Friday, June 14, 2013

CentOS: 3rd party certs for LDAP auth (sshd and Samba)

Well, that was frustrating. I had an LDAP server using a self-signed certificate. I opted to replace it with a third-party-signed certificate, and everything broke. A note up front: a self-signed certificate is just as effective, and just as easy to use, as a third-party one. You still have to import the CA for a third-party-signed certificate, so if you can protect the trust anchor for your LDAP infrastructure yourself, go with self-signed. For example, in /var/log/messages I was getting:

    Jun 14 08:41:09 linuxbox sssd[be[default]]: Could not start TLS encryption. TLS error -8179:Peer's Certificate issuer is not recognized.

SSH

Anyway, once the dirty deed of going with a third-party certificate is done, and your Linux box uses LDAP authentication, you will need to update your authentication configs:

    authconfig --enableldap --enableldapauth --ldapserver='ldaps://example.com/' --ldapbasedn='ou=people,dc=example,dc=com' --enablemkhomedir --enableshadow --enablelocauthorize --passalgo=sha512 --update

Just a quick documentation step I completely lost the last time; this does a good job of updating the configs and getting you back on your feet. NOTE: if the hostname in the --ldapserver option doesn't match the name on the SSL certificate, the TLS handshake fails and sssd (the System Security Services Daemon) loses its LDAP connectivity entirely.

Samba

This one was a pain because everything I kept trying was failing. Samba simply kept saying:

    Jun 14 09:05:24 linuxbox smbd[23739]: [2013/06/14 09:05:24.723509,  0] lib/smbldap.c:1151(smbldap_connect_system)
    Jun 14 09:05:24 linuxbox smbd[23739]:   failed to bind to server ldaps://hostname.example.com/ with dn="cn=binduser,dc=example,dc=com" Error: Can't contact LDAP server
    Jun 14 09:05:24 linuxbox smbd[23739]:   #011TLS error -8179:Peer's Certificate issuer is not recognized.

What I found (strace is awesome): you need to use the right CA here. I kept trying the provider's top-level CA, which won't work if they sign with an intermediate. If you have already configured Apache with the same SSL certificate, simply find the directive:

    SSLCertificateChainFile /path/to/intermediate/certificate

Then point TLS_CACERT in your /etc/ldap.conf file at that same intermediate certificate file, and restart Samba. The problem should be fixed now.
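To check a server certificate against a CA file the way the LDAP client will, here is an added example that is not from the original post: it builds a constructed root/intermediate/leaf chain with openssl in a temp directory, then shows that a CA file holding only the root fails (the "issuer is not recognized" case above), that root plus intermediate passes, and that a hostname which does not match the certificate fails (the --ldapserver note in the SSH section). The names ldap.example.com, Example Root CA, Example Intermediate CA and the file names are assumptions; it trusts root and intermediate together because openssl verify wants a chain that ends at a self-signed root, and it needs only openssl (1.1.0 or newer) on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: constructed root -> intermediate -> leaf chain,
# then the verification an LDAP client does with TLS_CACERT. All names are assumptions.
set -e
WORK=$(mktemp -d)   # everything is created here; remove it when done
cd "$WORK"

# Minimal req config so the root gets CA:TRUE regardless of the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > req.cnf
# Extensions for the intermediate (a CA) and for the LDAP server leaf (SAN must match the URI hostname).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.com\nextendedKeyUsage=serverAuth\n' > leaf.ext

# Constructed PKI: self-signed root, intermediate signed by the root, leaf signed by the intermediate.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 30 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.crt 2>/dev/null
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=ldap.example.com" -keyout ldap.key -out ldap.csr 2>/dev/null
openssl x509 -req -days 30 -in ldap.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -out ldap.crt 2>/dev/null

# What the client does with TLS_CACERT: verify the server leaf against that CA file and
# check it against the hostname from the ldaps:// URI. Prints "ok" or "fail".
verify_leaf() {  # $1 = CA file (what TLS_CACERT would point at), $2 = hostname from the LDAP URI
  if openssl verify -CAfile "$1" -verify_hostname "$2" ldap.crt >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Root plus intermediate: the intermediate from the chain file together with its root.
cat root.crt inter.crt > bundle.crt

echo "root CA only, correct host:       $(verify_leaf root.crt   ldap.example.com)"   # fail: issuer not recognized
echo "root+intermediate, correct host:  $(verify_leaf bundle.crt ldap.example.com)"   # ok
echo "root+intermediate, wrong host:    $(verify_leaf bundle.crt other.example.com)"  # fail: hostname mismatch
```

The first line reproduces the -8179 failure from the logs above with a trust store that lacks the intermediate; the last one is the hostname mismatch the SSH section warns about.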
