Wednesday 14 January 2009

SASL/EXTERNAL with openldap

The SASL EXTERNAL mechanism allows passwordless authentication with X.509 user certificates.

I believe it could prove very useful for replication, where, with simple bind, the bind DN and password would have to be written in cleartext in slapd.conf.

This mechanism is also very handy because it requires encryption to work: a cleartext connection can't be used.

Steps are:

  • apt-get install libsasl2-modules-ldap on the server;

  • modify slapd.conf to use TLS and to try to verify the peer certificate;

  • modify the user's .ldaprc to include the user certificate.

slapd.conf should include:

TLSCACertificateFile /etc/ssl/certs/ca-cert.pem
TLSCertificateFile /etc/ssl/certs/server.pem
TLSCertificateKeyFile /etc/ssl/private/server.key
TLSVerifyClient try

where server.pem and server.key are the server certificate and its unprotected key, while ca-cert.pem is the certificate file of the CA that issued the client user certificate.

.ldaprc:

TLS_CACERT /etc/ssl/certs/server-ca-chain.pem
TLS_CACERTDIR /etc/ssl/certs
TLS_CERT /home/user/client.pem
TLS_KEY /home/user/client.key
SASL_MECH EXTERNAL

where client.key can be a passphrase-protected or unprotected key, and server-ca-chain.pem is the certificate file of the CA that issued the server certificate.
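To catch mismatches between the two files before restarting slapd, here is an added Python example (not from the post) that parses a slapd.conf fragment and a .ldaprc fragment, both embedded as constructed strings copied from the settings above, and reports what would keep SASL/EXTERNAL from working. The directive names are OpenLDAP's own; the function names and the wording of the findings are mine.

```python
# Constructed sample fragments in the shape shown in the post (not real files).
SLAPD_CONF = """\
# server side: TLS material and client verification policy
TLSCACertificateFile /etc/ssl/certs/ca-cert.pem
TLSCertificateFile /etc/ssl/certs/server.pem
TLSCertificateKeyFile /etc/ssl/private/server.key
TLSVerifyClient try
"""

LDAPRC = """\
TLS_CACERT /etc/ssl/certs/server-ca-chain.pem
TLS_CACERTDIR /etc/ssl/certs
TLS_CERT /home/user/client.pem
TLS_KEY /home/user/client.key
SASL_MECH EXTERNAL
"""


def parse_directives(text):
    """Parse 'KEY value' lines (slapd.conf and .ldaprc share this shape).
    Comments and blank lines are skipped; keys are compared case-insensitively."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key] = value
    return conf


def check_external_setup(slapd_conf, ldaprc):
    """Return a list of findings explaining why SASL/EXTERNAL over TLS would
    fail or silently degrade. An empty list means the two sides agree."""
    s = parse_directives(slapd_conf)
    c = parse_directives(ldaprc)
    findings = []
    # The server needs a certificate and key to offer TLS at all.
    for key in ("tlscertificatefile", "tlscertificatekeyfile"):
        if key not in s:
            findings.append(f"slapd.conf: missing {key}")
    # Without CA material the server cannot validate any client certificate.
    if "tlscacertificatefile" not in s and "tlscacertificatepath" not in s:
        findings.append("slapd.conf: no TLSCACertificateFile/Path, client certs cannot be verified")
    # EXTERNAL takes the identity from a verified client cert, so the server must
    # at least request one: 'try' requests but tolerates absence, 'demand' requires it.
    verify = s.get("tlsverifyclient", "never").lower()
    if verify == "never":
        findings.append("slapd.conf: TLSVerifyClient never: client certificate is never requested")
    elif verify == "allow":
        findings.append("slapd.conf: TLSVerifyClient allow: an invalid client cert is ignored instead of rejected")
    elif verify == "try":
        findings.append("note: TLSVerifyClient try lets clients connect without a certificate; use demand to require one")
    # Client side: it must present a cert and key and ask for the EXTERNAL mechanism.
    if c.get("sasl_mech", "").upper() != "EXTERNAL":
        findings.append("ldaprc: SASL_MECH is not EXTERNAL")
    for key in ("tls_cert", "tls_key"):
        if key not in c:
            findings.append(f"ldaprc: missing {key}, no client certificate will be sent")
    if "tls_cacert" not in c and "tls_cacertdir" not in c:
        findings.append("ldaprc: no TLS_CACERT/TLS_CACERTDIR, the server certificate cannot be validated")
    return findings


if __name__ == "__main__":
    for finding in check_external_setup(SLAPD_CONF, LDAPRC) or ["ok"]:
        print(finding)
```

The checker cannot tell whether ca-cert.pem really issued client.pem (that is exactly what the "unknown ca" alert in the next section reports), so treat it as a sanity check on the directives, not a substitute for verifying the certificate chains themselves.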

An error like this one:

ldapsearch -x -ZZ -h server.test.com 'uid=user'
ldap_start_tls: Connect error (-11)
additional info: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

means the client is presenting a certificate issued by a CA other than the one configured in TLSCACertificateFile on the server.

If everything is in order:

ldapsearch -x -ZZ -H ldap://server.test.com -b "" -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: EXTERNAL

And it is possible to run:

ldapsearch -ZZ -h server.test.com 'uid=user'

and then read in /var/log/ldap.log:

Jan 14 12:08:12 server slapd[15308]: conn=38 op=1 BIND authcid="cn=bacedifo,dc=test,dc=com" authzid="cn=bacedifo,dc=test,dc=com"
Jan 14 12:08:12 server slapd[15308]: conn=38 op=1 BIND dn="cn=bacedifo,dc=test,dc=com" mech=EXTERNAL ssf=0
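As an added example that is not part of the post, the following Python walks slapd log lines of the shape shown above and tells certificate-authenticated EXTERNAL binds apart from password binds, flagging the passwords that crossed the wire unencrypted. The sample lines are constructed: conn=38 reproduces the post's EXTERNAL bind with the STARTTLS and "TLS established" lines that precede it, while conn=39 (a simple bind on a connection that never negotiated TLS) and conn=40 (a simple bind after STARTTLS) are made up for contrast. The regular expressions assume the OpenLDAP 2.4 log format; the function names are mine.

```python
import re

# Constructed slapd log lines in the format of the post's /var/log/ldap.log excerpt.
SAMPLE_LOG = """\
Jan 14 12:08:12 server slapd[15308]: conn=38 fd=12 ACCEPT from IP=192.0.2.10:41000 (IP=0.0.0.0:389)
Jan 14 12:08:12 server slapd[15308]: conn=38 op=0 STARTTLS
Jan 14 12:08:12 server slapd[15308]: conn=38 fd=12 TLS established tls_ssf=256 ssf=256
Jan 14 12:08:12 server slapd[15308]: conn=38 op=1 BIND authcid="cn=bacedifo,dc=test,dc=com" authzid="cn=bacedifo,dc=test,dc=com"
Jan 14 12:08:12 server slapd[15308]: conn=38 op=1 BIND dn="cn=bacedifo,dc=test,dc=com" mech=EXTERNAL ssf=0
Jan 14 12:09:01 server slapd[15308]: conn=39 fd=13 ACCEPT from IP=192.0.2.11:41002 (IP=0.0.0.0:389)
Jan 14 12:09:01 server slapd[15308]: conn=39 op=0 BIND dn="cn=admin,dc=test,dc=com" method=128
Jan 14 12:09:01 server slapd[15308]: conn=39 op=0 BIND dn="cn=admin,dc=test,dc=com" mech=SIMPLE ssf=0
Jan 14 12:10:30 server slapd[15308]: conn=40 fd=14 ACCEPT from IP=192.0.2.12:41010 (IP=0.0.0.0:389)
Jan 14 12:10:30 server slapd[15308]: conn=40 op=0 STARTTLS
Jan 14 12:10:30 server slapd[15308]: conn=40 fd=14 TLS established tls_ssf=256 ssf=256
Jan 14 12:10:30 server slapd[15308]: conn=40 op=1 BIND dn="cn=replica,dc=test,dc=com" mech=SIMPLE ssf=0
"""

CONN_RE = re.compile(r"conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
# Only the second BIND line (the one carrying mech=...) marks a completed bind.
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<tls_ssf>\d+)")


def analyse_binds(log_text):
    """Walk the log in order, remember which connections negotiated TLS,
    and classify every completed BIND by mechanism and transport protection."""
    tls_conns = {}  # conn id -> tls_ssf reported when TLS came up
    events = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        t = TLS_RE.search(rest)
        if t:
            tls_conns[conn] = int(t.group("tls_ssf"))
            continue
        b = BIND_RE.search(rest)
        if not b:
            continue
        mech, dn = b.group("mech"), b.group("dn")
        tls_ssf = tls_conns.get(conn, 0)
        if mech == "EXTERNAL":
            # ssf=0 on the BIND line is the SASL layer's own protection; the
            # transport protection is the tls_ssf recorded for this conn earlier.
            # EXTERNAL without TLS is what an ldapi:// peer-credential bind looks like.
            verdict = "cert-authenticated" if tls_ssf > 0 else "external-without-tls"
        elif mech == "SIMPLE":
            if dn == "":
                verdict = "anonymous"  # no password is sent on an anonymous bind
            else:
                verdict = "password-over-tls" if tls_ssf > 0 else "password-in-cleartext"
        else:
            verdict = "sasl-" + mech.lower()
        events.append({"conn": conn, "op": b.group("op"), "dn": dn,
                       "mech": mech, "tls_ssf": tls_ssf, "verdict": verdict})
    return events


def cleartext_password_binds(log_text):
    """Return the DNs whose password crossed the wire unencrypted."""
    return [e["dn"] for e in analyse_binds(log_text) if e["verdict"] == "password-in-cleartext"]


if __name__ == "__main__":
    for e in analyse_binds(SAMPLE_LOG):
        print(f'conn={e["conn"]} dn="{e["dn"]}" mech={e["mech"]} tls_ssf={e["tls_ssf"]} -> {e["verdict"]}')
```

The script keys on the "TLS established" line rather than on the ssf=0 printed with the EXTERNAL bind because that ssf is the SASL mechanism's own security layer, which EXTERNAL never provides; the encryption comes from TLS and is logged once per connection when STARTTLS completes. The same per-connection bookkeeping is what makes the simple bind on conn=39 stand out as a cleartext password, which is the exposure the post's replication use case is meant to avoid.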
