
Thread: How Do I Disable TLS for LDAP?

  1. #11
    Join Date
    Dec 2008
    Location
    Ile-Aux-Noix, QC
    Posts
    57

    Re: How Do I Disable TLS for LDAP?

    ack! That did it, I ruined everything. Was trying to work with certificates to try and get things functioning, and the whole shebang went to hell and died. I knew I never should've touched any of this stuff. Now all our LDAP data has been destroyed. Luckily I have backups that I can restore, but what a pain...

    Honestly, the option to disable TLS on the client should just have been retained. I knew very well how insecure my setup was, and it didn't matter one bit. This change essentially broke compatibility with the default SLES behaviour. Not cool. We've been running this setup for endless years without a hiccup, I hate it when changes are imposed on me supposedly "for my own good".
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  2. #12
    Join Date
    Dec 2008
    Location
    Ile-Aux-Noix, QC
    Posts
    57

    Re: How Do I Disable TLS for LDAP?

    Great, even after I restored my backups from 4 days ago (before I started any of this), the LDAP server is completely hosed and refuses to start. No useful error message, no clue what's going wrong, it just doesn't work. I swear it seems like it's ignoring anything I put in the slapd.conf file and doing whatever it wants. Nothing I change in slapd.conf makes any difference whatsoever.

    I can't believe I touched any of this ****. I already knew it would break the moment I tried to change it. I never should've touched opensuse 12.2. Apparently I didn't learn my lesson after 12.1. I'm completely screwed, and everyone's yelling at me.
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  3. #13
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,385

    Re: How Do I Disable TLS for LDAP?

    On Fri, 14 Sep 2012 12:36:02 +0000, puregore wrote:

    >> What are the settings for tls_checkpeer in /etc/ldap.conf and
    >> TLS_REQCERT in /etc/openldap/ldap.conf on the client?

    >
    > Hmm, the error message I get is:
    >
    > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
    > verify failed (self signed certificate in certificate chain)
    >
    > How do I disable this certificate check option? Maybe I'm missing
    > something obvious.


    The TLS_REQCERT and tls_checkpeer options are related to this.

    I see from your later posts that you've got some additional server-side
    issues now - while it is SLES and not openSUSE, first question is what
    did you change on the server side?

    Jim


    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  4. #14
    Join Date
    Dec 2008
    Location
    Ile-Aux-Noix, QC
    Posts
    57

    Re: How Do I Disable TLS for LDAP?

    Quote Originally Posted by hendersj:
    I see from your later posts that you've got some additional server-side
    issues now - while it is SLES and not openSUSE, first question is what
    did you change on the server side?
    I changed the certificate info to some other ones I had just created manually. Yast allowed me to make and save the change without issues. But it didn't tell me that openldap failed to restart successfully after the changes. When I tried to use Yast to edit the settings again, it refused to let me because LDAP wasn't currently running (Catch22... you can't fix the brokenness because it's broken).

    My backup restores were failing because I was just sending the restored files into the existing directories without deleting the old ones first. Some redundant files from my earlier attempts to fix the problem were causing openldap to fail miserably.

    I'm now back at where I was 2 days ago. I have TLS/SSL enabled on the server, and I'm using the "Use Common Server Certificate" option. I've copied the certificate file to a client and pointed to it in ldap.conf.

    It still doesn't work. I'm not even sure what the point of slapd.conf is, since any changes I make in Yast are not reflected at all in that file (yet they persist in Yast). I don't understand what it is that Yast is editing.
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  5. #15
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,385

    Re: How Do I Disable TLS for LDAP?

    On Fri, 14 Sep 2012 19:26:02 +0000, puregore wrote:

    > It still doesn't work. I'm not even sure what the point of slapd.conf
    > is,
    > since any changes I make in Yast are not reflected at all in that file
    > (yet they persist in Yast). I don't understand what it is that Yast is
    > editing.


    I'll give it a shot this weekend and let you know what works when I set
    it up. What SP of SLES is the server running? (Just want to make sure
    I'm as close to your setup as I can get)

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  6. #16
    Join Date
    Dec 2008
    Location
    Ile-Aux-Noix, QC
    Posts
    57

    Re: How Do I Disable TLS for LDAP?

    Quote Originally Posted by hendersj:
    I'll give it a shot this weekend and let you know what works when I set
    it up. What SP of SLES is the server running? (Just want to make sure
    I'm as close to your setup as I can get)
    Thanks! I'd really appreciate it.

    SUSE Linux Enterprise Server 11 (x86_64)
    VERSION = 11
    PATCHLEVEL = 1
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  7. #17
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,385

    Re: How Do I Disable TLS for LDAP?

    On Sat, 15 Sep 2012 00:46:01 +0000, puregore wrote:

    > hendersj;2487336 Wrote:
    >>
    >> I'll give it a shot this weekend and let you know what works when I set
    >> it up. What SP of SLES is the server running? (Just want to make sure
    >> I'm as close to your setup as I can get)

    >
    > Thanks! I'd really appreciate it.
    >
    > SUSE Linux Enterprise Server 11 (x86_64)
    > VERSION = 11 PATCHLEVEL = 1


    I've just gone through and set up an openldap2 server, and it looks like
    the necessary change for TLS to work is to add to /etc/openldap/ldap.conf
    on the client the line:

    TLS_REQCERT allow

    This tells the client to request a certificate but if the certificate is
    invalid (ie, the trust chain can't be verified), that'll still use the
    certificate for encryption. You could also import the CA self-signed
    certificate from the server and add it to the chain of trust on the
    client (I didn't configure that, but that's a standard SSL operation so
    should work just fine).

    I verified the operation of SSL by running the following command:

    ldapsearch -h [serverip] -p 389 -ZZ -x

    With the TLS_REQCERT parameter not in the config file, the connection
    failed. With it in there, I was able to get results.

    The only configuration I did on the server was to create a certificate
    and export it as the common certificate for the server, and then using
    the YaST text-based interface (I built the server without a GUI on it),
    just told it to enable SSL/TLS and to use the server's common certificate.

    Worked like a champ.

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  8. #18
    Join Date
    Jul 2008
    Location
    Seattle, WA
    Posts
    17,385

    Re: How Do I Disable TLS for LDAP?

    On Sun, 16 Sep 2012 22:35:34 +0000, Jim Henderson wrote:

    > Worked like a champ.


    Well, that did it for ldapsearch, which uses that config file.

    openSUSE 12.2 uses the "System Security Services Daemon" (sssd), which
    uses a different configuration file.

    To configure the TLS_REQCERT option for sssd, you need to modify /etc/
    sssd/sssd.conf to include (in the domain/default section):

    ldap_tls_reqcert = allow

    Along with the other settings to enable the use of TLS.

    Once I set that up, then I was able to login from a console as well as
    from the display manager (I restarted the machine afterwards to make
    sure).

    You'll probably also want to use configuration options to map the home
    directory - either creating it if it doesn't exist or using the
    automounter - however you've got that configured.

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  9. #19
    Join Date
    Jun 2008
    Location
    Geneva/Switzerland
    Posts
    39

    Re: How Do I Disable TLS for LDAP?

    Hi There,

    Perhaps is this too late, but I have found a workaround :

    I had the same issue on my own infrastructure at home... got 3 children (each with at least one workstation, some with a laptop too), a wife (workstation, laptop, android pad ...), a cat (he is the only one that doesn't authenticate :-)) ) a couple of servers etc... everybody running openSuSE 12.1. Servers run SLES 11.
    The main SLES server owns the LDAP directory, and I authenticate all my home users against the LDAP server home. They have nfs mounts etc, a completely standardized infra.
    I understand very well that I should configure LDAPS and SSL on the LDAP server but... things work well for now and I'll do it one of these days...

    When I installed openSuSE 12.2 on a VM to test it (before the upgrade campaign) I had exactly the same issue: no LDAP TLS check box.
    I first tried almost everything to solve that (even copying the ldap, nsswitch and pam.d configs from previous working 12.1 machines).

    I have solved it like this :

    Login to your workstation as a local user (or root but I would not do that...)
    issue a console
    su to root and launch
    Code:
    # yast2 ldap-client &
    First set up the ldap-client with YaST normally; when the module complains about TLS, just accept to try without TLS. Leave all the TLS/SSL related stuff empty.
    When finished, YaST ldap-client will complain about the fact that it will not be able to connect to the ldap server, ignore this and accept to keep the config.

    Code:
    # vi /etc/ldap.conf
    locate the line :
    Code:
    ssl     start_tls
    comment this line with a dash at the beginning and insert a new line :
    Code:
    ssl      no
    save ldap.conf

    Code:
    #vi /etc/sssd/sssd.conf
    locate the line :
    Code:
    ldap_id_use_start_tls = True
    comment this line with a dash at the beginning and insert a new line :
    Code:
    ldap_id_use_start_tls = False
    save sssd.conf

    restart sssd :
    Code:
    # systemctl restart sssd.service
    try this :
    exit from the root shell, and as normal user
    Code:
    $ yast2 ldap_browser &
    enter root password, and you should be prompted for the ldap credentials. put the ldap password and uncheck the LDAP TLS checkbox.
    You should be able to navigate into the ldap.

    close your session
    login using one of the ldap userid, should work like a charm.
    Box: i7-2700K CPU@3.50GHz | 32GbRAM | 14Tb HDD | nVidia GTX 690 | openSuSE 12.2-64 | KDE 4.8.5
    Lap: Lenovo W510 i7 820QM | 8GbRAM | 500Gb SSD | nVidia Quadro FX 880M | openSuSE12.2-64 | KDE 4.8.5
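Added example, not code from any post in this thread: a small audit that parses an ldap.conf-style file and the [domain/default] section of sssd.conf and classifies the client's TLS posture from the settings discussed in posts #17, #18 and #19 above (TLS_REQCERT / ldap_tls_reqcert set to allow encrypts but accepts an unverifiable certificate; ssl no / ldap_id_use_start_tls = False turns encryption off; a configured CA file is what lets the self-signed server certificate be verified). The file contents and host names are constructed.

```python
import configparser

# Constructed samples with the settings quoted in the thread (not real hosts).
LDAP_CONF = """\
URI ldap://ldap.example.internal
TLS_REQCERT allow
"""
SSSD_CONF = """\
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_id_use_start_tls = False
ldap_tls_reqcert = allow
"""

def parse_ldap_conf(text):
    """ldap.conf style: one 'KEY value' per line, '#' comments, keys case-insensitive."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def parse_sssd_conf(text, section="domain/default"):
    """sssd.conf is INI; configparser lower-cases the keys for us."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp[section]) if cp.has_section(section) else {}

def classify(encrypted, reqcert, has_ca):
    if not encrypted:
        return "off"                   # plaintext binds: passwords on the wire
    if reqcert in ("never", "allow"):
        return "encrypted-unverified"  # any cert accepted, so an active MITM succeeds
    return "verified-explicit-ca" if has_ca else "verified-default-trust"

def ldap_posture(s):
    # 'ssl no' is the pam_ldap/nss_ldap switch; OpenLDAP tools encrypt via -ZZ or ldaps://.
    return classify(s.get("SSL", "").lower() != "no",
                    s.get("TLS_REQCERT", "demand").lower(),
                    "TLS_CACERT" in s or "TLS_CACERTDIR" in s)

def sssd_posture(s):
    return classify(s.get("ldap_id_use_start_tls", "false").lower() == "true"
                    or "ldaps://" in s.get("ldap_uri", ""),
                    s.get("ldap_tls_reqcert", "hard").lower(),
                    "ldap_tls_cacert" in s or "ldap_tls_cacertdir" in s)
```

Pointing the parsers at the real files gives "encrypted-unverified" for the TLS_REQCERT allow workaround and "off" for the ssl no / start_tls False one; "verified-explicit-ca" is the state reached once the server's CA certificate is installed on the client and referenced by TLS_CACERT / ldap_tls_cacert.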

  10. #20
    Join Date
    Jun 2008
    Location
    Norwich, UK
    Posts
    226

    Re: How Do I Disable TLS for LDAP?

    I'm in the same boat as puregore with a 12.1 LDAP server for user authentication running without TLS

    I've made the changes you suggest (Common Server Cert, edit ldap.conf, sssd.conf) and now I can log in from a 12.2 client, but things like YaST's LDAP Client module fail with TLS enabled but will work if TLS is disabled; additionally getent passwd and KDE login show only local users, so it's not a complete solution.

    Do you have any further suggestions?

    Alan
