
Thread: How to setup LDAP

  1. #1

    How to setup LDAP

    I have several computers on a small network that I recently upgraded from 11.2 to 13.1. Previously I was using LDAP, without TLS, to maintain the users and passwords. After the upgrade I am trying to recreate the database but I'm always getting connection problems. From what I've been able to figure out, somewhere along the way between 11.2 and 13.1 they made it mandatory for LDAP clients to connect to the server using TLS/SSL even if you uncheck the box in the YaST ldap client module. I've tried two things:
    First, I tried to setup TLS/SSL certificates following the instructions at
    Code:
    http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_obsolete.html
    and at
    Code:
    http://www.zarafa.com/wiki/index.php/Configure_OpenLDAP_with_SSL/TLS
    Depending on how I have the configuration set up, it either gives me the error
    Code:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
    or it says something about "hostname does not match CN in peer certificate".
    Second, I tried to patch up the client to work without TLS using the instructions at
    Code:
    https://forums.opensuse.org/english/get-technical-help-here/install-boot-login/478283-how-do-i-disable-tls-ldap.html
    That just plain didn't work. It made the computer take forever to boot and login and still wouldn't let me become one of the LDAP users.
    Also, the very first symptom that I noticed on these computers is that if I have a bash shell up as root I can su to an LDAP user, but if I'm a local user and I try to su to an LDAP user it says something about "unable to authenticate". So it sees the server and knows that the user exists, but it isn't talking right.
    Right now, the computer I am working on is both the LDAP server and a client. Once I get it working on this machine I'll duplicate the configuration to the other computers.
    Honestly if anyone could point me to a current manual on how to install LDAP or configure certificates that would be appreciated. Everything I have been able to find is mostly out of date. For instance I've found things that say to edit slapd.conf, but it isn't being used anymore because the settings are stored in a back-end database.
    Thanks for your help.

  2. #2
    Join Date
    Jun 2008
    Location
    West Yorkshire, UK
    Posts
    3,611

    Re: How to setup LDAP

    openSUSE offers a default /etc/openldap/ldap.conf file where you should configure a server and /etc/ldap.conf for configuring the client; you should be able to change the cn entry to match the certificate.

  3. #3

    Re: How to setup LDAP

    I got it back to the place where it gives me the CN error. I ran:
    Code:
    # generate a 2048-bit RSA private key
    openssl genrsa -out /etc/pki/trust/anchors/private.pem 2048
    # issue a self-signed certificate for that key, valid for three years
    openssl req -new -x509 -key /etc/pki/trust/anchors/private.pem -out /etc/pki/trust/anchors/yoda.pem -days 1095
    # rebuild the system trust store so the new certificate is trusted
    update-ca-certificates
    When the "openssl req" command asked for the CN I entered "yoda.mei"
    Then I started up the yast ldap server module and pointed it to the new certificate.
    I added the line "cn yoda.mei" to /etc/openldap/ldap.conf and restarted the ldap service.
    I copied the yoda.pem file to a common area, opened the yast ldap client module, and pointed it to the new certificate. It gives me the error
    Code:
    TLS: hostname does not match CN in peer certificate
    I think I'm either entering the wrong thing for the CN or I'm using the wrong syntax in the ldap.conf file or both.

  4. #4
    Join Date
    Jun 2008
    Location
    West Yorkshire, UK
    Posts
    3,611

    Re: How to setup LDAP

    cn stands for common name or canonical name; “yoda.mei” doesn't seem at first sight to fit that description.
    I would assume that hostname refers to the site where the server is running, either /etc/HOSTNAME or a website.

  5. #5

    Re: How to setup LDAP

    That worked, thanks!
    /etc/HOSTNAME says "yoda" so I re-ran all the steps from before, but entered "yoda" instead of "yoda.mei". I accidentally forgot to update the cn entry in the ldap.conf file and it started giving me the self-signed error, but after fixing that it started working with no issues.
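The two errors in this thread are two different client-side checks: "certificate verify failed (self signed certificate)" means the client does not trust the issuer (the server certificate has to be in the client's trust store, e.g. via TLS_CACERT), while "hostname does not match CN in peer certificate" means the name the client connects to is not one of the names in the certificate. The script below is an added example, not code from the thread or from openSUSE: it issues a self-signed certificate that carries both the FQDN and the short hostname in a subjectAltName, reproduces the CN-only certificate from post #3, and uses `openssl verify -verify_hostname` to test each name exactly the way a client would, before touching YaST. The names "yoda" and "yoda.mei" are the thread's; the file names, the work directory and the three-year lifetime are assumptions, and it needs OpenSSL 1.1.1 or later for `-addext` and `-verify_hostname`.

```shell
#!/bin/sh
# Added example, not code from the thread. Issues a self-signed server
# certificate covering both the FQDN and the short hostname, then asks
# OpenSSL which names a TLS client would accept for it.
# Assumptions: OpenSSL >= 1.1.1, file names below, 1095-day lifetime.

# make_cert DIR FQDN SHORT
# Self-signed cert with CN=FQDN plus a subjectAltName listing both names.
# Clients that check names look at the SAN first and only fall back to the
# CN when no DNS SAN is present, so the SAN is what makes this portable.
# Keep the private key OUT of /etc/pki/trust/anchors: only the certificate
# is a trust anchor, and update-ca-certificates reads every PEM file there.
make_cert() {
    dir=$1
    fqdn=$2
    short=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -keyout "$dir/server-key.pem" -out "$dir/server-cert.pem" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn,DNS:$short" >/dev/null 2>&1
}

# make_cn_only_cert DIR NAME
# What a plain "openssl req -new -x509" with an interactive CN produces:
# a subject CN and no subjectAltName, so only the exact CN can ever match.
make_cn_only_cert() {
    dir=$1
    name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -keyout "$dir/cn-key.pem" -out "$dir/cn-cert.pem" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# hostname_ok CA_FILE CERT_FILE NAME
# Exit 0 only when CERT_FILE chains to CA_FILE (the "self signed
# certificate" check) AND NAME matches the certificate (the "hostname does
# not match" check). For a self-signed cert, CA_FILE is the cert itself.
hostname_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# demo: reproduce the thread's mismatch and show the SAN certificate fixing it.
demo() {
    work=$(mktemp -d) || return 1
    make_cn_only_cert "$work" yoda.mei
    make_cert "$work" yoda.mei yoda
    for name in yoda.mei yoda; do
        for cert in cn-cert server-cert; do
            if hostname_ok "$work/$cert.pem" "$work/$cert.pem" "$name"; then
                echo "$cert.pem  $name  match"
            else
                echo "$cert.pem  $name  MISMATCH"
            fi
        done
    done
    rm -rf "$work"
}

# Run "sh this-script.sh demo" to print the comparison table.
case "${1:-}" in demo) demo ;; esac
```

On a real host, feed `make_cert` the names clients actually use, typically `$(hostname -f)` and `$(hostname -s)`, and add any other name that appears in a client's server URI; a name that is not in the certificate fails the check no matter what the CN says. The `hostname_ok` function is the quick way to find out whether a remaining failure is a trust problem or a name problem: if it fails with the certificate as its own CA file, the name is wrong; if `openssl verify` fails without `-verify_hostname`, the client is not trusting the certificate.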
