
Thread: Authentication Server / LDAP / Directory Server

  1. #1

    Authentication Server / LDAP / Directory Server

    Hi
    This seems incurably broken! It looks like openldap has been replaced by directory server, but the documentation has not been updated. I have tried repeatedly, but cannot seem to make this work, and I am particularly struggling to find enough documentation about the TLS certificate side of things, which is where it seems to trip up.
    Has anybody got this working at all? If so can you give me some pointers?
    Many thanks.

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    10,797
    Blog Entries
    1

    Re: Authentication Server / LDAP / Directory Server

    AFAIK there haven't been many significant changes from LEAP 15.0 to 15.1 regarding this topic, but there is an enormous change from what existed before.

    Current documentation which should work...

    Overall Security docs
    https://doc.opensuse.org/documentati....security.html

    LDAP related starts with section 4 in the above, link below
    https://doc.opensuse.org/documentati...rity.auth.html

    For setting up TLS specifically,
    See step 4 in the "Procedure 4.2" section at the following link
    And assumes you have your certificate created and ready to use (noting that the YaST CA module may be missing or not functional)
    https://doc.opensuse.org/documentati...ver.config.tls


    If you think that the docs really don't make sense, post some specifics for people to take a look at...

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3

    Re: Authentication Server / LDAP / Directory Server

    Quote Originally Posted by tsu2:
    AFAIK there haven't been many significant changes from LEAP 15.0 to 15.1 regarding this topic, but there is an enormous change from what existed before.

    Current documentation which should work...
    ....deleted...
    If you think that the docs really don't make sense, post some specifics for people to take a look at...

    TSU
    I have tried both 15.0 and 15.1, with the same results. This is my first experience of SUSE in about 15 years - I have been in the Debian / Ubuntu world in that time, so I am not entirely sure of all the details and how things work!!

    I believe the docs show all the old-style YaST interface to OpenLDAP, whereas the new option in YaST looks entirely different.

    It insists on having TLS certificates before it will continue, and when it does go it creates the database but fails with the following message:

    [13/Jun/2019:20:43:41.488638314 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
    Your new directory server has been started.
    Your new DS instance 'SWORD_LDAP' was successfully created.
    Exiting . . .
    Log file is '/tmp/setupQB_L_H.log'


    2019-06-13 20:43:41 +0100
    2019-06-13 20:43:41 +0100
    pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
    pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

    So, it downloads and installs the 389-ds server (not OpenLDAP) and tries to configure it, but fails.
    If I go back into the create option in YaST, it fails again, this time because the server already exists.
    I cannot communicate with the server because the authentication does not work, and there is NO documentation that I can find that relates to 389-DS and openSUSE, so I can't even figure out what to do from the command line - which I am trying to avoid by moving to openSUSE!!
    There is no option within YaST to edit the configuration of the server anywhere, and if I try to connect to it in the user and group management option, that fails too - the server is running but is not contactable. Its configuration is stored internally (no config files), so I cannot see how to move forward with this.

    Any help is much appreciated, as I am keen to make the move rather than go back to the ubuntu world.
    Thanks

  4. #4

    Re: Authentication Server / LDAP / Directory Server

    How was your certificate created, where did it come from and how is it managed?
    Your error suggests that you may have problems using the certificate.

    xca was recommended to manage your domain certificates in this thread; after a brief skim of the documentation I support it, too.

    BTW -
    To make console results more legible, it's recommended to enclose them in the CODE tags, which is the hash button in the web text editor for this forum software; it results in the following
    Code:
    Console commands and output
    TSU

  5. #5

    Re: Authentication Server / LDAP / Directory Server

    I used command line tools to create the certificates - the setup tool does not ever ask for the password for the certificate (don't know if it should?)
    I also tried it with TinyCA, and got the same result.

    I think you perhaps meant to put in a link to a thread, but it doesn't appear to have worked. I will have a look at xca.
    Thanks

  6. #6

    Re: Authentication Server / LDAP / Directory Server

    Quote Originally Posted by gdsword:
    I used command line tools to create the certificates - the setup tool does not ever ask for the password for the certificate (don't know if it should?)
    I also tried it with TinyCA, and got the same result.

    I think you perhaps meant to put in a link to a thread, but it doesn't appear to have worked. I will have a look at xca.
    Thanks
    Yes,
    At the time TinyCA did not work (it's news to me if it's working now)
    The discussion when this was discussed

    https://forums.opensuse.org/showthre...a-module-in-15

    See if the certificate used by YaST to set up your Authentication Server can be opened by a normal, non-root User (as a public cert, should be possible and not a security risk).

    TSU

  7. #7

    Re: Authentication Server / LDAP / Directory Server

    I have tried with xca several times and always end up with a message
    Code:
    2019-06-18 12:39:38 +0100
    certutil: could not decode certificate: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
    As far as I can tell the certificates can be opened OK, although the above message suggests something wrong in how the certificate is formatted - maybe it is something specific that xca and TinyCA cannot handle?
    I have found some Red Hat instructions using certutil - I will try that when I get a chance and see if it works any better.
    Thanks
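    The SEC_ERROR_BAD_DER message above is what the NSS tools report when they are handed bytes that do not parse as DER; one frequent cause is a PEM (base64, "-----BEGIN CERTIFICATE-----") file passed to certutil without its -a option, which makes it read the input as binary DER. The following is an added example, not code from the thread or from 389-ds, that tells the two encodings apart and checks that a DER blob's outer SEQUENCE header is consistent with its length before you import it; the sample blobs are constructed for the example and are not real certificates.

```python
import base64
import re

# Added example, not from the thread: tell PEM from DER before handing a
# certificate to the NSS tools (certutil reads binary DER unless given -a).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify(data: bytes) -> str:
    """'pem', 'der' or 'unknown', judged from the leading bytes only."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":  # DER SEQUENCE tag; every X.509 cert starts with it
        return "der"
    return "unknown"

def pem_to_der(data: bytes) -> bytes:
    """Base64-decode the first PEM block (what certutil -a does internally)."""
    m = PEM_BLOCK.search(data)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()), validate=True)

def der_total_length(data: bytes) -> int:
    """Parse the outer SEQUENCE header; return the header + content length it claims."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length header")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_certificate_bytes(data: bytes, assume_der: bool = False) -> dict:
    """Report the detected format and whether the DER encoding is self-consistent.
    assume_der=True mimics certutil without -a: the bytes are taken as DER as-is."""
    fmt = "der" if assume_der else classify(data)
    try:
        der = pem_to_der(data) if fmt == "pem" else data
        der_ok = der_total_length(der) == len(der)
    except ValueError:
        der_ok = False
    return {"format": fmt, "der_ok": der_ok}

# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

    Run check_certificate_bytes() over the file you are about to import; a "pem" result means certutil needs -a (or the file needs converting to DER first), and der_ok False on a "der" file points at a truncated or corrupted export rather than at certutil.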

  8. #8

    Re: Authentication Server / LDAP / Directory Server

    Quote Originally Posted by gdsword:
    I have tried with xca several times and always end up with a message
    Code:
    2019-06-18 12:39:38 +0100
    certutil: could not decode certificate: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
    As far as I can tell the certificates can be opened OK, although the above message suggests something wrong in how the certificate is formatted - maybe it is something specific that xca and TinyCA cannot handle?
    I have found some Red Hat instructions using certutil - I will try that when I get a chance and see if it works any better.
    Thanks
    I don't know if DER has changed over time...
    But on the chance it has,
    Is your CA server running on the same machine as your LDAP authentication server, or the same distro and version?

    TSU