topic Re: LDAP-UX Client Configuration in Operating System - HP-UX

LDAP-UX Client Configuration

Joshua M. Miller — Thu, 26 Apr 2007 17:27:42 GMT

Hello!

I am attempting to configure the LDAP-UX client on an 11iv1 host with LDAP-UX 4.10 and using an existing OpenLDAP 2.3.34 LDAP server. I am having trouble getting TLS/SSL working. The client works great without SSL/TLS.

Here's the low down:

* I run through the setup utility and everything goes well, I get the same results if I select TLS or SSL and the respective settings that apply -- I can watch the logs on my LDAP server and see that the appropriate HPUX profile is downloaded successfully each time.

* If I run /opt/ldapux/config/get_profile_entry -s nss, it also downloads the profile successfully using SSL/TLS.

This makes it appear as if everything is going to work...even the command line ldapsearch works great. Once I exit the setup utility, SSL/TLS connections will not work. Any attempt to login via console or ssh fails and user/group enumeration via pwget grget fails also. The logs on the LDAP server indicate a TLS Negotiation failure, but I can connect using the ldapsearch utility specifying -Z for SSL...

Any ideas why there would be this disconnect and the LDAP-UX setup utility and ldapsearch can successfully negotiate an SSL/TLS connection while user/group operations cannot?

TIA,

Re: LDAP-UX Client Configuration

Joshua M. Miller — Thu, 26 Apr 2007 17:28:45 GMT

Just to clarify one more thing, my nsswitch.conf and pam.conf are setup properly -- user/group operations succeed when not using TLS/SSL.

Thanks!

Re: LDAP-UX Client Configuration

Steven E. Protter — Thu, 26 Apr 2007 17:59:11 GMT

Shalom,

Has a ssl certificate been generated or installed on the server side. If so, is the server configured correctly?

This may be an LDAP certificate issues.

SEP

Re: LDAP-UX Client Configuration

Sameer_Nirmal — Thu, 26 Apr 2007 18:13:14 GMT

Have you set the paramter enable_starttls = 1 in /etc/opt/ldapux/ldapux_client.conf ?

Re: LDAP-UX Client Configuration

Joshua M. Miller — Thu, 26 Apr 2007 18:28:34 GMT

Hi Steven,

The LDAP server has the proper SSL certs and is serving over 100 Linux hosts via SSL so I don't think it's a server configuration issue, although I'm open to anything at this point.

I wonder if the client is too strict in checking the server cert at this point and I'm trying to verify that I have the proper names and IP mappings in DNS.

And Sameer,

I have tried using TLS with 'enable_starttls 1' in the ldapux_client.conf and that has not worked for me either.

Re: LDAP-UX Client Configuration

Joshua M. Miller — Mon, 30 Apr 2007 11:46:04 GMT

The problem here was with my profile in the LDAP directory -- I did not add an attribute for 'authenticationMethod' and when the ldapux client was restarted it would download the profile and this setting would be set to 'simple'. The proper setting for my TLS environment is 'tls:simple'. Once I updated my profile to reflect this change, everything is working great!

Sanitized working profile (currently in my production directory):

dn: cn=uxprofile,ou=Profiles,dc=example,dc=com
cn: uxprofile
objectClass: DUAConfigProfile
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
profileTTL: 3600
credentialLevel::
serviceSearchDescriptor: passwd:OU=People,DC=example,DC=com
serviceSearchDescriptor: group:OU=Group,DC=example,DC=com
authenticationMethod: tls:simple
defaultServerList: example.com:389 example.com:389