LDAP on FC3 - buggy or is it me?!

Mark msalists at gmx.net
Thu Jun 30 21:06:59 UTC 2005


Hi everybody,

I have been fighting with FC3 for a while now, trying to get authentication to work via LDAP.
The configuration that worked under FC1 (using TLS) did not work under FC3, apparently because FC1 would do TLS without verifying
the server certificate, whereas FC3 had this security hole closed. So I got to a point where my certificates were fine and FC3
would do LDAP via TLS for everything (finger, getent, ldapsearch, etc.), except for the logon password authentication.

Finally, I found the solution by accident, and it has to do with using the "host" vs "URI" directive:
The only way I can login to the system is with /etc/ldap.conf using "host":

base dc=mydomain,dc=com
host ldap1.hq.mydomain.com:636
pam_password md5
ssl yes
TLS_CACERT /etc/mydomain/ppkeys/public_keys/self-ca.mydomain.com.crt.pem


"ldapsearch -x", however, only works with the "URI" directive in /etc/openldap/ldap.conf:

base dc=mydomain,dc=com
URI ldaps://ldap1.hq.mydomain.com
pam_password md5
ssl yes
TLS_CACERT /etc/mydomain/ppkeys/public_keys/self-ca.mydomain.com.crt.pem

Does anybody know what is going on with this? Is this just a bug in openLDAP? 
What is really the difference between these two ways?

I saw a post somewhere saying that the openLDAP version shipped with FC3 is rather buggy and unstable. Unfortunately, there is no
update available. I tried installing the FC4 openLDAP RPMs, but had too many problems with missing libcrypto and other libraries,
and I don't want to mess up the rest of the system by trying to patch in FC4 RPMs...

BTW, in case this gives any more clues: the only way I got phpLDAPAdmin (0.9.6c) to work is this:
$servers[$i]['name'] = 'ldap1.hq';
$servers[$i]['host'] = 'ldaps://ldap1.hq.mydomain.com';
$servers[$i]['base'] = 'dc=mydomain,dc=com';
$servers[$i]['port'] = 636;
$servers[$i]['auth_type'] = 'session';
$servers[$i]['login_dn'] = 'cn=Administrator,dc=mydomain,dc=com';
$servers[$i]['login_pass'] = 'secret';
$servers[$i]['tls'] = false;
$servers[$i]['low_bandwidth'] = false;
$servers[$i]['default_hash'] = 'ssha';
$servers[$i]['login_attr'] = 'dn';
$servers[$i]['login_string'] = 'uid=<username>,ou=People,dc=example,dc=com';
$servers[$i]['login_class'] = '';
$servers[$i]['read_only'] = false;
$servers[$i]['show_create'] = true;
$servers[$i]['disable_anon_bind'] = false;
$servers[$i]['custom_pages_prefix'] = 'custom_';
$servers[$i]['unique_attrs_dn'] = '';
$servers[$i]['unique_attrs_dn_pass'] = '';


Thanks,

MARK
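As an added illustration (not part of Mark's post, pam_ldap or OpenLDAP), the Python below resolves both ldap.conf styles quoted in the post to the endpoint they actually describe and flags settings that would switch server-certificate verification back off. The two sample configs are constructed from the post; the treatment of TLS_REQCERT and tls_checkpeer values is commented and assumed to match the library documentation.

```python
from urllib.parse import urlsplit

# Constructed from the two snippets in the post; not taken from a real host.
PAM_LDAP_CONF = """\
base dc=mydomain,dc=com
host ldap1.hq.mydomain.com:636
pam_password md5
ssl yes
TLS_CACERT /etc/mydomain/ppkeys/public_keys/self-ca.mydomain.com.crt.pem
"""
OPENLDAP_CONF = """\
base dc=mydomain,dc=com
URI ldaps://ldap1.hq.mydomain.com
TLS_CACERT /etc/mydomain/ppkeys/public_keys/self-ca.mydomain.com.crt.pem
"""

def parse_ldap_conf(text):
    """Map each 'keyword value' line to {keyword.lower(): value}; comments are skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf

def normalize(uri):
    """(scheme, host, port) with the default port filled in, so both styles compare equal."""
    p = urlsplit(uri)
    return (p.scheme, p.hostname, p.port or (636 if p.scheme == "ldaps" else 389))

def effective_uris(conf):
    """Resolve the endpoint: a 'URI' line wins; otherwise build one from 'host[:port]' + 'ssl yes'."""
    if "uri" in conf:
        return [normalize(u) for u in conf["uri"].split()]
    scheme = "ldaps" if conf.get("ssl", "").lower() == "yes" else "ldap"  # 'ssl yes' = LDAPS
    uris = []
    for host in conf.get("host", "").split():
        name, _, port = host.partition(":")
        port = port or conf.get("port", "")
        uris.append(normalize(f"{scheme}://{name}" + (f":{port}" if port else "")))
    return uris

def weak_tls_settings(conf):
    """Flag values that stop the client from verifying the server certificate (what FC1 tolerated)."""
    issues = []
    if conf.get("tls_reqcert", "").lower() in ("never", "allow"):   # OpenLDAP client keyword
        issues.append(f"TLS_REQCERT {conf['tls_reqcert']}: peer certificate not enforced")
    if conf.get("tls_checkpeer", "").lower() == "no":                # pam_ldap keyword
        issues.append("tls_checkpeer no: pam_ldap skips server certificate verification")
    if "tls_cacert" not in conf and "tls_cacertdir" not in conf:
        issues.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor to verify the chain against")
    return issues

def same_endpoint(conf_a, conf_b):
    return set(effective_uris(conf_a)) == set(effective_uris(conf_b))
```

Run against the two constructed configs, `same_endpoint` is true: "host ...:636" plus "ssl yes" and "URI ldaps://..." name the same LDAPS server, the difference being which consumer (pam_ldap/nss_ldap versus the OpenLDAP client library) reads which file.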
