Linux – CA root certificate in pam_ldap configuration will not work without tls_checkpeer no

Tags: debian, linux, pam-ldap, ssl-certificate, Ubuntu

Systems are Debian Squeeze and Ubuntu Precise with identical configurations. Version of libpam-ldap is 184-8.5 on both distros.

Everything works fine with the following configuration in /etc/pam_ldap.conf.

host 10.220.100.11
base ou=companies,ou=asp,ou=sweden,dc=domain,dc=inet
ldap_version 3
ssl on
tls_checkpeer no
binddn svc_unix_auth
bindpw secret
scope sub
timelimit 30
pam_filter objectclass=User
nss_map_attribute uid sAMAccountName
pam_login_attribute sAMAccountName
pam_password crypt
pam_groupdn CN=Linux_Authentication,OU=Groups,OU=ourcompany,OU=Companies,OU=ASP,OU=sweden,DC=domain,DC=inet

Only one change to the pam configuration, in /etc/pam.d/common-auth.

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass

The second line is what was added to enable ldap logins.

As soon as we remove tls_checkpeer no from the file /etc/pam_ldap.conf it fails because the LDAP server has a self-signed certificate.

Tried exporting the root CA certificate in base64 format from the LDAP server and putting it in /etc/ssl/certs with 0644 permissions. Then adding tls_cacertfile /etc/ssl/certs/ldap_server.crt in pam_ldap.conf but this is not helping.

How can I use the root CA and avoid disabling the check for self-signed certificates?

Best Answer

As far as I can tell, pam_ldap uses openssl for its TLS functionality, or uses similar functionality that is built into pam_ldap itself. openssl needs the name of the ca file to be the value of the hash of the subject followed by ".0" or if there is already another ca cert with that hash, increment the 0 to a 1 or a 2 or whatever the next unused number would be. It is generally recommended that you leave the actual CA certificate file name with a friendly name so that you know what it is, and to create a symbolic link to it that has the name that uses the hash of the subject followed by ".0" or whatever the next available number is. To find the hash:

openssl x509 -hash -in /etc/ssl/certs/ldap_server.crt

This will return a hex number, for example ea12345.

To create a symbolic link that openssl and pam_ldap will like:

ln -s /etc/ssl/certs/ldap_server.crt /etc/ssl/certs/ea12345.0

Then remove the "tls_cacertfile /etc/ssl/certs/ldap_server.crt" line and add a line that says "tls_cacertdir /etc/ssl/certs/" in its place. It will hash the subject name of the CA when the LDAP server presents its server certificate and try to find the CA cert file via ea12345.0 as the name, which will find the symlink and be able to open the file.
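The procedure in the answer (hash the CA subject, link the friendly-named file to `<hash>.N`, point `tls_cacertdir` at the directory) as a small POSIX shell script. This is an added example, not code from the question or the answer; the certificate path and directory are placeholders, and it assumes `openssl` is on the PATH. The `.N` suffix logic goes slightly beyond the answer: it walks `.0`, `.1`, `.2` ... until it finds a free name, and reuses an existing link that already points at the same certificate instead of creating a duplicate.

```shell
#!/bin/sh
# Added example (not from the original answer): install a CA certificate under a
# hashed name so OpenSSL-style tls_cacertdir lookup can find it.
# Assumptions: openssl is on PATH; the target directory is writable; paths below
# are placeholders for the ones used on the page.

# Print the first "<cadir>/<hash>.N" that is free (N = 0, 1, 2, ...).
# If a link with that hash already points at <cert>, print that link instead.
next_free_hash_link() {
    cadir=$1; hash=$2; cert=$3
    n=0
    while [ -e "$cadir/$hash.$n" ] || [ -L "$cadir/$hash.$n" ]; do
        if [ -L "$cadir/$hash.$n" ] && \
           [ "$(readlink "$cadir/$hash.$n")" = "$cert" ]; then
            echo "$cadir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "$cadir/$hash.$n"
}

# Subject hash as the answer computes it (openssl x509 -hash).
# Caveat: OpenSSL 0.9.8 (Debian Squeeze) and 1.0.x (Ubuntu Precise) use different
# subject-hash algorithms, so the link name must be generated on each host;
# "openssl x509 -subject_hash_old" prints the 0.9.8-style value on 1.0.x.
subject_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Create the hashed symlink for <cert> in <cadir> and print the link path.
install_ca_link() {
    cert=$1; cadir=$2
    hash=$(subject_hash "$cert") || return 1
    link=$(next_free_hash_link "$cadir" "$hash" "$cert")
    [ -L "$link" ] || ln -s "$cert" "$link"
    echo "$link"
}

# Usage on the page's layout (placeholder paths):
#   install_ca_link /etc/ssl/certs/ldap_server.crt /etc/ssl/certs
```

After the link exists, `openssl verify -CApath /etc/ssl/certs /etc/ssl/certs/ldap_server.crt` confirms the hashed lookup works locally, and `openssl s_client -connect 10.220.100.11:636 -CApath /etc/ssl/certs` shows whether the chain the LDAP server actually presents verifies against it (look for `Verify return code: 0 (ok)`). `c_rehash /etc/ssl/certs` does the same linking for every certificate in the directory at once. One thing worth checking before relying on `tls_cacertdir` at all: if `ldd` on the pam_ldap module shows it linked against GnuTLS rather than OpenSSL, directory-based lookup may not be honoured, and `tls_cacertfile` with the full CA chain is the setting to debug instead.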