Thread: LDAP Client refuses to use TLS, but ldapsearch is working...

  1. #1

    LDAP Client refuses to use TLS, but ldapsearch is working...

    Hello,

    LDAP server:
    I have to connect to a Debian LDAP server to authenticate users.
    On it I made a CA certificate, and with it I signed a Server Certificate and a Client one.
    It requires clients to use ldaps!

    LDAP client not working:
    As always I have an openSUSE server, 13.1 this time.
    I use the YaST LDAP Client to use LDAP for User Authentication.
    I imported the CA certificate from the LDAP server and gave it to the YaST LDAP Client module, in the SSL/TLS Configuration pane.
    I selected "Use TLS for Identity Resolve", but I need SSL (ldaps).

    But when I click OK to save my configuration, I get this error:
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)"
    If I made a CA certificate on Debian that signed a Server Certificate used by the Debian LDAP server, why does it say "self signed certificate"?

    ldapsearch:
    So I searched the Internet for hours.

    I put "TLS_REQCERT never" in /etc/openldap/ldap.conf.
    I'd rather not do this, but because of the "self signed certificate" error, I need to do it to get ldapsearch working.
    Again, I don't understand why it's a "self signed certificate".
    I tried: ldapsearch -H ldaps://xxxxxxxxxxx -D "uid=xxxxxxxxxxxxxxxx,o=xxxxxxxxx" -W -d 1
    And it exits with success!

    Errors:
    But the YaST LDAP Client TLS certificates give this error ("error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)").
    And trying to connect via ssh with an LDAP account gives me:
    2014-06-24T10:36:31.217794+02:00 vijet sshd[32403]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.42 user=vincent.marechal
    2014-06-24T10:36:31.218378+02:00 vijet sshd[32403]: pam_sss(sshd:auth): received for user vincent.marechal: 10 (User not known to the underlying authentication module)
    2014-06-24T10:36:33.760763+02:00 vijet sshd[32401]: error: PAM: User not known to the underlying authentication module for illegal user vincent.marechal from 172.16.0.42
    2014-06-24T10:36:33.761517+02:00 vijet sshd[32401]: Failed keyboard-interactive/pam for invalid user vincent.marechal from 172.16.0.42 port 49791 ssh2

    I can use my Debian LDAP server from other servers with pam_ldap, and then connect to it with ssh.
    On my openSUSE, I can do an ldapsearch, but it needs "TLS_REQCERT never".
    But openSUSE uses the pam sssd module and I can't get it to work.

    I'm lost, and it was the last point to configure to have my whole server and services to work for my school.
    I hope someone can help me.

    Thanks in advance,

    Vincent MARECHAL

  2. #2

    Re: LDAP Client refuses to use TLS, but ldapsearch is working...

    Shouldn't you have "TLS_REQCERT allow" instead of never if you're using self-signed certificates?
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/

  3. #3

    Re: LDAP Client refuses to use TLS, but ldapsearch is working...

    Hello Miuku,

    Thanks a lot for your reply.
    Well, I did not have "TLS_REQCERT" in the ldap.conf and ldapsearch wasn't working, giving the self-signed error.

    Then I put this: "TLS_REQCERT never" and it worked...
    But if I should put "TLS_REQCERT allow", I'll put it, as I saw on a Novell page.

    ldapsearch is working.
    But it's this YaST LDAP Client that is giving me problems. It installs sssd.
    I use LDAP for User Authentication and select "Use TLS for Identity Resolve".
    But when clicking OK, I get "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)".

    And I don't understand: if I made a CA certificate on my Debian, then made a signed Server certificate and used it in my slapd, why do I get this self-signed error in the YaST LDAP Client on my SUSE...?

    Thanks again.
    Kind regards,

    Vincent MARECHAL

  4. #4

    Re: LDAP Client refuses to use TLS, but ldapsearch is working...

    You should place the certificate in the trusted store; take a looksee here for instructions/hints:

    https://forums.opensuse.org/showthre...ed-self-signed
    and
    https://forums.opensuse.org/showthre...il-server-ldap
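An added example, not from the thread or from openSUSE, that reproduces the failing check offline: it builds a constructed CA, a server certificate signed by that CA, and a server certificate that is itself self-signed, runs openssl verify against each, and prints the ldap.conf lines that trust the CA instead of switching verification off. All file names and hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the check behind
# "certificate verify failed (self signed certificate)" offline with openssl,
# using constructed CA / server / self-signed certificates (all names assumed).
set -u

# verify_reason CA_FILE CERT_FILE
# Prints OK when CERT_FILE chains to CA_FILE, SELF_SIGNED when the leaf is
# self-signed and not trusted (the reason the YaST client reported), OTHER otherwise.
verify_reason() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        echo OK
    elif echo "$out" | grep -qi 'self.signed'; then
        echo SELF_SIGNED
    else
        echo OTHER
    fi
}

# ldap_conf_snippet CA_FILE
# Prints the /etc/openldap/ldap.conf lines that make libldap trust the CA,
# instead of switching verification off with TLS_REQCERT never.
ldap_conf_snippet() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

WORK=$(mktemp -d)
# Constructed CA: a self-signed root, like the one made on the Debian server.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Server certificate signed by that CA: the chain the client should be able to build.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
# Server certificate that is itself self-signed: verifying it against the CA
# fails with exactly the "self signed certificate" reason seen in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ldap.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/selfsigned.crt" 2>/dev/null

echo "CA-signed server cert:   $(verify_reason "$WORK/ca.crt" "$WORK/server.crt")"
echo "self-signed server cert: $(verify_reason "$WORK/ca.crt" "$WORK/selfsigned.crt")"
ldap_conf_snippet /etc/ssl/certs/ldap-ca.crt
```

Note that sssd has its own TLS settings (ldap_tls_cacert and ldap_tls_reqcert in sssd.conf) that take precedence over the libldap defaults, which is why ldapsearch and an sssd-based client can behave differently against the same server.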

  5. #5

    Re: LDAP Client refuses to use TLS, but ldapsearch is working...

    Hello Miuku,

    I found these two pages and tested everything I found (well, I think so).
    I tried post 9 of the second one, as suggested in the first page.

    Without success.

    I spent a lot of hours searching.
    It's all working with ldapsearch, and with other servers and client software.

    But the openSUSE LDAP Client is the only one using sssd, and I don't know if that is related.

    Thanks again.
    Kind regards,

    Vincent MARECHAL

  6. #6

    Re: LDAP Client refuses to use TLS, but ldapsearch is working...

    Hello,

    I redid all the configs on a new 13.1.
    I made a new CA and server certificates on my Debian LDAP server.

    In 13.1, in the YaST LDAP Client, I keep getting:
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)"

    I searched the Internet a lot more.
    I tried a lot of things.
    Nothing gave me the solution.

    I put TLS_REQCERT allow in /etc/openldap/ldap.conf;
    no matter, I get the same error.

    Please help.
    Thanks,

    Vincent
