Linux – How to install a trusted certificate on client machine to enable LDAP authentication

Tags: ldap, linux, openldap, openssl, ssl

I downloaded a TurnKey Linux OpenLDAP vm instance. It now runs in a vm. I am using this for user account authentication over a network. The client machine is a stock CentOS 7 machine. Everything on both machines is being implemented by OpenLDAP and OpenSSL.

The configuration of everything server-side AFAIK seems to be ok right out of the box (which is the entire concept of the TurnKey Linux distros). I can access its web admin interface over the network, everything seems to be fine except for the fact that I cannot authenticate from the client machine.

I believe I have everything set up properly on the client machine save for one fact: the SSL details on the client aren't set up properly and I'm not very knowledgeable when it comes to that. I want to use my own certificate and my own authority.

Trying to su username from the client machine makes the shell hang for several seconds (as if it were waiting for something). Then the user authentication fails, as opposed to it just quitting immediately when I type in a nonsense user.

Upon investigation, I find the following entries within my system journal:

Nov 15 22:51:03 localhost.localdomain nslcd[16976]: [a5ee64] <group/member="root"> ldap_start_tls_s() failed (uri=ldap://192.168.254.104): Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Nov 15 22:51:03 localhost.localdomain nslcd[16976]: [a5ee64] <group/member="root"> failed to bind to LDAP server ldap://192.168.254.104: Connect error: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
Nov 15 22:51:03 localhost.localdomain nslcd[16976]: [a5ee64] <group/member="root"> no available LDAP server found: Connect error
Nov 15 22:51:03 localhost.localdomain nslcd[16976]: [a5ee64] <group/member="root"> no available LDAP server found: Server is unavailable

How do I make the issuer of the certificate "trusted" on the client machine? What steps do I need to take to accomplish this? I am a complete noob with SSL and honestly, after reading a bunch of things online, I'm still quite confused as to how to remedy the situation.

Best Answer

You need to add the certificate file to your trusted certificate store. I don't have a CentOS VM on hand at the moment, but if I recall, it uses a normal directory containing plain-text X.509 certs with a .crt file extension.

It is likely somewhere under /etc/ssl. Just browse around there or use find until you find where all of the other trusted certs are located. There should be quite a few of them. If you have the certificate, just copy it to that location and make sure the permissions are the same as the other trusted certs.