LDAP auth not working at all with SSL
Ken Kleiner
Advisor

We are running Tru64 5.1B with v6.5 of Internet Express Ldap Module for System Auth. Our ldap server is openldap on linux.
Authenticating to it from linux clients with tls works fine.

I discovered that doing so with tru64 is not possible with tls, so I've configured SSL and ldap_enable, ldap_check show positive results with ssl connectivity. ldap_get_user also shows all of the entries from our ldap server. These things also run fine when I point ldapcd.conf to port 389 (non ssl).

In my ldapcd.conf file I put:
port: 636
usessl: 1
as I've seen on these forums.

When I'm using non ssl, things like id/finger properly show the ldap entry for a particular user. When doing the same with ssl, I get 'user not found in /etc/passwd, etc'. Again, ldap_get_user and ldap_get_group DO work with ssl.

I've run tcpdump on the ldap server to view data coming from the tru64 box and I don't see ANY traffic coming from the tru64 box when I run id/finger/su. I do see the traffic obviously when I do ldap_get_user with ssl - as that does work. I also do see tcpdump traffic when doing id/su/finger with non ssl connections.

I am running enhanced security on this system and it is a NIS client. Can those be causing this?

Here is what ends up in my /etc/sia/matrix.conf when I ldap_enable:

# sia matrix configuration file (BSD only)

siad_setpwent=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_endpwent=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_getpwent=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_getpwnam=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_getpwuid=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_chg_finger=(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_password=(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_shell=(OSFC2,/usr/shlib/libsecurity.so)
siad_chk_user=(OSFC2,/usr/shlib/libsecurity.so)
siad_setgrent=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_endgrent=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_getgrent=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_getgrnam=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_getgrgid=(BSD,libc.so) (LDAP,/usr/shlib/libsialdap.so)
siad_ses_init=(OSFC2,/usr/shlib/libsecurity.so)
siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_authent=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_suauthent=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_reauthent=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_estab=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_launch=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_release=(OSFC2,/usr/shlib/libsecurity.so)
siad_init=(OSFC2,/usr/shlib/libsecurity.so) (LDAP,/usr/shlib/libsialdap.so)

Any help or advice would be appreciated - thanks!!!!!

4 REPLIES
Ann Majeske
Honored Contributor

Re: LDAP auth not working at all with SSL

I haven't done this myself, so I'm going off of what other people have told me :)

In the Internet Express documentation for ldap, there's a section that talks about an additional step needed to get ldap to work with Enhanced Security: http://h30097.www3.hp.com/docs/iass/OSIS_66/admin/ch04.html#v955251

Adding an LDAP User in a C2 Environment

There is an additional step required when you have C2 security enabled. For each system into which you wish the user to be able to login, you must add an edauth entry. The entry should be of the form:

echo ":u_name=:u_id#:u_oldcrypt#3:u_lock@:chkent:"\
| /usr/tcb/bin/edauth -s

Personally I don't think that you get much out of the combination of ldap and Enhanced Security since the passwords are stored in ldap instead of the Enhanced Security database, so why bother having Enhanced Security enabled??

I'm also not sure about your matrix.conf file. It doesn't look right to me. I didn't think you could mix and match mechanisms like that, but that both (or all 3, including BSD) mechanisms should be listed for all functions, in the order you want them queried in (e.g. BSD first, then LDAP, and then C2). But maybe there's something special about the ldap mechanism that doesn't require that.

Ann

Ken Kleiner
Advisor

Re: LDAP auth not working at all with SSL

Hi Ann,

Thanks for the reply. Trying to do the edauth with a user that is in the ldap server yields:

Failed to parse input entry beginning with "testuser:u_uname=testuser"

I used this command:
echo "testuser:u_uname=testuser:u_id#55945:u_oldcrypt#3:u_lock@:chkent:"|/usr/tcb/bin/edauth -s

Manual pages say the user has to be in /etc/passwd first, but that is what ldap is supposed to replace.

Using enhanced security even with ldap gives the extra security of your root and other local accounts passwords not being visible in world readable /etc/passwd file.

Any further advice? Thanks.

Ann Majeske
Honored Contributor
Solution

Re: LDAP auth not working at all with SSL

Ken,

The error you're getting from edauth is because you didn't enter the data correctly. It's u_name, not u_uname.

Ann
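The field-name slip above (u_uname instead of u_name) is easy to miss by eye, so here is an added helper, not from the thread or from HP's documentation, that builds the edauth entry in the documented form and checks an existing one field by field. The field names come from the Internet Express docs quoted above; the username and uid are the ones from this thread, and the function names are mine.

```python
import re

# Field order of the prpasswd entry fed to "edauth -s", as quoted from the
# Internet Express docs: u_name= / u_id# / u_oldcrypt# / u_lock@ / chkent.
EXPECTED_FIELDS = ("u_name", "u_id", "u_oldcrypt", "u_lock", "chkent")


def build_edauth_entry(username: str, uid: int) -> str:
    """Return the one-line entry for an LDAP user on a C2 (Enhanced Security) host."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", username):
        raise ValueError(f"unexpected username: {username!r}")
    return f"{username}:u_name={username}:u_id#{uid}:u_oldcrypt#3:u_lock@:chkent:"


def check_edauth_entry(entry: str) -> list:
    """Return the problems found in an edauth entry; an empty list means it parses."""
    problems = []
    parts = entry.split(":")
    # Form is "name:field:field:...:" so the last split element must be empty.
    if len(parts) < 3 or parts[-1] != "":
        return ["entry must look like 'name:field:...:' and end with ':'"]
    fields = parts[1:-1]
    # The field name is whatever precedes the type suffix (= string, # number, @ flag).
    names = [re.split(r"[=#@]", f, maxsplit=1)[0] for f in fields]
    if len(names) != len(EXPECTED_FIELDS):
        problems.append(f"expected {len(EXPECTED_FIELDS)} fields, got {len(names)}")
    for expected, got in zip(EXPECTED_FIELDS, names):
        if got != expected:
            problems.append(f"field {got!r} should be {expected!r}")
    # Only check the u_name value once the field names themselves are right.
    if not problems and fields[0] != f"u_name={parts[0]}":
        problems.append("u_name value must equal the leading username")
    return problems


if __name__ == "__main__":
    # Constructed input: the exact line from the thread, with the u_uname typo.
    typo = "testuser:u_uname=testuser:u_id#55945:u_oldcrypt#3:u_lock@:chkent:"
    print(check_edauth_entry(typo))
    print(build_edauth_entry("testuser", 55945))
```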
Ken Kleiner
Advisor

Re: LDAP auth not working at all with SSL

Doh!!!

Yup, that works - it's amazing how long I can look at something and still not see the error - other eyes really help.

I think in the meantime we've decided to scrap this idea, as we also are now having a problem with password schemes. We use SSHA on the ldap server for password encryption, but Tru64 needs to see crypt().

I also don't like the idea of having to make an edauth entry for each user that wants to connect, and I don't want to stop using enhanced security.

We still also cannot get this to work with LDAP SSL - so that's also a showstopper.

Thanks for the help anyways!