
Thread: How Do I Disable TLS for LDAP?

  1. #1
    Join Date: Dec 2008 | Location: Ile-Aux-Noix, QC | Posts: 57

    How Do I Disable TLS for LDAP?

    opensuse 12.2 seems to be missing the option to disable TLS/SSSD for LDAP. This option was always present before, and now it's gone. There's already a bug report for it (since RC2), but no workaround described anywhere. I can't connect opensuse 12.2 to my infrastructure until I can disable TLS for LDAP.

    So... how do I do that?
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  2. #2
    Join Date: Jul 2008 | Location: Seattle, WA | Posts: 16,873

    Re: How Do I Disable TLS for LDAP?

    On Tue, 11 Sep 2012 22:36:01 +0000, puregore wrote:

    > opensuse 12.2 seems to be missing the option to disable TLS/SSSD for
    > LDAP. This option was always present before, and now it's gone. There's
    > already a bug report for it (since RC2), but no workaround described
    > anywhere. I can't connect opensuse 12.2 to my infrastructure until I can
    > disable TLS for LDAP.
    >
    > So... how do I do that?


    From your post, it's unclear whether you're trying to do this on the
    client side or the server side.

    Can you clarify?

    Jim



    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  3. #3
    Join Date: Dec 2008 | Location: Ile-Aux-Noix, QC | Posts: 57

    Re: How Do I Disable TLS for LDAP?

    Quote Originally Posted by hendersj:
    On Tue, 11 Sep 2012 22:36:01 +0000, puregore wrote:
    From your post, it's unclear whether you're trying to do this on the
    client side or the server side.

    Can you clarify?
    oops, sorry...

    I want to disable TLS/SSSD on the client-side. Our LDAP server (SLES 11) is not configured for TLS. Up until opensuse 12.1, we always had the option of disabling TLS on the client side. Now all of a sudden that option is gone and we can no longer hook opensuse 12.2 into our existing infrastructure.
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  4. #4
    Join Date: Jul 2008 | Location: Seattle, WA | Posts: 16,873

    Re: How Do I Disable TLS for LDAP?

    On Wed, 12 Sep 2012 17:36:02 +0000, puregore wrote:

    > hendersj;2486458 Wrote:
    >> On Tue, 11 Sep 2012 22:36:01 +0000, puregore wrote:
    >> From your post, it's unclear whether you're trying to do this on the
    >> client side or the server side.
    >>
    >> Can you clarify?
    >>

    > oops, sorry...


    No problem - are you using it for user management (using PAM), or in some
    other capacity?

    Also, just to be sure you're aware - you do know that running LDAP
    without TLS puts everything in the clear on the wire (and is thus a
    security risk), yes? (My background is largely directory/LDAP/identity
    related so this is something I'm quite familiar with).

    To disable it for PAM (for example), you'll probably need to modify the
    configuration file (/etc/ldap.conf) directly. Just enable the "ssl"
    parameter and set it to "off", and that should do it.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  5. #5
    Join Date: Dec 2008 | Location: Ile-Aux-Noix, QC | Posts: 57

    Re: How Do I Disable TLS for LDAP?

    Quote Originally Posted by hendersj:
    No problem - are you using it for user management (using PAM)
    Yes, our authentication system uses LDAP to log users in and mount their home directory from the server over NFS. It's a very reliable system we've been using for many years, and I'm hesitant to try and make any changes to it in case I screw it up.

    Quote Originally Posted by hendersj:
    Also, just to be sure you're aware - you do know that running LDAP
    without TLS puts everything in the clear on the wire (and is thus a
    security risk), yes? (My background is largely directory/LDAP/identity
    related so this is something I'm quite familiar with).
    Yep, well aware of this. It's never been much of an issue since our internal network isn't accessible from the outside world. Having said that, I'd love nothing more than to configure the server to use TLS, but every attempt I've made to enable it has failed miserably in the past. I've followed every guide out there, and nothing's ever worked. So we just stuck with a TLS-less LDAP all these years.

    Ironically, this has caused a kind of "vendor lock-in" for us since openSUSE was the only distro left that allowed us to disable TLS on the client side... until now. That's the only reason why we run openSUSE exclusively on all our workstations.

    Quote Originally Posted by hendersj:
    To disable it for PAM (for example), you'll probably need to modify the
    configuration file (/etc/ldap.conf) directly. Just enable the "ssl"
    parameter and set it to "off", and that should do it.
    Actually, I'm pretty sure some of the required modules for TLS-less LDAP aren't even installed anymore, like nss-pam-ldapd.
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  6. #6
    Join Date: Jul 2008 | Location: Seattle, WA | Posts: 16,873

    Re: How Do I Disable TLS for LDAP?

    On Wed, 12 Sep 2012 21:36:01 +0000, puregore wrote:

    > hendersj;2486501 Wrote:
    >> Also, just to be sure you're aware - you do know that running LDAP
    >> without TLS puts everything in the clear on the wire (and is thus a
    >> security risk), yes? (My background is largely directory/LDAP/identity
    >> related so this is something I'm quite familiar with).

    >
    > Yep, well aware of this. It's never been much of an issue since our
    > internal network isn't accessible from the outside world. Having said
    > that, I'd love nothing more than to configure the server to use TLS, but
    > every attempt I've made to enable it has failed miserably in the past.
    > I've followed every guide out there, and nothing's ever worked. So we
    > just stuck with a TLS-less LDAP all these years.


    Might be worth investigating why using TLS-based LDAP isn't working.
    What's the LDAP server that you're using?

    > hendersj;2486501 Wrote:
    >> To disable it for PAM (for example), you'll probably need to modify
    >> the
    >> configuration file (/etc/ldap.conf) directly. Just enable the "ssl"
    >> parameter and set it to "off", and that should do it.

    > Actually, I'm pretty sure some of the required modules for TLS-less LDAP
    > aren't even installed anymore, like nss-pam-ldapd


    nss-pam-ldapd is in the repository - my 12.2 default installation doesn't
    have it, but I can install it.

    Same with pam_ldap - that package wasn't installed by default, but I
    could install it with zypper. But it does seem that that package
    conflicts with nss-pam-ldapd, looks to be an either-or setup (probably
    two packages that provide similar functionality).

    I may have some time over the weekend to set it up and see if I run into
    the same issues you have.

    I've been meaning to play around with this (I have an eDirectory server
    at home myself), but as long as the rfc2307 extensions are installed that
    or the openldap server - or any LDAP server, for that matter - should
    work fine.

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  7. #7
    Join Date: Dec 2008 | Location: Ile-Aux-Noix, QC | Posts: 57

    Re: How Do I Disable TLS for LDAP?

    Quote Originally Posted by hendersj:
    On Wed, 12 Sep 2012 21:36:01 +0000, puregore wrote:
    Might be worth investigating why using TLS-based LDAP isn't working.
    What's the LDAP server that you're using?
    I'm running openldap from SLES11. I've got my certificate files all set up, and the appropriate lines inserted into slapd.conf:

    TLSCertificateFile /etc/ssl/CA/server.crt
    TLSCertificateKeyFile /etc/ssl/CA/server.key
    Then I restart the service. But clients can never connect to it using TLS. I'm really not sure what else I need to get it working. It seems pretty straightforward.
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  8. #8
    Join Date: Jul 2008 | Location: Seattle, WA | Posts: 16,873

    Re: How Do I Disable TLS for LDAP?

    On Fri, 14 Sep 2012 01:16:01 +0000, puregore wrote:

    > hendersj;2486583 Wrote:
    >> On Wed, 12 Sep 2012 21:36:01 +0000, puregore wrote:
    >> Might be worth investigating why using TLS-based LDAP isn't working.
    >> What's the LDAP server that you're using?
    >>
    >>

    > I'm running openldap from SLES11. I've got my certificate files all
    > setup, and the appropriate lines inserted into slapd.conf:
    >
    >> TLSCertificateFile /etc/ssl/CA/server.crt TLSCertificateKeyFile
    >> /etc/ssl/CA/server.key

    >
    > Then I restart the service. But clients can never connect to it using
    > TLS. I'm really not sure what else I need to get it working. It seems
    > pretty straightforward.


    Obvious things to check - is port 636 open (or are you configured on the
    client to do start_tls, which uses TLS on port 389 after the initial
    connection is made)?

    On the client, especially with newer versions of openSUSE (and the LDAP
    clients), there is a certificate check option that looks to validate the
    trust chain back to a trusted CA. If the CA certificate isn't in the
    trust chain, the connection will fail with an untrusted certificate error
    reported in the logs. (Anything in the logs on the client or the server
    during an authentication attempt?)

    What are the settings for tls_checkpeer in /etc/ldap.conf and TLS_REQCERT
    in /etc/openldap/ldap.conf on the client?

    Jim
    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  9. #9
    Join Date: Dec 2008 | Location: Ile-Aux-Noix, QC | Posts: 57

    Re: How Do I Disable TLS for LDAP?

    Quote Originally Posted by hendersj:
    Obvious things to check - is port 636 open (or are you configured on the
    client to do start_tls, which uses TLS on port 389 after the initial
    connection is made)?
    All ports are open, there's no firewall on either the server or the clients (the firewall is elsewhere).

    Quote Originally Posted by hendersj:
    On the client, especially with newer versions of openSUSE (and the LDAP
    clients), there is a certificate check option that looks to validate the
    trust chain back to a trusted CA. If the CA certificate isn't in the
    trust chain, the connection will fail with an untrusted certificate error
    reported in the logs. (Anything in the logs on the client or the server
    during an authentication attempt?)

    What are the settings for tls_checkpeer in /etc/ldap.conf and TLS_REQCERT
    in /etc/openldap/ldap.conf on the client?
    Hmm, the error message I get is:

    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

    How do I disable this certificate check option? Maybe I'm missing something obvious.
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?

  10. #10
    Join Date: Dec 2008 | Location: Ile-Aux-Noix, QC | Posts: 57

    Re: How Do I Disable TLS for LDAP?

    oops, forgot to mention: the ldap.conf settings on the client are:

    uri ldap://server01
    base dc=home,dc=projectgmc,dc=com
    TLS never

    Those settings are all there from Yast, I didn't edit any of them manually.
    Frank Gore
    - '78 Trans Am, Pontiac 400... oops, wrong forum!
    - 2008 Kona Hoss, custom built from scratch... oops, wrong forum again!
    ...bah! Forget it! Who needs a sig anyways?
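An added client-side audit, written for this page rather than taken from the thread or from openSUSE, that checks the settings the replies above name: ssl, tls_checkpeer and tls_cacertfile from pam_ldap's /etc/ldap.conf, and TLS_REQCERT / TLS_CACERT from /etc/openldap/ldap.conf. It assumes keys are case-insensitive in both files; the sample configs are constructed, and the CA path in the hardened sample is a placeholder.

```python
from typing import Dict, List, Tuple

# Constructed samples: the client config from post #10 with the "ssl off" of
# post #4 added, a config that verifies the peer but has no CA (post #9), and a hardened one.
CLEARTEXT_CONF = """\
uri ldap://server01
base dc=home,dc=projectgmc,dc=com
ssl off
"""
MISSING_CA_CONF = "uri ldap://server01\nssl start_tls\ntls_checkpeer yes\n"
HARDENED_CONF = """\
uri ldap://server01
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/CA/ca.crt   # assumed placeholder path to the signing CA cert
"""

def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; '#' comments are dropped and keys folded to lower case."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings, worst first; an empty list means nothing to fix."""
    findings: List[Tuple[str, str]] = []
    ssl_mode = settings.get("ssl", "off").lower()
    tls_in_use = ssl_mode != "off" or settings.get("uri", "").lower().startswith("ldaps://")
    verifies = (settings.get("tls_checkpeer", "yes").lower() != "no"
                and settings.get("tls_reqcert", "demand").lower() not in ("never", "allow"))
    has_ca = bool(settings.get("tls_cacertfile") or settings.get("tls_cacert"))
    if not tls_in_use:
        findings.append(("cleartext", "binds and directory data cross the wire unencrypted;"
                         " use 'ssl start_tls' on 389 or an ldaps:// URI on 636"))
    elif not verifies:
        findings.append(("no-verify", "server certificate is never validated, so any host"
                         " can impersonate the directory; keep checking on and install the CA"))
    elif not has_ca:
        findings.append(("no-ca", "verification is on but no CA file is configured, so a"
                         " private CA fails with 'certificate verify failed'; set tls_cacertfile"))
    return findings
```

Running it over the three samples reports cleartext, no-ca and nothing respectively; the no-ca case is the remedy for the "self signed certificate in certificate chain" error, as opposed to turning the check off.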
