LDAP Signing in AD Integration Situations

Reader Jeffrey Spear contacted me a while back with some problems he was experiencing in trying to integrate some Linux systems into Active Directory. Basically, Kerberos was working but LDAP wasn’t: he could run “kinit <AD username>” and get a Kerberos ticket, but “getent passwd <AD username>” returned nothing. No error messages, nothing; it just didn’t work.

We traded e-mails back and forth for a while, and eventually he found the solution himself:

We work with a locked down version of OSs and in this case a domain policy on the Windows server was preventing the RHEL machines from accessing account info.  The policy was “Domain controller: LDAP server signing requirements” which was set to “Require signature.”  When I changed this setting to “None” it worked great.

This is good information and important to keep in mind; I’ll be sure to incorporate this into the next revision of the Linux-AD integration instructions. (No, I don’t have a timeframe on when that will be!)

In the meantime, if anyone has a workaround for this problem that will allow LDAP to work with signatures enabled or required, I’d love to hear it. Speak up in the comments below!


  1. slowe

    Ron,

    Sort of. That page does clearly state that requiring LDAP signing will break LDAP simple bind, which is what nss_ldap does from the UNIX/Linux side. So that page reinforces the behavior that Jeffrey was seeing: with LDAP signing turned on, the UNIX/Linux clients can’t bind to LDAP and they don’t work.

  2. Dan Jaap

    Hi Scott,
    I really appreciate your blog….there is a lot of great info on it.

    I’m trying to implement AD authentication (Windows 2003 R2) with my RHEL 5.2 test box. I’m having this exact same issue: Kerberos works fine, but LDAP will not. I have verified (with the Group Policy Results wizard) that “Domain controller: LDAP server signing requirements” is set to “None”.

    Any suggestions?

  3. Dan Jaap

    Hi Scott,
    …more on my post from above. I tried everything that I could think of and decided that there were too many variables to even begin, so I isolated my issue to the Linux side. I installed a new Linux server with RHEL 4.4 (just in case RHEL 5 was the problem) and followed your steps exactly. I have the same behavior on my RHEL 4 box as on my RHEL 5 box: Kerberos works fine, but LDAP does not. The command ‘getent passwd ldapBind’ returns nothing, and there is nothing in /var/log/messages either. So I ruled this out as a problem with the OS and decided to try to isolate the Windows side. I installed and configured a new domain controller with all defaults, then reconfigured everything on the Linux servers to point to the new domain. Same results. I am totally at a loss. What’s even more frustrating for me is that I had this configuration working about a year ago in a test environment; I had to wipe out the test environment because my priorities were shifted to a different project, and of course I didn’t document any of my steps. Anyway, I could really use some suggestions.
    do you think that this is an LDAP issue or do you think it is an Active Directory issue?
    DNS?

  4. steve

    Scott,

    If AD is configured to use LDAP signing, you will need to configure Linux to do the LDAP bind over TLS. This means that you will need to setup the AD Domain Controller as a CA (or purchase server certs from Verisign), create a server certificate, export the certificate in p7b format, transfer the cert to the linux server directory /etc/ssl/certs, ensure the cert is world readable, modify /etc/ldap.conf to use TLS.

    /etc/ldap.conf mods:
    URI ldaps://ad-server-1 ldaps://ad-server-2
    tls_cacertdir /etc/ssl/certs
    tls_cacertfile /etc/ssl/certs/
    tls_reqcert never

    Note1: Use the openssl client to validate the certificate
    openssl s_client -connect :636 -CAfile /etc/ssl/certs/

    Note2: Use ldapsearch to validate the bind over TLS
    Modify /etc/openldap/ldap.conf
    TLS_CACERTDIR /etc/ssl/certs
    TLS_CACERT /etc/ssl/certs/
    TLS_REQCERT never

    Validate ldapsearch over TLS
    /usr/bin/ldapsearch -H ldaps:// -x -D "$BINDDN" -w "$BINDPWD" -b "$BASE" -s sub '(cn=*)'
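The post asks for a way to keep signing required and still have the Linux side work; the comment above gets there by moving the simple bind onto LDAPS, which the policy permits, but its tls_reqcert never means the client accepts any certificate and will hand its bind password to whatever answers on port 636. The audit script below is an added example, not code from the original post or from any of the commenters. It reads an nss_ldap-style ldap.conf and reports the three settings that matter here: a cleartext simple bind (the thing a DC set to “Require signature” rejects, and the thing the policy exists to prevent), TLS with peer verification disabled, and a stored bindpw in a world-readable file. It treats a GSSAPI SASL bind (use_sasl on, sasl_mech GSSAPI) as satisfying the signing policy, since a Kerberos-authenticated SASL session can carry the integrity layer the DC asks for. The two sample configurations it audits are constructed for this example; the ad-server-1/ad-server-2 names and cn=ldapBind come from the comments above, dc=example,dc=com and /etc/openldap/cacerts/ad-ca.pem are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or its comments): audit an
# nss_ldap/pam_ldap style ldap.conf for settings that either make the client
# send a simple bind in the clear (refused by a DC set to "Require signature")
# or make a TLS bind trivially interceptable.
# Assumption: keywords are the ones nss_ldap's ldap.conf documents (uri, ssl,
# tls_checkpeer, tls_reqcert, use_sasl, sasl_mech, bindpw); nss_ldap matches
# them case-insensitively, so the audit does too.

# First value of keyword $1 in file $2, lowercased; empty if the keyword is absent.
conf_val() {
    grep -i "^[[:space:]]*$1[[:space:]]" "$2" | head -n 1 | awk '{ print tolower($2) }'
}

# Usage: audit_ldap_conf /path/to/ldap.conf
# Prints one line per finding; the exit status is the number of findings (0 = clean).
audit_ldap_conf() {
    conf="$1"
    findings=0

    uris=$(grep -i '^[[:space:]]*uri[[:space:]]' "$conf" | tr 'A-Z' 'a-z')
    ssl=$(conf_val ssl "$conf")
    use_sasl=$(conf_val use_sasl "$conf")
    sasl_mech=$(conf_val sasl_mech "$conf")
    checkpeer=$(conf_val tls_checkpeer "$conf")
    reqcert=$(conf_val tls_reqcert "$conf")

    # 1. Cleartext simple bind: a plain ldap:// URI, no start_tls, and no
    #    GSSAPI SASL bind. This is exactly the combination "Require signature" rejects.
    if echo "$uris" | grep -q 'ldap://' && [ "$ssl" != "start_tls" ] \
        && ! { [ "$use_sasl" = "on" ] && [ "$sasl_mech" = "gssapi" ]; }; then
        echo "FAIL: simple bind over cleartext ldap:// (password on the wire; a DC requiring signing refuses it)"
        findings=$((findings + 1))
    fi

    # 2. TLS without verifying the DC certificate: anyone who can answer for the
    #    DC's name on 636 (or 389 with start_tls) receives the bind password.
    if [ "$checkpeer" = "no" ] || [ "$reqcert" = "never" ] || [ "$reqcert" = "allow" ]; then
        echo "FAIL: TLS peer verification disabled (tls_checkpeer=$checkpeer tls_reqcert=$reqcert)"
        findings=$((findings + 1))
    fi

    # 3. A stored bind password in a file every local user can read
    #    (column 8 of ls -l is the others-read bit).
    if grep -qi '^[[:space:]]*bindpw[[:space:]]' "$conf" \
        && [ "$(ls -l "$conf" | cut -c8)" = "r" ]; then
        echo "FAIL: bindpw stored in a world-readable file ($conf)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample: the configuration that fails against "Require signature",
# and which still leaks the bind password once moved to TLS with tls_reqcert never.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
uri ldap://ad-server-1 ldap://ad-server-2
base dc=example,dc=com
binddn cn=ldapBind,cn=Users,dc=example,dc=com
bindpw S3cret
ssl no
tls_reqcert never
EOF
chmod 644 "$WEAK_CONF"

# Constructed sample: simple bind only over verified TLS. No bindpw here; if a
# bind password is needed it belongs in a root-only file (nss_ldap's rootbinddn
# with /etc/ldap.secret), and the CA file path is an assumed location.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
uri ldaps://ad-server-1 ldaps://ad-server-2
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-ca.pem
tls_reqcert demand
EOF
chmod 600 "$GOOD_CONF"

echo "== weak =="; audit_ldap_conf "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened =="; audit_ldap_conf "$GOOD_CONF" && echo "clean"
```

Run it against the real /etc/ldap.conf on a client that fails against a signing-required DC; the first finding is the one the policy is enforcing, and clearing it by switching to LDAPS or start_tls without also clearing the second merely moves the password from cleartext to a connection anyone can impersonate.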