How Do I Disable TLS for LDAP?

opensuse 12.2 seems to be missing the option to disable TLS/SSSD for LDAP. This option was always present before, and now it’s gone. There’s already a bug report for it (since RC2), but no workaround described anywhere. I can’t connect opensuse 12.2 to my infrastructure until I can disable TLS for LDAP.

So… how do I do that?

On Tue, 11 Sep 2012 22:36:01 +0000, puregore wrote:

> opensuse 12.2 seems to be missing the option to disable TLS/SSSD for
> LDAP. This option was always present before, and now it’s gone. There’s
> already a bug report for it (since RC2), but no workaround described
> anywhere. I can’t connect opensuse 12.2 to my infrastructure until I can
> disable TLS for LDAP.
>
> So… how do I do that?

From your post, it’s unclear whether you’re trying to do this on the
client side or the server side.

Can you clarify?

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

oops, sorry…

I want to disable TLS/SSSD on the client-side. Our LDAP server (SLES 11) is not configured for TLS. Up until opensuse 12.1, we always had the option of disabling TLS on the client side. Now all of a sudden that option is gone and we can no longer hook opensuse 12.2 into our existing infrastructure.

On Wed, 12 Sep 2012 17:36:02 +0000, puregore wrote:

> hendersj;2486458 Wrote:
>> On Tue, 11 Sep 2012 22:36:01 +0000, puregore wrote:
>> From your post, it’s unclear whether you’re trying to do this on the
>> client side or the server side.
>>
>> Can you clarify?
>>
> oops, sorry…

No problem - are you using it for user management (using PAM), or in some
other capacity?

Also, just to be sure you’re aware - you do know that running LDAP
without TLS puts everything in the clear on the wire (and is thus a
security risk), yes? (My background is largely directory/LDAP/identity
related so this is something I’m quite familiar with).

To disable it for PAM (for example), you’ll probably need to modify the
configuration file (/etc/ldap.conf) directly. Just enable the “ssl”
parameter and set it to “off”, and that should do it.

Jim

Yes, our authentication system uses LDAP to log users in and mount their home directory from the server over NFS. It’s a very reliable system we’ve been using for many years, and I’m hesitant to try and make any changes to it in case I screw it up.

Yep, well aware of this. It’s never been much of an issue since our internal network isn’t accessible from the outside world. Having said that, I’d love nothing more than to configure the server to use TLS, but every attempt I’ve made to enable it has failed miserably in the past. I’ve followed every guide out there, and nothing’s ever worked. So we just stuck with a TLS-less LDAP all these years.

Ironically, this has caused a kind of “vendor lock-in” for us since openSUSE was the only distro left that allowed us to disable TLS on the client side… until now. That’s the only reason why we run openSUSE exclusively on all our workstations rotfl!

Actually, I’m pretty sure some of the required modules for TLS-less LDAP aren’t even installed anymore, like nss-pam-ldapd.

On Wed, 12 Sep 2012 21:36:01 +0000, puregore wrote:

> hendersj;2486501 Wrote:
>> Also, just to be sure you’re aware - you do know that running LDAP
>> without TLS puts everything in the clear on the wire (and is thus a
>> security risk), yes? (My background is largely directory/LDAP/identity
>> related so this is something I’m quite familiar with).
>
> Yep, well aware of this. It’s never been much of an issue since our
> internal network isn’t accessible from the outside world. Having said
> that, I’d love nothing more than to configure the server to use TLS, but
> every attempt I’ve made to enable it has failed miserably in the past.
> I’ve followed every guide out there, and nothing’s ever worked. So we
> just stuck with a TLS-less LDAP all these years.

Might be worth investigating why using TLS-based LDAP isn’t working.
What’s the LDAP server that you’re using?

> hendersj;2486501 Wrote:
>> To disable it for PAM (for example), you’ll probably need to modify
>> the
>> configuration file (/etc/ldap.conf) directly. Just enable the “ssl”
>> parameter and set it to “off”, and that should do it.
> Actually, I’m pretty sure some of the required modules for TLS-less LDAP
> aren’t even installed anymore, like nss-pam-ldapd

nss-pam-ldapd is in the repository - my 12.2 default installation doesn’t
have it, but I can install it.

Same with pam_ldap - that package wasn’t installed by default, but I
could install it with zypper. But it does seem that that package
conflicts with nss-pam-ldapd, looks to be an either-or setup (probably
two packages that provide similar functionality)

I may have some time over the weekend to set it up and see if I run into
the same issues you have.

I’ve been meaning to play around with this (I have an eDirectory server
at home myself), but as long as the RFC 2307 extensions are installed,
that or the openldap server - or any LDAP server, for that matter - should
work fine.

Jim

I’m running openldap from SLES11. I’ve got my certificate files all setup, and the appropriate lines inserted into slapd.conf:

TLSCertificateFile /etc/ssl/CA/server.crt
TLSCertificateKeyFile /etc/ssl/CA/server.key

Then I restart the service. But clients can never connect to it using TLS. I’m really not sure what else I need to get it working. It seems pretty straightforward.

On Fri, 14 Sep 2012 01:16:01 +0000, puregore wrote:

> hendersj;2486583 Wrote:
>> On Wed, 12 Sep 2012 21:36:01 +0000, puregore wrote:
>> Might be worth investigating why using TLS-based LDAP isn’t working.
>> What’s the LDAP server that you’re using?
>>
>>
> I’m running openldap from SLES11. I’ve got my certificate files all
> setup, and the appropriate lines inserted into slapd.conf:
>
>> TLSCertificateFile /etc/ssl/CA/server.crt TLSCertificateKeyFile
>> /etc/ssl/CA/server.key
>
> Then I restart the service. But clients can never connect to it using
> TLS. I’m really not sure what else I need to get it working. It seems
> pretty straightforward.

Obvious things to check - is port 636 open (or are you configured on the
client to do start_tls, which uses TLS on port 389 after the initial
connection is made)?

On the client, especially with newer versions of openSUSE (and the LDAP
clients), there is a certificate check option that looks to validate the
trust chain back to a trusted CA. If the CA certificate isn’t in the
trust chain, the connection will fail with an untrusted certificate error
reported in the logs. (Anything in the logs on the client or the server
during an authentication attempt?)

What are the settings for tls_checkpeer in /etc/ldap.conf and TLS_REQCERT
in /etc/openldap/ldap.conf on the client?

Jim

All ports are open, there’s no firewall on either the server or the clients (the firewall is elsewhere).

Hmm, the error message I get is:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)

How do I disable this certificate check option? Maybe I’m missing something obvious.

oops, forgot to mention; the ldap.conf settings on the client are:

uri ldap://server01
base dc=home,dc=projectgmc,dc=com
TLS never

Those settings are all there from Yast, I didn’t edit any of them manually.

ack! That did it, I ruined everything. Was trying to work with certificates to try and get things functioning, and the whole shebang went to hell and died. I knew I never should’ve touched any of this stuff. Now all our LDAP data has been destroyed. Luckily I have backups that I can restore, but what a pain…

Honestly, the option to disable TLS on the client should just have been retained. I knew very well how insecure my setup was, and it didn’t matter one bit. This change essentially broke compatibility with the default SLES behaviour. Not cool. We’ve been running this setup for endless years without a hiccup, I hate it when changes are imposed on me supposedly “for my own good”.

Great, even after I restored my backups from 4 days ago (before I started any of this), the LDAP server is completely hosed and refuses to start. No useful error message, no clue what’s going wrong, it just doesn’t work. I swear it seems like it’s ignoring anything I put in the slapd.conf file and doing whatever it wants. Nothing I change in slapd.conf makes any difference whatsoever.

I can’t believe I touched any of this ****. I already knew it would break the moment I tried to change it. I never should’ve touched opensuse 12.2. Apparently I didn’t learn my lesson after 12.1. I’m completely screwed, and everyone’s yelling at me.

On Fri, 14 Sep 2012 12:36:02 +0000, puregore wrote:

>> What are the settings for tls_checkpeer in /etc/ldap.conf and
>> TLS_REQCERT in /etc/openldap/ldap.conf on the client?
>
> Hmm, the error message I get is:
>
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed (self signed certificate in certificate chain)
>
> How do I disable this certificate check option? Maybe I’m missing
> something obvious.

The TLS_REQCERT and tls_checkpeer options are related to this.

I see from your later posts that you’ve got some additional server-side
issues now - while it is SLES and not openSUSE, first question is what
did you change on the server side?

Jim

I changed the certificate info to some other ones I had just created manually. Yast allowed me to make and save the change without issues. But it didn’t tell me that openldap failed to restart successfully after the changes. When I tried to use Yast to edit the settings again, it refused to let me because LDAP wasn’t currently running (Catch-22… you can’t fix the brokenness because it’s broken).

My backup restores were failing because I was just sending the restored files into the existing directories without deleting the old ones first. Some redundant files from my earlier attempts to fix the problem were causing openldap to fail miserably.

I’m now back at where I was 2 days ago. I have TLS/SSL enabled on the server, and I’m using the “Use Common Server Certificate” option. I’ve copied the certificate file to a client and pointed to it in ldap.conf.

It still doesn’t work. I’m not even sure what the point of slapd.conf is, since any changes I make in Yast are not reflected at all in that file (yet they persist in Yast). I don’t understand what it is that Yast is editing.

On Fri, 14 Sep 2012 19:26:02 +0000, puregore wrote:

> It still doesn’t work. I’m not even sure what the point of slapd.conf
> is,
> since any changes I make in Yast are not reflected at all in that file
> (yet they persist in Yast). I don’t understand what it is that Yast is
> editing.

I’ll give it a shot this weekend and let you know what works when I set
it up. What SP of SLES is the server running? (Just want to make sure
I’m as close to your setup as I can get)

Jim

Thanks! I’d really appreciate it.

SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1

On Sat, 15 Sep 2012 00:46:01 +0000, puregore wrote:

> hendersj;2487336 Wrote:
>>
>> I’ll give it a shot this weekend and let you know what works when I set
>> it up. What SP of SLES is the server running? (Just want to make sure
>> I’m as close to your setup as I can get)
>
> Thanks! I’d really appreciate it.
>
> SUSE Linux Enterprise Server 11 (x86_64)
> VERSION = 11 PATCHLEVEL = 1

I’ve just gone through and set up an openldap2 server, and it looks like
the necessary change for TLS to work is to add to /etc/openldap/ldap.conf
on the client the line:

TLS_REQCERT allow

This tells the client to request a certificate, but if the certificate is
invalid (i.e., the trust chain can’t be verified), it’ll still use the
certificate for encryption. You could also import the CA self-signed
certificate from the server and add it to the chain of trust on the
client (I didn’t configure that, but that’s a standard SSL operation so
should work just fine).

I verified the operation of SSL by running the following command:

ldapsearch -h [serverip] -p 389 -ZZ -x

With the TLS_REQCERT parameter not in the config file, the connection
failed. With it in there, I was able to get results.

The only configuration I did on the server was to create a certificate
and export it as the common certificate for the server, and then using
the YaST text-based interface (I built the server without a GUI on it),
just told it to enable SSL/TLS and to use the server’s common certificate.

Worked like a champ.

Jim
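
Jim’s two replies above (the trust-chain check under “Obvious things to check” and the TLS_REQCERT allow result) describe the client-side verification behind puregore’s “certificate verify failed (self signed certificate in certificate chain)”. The script below is an added example, not code from this thread, from openSUSE or from OpenLDAP: it builds a throwaway CA and server certificate with openssl, reproduces the same X509 verification error (number 19) when the client has the chain but does not trust the CA, and shows it succeeding once the CA file is supplied the way TLS_CACERT does. The CA name and the server01 hostname are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and server
# certificate with openssl, then reproduce the two verification outcomes
# discussed in the thread. The X509 error number openssl prints is the one
# behind "certificate verify failed (self signed certificate in certificate
# chain)": 19 = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
# "Example Lab CA" and "server01" are made-up names for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private CA plus a server certificate signed by it. On the server these would
# be TLSCACertificateFile / TLSCertificateFile / TLSCertificateKeyFile in slapd.conf.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # CN must match the name clients use in "uri ldap://server01"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=server01" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -days 1 -sha256 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# The client sees the whole chain (server sent its CA cert along) but has not
# been told to trust that CA. Prints the X509 error number; 19 is the forum error.
untrusted_chain_error_code() {
    openssl verify -untrusted "$WORK/ca.crt" "$WORK/server.crt" 2>&1 \
        | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# The client trusts the CA file given as $1, which is what
#   TLS_CACERT /etc/openldap/certs/ca.crt   (with TLS_REQCERT demand, the default)
# in /etc/openldap/ldap.conf does for ldapsearch. Exit status 0 = accepted.
verify_with_trusted_ca() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

make_test_pki
echo "CA not trusted      -> openssl X509 error $(untrusted_chain_error_code)"
if verify_with_trusted_ca "$WORK/ca.crt"; then
    echo "CA file supplied    -> certificate accepted, TLS_REQCERT demand would succeed"
fi
```

`TLS_REQCERT allow` makes the encrypted session come up without fixing the trust problem, so whoever answers on port 389 can present any certificate and the client will still bind through it. Copying ca.crt to the clients and pointing TLS_CACERT (or ldap_tls_cacert in sssd.conf) at it, while leaving TLS_REQCERT at its default of demand, is the fix the error message is asking for; on the server the same ca.crt goes in TLSCACertificateFile so slapd sends the chain.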

On Sun, 16 Sep 2012 22:35:34 +0000, Jim Henderson wrote:

> Worked like a champ.

Well, that did it for ldapsearch, which uses that config file.

openSUSE 12.2 uses the “System Security Services Daemon” (sssd), which
uses a different configuration file.

To configure the TLS_REQCERT option for sssd, you need to modify
/etc/sssd/sssd.conf to include (in the domain/default section):

ldap_tls_reqcert = allow

Along with the other settings to enable the use of TLS.

Once I set that up, then I was able to login from a console as well as
from the display manager (I restarted the machine afterwards to make
sure).

You’ll probably also want to use configuration options to map the home
directory - either creating it if it doesn’t exist or using the
automounter - however you’ve got that configured.

Jim

Hi There,

Perhaps is this too late, but I have found a workaround :

I had the same issue on my own infrastructure at home: I’ve got 3 children (each with at least one workstation, some with a laptop too), a wife (workstation, laptop, Android pad…), a cat (he is the only one that doesn’t authenticate :-)) ), a couple of servers etc… everybody running openSUSE 12.1. Servers run SLES 11.
The main SLES server owns the LDAP directory, and I authenticate all my home users against the LDAP server home. They have NFS mounts etc., a completely standardized infra.
I understand very well that I should configure LDAPS and SSL on the LDAP server but… things work well for now and I’ll do it one of these days…

When I installed openSUSE 12.2 on a VM to test it (before the upgrade campaign) I had exactly the same issue: no LDAP TLS check box.
I first tried almost everything to solve it (even copying the ldap, nsswitch and pam.d configs from previous working 12.1 machines).

I have solved it like this :

Login to your workstation as a local user (or root but I would not do that…)
issue a console
su to root and launch

# yast2 ldap-client &

First set up the ldap-client with YaST normally; when the module complains about TLS, just accept that it will try without TLS. Leave all the TLS/SSL related stuff empty.
When finished, YaST ldap-client will complain that it will not be able to connect to the LDAP server; ignore this and accept to keep the config.

# vi /etc/ldap.conf

locate the line :

ssl     start_tls

comment this line with a dash at the beginning and insert a new line :

ssl      no 

save ldap.conf

# vi /etc/sssd/sssd.conf

locate the line :

ldap_id_use_start_tls = True

comment this line with a dash at the beginning and insert a new line :

ldap_id_use_start_tls = False

save sssd.conf

restart sssd :

# systemctl restart sssd.service

try this :
exit from the root shell, and as a normal user

$ yast2 ldap_browser &

enter the root password, and you should be prompted for the LDAP credentials. Enter the LDAP password and uncheck the LDAP TLS checkbox.
You should be able to navigate into the ldap.

close your session
login using one of the ldap userid, should work like a charm.
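
Jim’s sssd reply and the workaround above together touch four settings in three files: `ssl` and `tls_checkpeer` in /etc/ldap.conf, `TLS_REQCERT` in /etc/openldap/ldap.conf, and `ldap_id_use_start_tls` / `ldap_tls_reqcert` in /etc/sssd/sssd.conf. As an added example (not code from this thread, from openSUSE or from sssd), the script below reads those settings and flags the combinations that give cleartext or unauthenticated LDAP. It runs against two constructed config sets written to a temp dir: the thread’s workaround and a hardened equivalent. The CA path /etc/openldap/certs/ca.crt in the hardened set is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit the client-side LDAP files for the
# settings that turn LDAP into cleartext or unauthenticated TLS. The sample
# configs are constructed for the demo; file roles follow the thread
# (/etc/ldap.conf, /etc/openldap/ldap.conf, /etc/sssd/sssd.conf).
set -eu

# Value of a "key value" or "key = value" line, last match wins, key matched
# case-insensitively, comments skipped. sssd.conf section headers are ignored
# (simplification: a real checker should scope to the [domain/...] section).
conf_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            key = line; sub(/[[:space:]=].*$/, "", key)
            if (tolower(key) != want) next
            val = substr(line, length(key) + 1)
            sub(/^[[:space:]]*=?[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            found = val
        }
        END { if (found != "") print found }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# One WARN:/OK: line per check. $1 = pam_ldap/nss_ldap ldap.conf,
# $2 = OpenLDAP client ldap.conf, $3 = sssd.conf.
audit_ldap_client() {
    ssl=$(lower "$(conf_get "$1" ssl)");            uri=$(conf_get "$1" uri)
    checkpeer=$(lower "$(conf_get "$1" tls_checkpeer)")
    reqcert=$(lower "$(conf_get "$2" TLS_REQCERT)"); cacert=$(conf_get "$2" TLS_CACERT)
    starttls=$(lower "$(conf_get "$3" ldap_id_use_start_tls)")
    sssd_uri=$(conf_get "$3" ldap_uri)
    sssd_reqcert=$(lower "$(conf_get "$3" ldap_tls_reqcert)")

    # pam_ldap: no ldaps:// and no "ssl start_tls"/"ssl on" means cleartext binds.
    enc=no
    case "$uri" in ldaps://*) enc=yes ;; esac
    case "$ssl" in start_tls|on|yes) enc=yes ;; esac
    if [ "$enc" = yes ]; then echo "OK:   ldap.conf: transport encrypted (ssl=${ssl:-unset}, uri=${uri:-unset})"
    else echo "WARN: ldap.conf: ssl=${ssl:-unset} with uri=${uri:-unset}: bind passwords cross the wire in cleartext"; fi
    # tls_checkpeer no: encrypted, but to whoever answers on the port.
    if [ "$checkpeer" = no ]; then echo "WARN: ldap.conf: tls_checkpeer no disables server certificate validation"; fi

    # OpenLDAP libraries (ldapsearch): allow/try/never accept a bad or missing certificate.
    case "$reqcert" in
        allow|try|never) echo "WARN: openldap/ldap.conf: TLS_REQCERT $reqcert leaves the server unauthenticated (MITM possible)" ;;
        *) echo "OK:   openldap/ldap.conf: TLS_REQCERT ${reqcert:-demand (default)}, CA file ${cacert:-unset}" ;;
    esac

    # sssd: ldap_id_use_start_tls defaults to false; only ldaps:// rescues that.
    senc=no
    case "$sssd_uri" in ldaps://*) senc=yes ;; esac
    if [ "$starttls" = true ]; then senc=yes; fi
    if [ "$senc" = yes ]; then echo "OK:   sssd.conf: transport encrypted"
    else echo "WARN: sssd.conf: ldap_id_use_start_tls=${starttls:-unset} with ldap_uri=${sssd_uri:-unset}: cleartext lookups"; fi
    case "$sssd_reqcert" in
        allow|never) echo "WARN: sssd.conf: ldap_tls_reqcert $sssd_reqcert leaves the server unauthenticated" ;;
        *) echo "OK:   sssd.conf: ldap_tls_reqcert ${sssd_reqcert:-hard (default)}" ;;
    esac
}

# Number of WARN lines for the three files in directory $1.
warning_count() {
    audit_ldap_client "$1/ldap.conf" "$1/openldap-ldap.conf" "$1/sssd.conf" | grep -c '^WARN' || true
}

# Constructed samples: the thread's workaround (weak) and a hardened equivalent.
write_weak_samples() {
    printf 'uri ldap://server01\nbase dc=home,dc=projectgmc,dc=com\nssl no\n' > "$1/ldap.conf"
    printf 'TLS_REQCERT allow\n' > "$1/openldap-ldap.conf"
    printf '[domain/default]\nldap_uri = ldap://server01\nldap_id_use_start_tls = False\nldap_tls_reqcert = allow\n' > "$1/sssd.conf"
}
write_hardened_samples() {
    printf 'uri ldap://server01\nbase dc=home,dc=projectgmc,dc=com\nssl start_tls\ntls_checkpeer yes\n' > "$1/ldap.conf"
    printf 'TLS_CACERT /etc/openldap/certs/ca.crt\nTLS_REQCERT demand\n' > "$1/openldap-ldap.conf"
    printf '[domain/default]\nldap_uri = ldap://server01\nldap_id_use_start_tls = True\nldap_tls_reqcert = demand\nldap_tls_cacert = /etc/openldap/certs/ca.crt\n' > "$1/sssd.conf"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/weak" "$WORK/hardened"
write_weak_samples "$WORK/weak"; write_hardened_samples "$WORK/hardened"
for profile in weak hardened; do
    echo "== $profile: $(warning_count "$WORK/$profile") warning(s)"
    audit_ldap_client "$WORK/$profile/ldap.conf" "$WORK/$profile/openldap-ldap.conf" "$WORK/$profile/sssd.conf"
done
```

The weak set produces four warnings: `ssl no` and `ldap_id_use_start_tls = False` put binds and lookups on the wire in cleartext, and `TLS_REQCERT allow` / `ldap_tls_reqcert = allow` keep the encryption but drop server authentication. The hardened set pairs demand with a CA file on both the OpenLDAP and sssd sides, which is the configuration the thread is working towards. Point the three arguments of `audit_ldap_client` at the real files to check a workstation.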

I’m in the same boat as puregore, with a 12.1 LDAP server for user authentication running without TLS.

I’ve made the changes you suggest (Common Server Cert, edit ldap.conf, sssd.conf) and now I can log in from a 12.2 client, but things like YaST’s LDAP Client module fail with TLS enabled and only work if TLS is disabled; additionally, getent passwd and KDE login show only local users, so it’s not a complete solution.

Do you have any further suggestions?

Alan