Prashanth Sundaram wrote:
Rich,
Andrey’s suggestion worked. Yes, I have enabled SSL in the Admin
server and Directory Server. But it still would fall back on 389-ds
password, when “pamsecure=TRUE’. If I set pamsecure=FALSE, the
authentication passed through to the AD as intended.
How do I secure the communication between 389-ds and LDAP server?
I'm not sure
what you mean - 389-ds is the LDAP server?
I used wireshark to capture packets, and it’s all clear.
man
pam_ldap - you'll have to configure /etc/ldap.conf to use TLS and
provide a CA cert.
To revisit, here's the observation: pamsecure when set to TRUE
authenticates
users only to the password in 389-ds, but when set to FALSE will
authenticate to the AD password only if the uid exists in /etc/passwd.
That's really bizarre - the only place where pamSecure is used is here:
if (cfg->pamptconfig_secure) { /* is a secure connection required? */
int is_ssl = 0;
slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl);
if (!is_ssl) {
slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM, "<=
connection not secure (secure connection required; check config)");
return retcode;
}
}
That is, if pamSecure is true, requests will be rejected unless using
TLS/SSL. Do you have your directory server configured to use TLS/SSL
when using pamSecure: TRUE?
------------------------------------------------------------------------
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users