LDAP on FC3 - buggy or is it me?!

From: Mark (msalists_at_gmx.net)
Date: 06/30/05

  • Next message: Julius Smith: "Re: FC4 good new tech, bad legacy support" 
    To: <fedora-list@redhat.com>
Date: Thu, 30 Jun 2005 14:06:59 -0700

    Hi everybody,

    I have been fighting with FC3 for a while now, trying to get authentication to work via LDAP.
    The configuration that worked under FC1 (using TLS) did not work under FC3, apparently because FC1 would do TLS without verifying
    the server certificate, whereas FC3 had this security whole closed. So I got to a point where my certificates where fine and FC3
    would do LDAP via TLS for everything (finger, getent, ldapsearch, etc), except for the logon password authentication.

    Finally, I found the solution by accident, and it has to do with using the "host" vs "URI" directive:
    The only way I can login to the system is with /etc/ldap.conf using "host":

    base dc=mydomain,dc=com
    host ldap1.hq.mydomain.com:636
    pam_password md5
    ssl yes
    TLS_CACERT /etc/mydomain/ppkeys/public_keys/self-ca.mydomain.com.crt.pem

    "ldapsearch -x", however, only works with the "URI" directive in /etc/openldap/ldap.conf:

    base dc=mydomain,dc=com
    URI ldaps://ldap1.hq.mydomain.com
    pam_password md5
    ssl yes
    TLS_CACERT /etc/mydomain/ppkeys/public_keys/self-ca.mydomain.com.crt.pem

    Does anybody know what is going on with this? Is this just a bug in openLDAP?
    What is really the difference between these two ways?

    I saw a post somewhere saying that the openLDAP version shipped with FC3 is rather buggy and unstable. Unfortunately, there is no
    update available. I tried installing the FC4 openLDAP RPMs, but had too many problems with missing libcrypto and other libraries,
    and I dont want to mess up the rest of the system by trying to patch in FC4 RPMs...

    BTW, in case this gives any more clues: the only way I got phpLDAPAdmin (0.9.6c) to work is this:
    $servers[$i]['name'] = 'ldap1.hq';
    $servers[$i]['host'] = 'ldaps://ldap1.hq.mydomain.com';
    $servers[$i]['base'] = 'dc=mydomain,dc=com';
    $servers[$i]['port'] = 636;
    $servers[$i]['auth_type'] = 'session';
    $servers[$i]['login_dn'] = 'cn=Administrator,dc=mydomain,dc=com';
    $servers[$i]['login_pass'] = 'secret';
    $servers[$i]['tls'] = false;
    $servers[$i]['low_bandwidth'] = false;
    $servers[$i]['default_hash'] = 'ssha';
    $servers[$i]['login_attr'] = 'dn';
    $servers[$i]['login_string'] = 'uid=<username>,ou=People,dc=example,dc=com';
    $servers[$i]['login_class'] = '';
    $servers[$i]['read_only'] = false;
    $servers[$i]['show_create'] = true;
    $servers[$i]['disable_anon_bind'] = false;
    $servers[$i]['custom_pages_prefix'] = 'custom_';
    $servers[$i]['unique_attrs_dn'] = '';
    $servers[$i]['unique_attrs_dn_pass'] = '';

    Thanks,

    MARK 

    -- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
  • Next message: Julius Smith: "Re: FC4 good new tech, bad legacy support"

    Relevant Pages