
Thread: How Do I Disable TLS for LDAP?

  1. #21

    Re: How Do I Disable TLS for LDAP?

    Hi,
    I would like to know if any of you people could solve the problem. I'm an Uruguayan student and I'm working with LDAP/Samba/NFS all together.
    I have the same problem you have, and I need to know which way I'll continue with:
    * make OpenSuSE 12.2 ldap client work without TLS/SSL
    or
    * make my ldap server work with TLS/SSL

    I haven't found a working tutorial for me to read and make all this work!
    Please, I need help. I have not much time left to make this work; I have been around for about a month trying to solve this but I couldn't.

    If any of you could solve it, please tell me how.

    Sorry for my English,

    thanks,
    Nicolás.

  2. #22

    Re: How Do I Disable TLS for LDAP?

    I did it!!!
    Well, at last I could do it!
    I'll write the steps to follow.

    THIS IS HOW TO AUTHENTICATE OpenSuSE 12.2 AGAINST LDAP WITHOUT TLS/SSL :-)

    1) uninstall yast2-ldap-client
    2) make sure you have installed openldap2
    3) install nss_ldap & pam_ldap
    4) in /etc/openldap/ldap.conf add
    BASE dc=example,dc=com
    URI ldap://hostname
    5) in /etc/ldap.conf add
    host hostname
    base dc=example,dc=com
    ssl no
    6) in /etc/nsswitch
    passwd: compat ldap
    group: compat ldap
    7) in /etc/pam.d/common-auth add the line (I added it at the beginning of the file)
    auth sufficient pam_ldap.so
    8) in /etc/pam.d/common-session add the line (I added it at the beginning of the file)
    session sufficient pam_mkhomedir.so

    THAT'S ALL FOLKS !!!

    Have a lot of fun...

    Nicolás.

  3. #23

    Re: How Do I Disable TLS for LDAP?

    I am in the same boat as gsancosme, as a parent using LDAP to authenticate my children's accounts. I am facing many of the same issues as everyone else here. I believe that I should be able to use the GUI interface to set up my machine without command line workarounds. Since openSUSE has decided to remove the ability to turn off SSL/TLS, have any good documents been written up for setting up SSL/TLS using the GUI? And what about the server side using SLES 11 SP1 & SP2?

    From the client perspective, what should I expect in setting this up???
    I click on the "SSL/TLS Configuration" button, which brings a popup with 3 fields: Certificate Directory, CA Certificate File, and CA Certificate URL for Download.

    So in setting this up, do I need to create any certs on my client? Is the URL already set up on the server side (like others, I am using SLES 11 SP2)? If so, what is it? If not, how do I check and set the URL up? There seems to be no GUI for the cert URL, so I will need to know which files need to be touched. The CA Certificate File, is this the cert from the server? Can this field be a full path or just the file name found in the path above in the Certificate Directory? Can the Certificate Directory be any directory, or does it have to be /etc/ssl/certs as is found on my server???

    I have many, many further questions. Personally, I would be happy to get the SSL/TLS setup working correctly, but I have never gotten past the cert issue.

    John

  4. #24

    Re: How Do I Disable TLS for LDAP?

    Quote Originally Posted by Johnfm3 View Post
    The CA Certificate File, is this the cert from the Server?
    I am not sure if it is possible to explain PKI in two words, but ... the SSL model is based on trust. A certificate contains information about its owner and its purpose, and is signed by another certificate which must be known to you and trusted by you. At the top is the CA (Certificate Authority). They are trusted by definition and their keys are well known and usually installed on every system. They can now sign a certificate and you can verify that it is signed by the CA and trust it. So on the client all you need to specify is where the CA certificates are located. They can be stored in a single file, but usually they are already on your system in /etc/ssl/cert.

    Unfortunately CAs are commercial entities and want money for each certificate. So the two other options for private deployments are self-signed certificates or your own Certificate Authority. This write-up explains pretty well how to set up the OpenSSL server side using both options: OpenLDAP Server With Server-Side SSL/TLS and Client Authentication. Not using the GUI, sorry.

    You need just one of the three choices: directory (most common), file (likely in case you are using a self-signed certificate or create your own root CA), or URL, which can be useful for centralized corporate deployment.

  5. #25

    Re: How Do I Disable TLS for LDAP?

    Or you could just put

    ldap_tls_reqcert = allow

    in /etc/sssd/sssd.conf

  6. #26

    Re: How Do I Disable TLS for LDAP?

    These instructions were great. We were about to give up on openSUSE as too hard to get authentication working. One WARNING, however. With openSUSE 12.3, when we implemented this, the computer would hang in the boot-up process for 5 minutes. We found that we needed to remove ldap from the group entry in nsswitch.conf and it would boot normally. It was very confusing, as the error messages where it hung led us in completely different directions, and it was only by reinstalling and going through our changes step by step that we tracked it down.

    Quote Originally Posted by nicotanja View Post
    I did it!!!
    Well, at last I could do it!
    I'll write the steps to follow.

    THIS IS HOW TO AUTHENTICATE OpenSuSE 12.2 AGAINST LDAP WITHOUT TLS/SSL :-)

    1) uninstall yast2-ldap-client
    2) make sure you have installed openldap2
    3) install nss_ldap & pam_ldap
    4) in /etc/openldap/ldap.conf add
    BASE dc=example,dc=com
    URI ldap://hostname
    5) in /etc/ldap.conf add
    host hostname
    base dc=example,dc=com
    ssl no
    6) in /etc/nsswitch
    passwd: compat ldap
    group: compat ldap
    7) in /etc/pam.d/common-auth add the line (I added it at the beginning of the file)
    auth sufficient pam_ldap.so
    8) in /etc/pam.d/common-session add the line (I added it at the beginning of the file)
    session sufficient pam_mkhomedir.so

    THAT'S ALL FOLKS !!!

    Have a lot of fun...

    Nicolás.

  7. #27

    Re: How Do I Disable TLS for LDAP?

    Quote Originally Posted by dbowler View Post
    We found that we needed to remove ldap from the group entry in nsswitch.conf and it would boot normally.
    In addition to the line "group: compat ldap", you need to add a line to nsswitch.conf like this:

    Code:
    initgroups: compat
    Also, such a line can help:

    Code:
    group: compat ldap [NOTFOUND=return] [UNAVAIL=return]
    but I didn't check it.
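Added example, not code from any poster in this thread: a small audit that reads the client files discussed above (the pam_ldap-style /etc/ldap.conf with "ssl no" from #22, the sssd.conf "ldap_tls_reqcert = allow" from #25, and the nsswitch "group" line from #26/#27) and reports what each setting costs you in terms of confidentiality, server authentication, or boot-time availability. The file contents below are constructed samples; only the directive names (ssl, tls_checkpeer, ldap_tls_reqcert, TLS_REQCERT) are real.

```python
import re

# Constructed sample configs (not copied from the thread verbatim).
SAMPLE_LDAP_CONF = "host ldap.example.com\nbase dc=example,dc=com\nssl no\n"
HARDENED_LDAP_CONF = ("host ldap.example.com\nbase dc=example,dc=com\n"
                      "ssl start_tls\ntls_checkpeer yes\n")
SAMPLE_SSSD_CONF = ("[domain/default]\nldap_uri = ldaps://ldap.example.com\n"
                    "ldap_tls_reqcert = allow\n")
SAMPLE_NSSWITCH = "passwd: compat ldap\ngroup: compat ldap\n"


def parse_directives(text):
    """Map lowercase keys to values for 'key value' and 'key = value' lines,
    skipping comments and [section] headers (sssd.conf style)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        m = re.match(r"^([\w.-]+)\s*=?\s*(.*)$", line)
        if m:
            out[m.group(1).lower()] = m.group(2).strip()
    return out


def audit_ldap_client(text):
    """Findings for a pam_ldap /etc/ldap.conf, OpenLDAP ldap.conf or sssd.conf fragment."""
    d = parse_directives(text)
    findings = []
    if d.get("ssl", "").lower() == "no":
        findings.append("plaintext LDAP: bind passwords and directory data cross the network unencrypted")
    reqcert = (d.get("ldap_tls_reqcert") or d.get("tls_reqcert") or "").lower()
    if reqcert in ("allow", "never"):
        findings.append(f"unverified server certificate (reqcert={reqcert}): "
                        "TLS is on but an impersonated server is not detected")
    if d.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: the server certificate is never checked")
    return findings


def audit_nsswitch(text):
    """Flag 'group' lines that consult ldap without the [UNAVAIL=return] action token,
    the situation behind the boot hang reported in this thread."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^\s*group:\s*(.*)$", line)
        if m and "ldap" in m.group(1).split() and "[UNAVAIL=return]" not in m.group(1):
            findings.append("group resolution depends on ldap without an [UNAVAIL=return] "
                            "action: boot-time lookups wait on an unreachable server")
    return findings
```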
