
HowTO: Setup an LDAP server and Client CentOS 6.2

Hello Stratus_ss,

Can we use this to create a Global Address Book for Microsoft Outlook? I've got postfix installed on FreeBSD and currently don't have a global address book, which I want to create. I've read here and there, but it seems there's no clue on how to set it up for Microsoft Outlook. The only hint I can find is that we can create a global address book for Outlook using LDAP. Thanks.

PREAMBLE: OK, so I have been struggling with this for a while because of an "undocumented feature", or at least undocumented from what I could find. I have read 2 RHCE books thus far. Neither of them gave any indication as to what the problem was or how to fix it. I have spent more time than I would like to admit on this problem, and that's why I thought I should lay out exactly what I did to get this working.
 
You sure can, though I don't have much experience with what you're asking.

IBM often has good tutorials for this sort of thing.

You can also find tutorials for Outlook which also will help you along

EDIT: PHP LDAP Admin has templates and a nice interface for creating address book entries
 
Thanks for your reply Stratus.

Actually, I'd used that document as well, but to no avail. I mean, it seems that my LDAP is working, as I get results if I do an ldapsearch. I had also registered the LDAP server in Microsoft Outlook, but Outlook still didn't show anything, and there's no error message either, which makes it harder to troubleshoot.

I read in http://technet.microsoft.com/en-us/library/cc179232(v=office.12).aspx that by default Microsoft Outlook 2007 disables the LDAP virtual list view function and that we must change the registry, but I couldn't find which key needs to change.
 
We have a mostly 5.x CentOS environment and we are trying to move to 6.x. The stopping point at this time is setting up 6.3 as an LDAP client. I'm at my wits' end a bit and don't know where to go from here. I used authconfig to set it up in the same manner as I always have with our 5.x machines. My /etc/openldap/ldap.conf file looks like this:

URI ldap://xxx.xxx.xxx.xxx/
BASE dc=our,dc=base,dc=dc
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow

(with hostname and real base replaced with bogus here)

The /etc/ldap.conf file was not there, but reading through the Chapter 10 authentication configuration material in Red Hat's docs I found it had been replaced by /etc/pam_ldap.conf, and it looks like this:

base dc=our,dc=base,dc=dc
uri ldap://xxx.xxx.xxx.xxx/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password md5

If I try su - username on the 6.3 client, the client's /var/log/messages reports:

Oct 19 09:38:41 servername nslcd[1780]: [5558ec] ldap_start_tls_s() failed: Connect error (uri="ldap://xxx.xxx.xxx.xxx/")
Oct 19 09:38:41 chaos nslcd[1780]: [5558ec] failed to bind to LDAP server ldap://xxx.xxx.xxx.xxx/: Connect error
Oct 19 09:38:41 chaos nslcd[1780]: [5558ec] no available LDAP server found

And on our open ldap server it reports:


Oct 19 09:41:06 server slapd[4031]: conn=1861 fd=50 ACCEPT from IP=xxx.xxx.xxx.xxx:50072 (IP=0.0.0.0:389)
Oct 19 09:41:06 server slapd[4031]: conn=1861 op=0 STARTTLS
Oct 19 09:41:06 server slapd[4031]: conn=1861 op=0 RESULT oid= err=0 text=
Oct 19 09:41:06 server slapd[4031]: conn=1861 fd=50 closed (TLS negotiation failure)

I have diffed the files on the 5.x and 6.x machines and they are identical.

If I do a basic LDAP search using ldapsearch -x -b "dc=our,dc=base,dc=dc" it returns everything as expected. The logs on the LDAP server report:


Oct 19 09:46:50 server slapd[4031]: conn=1871 fd=50 ACCEPT from IP=xxx.xxx.xxx.xxx:50076 (IP=0.0.0.0:389)
Oct 19 09:46:50 server slapd[4031]: conn=1871 op=0 BIND dn="" method=128
Oct 19 09:46:50 server slapd[4031]: conn=1871 op=0 RESULT tag=97 err=0 text=
Oct 19 09:46:50 server slapd[4031]: conn=1871 op=1 SRCH base="dc=our,dc=base,dc=dc" scope=2 deref=0 filter="(objectClass=*)"
Oct 19 09:46:53 server slapd[4031]: conn=1871 op=1 SEARCH RESULT tag=101 err=0 nentries=9805 text=
Oct 19 09:46:54 server slapd[4031]: conn=1871 op=2 UNBIND
Oct 19 09:46:54 server slapd[4031]: conn=1871 fd=50 closed

Additionally, I can bind as a particular username and password and it returns results. For some reason it cannot start a TLS session, and I've exhausted googling and reading Red Hat docs trying to find out why. I followed your setup, which was basically the same as mine with the exception that you copied the cert.pem file to the client and put the path to it in both of your 2 conf files. I reconfigured mine to these specs, but the results in the logs were exactly the same. Any help would be greatly appreciated.
 
I note that you said you followed my setup; however, I also note that you have
Code:
 tls_cacertdir /etc/openldap/cacerts

Instead of calling the cert specifically

Code:
TLS_CACERT /etc/pki/tls/certs/stratus_cert.pem

Have you tried specifying the cert explicitly? I was suffering from the same problem you had until I found the link (which I linked) in the original post.
 
Yes, it is currently set to:


URI ldaps://xxx.xxx.xxx.xxx
BASE dc=our,dc=base,dc=dc
TLS_CACERT /etc/openldap/cacerts/cacert.pem

After copying the server cert over.
 
And FWIW, on all of my 4.x and 5.x clients I do NOT copy certs over; I just let the client request it with TLS_REQCERT allow. It just seems so much more efficient than copying certs everywhere, and it makes upgrading/changing something so much easier. The man page for 6.x indicates this is a valid method of TLS as well, so I can't imagine why it wouldn't work, but I did do due diligence to duplicate your success.
 
Ah hah! I found something! I brought up another 6.3 box with X installed, and for some reason after running authconfig on it, instead of just starting nscd, it also started some service called sssd (which is not running on the other box without X installed). It did not get me any closer to success, but it DID give me an error in the logs I was not getting on the other one. This seems to be the culprit, but I don't have a clue what to do about it.



Could not start TLS encryption. TLS error -8172:peer's certificate issuer has been marked as not trusted by the user.

Now, another oddity, though. When I do the same ldap search command on this box with the ldaps://, I get results back, where on the other I do not. BTW, I have this new one set up for TLS_REQCERT allow. I have not tried copying the cert over yet.
 
All right, copied the cert over, set it up to the path of the cert, turned reqcert off, still no go. It's balking on the trust of the certificate. Is there a way to tell it to accept the certificate?
 
Just so you know I am reading your questions. If I have time I will see if I can reproduce your errors/investigate them.

I don't have anything concrete to tell you. I have never had to force the certs but I vaguely recall seeing an article about using legacy mode which tries to not use TLS at all
 
I've seen that, I don't want any part of it. LOL I WANT to use encryption.
 
Hi Stratus_ss, thanks a lot for your detailed tutorial. It is really helpful, but I don't know why I have no luck with OpenLDAP over SSL; TLS has never worked for me. I'm suffering from the same problem that njohnp3 suffers from. I read a lot of tutorials and papers but can't configure it. I followed the conversation between you and njohnp3 and edited the IP addresses, but as I said, no luck.
 
Hi hesh,

More detail is required. Does a normal LDAP query work (ldap vs ldaps)? Posting your config would be helpful.
 
Yes, a normal LDAP query works fine on both client and server. Also, there is an SSL connection established between the client and server, but I can't query or authenticate through SSL.

server config
/etc/openldap/ldap.conf

TLS_CACERT /etc/pki/tls/certs/samasolutions_cert.pem
URI ldap://ldap.samasolutions.com
BASE dc=samasolutions,dc=com

/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

olcRootPW: {SSHA}YC3HPO2fgFt9pXRVJQumGRhtRPyYX/A/
olcTLSCertificateFile: /etc/pki/tls/certs/samasolutions_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/samasolutions_key.pem

Client
/etc/openldap/ldap.conf

URI ldaps://ldap.samasolutions.com
BASE dc=samasolutions,dc=com
TLS_CACERT /etc/pki/tls/certs/samasolutions_cert.pem

/etc/pam_ldap.conf

host ldap.samasolutions.com
base dc=samasolutions,dc=com
ssl on
ssl start_tls
tls_cacertfile /etc/pki/tls/certs/samasolutions_cert.pem
uri ldaps://ldap.samasolutions.com
tls_cacertdir /etc/openldap/cacerts
pam_password md5

and I copied the certificate and edited the hosts file to reflect the domain.
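
Both client configurations posted in this thread have contradictions that show up before any certificate is involved: njohnp3's /etc/openldap/ldap.conf uses TLS_REQCERT allow (encrypted but unverified), and the pam_ldap.conf above sets ssl on and ssl start_tls in the same file together with a ldaps:// URI (STARTTLS cannot be layered on a session that is already TLS on port 636). The script below is an added example, not code from the thread or from any of the posters. It reads the three files an EL6 client consults: /etc/openldap/ldap.conf (libldap, ldapsearch), /etc/pam_ldap.conf (pam_ldap) and /etc/nslcd.conf, which is the file nslcd, the daemon failing in njohnp3's log, actually reads (its settings do not come from pam_ldap.conf). It flags duplicate ssl lines, a transport that disagrees with the ssl setting, tls_reqcert allow/never, and TLS with no trust anchor configured. Host names and paths in the comments are placeholders.

```shell
#!/bin/sh
# ldap-tls-lint.sh: lint the EL6 LDAP client files for TLS misconfigurations.
# Added example for this thread, not code from the original post. File paths
# are the defaults authconfig writes on CentOS 6; host names in the comments
# are placeholders.

# Print the last value of KEY in FILE, matching the key case-insensitively
# (OpenLDAP's ldap.conf uses TLS_REQCERT, pam_ldap.conf/nslcd.conf tls_reqcert).
# Comment lines start with '#', so their first field never matches a key.
cfg_get() {
    [ -r "$1" ] || return 1
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 }
                   END { if (v != "") { print v; exit 0 }; exit 1 }' "$1"
}

# Number of times KEY appears in FILE (duplicates silently override each other).
cfg_count() {
    awk -v k="$2" 'tolower($1) == tolower(k) { c++ } END { print c + 0 }' "$1"
}

# Lint one file: prints one finding per line, returns the number of findings.
lint_file() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "$file: not readable, skipped" >&2
        return 0
    fi
    n=0
    uri=$(cfg_get "$file" uri || true)
    ssl=$(cfg_get "$file" ssl || true)
    reqcert=$(cfg_get "$file" tls_reqcert | tr 'A-Z' 'a-z' || true)
    ca=$(cfg_get "$file" tls_cacert || cfg_get "$file" tls_cacertfile \
         || cfg_get "$file" tls_cacertdir || true)

    # 1. 'ssl' given twice: only the last line takes effect, the other is dead.
    if [ "$(cfg_count "$file" ssl)" -gt 1 ]; then
        echo "$file: 'ssl' is set more than once; only the last value ('$ssl') is used"
        n=$((n + 1))
    fi

    # 2. Transport and 'ssl' must agree: ldaps:// is TLS from the first byte
    #    (port 636), so STARTTLS on top of it cannot work; 'ssl on' means the
    #    same LDAP-over-SSL transport and does not belong with a ldap:// URI.
    case $uri in
        ldaps://*)
            if [ "$ssl" = start_tls ]; then
                echo "$file: uri is ldaps:// but ssl is start_tls; use ldap:// with start_tls, or ldaps:// with 'ssl on'"
                n=$((n + 1))
            fi ;;
        *)
            if [ "$ssl" = on ]; then
                echo "$file: 'ssl on' selects LDAP-over-SSL (port 636) but uri is '${uri:-unset}'; use ldaps:// or 'ssl start_tls'"
                n=$((n + 1))
            fi ;;
    esac

    # 3. allow/never give an encrypted but unauthenticated session: any
    #    certificate, including one from an on-path attacker, is accepted.
    case $reqcert in
        allow|never)
            echo "$file: tls_reqcert $reqcert skips server certificate verification"
            n=$((n + 1)) ;;
    esac

    # 4. TLS in use and verification demanded (the default) but no trust
    #    anchor configured: every handshake ends in an untrusted-issuer error
    #    unless the issuer already sits in the library's default store.
    tls=0
    case $uri in ldaps://*) tls=1 ;; esac
    case $ssl in on|start_tls) tls=1 ;; esac
    if [ "$tls" -eq 1 ] && [ -z "$ca" ]; then
        case $reqcert in
            ""|demand|hard)
                echo "$file: TLS is enabled with tls_reqcert ${reqcert:-demand} but no TLS_CACERT/tls_cacertfile/tls_cacertdir is set"
                n=$((n + 1)) ;;
        esac
    fi
    return $n
}

# With no arguments, lint the three files an EL6 client actually consults.
# nslcd (the daemon failing in the posted logs) reads /etc/nslcd.conf, not
# /etc/pam_ldap.conf or /etc/openldap/ldap.conf, so its file is included.
[ $# -eq 0 ] && set -- /etc/openldap/ldap.conf /etc/pam_ldap.conf /etc/nslcd.conf
total=0
for f in "$@"; do
    lint_file "$f" || total=$((total + $?))
done
echo "$total finding(s)"
```

Run it as `sh ldap-tls-lint.sh` on the client, or pass explicit files. A clean STARTTLS client looks like `uri ldap://host`, `ssl start_tls`, `tls_reqcert demand` and a `tls_cacertfile` pointing at the CA that signed the server certificate; a clean LDAPS client uses `uri ldaps://host` with `ssl on` and the same trust anchor.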
 
You could try an openssl command to query for the cert:

Code:
openssl s_client -connect target_server_fqdn:636

That would at least help to determine if the server cert is correct

If I get time tonight/this weekend I will see if I can duplicate your error. For my own info, did you follow this guide to the letter (just so that I can reproduce your steps with some degree of accuracy)?

If not, can you detail exactly what you did?
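
The s_client check above only shows that a TLS session can be set up; the failures in this thread ("TLS negotiation failure" on the server, NSS error -8172 "peer's certificate issuer has been marked as not trusted" on the client) are about whether the certificate the server presents chains to the trust anchor the client was given. The script below is an added example, not code from the thread or any of the posters. It saves the server's leaf certificate, prints its issuer next to the CA file's subject so a mismatch is visible (a self-signed server cert validates only if the CA file is that very cert; a CA-issued cert needs the CA's cert, not the server's), runs openssl verify, and then forces a verified STARTTLS or LDAPS bind with ldapsearch using the LDAPTLS_REQCERT and LDAPTLS_CACERT environment variables, so the result does not depend on a lenient TLS_REQCERT in ldap.conf. Host names, base DNs and paths in the usage line are placeholders.

```shell
#!/bin/sh
# ldap-tls-probe.sh: check the LDAP server's certificate against the CA file
# the client trusts, then force a verified TLS bind. Added example for this
# thread, not code from the original post; host names, base DNs and paths in
# the usage line are placeholders.
#
# Usage: sh ldap-tls-probe.sh ldap://ldap.example.com dc=example,dc=com /etc/openldap/cacerts/ca.pem

# Turn an LDAP URI into host:port, defaulting to 389 (ldap) or 636 (ldaps).
hostport_from_uri() {
    case $1 in
        ldaps://*) hp=${1#ldaps://}; def=636 ;;
        ldap://*)  hp=${1#ldap://};  def=389 ;;
        *) echo "unsupported URI: $1" >&2; return 1 ;;
    esac
    hp=${hp%%/*}                     # drop a trailing '/' or path
    case $hp in
        *:*) printf '%s\n' "$hp" ;;
        *)   printf '%s:%s\n' "$hp" "$def" ;;
    esac
}

# Save the leaf certificate the server presents as PEM (this is what the
# posted 'openssl s_client -connect host:636' shows, minus the noise).
fetch_server_cert() {
    hostport=$1 scheme=$2 out=$3
    if [ "$scheme" = ldaps ]; then
        openssl s_client -connect "$hostport" </dev/null 2>/dev/null
    else
        # -starttls ldap needs OpenSSL 1.1.1+; on older clients skip this and
        # rely on the ldapsearch -ZZ probe below, which does STARTTLS itself.
        openssl s_client -connect "$hostport" -starttls ldap </dev/null 2>/dev/null
    fi | openssl x509 -outform PEM > "$out"
}

# Show issuer vs. trust anchor and run the same path validation libldap does.
check_chain() {
    cert=$1 cafile=$2
    echo "server subject: $(openssl x509 -in "$cert"   -noout -subject)"
    echo "server issuer:  $(openssl x509 -in "$cert"   -noout -issuer)"
    echo "CA subject:     $(openssl x509 -in "$cafile" -noout -subject)"
    # Prints 'unable to get local issuer certificate' when the CA file does not
    # sign the server cert: the condition nslcd reports as NSS error -8172.
    openssl verify -CAfile "$cafile" "$cert"
}

# Force verification (LDAPTLS_REQCERT=demand) and require TLS (-ZZ for
# STARTTLS) so the result does not depend on a lenient TLS_REQCERT in ldap.conf.
probe_ldap() {
    uri=$1 base=$2 cafile=$3
    case $uri in
        ldaps://*) starttls="" ;;
        *)         starttls="-ZZ" ;;
    esac
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT=$cafile \
        ldapsearch -x $starttls -H "$uri" -b "$base" -s base '(objectClass=*)' dn
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 ldap[s]://host[:port] base-dn ca.pem" >&2; return 2; }
    uri=$1 base=$2 cafile=$3
    hostport=$(hostport_from_uri "$uri") || return 1
    scheme=${uri%%://*}
    tmp=$(mktemp) || return 1
    rc=0
    fetch_server_cert "$hostport" "$scheme" "$tmp" && check_chain "$tmp" "$cafile" || rc=1
    rm -f "$tmp"
    probe_ldap "$uri" "$base" "$cafile" && echo "verified TLS bind: OK" || rc=1
    return $rc
}

# Run only when invoked with arguments, so the functions can be sourced.
[ $# -gt 0 ] && main "$@"
```

If openssl verify succeeds but ldapsearch still fails, the problem is in the client library's own trust store (what TLS_CACERT or TLS_CACERTDIR points at), not in the certificate; if both fail with an issuer error, the CA file is simply not the certificate that signed the server's.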
 
Yes, I followed your howto from scratch; I even installed a new VM to start with a clean system. Next, the certificate query worked fine:

CONNECTED(00000003)

I think, since I have an SSL connection established with the server, the certificate should be fine.
 
Haven't forgotten about you, I just didn't have time this weekend. There was an unexpected funeral on Friday which took me out of town for the weekend. I will check this out when I get the chance.
 
First of all, thank you very much Stratus your posts have been quite helpful.

I am in the process of upgrading all of our infrastructure from EL5 to EL6, and have planned to do away with an old EL5.i386 LDAP server for a while. I set up a new LDAP server with a self-signed cert answering on port 636, and all the SSL parts seem to work as planned.

Following the client instructions that you have posted got my client at least bound with my ldap server. I can run id, getent, even su into a user's home from root and see correct file permissions and such so that's all good. The main issue I am having is that I cannot login as any ldap user with a password. If I create or have in effect an ssh key, I have no problem logging in as a user, but otherwise a password is just not accepted.

We don't do LDAP authentication, just authorization, relying on another Kerberos system to do password verification, but for some reason that part just isn't working. I have seen posts all over the web about the Force Legacy options, or turning on LDAP auth to see if it fools it in /etc/sysconfig/authconfig, but nothing I do seems to be effective. Any ideas would be most helpful.
 