Centos – pam_ldap and ldaps can’t contact ldap server

Tags: authentication, centos, ldap, pam

I'm trying to allow authentication via LDAP on a CentOS host system. But I always get a Can't contact LDAP server error from pam_ldap.

The LDAP server is pingable and authentication works perfectly with ldap://, but not with ldaps://. It also works perfectly with ldaps:// on Debian, but not on CentOS.

I also got the Can't contact error with $ ldapsearch …, but I fixed it by setting TLS_REQCERT allow in /etc/openldap/ldap.conf. But setting this in /etc/pam_ldap.conf does not help.

Steps I did:

  • $ yum install pam_ldap nss-pam-ldapd openldap-clients
  • $ authconfig-tui and activate LDAP for Authentication
  • modify /etc/pam_ldap.conf
  • modify /etc/nslcd.conf
  • modify /etc/openldap/ldap.conf
  • create /etc/ldap/ldap.conf (read somewhere that it's a fall-back config file path)
  • create /etc/ldap.conf (with same content as /etc/ldap/ldap.conf)
  • restart services nscd and nslcd

Some more information:

  • the CA cert from the LDAP server is readable by everyone.
  • iptables is disabled

Also confusing is the IP in /var/log/secure: there it says Failed password for testuser from 10.1.1.1, but the configured IP for the LDAP server is 10.1.1.42 and the host IP is 10.1.1.27. Anyway, if I use the URI ldap://10.1.1.42 and comment out the line ssl on, authentication works like a charm.

Any ideas?


Trying to authenticate via pam, /var/log/secure

Sep 15 09:50:37 client-server unix_chkpwd[16146]: password check failed for user (testuser)
Sep 15 09:50:37 client-server sshd[16144]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.1  user=testuser
Sep 15 09:50:37 client-server sshd[16144]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 15 09:50:37 client-server sshd[16144]: pam_ldap: reconnecting to LDAP server...
Sep 15 09:50:37 client-server sshd[16144]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 15 09:50:40 client-server sshd[16144]: Failed password for testuser from 10.1.1.1 port 11339 ssh2
Sep 15 09:50:40 client-server sshd[16145]: Received disconnect from 10.1.1.1: 13: Unable to authenticate

Run $ ldapsearch -v -H ldaps://10.1.1.42/ -D cn=admin,dc=sub,dc=example,dc=org -W -x -b dc=sub,dc=example,dc=org -d1 to check if ldaps:// is working. (Yes, it works.)

ldap_url_parse_ext(ldaps://10.1.1.42/)
ldap_initialize( ldaps://10.1.1.42:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://10.1.1.42:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.1.1.42:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.1.42:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: certificate [CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS certificate verification: subject: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, issuer: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
...

Content of /etc/pam_ldap.conf

ldap_version 3
pam_password crypt
uri ldaps://10.1.1.42:636
base dc=sub,dc=example,dc=org
ssl on
tls_reqcert allow
tls_cacertfile /srv/ldap-cacert.pem
tls_checkpeer no

Content of /etc/openldap/ldap.conf

TLS_REQCERT allow
TLS_CACERTFILE /srv/ldap-cacert.pem
URI ldaps://10.1.1.42:636/
BASE dc=sub,dc=example,dc=org

Content of /etc/nslcd.conf

uid nslcd
gid ldap
ssl on
tls_reqcert allow
tls_cacertfile /srv/ldap-cacert.pem
uri ldaps://10.1.1.42:636/
base dc=sub,dc=example,dc=org

Content of /etc/ldap.conf and /etc/ldap/ldap.conf:

tls_checkpeer no
tls_reqcert allow
tls_cacertfile /srv/ldap-cacert.pem
uri ldaps://10.1.1.42:636/
base dc=sub,dc=example,dc=org

Best Answer

The clue is in the ldapsearch command output:

TLS: certificate [CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user..
TLS certificate verification: subject: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, issuer: CN=sub.example.org,OU=test-ou,O=test-o,ST=test-st,C=DE, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0

It says: certificate ... is not valid ... Peer's certificate issuer has been marked as not trusted by the user. That means the CA used to issue the server certificate is not trusted. It seems to me that the TLS_CACERTFILE /srv/ldap-cacert.pem does not contain the right CA certificate. It won't work until you get error-free ldapsearch output.

Once that is solved you may get errors due to the CN of the certificate. If you do, try using ldaps://sub.example.org/ as the URI instead of ldaps://10.1.1.42/. If your DNS doesn't resolve that name, just put it in your /etc/hosts file (just for testing; you should update your DNS records).
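An added example (not part of the question or the answer) that reproduces offline, with openssl, the trust decision the LDAP client makes against tls_cacertfile. Note that in the debug output above subject and issuer are identical, i.e. the server certificate is self-signed, so the CA file has to contain that very certificate; the certificates generated here are constructed throwaways and the asker's /srv/ldap-cacert.pem is not involved.

```shell
#!/bin/sh
# Constructed example: does a CA bundle actually vouch for a server certificate?
# This is the same check ldapsearch / pam_ldap apply to TLS_CACERTFILE.
set -e
WORK=$(mktemp -d)

# Exit 0 only if server cert $2 chains to a CA contained in bundle $1.
ca_signs_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "self-signed" when subject == issuer (as in the question's -d1 output),
# otherwise "ca-signed". Tells you which certificate the CA file must hold.
cert_kind() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Construct a self-signed "LDAP server" certificate and an unrelated CA that
# did not issue it (stand-in for a wrong tls_cacertfile).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sub.example.org/O=test-o" \
    -keyout "$WORK/server.key" -out "$WORK/server.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Some Other CA/O=other" \
    -keyout "$WORK/other.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1

# Verdict for a given CA file: "trusted" or "untrusted".
verdict() {
    if ca_signs_cert "$1" "$WORK/server.pem"; then echo trusted; else echo untrusted; fi
}
# Wrong CA in the file: the "issuer ... not trusted" situation from the question.
verdict_wrong_ca() { verdict "$WORK/other-ca.pem"; }
# File holds the real issuer (for a self-signed cert, the server cert itself).
verdict_right_ca() { verdict "$WORK/server.pem"; }

echo "server cert is $(cert_kind "$WORK/server.pem")"
echo "with other-ca.pem as CA file: $(verdict_wrong_ca)"
echo "with server.pem as CA file:   $(verdict_right_ca)"
```

To run the same check against a real server, fetch its certificate with openssl s_client -connect host:636 -showcerts and feed it to ca_signs_cert together with the configured tls_cacertfile.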