Suse Ent Linux 10 authing (LDAP(TLS) ) against Win2K3 SP1 Active Dir


Suse Ent Linux 10 authing (LDAP(TLS) ) against Win2K3 SP1 Active Dir

by TimtheEagle

Hi fellow Nabblers

I am trying to get SLES to authenticate via secure LDAP against win2k3 sp1 active directory.

Configured it successfully with LDAP client on Linux and Microsoft Services for UNIX 3.5 on the Windows domain controller.  But when I try to add security to the LDAP connection in the form of STARTTLS i.e. encrypting the LDAP connection it won't work.  My steps are:-

I export the domain controller's certificate and convert it before putting it on the Linux host as per http://www.muquit.com/muquit/software/mod_auth_ldap/ssl_tls.html

Setup the ldap.conf file as follows:-

# ldap.conf
# ===========
#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#

#host 172.31.5.155
uri ldaps://172.31.5.155/
base DC=cust,DC=co,DC=nz

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

bind_policy soft

binddn cn=administrator,cn=users,dc=cust,dc=co,dc=nz
bindpw saveme

#port 389
#port 636

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
timelimit 30

# Bind timelimit
bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_groupdn cn=unixusergroup,cn=users,dc=cust,dc=co,dc=nz
pam_member_attribute msSFU30PosixMember
pam_password ad

nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup Group
nss_map_objectclass shadowAccount user

nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn

nss_base_passwd cn=Users,dc=cust,dc=co,dc=nz?sub
nss_base_shadow cn=Users,dc=cust,dc=co,dc=nz?sub
nss_base_group cn=Users,dc=cust,dc=co,dc=nz?sub

ssl start_tls
#ssl no
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertdir   /etc/certs
tls_cacertfile /etc/certs/testdc-155.pem
#tls_cacertfile /etc/certs/testdc-155.der

# SSL cipher suite
# See man ciphers for syntax
tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

=========================================================

 Testing / Troubleshooting
==================

I have tried various modifications of the above ldap.conf file, and the fewest error messages that I get in /var/log/messages are for the configuration file above. The messages are as follows:-

Oct  4 09:08:43 sles10 dbus-daemon: nss_ldap: could not search LDAP server - Server is unavailable

An example of the traffic sniffed with Ethereal follows. It all looks good until the Encrypted Alert, which marks the end of a cycle of trying it all again, still unsuccessfully:-

 No. Time        Source        Destination   Protocol Info
 115 62.229043   172.31.5.146  172.31.5.154  TCP   58081 > ldaps [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=4294902516 TSER=0 WS=2
 116 62.229190   172.31.5.154  172.31.5.146  TCP   ldaps > 58081 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
 117 62.229583   172.31.5.146  172.31.5.154  TCP   58081 > ldaps [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=4294902516 TSER=0
 118 62.297557   172.31.5.146  172.31.5.154  SSLv2 Client Hello
 119 62.297979   172.31.5.154  172.31.5.146  TLS   Server Hello, Certificate[Unreassembled Packet]
 120 62.298084   172.31.5.154  172.31.5.146  TLS   Continuation Data, [Unreassembled Packet]
 121 62.298677   172.31.5.146  172.31.5.154  TCP   58081 > ldaps [ACK] Seq=221 Ack=1449 Win=8736 Len=0 TSV=4294902533 TSER=2999
 122 62.298681   172.31.5.146  172.31.5.154  TCP   58081 > ldaps [ACK] Seq=221 Ack=2897 Win=11632 Len=0 TSV=4294902533 TSER=2999
 123 62.298766   172.31.5.154  172.31.5.146  TLS   Continuation Data, [Unreassembled Packet]
 124 62.298805   172.31.5.154  172.31.5.146  TLS   Continuation Data, [Unreassembled Packet]
 125 62.299166   172.31.5.146  172.31.5.154  TCP   58081 > ldaps [ACK] Seq=221 Ack=4345 Win=14528 Len=0 TSV=4294902533 TSER=2999
 126 62.299169   172.31.5.146  172.31.5.154  TCP   58081 > ldaps [ACK] Seq=221 Ack=4743 Win=17424 Len=0 TSV=4294902533 TSER=2999
 127 62.302422   172.31.5.146  172.31.5.154  TLS   Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 128 62.306450   172.31.5.154  172.31.5.146  TLS   Change Cipher Spec, Encrypted Handshake Message
 129 62.307468   172.31.5.146  172.31.5.154  TLS   Encrypted Alert
 130 62.307754   172.31.5.154  172.31.5.146  TCP   ldaps > 58081 [FIN, ACK] Seq=4786 Ack=438 Win=63803 Len=0 TSV=3000 TSER=4294902535

 
I have tried changing the settings in ldap.conf. The main settings that I modified (see below), either by changing their values or by commenting/uncommenting them, were:-

ldap_version 3
ssl on
tls_checkpeer yes
tls_ciphers TLSv1

Thanks in anticipation

RE: Suse Ent Linux 10 authing (LDAP(TLS) ) against Win2K3 SP1 Active Dir

by Denis Melnikov

> I am trying to get SLES to authenticate via secure LDAP
> against win2k3 sp1
> active directory.
>
> Configured it successfully with LDAP client on Linux and
> Microsoft Services
> for UNIX 3.5 on the Windows domain controller.  But when I try to add
> security to the LDAP connection in the form of STARTTLS i.e.
> encrypting the
> LDAP connection it won't work.  My steps are:-
>
> I export the domain controllers certificate and convert it
> before putting it
> on the Linux host as per
> http://www.muquit.com/muquit/software/mod_auth_ldap/ssl_tls.html
>
> Setup the ldap.conf file as follows:-
>
> # ldap.conf
> # ===========
> #
> # This is the configuration file for the LDAP nameservice
> # switch library, the LDAP PAM module and the shadow package.
> #
>
> #host 172.31.5.155
> uri ldaps://172.31.5.155/

Tim,

LDAP begins the conversation on port 389. When you issue the STARTTLS
command, it encodes its packets and continues using port 389.
So your URI setting must look as follows:

uri ldap://172.31.5.155/

Re: Suse Ent Linux 10 authing (LDAP(TLS) ) against Win2K3 SP1 Active Dir

by Howard Wilkinson

Windows does not support STARTTLS; you need to use ldaps on port 639. You should not use IP addresses but should refer to the domain name in the URI.

Do you have this working with an ordinary ldap connection first, i.e. have you got shared credentials set up, or are you successfully using SASL? If so, then switching to ldaps is just a case of swapping the URI. The best way to approach this is to get ldapsearch to work with ldaps first. Alter your /etc/openldap/ldap.conf to contain the following:

URI ldaps://ad.domain.name
BASE dc=ad,dc=domain,dc=name
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never

Once you can successfully search using this as your basic setup, then try the

ldaps://ad.domain.name

in your /etc/ldap.conf.

> Melnikov Denis wrote:
>> I am trying to get SLES to authenticate via secure LDAP
>> against win2k3 sp1
>> active directory.
>>
>> Configured it successfully with LDAP client on Linux and
>> Microsoft Services
>> for UNIX 3.5 on the Windows domain controller.  But when I try to add
>> security to the LDAP connection in the form of STARTTLS i.e.
>> encrypting the
>> LDAP connection it won't work.  My steps are:-
>>
>> I export the domain controllers certificate and convert it
>> before putting it
>> on the Linux host as per
>> http://www.muquit.com/muquit/software/mod_auth_ldap/ssl_tls.html
>>
>> Setup the ldap.conf file as follows:-
>>
>> # ldap.conf
>> # ===========
>> #
>> # This is the configuration file for the LDAP nameservice
>> # switch library, the LDAP PAM module and the shadow package.
>> #
>>
>> #host 172.31.5.155
>> uri ldaps://172.31.5.155/
>
> Tim,
>
> LDAP begins conversation on port 389. When you issue STARTTLS
> command, it encodes its packets and continues using port 389.
> So, your URI setting must look as follows:
>
> uri ldap://172.31.5.155/


--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, London, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard@...


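As an added example (not code from the thread or from any of the posters), here is a small Python linter that reads an ldap.conf in either the nss_ldap/pam_ldap style or the OpenLDAP-client style and flags the TLS pitfalls raised in this thread: the ldaps:// URI combined with ssl start_tls from the first post, an IP literal where the certificate name is checked, the TLS_REQCERT never test setting suggested above, and a bind password kept in the file. The two samples inside are constructed from the thread's own values; the finding codes are this example's own naming.

```python
"""Lint an ldap.conf (nss_ldap/pam_ldap or OpenLDAP client style) for the TLS mistakes in this thread."""
import ipaddress
from urllib.parse import urlsplit
# Constructed sample: the original poster's first attempt, abridged.
SAMPLE_NSS_LDAP = """\
uri ldaps://172.31.5.155/
bindpw saveme
ssl start_tls
tls_checkpeer yes
"""
# Constructed sample: the ldapsearch test settings suggested in the thread.
SAMPLE_OPENLDAP = """\
URI ldaps://ad.domain.name
TLS_REQCERT never
"""
def parse_conf(text):
    """Keys are case-insensitive; last occurrence wins; '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint(text):
    """Return a sorted list of finding codes for one ldap.conf file."""
    conf = parse_conf(text)
    findings = set()
    uri = urlsplit(conf.get("uri") or "ldap://" + conf.get("host", ""))
    ssl = conf.get("ssl", "no").lower()
    # ldaps:// already runs TLS from connect; 'ssl start_tls' then asks for STARTTLS on top (the first post's mix)
    if uri.scheme == "ldaps" and ssl == "start_tls":
        findings.add("ldaps-uri-with-start_tls")
    if uri.scheme == "ldap" and ssl != "start_tls":
        findings.add("plaintext-ldap")  # bind password crosses the wire in clear
    # nss_ldap documents tls_checkpeer's default as "no"; OpenLDAP TLS_REQCERT never/allow/try skip verification
    nss_style = "ssl" in conf or "tls_checkpeer" in conf
    reqcert = conf.get("tls_reqcert", "demand").lower()
    if (nss_style and conf.get("tls_checkpeer", "no").lower() != "yes") \
            or reqcert in ("never", "allow", "try"):
        findings.add("server-cert-not-verified")
    try:  # a DC certificate is issued to its DNS name, not to an IP literal
        ipaddress.ip_address(uri.hostname or "")
        findings.add("ip-literal-in-uri")
    except ValueError:
        pass
    if "bindpw" in conf:  # secret sits in a file every local user can read
        findings.add("bindpw-in-world-readable-file")
    return sorted(findings)
```

The working setups in this thread split the TLS settings across /etc/ldap.conf and /etc/openldap/ldap.conf, so run lint() on each file and read the two result lists together.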
Re: Suse Ent Linux 10 authing (LDAP(TLS) ) against Win2K3 SP1 Active Dir

by sruckh


> Melnikov Denis wrote:
>>> I am trying to get SLES to authenticate via secure LDAP
>>> against win2k3 sp1
>>> active directory.
>>>
>>> Configured it successfully with LDAP client on Linux and
>>> Microsoft Services
>>> for UNIX 3.5 on the Windows domain controller.  But when I try to add
>>> security to the LDAP connection in the form of STARTTLS i.e.
>>> encrypting the
>>> LDAP connection it won't work.  My steps are:-
>>>
>>> I export the domain controllers certificate and convert it
>>> before putting it
>>> on the Linux host as per
>>> http://www.muquit.com/muquit/software/mod_auth_ldap/ssl_tls.html
>>>
>>> Setup the ldap.conf file as follows:-
>>>
>>> # ldap.conf
>>> # ===========
>>> #
>>> # This is the configuration file for the LDAP nameservice
>>> # switch library, the LDAP PAM module and the shadow package.
>>> #
>>>
>>> #host 172.31.5.155
>>> uri ldaps://172.31.5.155/
>>>

Here are some other places where I have discussed this topic:

http://www.linuxquestions.org/questions/showthread.php?t=371848&page=2
http://www.winlinanswers.com/community/viewtopic.php?t=37
http://blog.scottlowe.org/2006/04/27/linux-ad-integration-with-windows-server-2003-r2/
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/

Re: Suse Ent Linux 10 authing (LDAP(TLS) ) against Win2K3 SP1 Active Dir

by TimtheEagle

I am still experimenting after your feedback but believe that I have SLES 9 now working, but the same config files wouldn't work on SLES 10. I will review it and let you know the results as soon as I can get back to it.

I find the whole starttls versus ldaps thing very confusing.

Scott Ruckh wrote:
> Melnikov Denis wrote:
>>> I am trying to get SLES to authenticate via secure LDAP
>>> against win2k3 sp1
>>> active directory.
>>>
>>> Configured it successfully with LDAP client on Linux and
>>> Microsoft Services
>>> for UNIX 3.5 on the Windows domain controller.  But when I try to add
>>> security to the LDAP connection in the form of STARTTLS i.e.
>>> encrypting the
>>> LDAP connection it won't work.  My steps are:-
>>>
>>> I export the domain controllers certificate and convert it
>>> before putting it
>>> on the Linux host as per
>>> http://www.muquit.com/muquit/software/mod_auth_ldap/ssl_tls.html
>>>
>>> Setup the ldap.conf file as follows:-
>>>
>>> # ldap.conf
>>> # ===========
>>> #
>>> # This is the configuration file for the LDAP nameservice
>>> # switch library, the LDAP PAM module and the shadow package.
>>> #
>>>
>>> #host 172.31.5.155
>>> uri ldaps://172.31.5.155/
>>>
>
> Here are some other places where I have discussed this topic:
>
> http://www.linuxquestions.org/questions/showthread.php?t=371848&page=2
> http://www.winlinanswers.com/community/viewtopic.php?t=37
> http://blog.scottlowe.org/2006/04/27/linux-ad-integration-with-windows-server-2003-r2/
> http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/

Re: Suse Ent Linux 10 authing (LDAP(TLS) ) against Win2K3 SP1 Active Dir

by TimtheEagle

My final config files for SUSE Enterprise Linux 9 against win2k3 sp1 AD are:-

#/etc/ldap.conf

uri ldaps://testdc1-154.int.co.nz
base    DC=int,DC=co,DC=nz
scope sub
timelimit 5

binddn cn=administrator,cn=users,dc=int,dc=co,dc=nz
bindpw saveme

bind_policy soft

#tls_checkpeer yes
#ssl start_tls
ssl on

nss_reconnect_tries 2
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 2

pam_filter objectclass=user
pam_login_attribute sAMAccountName
pam_groupdn cn=unixusergroup,cn=users,dc=int,dc=co,dc=nz
pam_member_attribute msSFU30PosixMember
pam_password ad

nss_map_objectclass posixAccount user
nss_map_objectclass posixGroup Group
nss_map_objectclass shadowAccount user

nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn

nss_base_passwd cn=Users,dc=int,dc=co,dc=nz?sub
nss_base_shadow cn=Users,dc=int,dc=co,dc=nz?sub
nss_base_group cn=Users,dc=int,dc=co,dc=nz?sub

#==============================================

#/etc/openldap/ldap.conf

base DC=int,DC=co,DC=nz
host testdc1-154.int.co.nz

TLS_REQCERT demand
TLS_CACERT /etc/certs/testdc1-154.int.co.nz.pem

#==============================================

Haven't managed to get the same scenario working with SLES 10 instead of 9.
