLS: certificate [CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS certificate verification: subject: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, issuer: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0

It says: certificate ... is not valid... Peer's certificate issuer has been marked as not trusted by the user. That means the CA used to issue the server certificate is not trusted. It seems to me that the CACERTFILE TLS_CACERTFILE /srv/ldap-cacert.pem does not contain the right CA certificate. It won't work until you get an error clean ldapsearch output.

Once that is solved you may get errors due to the CN of the certificate. If you do, try using ldaps://sub.example.org/ as URI instead of ldaps://10.1.1.42/. If your DNS doesn't resolve that name, just put it in your /etc/hosts file (just for testing, you should update your DNS records).

Ssl – LDAP Client Search with SSL – CentOS7

The following is taken from a working CentOS7 ldap server, and should cover the key aspects of SASL/EXTERNAL(TLS) authentication.
Minors notes:
- The server is also acting as the client in this example.
- This example makes use of ~/.ldaprc rather than /etc/openldap/ldap.conf
- This example uses olcTLSVerifyClient: verify rather than hard because the server is supporting other authentication types in addition to SASL/EXTERNAL(TLS) authentication.

slapd-config

[root@ldap ~]# ldapsearch cn=config olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> (default) with scope subtree
# filter: cn=config
# requesting: olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSVerifyClient 
#

# config
dn: cn=config
olcTLSCACertificateFile: /etc/pki/tls/certs/ldap.example.com_CA.crt
olcTLSCertificateFile: /etc/pki/tls/certs/ldap.example.com.crt
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap.example.com.key
olcTLSVerifyClient: try

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

certificate key permissions

[root@ldap ~]# ls -lZ /etc/pki/tls/private/ldap.example.com.key
-rw-r-----+ root root unconfined_u:object_r:cert_t:s0  /etc/pki/tls/private/ldap.example.com.key

[root@ldap ~]# getfacl /etc/pki/tls/private/ldap.example.com.key
getfacl: Removing leading '/' from absolute path names
# file: etc/pki/tls/private/ldap.example.com.key
# owner: root
# group: root
user::rw-
user:ldap:r--
group::---
mask::r--
other::---

sasl configuration

[root@ldap ~]# cat /etc/sasl2/slapd.conf 
mech_list: external gssapi plain
pwcheck_method: saslauthd

ldap client settings

[root@ldap ~]# cat .ldaprc
URI ldapi:///
BASE cn=config
SASL_MECH external
#TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERT /etc/pki/tls/certs/ldap.example.com_CA.crt
TLS_CERT /etc/pki/tls/certs/ldap.example.com.crt
TLS_KEY /etc/pki/tls/private/ldap.example.com.key

successful SASL/EXTERNAL(TLS) bind

[root@ldap ~]# ldapwhoami -ZZ -h ldap.example.com
SASL/EXTERNAL authentication started
SASL username: cn=ldap.example.com,<cert locality info>
SASL SSF: 0
dn:cn=ldap.example.com,<cert locality info>
[root@ldap ~]# ldapwhoami -H ldaps://ldap.example.com
SASL/EXTERNAL authentication started
SASL username: cn=ldap.example.com,<cert locality info>
SASL SSF: 0

Best Answer

Related Solutions

Centos – pam_ldap and ldaps can’t contact ldap server

Ssl – LDAP Client Search with SSL – CentOS7

Related Topic