Installing LDAP, TLS problems, openSUSE 12.2

I want to setup LDAP, initially for authentication (later for NIS like functions). I am having difficulty with the TLS feature in the Yast LDAP Server and Yast LDAP Client setup dialogs.

I have been operating two comparable openSUSE 12.2 (64) computers. At present the two machines are independent of each other and each uses its own password authentication.

What I want to do is to set up an LDAP server and LDAP client on one machine using the Yast LDAP Service and Yast LDAP Client setup dialogs. After I am comfortable with that installation and have experimented with LDAP on that machine, I want to create an LDAP client (with Yast LDAP Client) on the second machine and then use the LDAP server to authenticate for both machines.

Both Yast LDAP Service and Yast LDAP Client require TLS to work. I am having difficulties setting up the TLS and getting the Yast LDAP Server and Yast LDAP Client installations on the same computer to recognize each other. So far the only internet information I can find about openSUSE and TLS for LDAP involves people who want an option to avoid TLS. I just want to set up the server and client in the manner set out in Chapter 4 of the openSUSE 12.2 Security Guide.

Using YAST LDAP Server, I think I have set up the LDAP Server properly. I created a Root CA and server certificate with YAST CA Management and imported that into YAST Common Server Certificate (generally as described in Chapter 15 of the Security Guide). YAST LDAP Server recognizes that a Common Server Certificate had been created and imported the Common Server Certificate information into the TLS entry blocks in the YAST LDAP Server dialog. The YAST LDAP Server dialog completed without error.

The Yast LDAP Client is a different story. Frankly, I don’t understand enough about certificates, TLS, and the location of the pertinent files to know exactly what information should be entered in the Yast LDAP Client entry blocks for TLS. The Security Guide, p.55, merely states: “4. If TLS or SSL-protected communication with the server is required select LDAP TLS/SSL. Click Download CA Certificate to download a certificate in PEM format from a URL.” The dialog to do this asks for specific file locations or a URL. I don’t know what the proper file locations are. So far my guesses about the files have all resulted in an error message (after executing “finish” in the YAST LDAP Client dialogs) to the effect that the TLS information is incorrect and no connection with the server has been made.

What I need to know includes:

  1. What TLS entries should be made in Yast LDAP Client dialogs?

  2. Am I missing some important step, e.g. Yast CA Management allows a Root CA to create a “client certificate” (I didn’t create such a certificate because I didn’t see anything on how it is used)?

  3. After I get the server and client on the first machine working, how do I configure YAST LDAP Client on the second machine to connect to the server on the first machine?

Any help will be appreciated.

  1. Address of LDAP Servers: the common name of the server’s certificate, which should be the server’s real host name, as shown by:
     srv:~ # hostname --long
  2. Because both the LDAP server and client are located on the same machine, in the SSL/TLS configuration just indicate the CA certificate and directory:
     Certificate Directory: /etc/ssl/certs
     CA Certificate File: /etc/ssl/certs/YaST-CA.pem
  3. In Advanced Configuration/Administration Settings, check Administrator DN. It should be like: cn=Administrator,dc=example,dc=com
  4. Save all the settings and open LDAP Browser; after entering the password it should open the DB OK.

You can google PKI infrastructure. You don’t need a client certificate for setup of LDAP. It is used, for example, for client authentication in a web server.

I didn’t try because I didn’t need this, but it should be the same configuration as above (don’t forget to add a firewall exception for the LDAP server, add the LDAP server host name in /etc/hosts, and check that it is accessible), except the TLS conf. If you can put the CA cert on a web server then you can press Download CA Certificate and it should be automatically configured, or you could do it manually.
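The two things the answer above hinges on (the CA file really being the PEM certificate that signed the server certificate, and the server certificate's CN matching the host name given as "Address of LDAP Servers") can be checked from a shell before touching the YaST dialogs. The script below is an added example, not part of the original thread and not openSUSE or YaST code; it builds a throw-away test CA and server certificate with openssl in a temporary directory (the names Test CA, Other CA and ldap.example.com are constructed), and the check function takes the paths you would otherwise type into the client dialog, such as /etc/ssl/certs/YaST-CA.pem.

```shell
#!/bin/sh
# Offline sanity checks for the files an LDAP client is pointed at.
# Added example; paths and host names below are constructed, not real ones.

# ca_file_is_pem_cert FILE -> 0 if FILE parses as a PEM X.509 certificate
# (a common mistake is pointing the client at a key file or a DER blob)
ca_file_is_pem_cert() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# cert_cn FILE -> prints the subject CN of the certificate in FILE
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_ldap_tls_files CA_FILE SERVER_CERT HOSTNAME -> 0 when
#   - CA_FILE is a PEM certificate,
#   - CA_FILE signed SERVER_CERT (openssl verify reports OK),
#   - SERVER_CERT's CN equals HOSTNAME, the name the client will dial.
# Non-zero return codes tell you which of the three checks failed.
check_ldap_tls_files() {
    ca=$1; srv=$2; host=$3
    ca_file_is_pem_cert "$ca" \
        || { echo "CA file $ca is not a PEM certificate" >&2; return 1; }
    openssl verify -CAfile "$ca" "$srv" 2>/dev/null | grep -q ': OK$' \
        || { echo "$srv is not signed by $ca" >&2; return 2; }
    cn=$(cert_cn "$srv")
    [ "$cn" = "$host" ] \
        || { echo "server cert CN '$cn' != host name '$host'" >&2; return 3; }
    return 0
}

# make_test_pki -> prints a temp dir holding a constructed CA (ca.pem), an
# unrelated CA (other-ca.pem) and a server cert for ldap.example.com signed
# by ca.pem (srv.pem). Throw-away material for exercising the checks only.
make_test_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.com" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/srv.pem" >/dev/null 2>&1
    echo "$dir"
}
```

On a real machine you would call `check_ldap_tls_files /etc/ssl/certs/YaST-CA.pem /etc/ssl/servercerts/servercert.pem "$(hostname --long)"` (the server certificate path is an assumption; use wherever Common Server Certificate placed it). Once the files pass, the live equivalent of the LDAP Browser step is `ldapsearch -x -ZZ -H ldap://$(hostname --long) -b dc=example,dc=com`, where `-ZZ` makes ldapsearch refuse to continue unless StartTLS succeeds, so a certificate or host name mismatch surfaces as an explicit error instead of a silent plaintext fallback.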