Re: CentOS7: Setting up ldap over TLS in kickstart file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Thu, 14 Jun 2018, Patrick Begou wrote:

Hi,

I'm facing a problem with setting up LDAP+TLS client authentication in a kickstart script on CentOS7 for several days.

Setting up manualy the config with system-config-authentication works but I need to automate this in kickstart for deploying cluster nodes.
This show that the server side is running fine.

At this time the message is

#systemctl status sssd

| ....
sssd[be[default]][2732]: Could not start TLS encryption. error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)|

In my kickstart file I use:
auth  --useshadow --enableldaptls --enablecache  --passalgo=sha512 --enableldap --enableldapauth --ldapserver="ldaps://my.ldap.server.fr" --ldapbasedn=dc=my,dc=base,dc=dn

Then in a post install script I download the server and ca certificates and stops nslcd that I do not use:

echo "TLS_REQCERT allow">>/etc/openldap/ldap.conf
cd /etc/openldap/cacerts/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/ca-bundle.crt && ln -s ca-bundle.crt $(openssl x509 -hash -in ca-bundle.crt -noout).0 cd /etc/openldap/certs/ && wget http://xxx.xxx.xxx.xxx/Softwares7/LDAPCERTS/server.crt
cd /
systemctl disable nslcd

I'm unable to see what system-config-authentication is doing more in it's setup.

Thanks for your help

I'm a bit stumped. My recipe was similar:

authconfig --enableshadow --passalgo=sha512 --enablefingerprint --enableldap --enableldapauth --ldapserver=ldap.ourcompany.com --ldapbasedn=dc=ourcompany,dc=com --enablecache --enableldaptls

then, in %post:

curl http://www.ourcompany.com/ca/ca.crt \
     -s -o /etc/openldap/cacerts/ca.ourcompany.com.pem
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts


And that did the trick.

The main difference is that you install a bundle of certifcates rather than a single one. There are two issues:

1. Hashing a certificate bundle does no good as far as I know. Hashes
   only work on a single cert, right?

2. Unless told otherwise, openssl looks in only one place for a cert
   bundle: ${OPENSSLDIR}/cert.pem (where the value of OPENSSLDIR can
   be discovered by running "openssl version -d").

You might take a peek at the ldap_tls_cacertdir discussion in the sssd-ldap(5) man page, which specifies that certificates should be in individual files.

My suggestion would be to isolate the CA certificate used to sign your LDAP server certs, install that as a separate file in ldap_tls_cacertdir, and run cacertdir_rehash to get the hash correct.

--
Paul Heinlein
heinlein@xxxxxxxxxx
45°38' N, 122°6' W
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux