Re: [389-users] PAM-LDAP LDAPS Where (in /etc/ldap.conf) to hardcode the keyfile-password (which name=value pair) ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Rich, et al, hello. Thanks to everybody for all the help to date - quite incredible really.

I've done my research but have nothing positive to report.

I believe I was mistaken when I thought I could simply configure nss_ldap/pam_ldap to use a client SSL cert
when binding to FDS :

http://www.nabble.com/Using-certificate-per-host-to-secure-communication-to-OpenLDAP-td19371786.html

http://www.nabble.com/Using-tls_cert-key-without-rootbinddn-td9089498.html

Apparantly the secure tunel is used, the OS's certificate is 'validated' by FDS but no LDAP bind is performed.

I reckon we'll put the password, in clear text, in the file /etc/ldap.conf and protect the file.

Also, I think one must leave the client's (Linux O/S) secret key-file without a password.

Cdlt, Dave
--------------

Rich, hello and, as ever, thanks for the helpful reply. One very quick question and
a quick technote 'for the record'.
  
< You write, '... It probably won't, unless you either hardcode the clear text password ...' Q1: Hardcode where ? Is there an attribute in /etc/ldap.conf specifically for the keyfile password ?
I have no idea - all I know is that if you need a password to unlock the private key, you need to store it somewhere.
< You write, '... or simply have no key password ...' For the record, I reckon I need the '-noDES' option if I don't want a key file password: openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days 7300 -nodes <<EOF
...
EOF
  
For reference: http://www.openssl.org/docs/apps/req.html# I'll let you all know if my PAM-LDAP Linux login works when using client-certificates for binding to LDAP.
Ok. Thanks again,
-----

> Date: Tue, 12 May 2009 09:31:16 -0600
> From: rmegg...@xxxxxxxxxx
> To: fedora-directory-users@xxxxxxxxxx
> CC: lamba...@xxxxxxxxxxx
> Subject: Re: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate
>
> lamba...@xxxxxxxxxxx wrote:
> > Hello everybody and, firstly, thanks for your continued support.
> >
> > I hope I've used the correct _expression_/jargon, ie:PAM-LDAP ?
> >
> > PAM-LDAP works with LDAPS and binding with cn=Directory
> > Manager/password hardcoded in /etc/ldap.conf - great stuff.
> Except for the fact that you have the directory manager clear text
> password hardcoded in ldap.conf :-(
> > This was configured using the GUI
> > '/usr/sbin/system-config-authentication' - also great stuff !
> >
> > Symbolic Link pointing to the CA certificate: Q1. I've searched the
> > web but cannot find what purpose the symbolic link serves.
> > ----------------------------------------
> >
> > # ls -toalr /etc/openldap/cacerts
> > -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
> > lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 ->
> > authconfig_downloaded.pem
> >
> >
> > Client Certificate etc.
> > --------------------------
> > I'm now experimenting with client certificates and have found the
> > following link:
> >
> > http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
> >
> > and see the following example lines for the file /etc/ldap.conf:
> > tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
> > tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)
> >
> > Q2. ldap.key.pem: Is this file simply the $FN.key file created by the
> > following command ?
> > Will I have trouble if I specify '-passout' ? I assume it protects the
> > file $FN.key.
> > How will PAM-LDAP open the keystore if I have used a password ?
> It probably won't, unless you either hardcode the clear text password,
> or simply have no key password.
> >
> > openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout
> > pass:<password> 0<< EOF >/dev/null 2>&1
> > <SNIP>
> >
> > Q3. ldap.pem: Is this file simply the $FN.pem file created by the
> > following command ?
> >
> > openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile
> > $DIR/demoCA/private/cakey.pem \
> > -cert $DIR/demoCA/cacert.pem \
> > -passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
> > <SNIP>
> >
> > Thanks again, cdlt,

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux