Description of problem: I'm trying again to configure LDAP authentication on Mageia. I have an LDAP server with a self-signed certificate. So in drakauth, I click on "use encrypted connection with TLS" and I give the file containing the certificate of the LDAP server. But authentication doesn't work. It seems drakauth now uses nslcd. But in nslcd.conf, the base field is not filled, and the certificate file is not configured (I think it is the field tls_cacertfile).
Assignee: bugsquad => thierry.vignaud
Indeed, it doesn't modify /etc/nslcd.conf at all.
CC: (none) => luigiwalser
It also needs to enable and start the nslcd service, and restart or stop and disable the nscd service (depending on whether they can work together or not).
In this file on your system: /usr/lib/libDrakX/authentication.pm (also in SVN here: http://svnweb.mageia.org/soft/drakx/trunk/perl-install/authentication.pm?revision=7897&view=markup) the functions read_ldap_conf() and update_ldap_conf() need to use /etc/nslcd.conf instead of /etc/ldap.conf. In configure_nss_ldap(), instead of using host, I think it should use uri, so it'd be like:
    uri => "ldaps://" . $authentication->{LDAP_server} . "/"
For the nss_base_* things, the code would probably have to be changed, because the config parameter is just "base" for all three of those. The conf lines look like this:
    base group cn=Users,dc=domain,dc=com
    base passwd cn=Users,dc=domain,dc=com
    base shadow cn=Users,dc=domain,dc=com
The ?sub at the end doesn't need to be there. You could just add a scope => sub to make that the default (it actually is the default). Also, the tls_checkpeer => "yes" should be changed to tls_reqcert => "demand". I could write the patch for that, except that I don't know how to handle the changes needed for the "base" lines.
CC: (none) => derekjenn
Blocks: (none) => 7667
David, would you like to try this out? http://gitweb.mageia.org/software/drakx/diff/perl-install/authentication.pm?id=72ea5fb83d926327079b5632a9e81a029ec965d9 For Bug 7667 it is not immediately clear to me what needs doing. If you can give me a pointer it would be useful.
(In reply to Derek Jennings from comment #4)
> David, would you like to try this out?
> http://gitweb.mageia.org/software/drakx/diff/perl-install/authentication.pm?id=72ea5fb83d926327079b5632a9e81a029ec965d9
I won't be able to verify it until I get back to work, but it looks perfect, save for maybe you'd want to add a scope => sub too (although it is the default). Seeing as it's currently completely broken, it won't hurt to go ahead and get that committed and pushed now. Thanks!
> For Bug 7667 it is not immediately clear to me what needs doing. If you can give me a pointer it would be useful.
Indeed. Hopefully we can get more feedback from Zombie.
> maybe you'd want to add a scope => sub too (although it is the default).
Done. Fixed in git. I'll not push a package just now. There are bound to be more updates to drakxtools coming along.
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => derekjenn
CC: (none) => thierry.vignaud
BTW I think in the future we should switch to use sssd for LDAP. It's much simpler, one single config for both PAM & NSS.
Interesting. Using Active Directory at work, I couldn't get sssd working, but I did get nss-pam-ldapd. nss-pam-ldapd seems a lot simpler and more obvious to me as far as configuring by hand. Assuming it works correctly, I don't know that it makes much difference which one the tool uses. I suppose it could offer a choice too (maybe as an advanced option).
It was very simple to configure on RHEL6 to bind on an AD. Some advanced stuff isn't documented at all. I can mail you the doc if you want to.
Sure, I can experiment with it some more when I get back to work.
Derek, I think the conclusions reached from Bug 7667 so far are that the tls_reqcert should be "allow" by default, instead of "demand", as demand requires adding a certificate in /etc/pki/tls/certs so that it can verify the server cert. Actually adding the ability to add the cert through the tool such that you can use demand would be an optional extra feature, as would configuring the sudo thing Zombie discussed there, but neither is strictly necessary. Also, another thing I just thought of, you might want to do:
    if ($authentication->{cafile} eq '1') {
        update_ldap_conf(
            uri => "ldaps://" . $authentication->{LDAP_server} . "/",
        );
    } else {
        update_ldap_conf(
            uri => "ldap://" . $authentication->{LDAP_server} . "/",
        );
    }
So that it doesn't try to use SSL when you haven't asked it to, as that might not work.
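An added example (not part of the bug report or of drakx) that checks a generated nslcd.conf for the three problems discussed in this bug: missing base lines, a tls_reqcert setting that skips server certificate verification, and demand-mode verification with no tls_cacertfile to verify a self-signed server cert against. The two configs, the hostname and the CA path are constructed samples.

```python
"""Check an nslcd.conf for the misconfigurations discussed in this bug."""

# Constructed sample resembling what the broken drakauth wrote: no base lines,
# TLS in use, and a tls_reqcert that never rejects a bad server certificate.
BROKEN_CONF = """\
uri ldaps://ldap.example.com/
tls_reqcert allow
"""

# Constructed sample of the intended configuration (hostname and CA path are made up).
FIXED_CONF = """\
uri ldaps://ldap.example.com/
base group cn=Users,dc=domain,dc=com
base passwd cn=Users,dc=domain,dc=com
base shadow cn=Users,dc=domain,dc=com
scope sub
tls_reqcert demand
tls_cacertfile /etc/pki/tls/certs/ldap-ca.pem
"""

def parse_nslcd_conf(text):
    """Map each option name to the list of its values; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def check_nslcd_conf(text):
    """Return a list of findings; an empty list means none of the known problems is present."""
    conf = parse_nslcd_conf(text)
    findings = []
    uris = conf.get("uri", [])
    if not uris:
        findings.append("no uri configured")
    # 'base DN' applies to every map; 'base MAP DN' applies to one map only.
    bases = [v.split() for v in conf.get("base", [])]
    global_base = any(len(b) == 1 for b in bases)
    per_map = {b[0] for b in bases if len(b) == 2}
    for m in ("passwd", "group", "shadow"):
        if not global_base and m not in per_map:
            findings.append(f"no base configured for map {m}")
    uses_tls = any(u.startswith("ldaps://") for u in uris) or \
        conf.get("ssl", [""])[0] in ("on", "start_tls")
    reqcert = conf.get("tls_reqcert", ["demand"])[0]  # assumed libldap default when unset
    if uses_tls and reqcert in ("never", "allow", "try"):
        findings.append(f"tls_reqcert {reqcert} does not verify the server certificate")
    if uses_tls and reqcert in ("demand", "hard") and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("tls_reqcert demand without tls_cacertfile/tls_cacertdir: a self-signed server cert will be rejected")
    return findings
```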
Derek, I think Colin pushed an update containing your previous commit, so the changes suggested in Comment 11 still should be made. Once that's done I think this can be marked as fixed.
Committed to git http://gitweb.mageia.org/software/drakx/plain/perl-install/authentication.pm I'll not push a package yet. There are bound to be other updates to drakxtools shortly.
Thanks Derek. As this issue also affects Mageia 3, at some point you might want to backport these fixes there.
Should be fixed now.
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED