LDAP server :
I’ve to connect to a Debian LDAP server to authenticate users.
I made on it a CA certificate and with it I signed a Server Certificate, and a Client one.
It needs clients to use ldaps !
LDAP client not working :
I’ve as always an OpenSuSE server, 13.1 this time.
I user Yast LDAP Client to use LDAP for User Authentication.
I imported from the LDAP server the CA certificate and gave it to Yast LDAP Client module, in the SSL/TLS Configuration pane.
I celected “Use TLS for Identity Resolve” but need SSL (ldaps).
But when I click OK to save my configuration, I get this error :
“error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)”
If I made a CA certificate on Debian, that signed a Server Certificate used by Debian LDAP server, why does it say “self signed certificate” ?
So I searched Internet during hours.
I put in /etc/openldap/ldap.conf “TLS_REQCERT never”.
I’d like not to do this, but because of the “self signed certificate” error, I need to do it to get ldapsearch working.
Again I don’t undestand why it’s “self signed certificate”.
I tried : ldapsearch -H ldaps://xxxxxxxxxxx -D “uid=xxxxxxxxxxxxxxxx,o=xxxxxxxxx” -W -d 1
And it exits with success !
But Yast LDAP Client TLS certificates make this error (“error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)”).
And tring to connect why ssh and a LDAP account give me :
2014-06-24T10:36:31.217794+02:00 vijet sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.42 user=vincent.marechal
2014-06-24T10:36:31.218378+02:00 vijet sshd: pam_sss(sshd:auth): received for user vincent.marechal: 10 (User not known to the underlying authentication module)
2014-06-24T10:36:33.760763+02:00 vijet sshd: error: PAM: User not known to the underlying authentication module for illegal user vincent.marechal from 172.16.0.42
2014-06-24T10:36:33.761517+02:00 vijet sshd: Failed keyboard-interactive/pam for invalid user vincent.marechal from 172.16.0.42 port 49791 ssh2
I can use my Debian LDAP server from other server with pam_ldap, and connect then to it with ssh.
I my openSuSE, I can make a ldapsearch, but needs “TLS_REQCERT never”
But openSuSE uses pam sssd module and I can’t get it to work.
**I’m lost, and it was the last point to configure to have my whole server and services to work for my school.
I hope someone can help me.
Thanks in advance,