ldap

weblogin officially using LDAP over SSL


weblogin.ac.uab.edu is now using ldaps to access the LDAP service for authentication. Several problems existed which had prevented this from working. The default libldap2 binary on debian woody 2.4 is not built with tls enabled. This was the main problem. The fix was to rebuild the openssl source package on the debian build box:

apt-get source libldap2
cd openldap-2.0.23
dpkg-buildpackage -uc -b

and then install the resulting libldap2 .deb file on weblogin:

dpkg -i libldap2-2.0.23.deb

The next step is to tell libldap where to find the trust definition for the UAB ldap SSL interface. This requires the Equifax root. Put that in /usr/lib/ssl/cert/ca-bundle.crt. The location is defined in /etc/ldap/ldap.conf with the values TLS_CACERT (for the bundle file) and TLS_CACERT_DIR (for the hash-based files). While I prefer the latter, only the TLS_CACERT file option seemed to work.
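The trust setup above is only useful if the client actually verifies the server certificate against that bundle. The following is an added example (not code from the page or from UAB) that audits an ldap.conf for the directives involved: the weak configuration relies on the hash directory only and switches verification off, the hardened one points TLS_CACERT at the bundle path the page uses. Directive spellings follow ldap.conf(5): TLS_CACERT and TLS_CACERTDIR are the two trust-anchor forms, and TLS_REQCERT (not mentioned on the page, default "demand") decides whether the chain is checked at all. The config texts and the file_exists stub are constructed so the check runs without touching a real system.

```python
"""Audit an OpenLDAP ldap.conf for a usable TLS trust configuration.

Added example; directive names follow ldap.conf(5), the config texts are
constructed for demonstration only.
"""
import os

# Constructed example: trusts a hash directory only and never verifies.
WEAK_CONF = """\
# ldap.conf -- constructed example, weak settings
BASE   dc=example,dc=edu
URI    ldaps://ldap.example.edu
TLS_CACERTDIR /etc/ssl/certs
TLS_REQCERT never
"""

# Constructed example: bundle file (the form that worked on the page) and
# full verification of the server chain.
HARDENED_CONF = """\
# ldap.conf -- constructed example, hardened settings
BASE   dc=example,dc=edu
URI    ldaps://ldap.example.edu
TLS_CACERT /usr/lib/ssl/cert/ca-bundle.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; directives are case-insensitive and the
    last occurrence wins, which is how libldap reads the file."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_tls_trust(conf, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means the trust setup looks
    sound. file_exists is injectable so constructed configs can be checked
    without a real filesystem."""
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate is not verified, "
                        "so an impersonated server would be accepted" % reqcert)
    bundle = conf.get("TLS_CACERT")
    cadir = conf.get("TLS_CACERTDIR")
    if not bundle and not cadir:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: libldap has no trust "
                        "anchor for the LDAP server's certificate chain")
    elif bundle and not file_exists(bundle):
        findings.append("TLS_CACERT %s does not exist" % bundle)
    elif cadir and not bundle:
        findings.append("only TLS_CACERTDIR %s: needs hash-named links in that "
                        "directory; a TLS_CACERT bundle is the simpler form" % cadir)
    if not conf.get("URI", "").lower().startswith("ldaps://"):
        findings.append("URI is not ldaps://: unless the client issues StartTLS, "
                        "binds go to port 389 in the clear")
    return findings


def audit(text, file_exists=os.path.isfile):
    """Parse and check one ldap.conf text in a single call."""
    return check_tls_trust(parse_ldap_conf(text), file_exists)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(text, file_exists=lambda p: True) or ["ok"])
```

Run it against the real file with `audit(open("/etc/ldap/ldap.conf").read())`; the default file_exists then confirms that the bundle path really resolves.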

Secure and Informative User Authentication Using UAB's ldap Server


About this document

Original author: Jason Nance <jbnance>
Research by: John-Paul Robinson <jpr>

This doc is an overview of the configuration of pam_ldap for user authentication using UAB's ldap server for password validation and your own ldap server for account enumeration.

NOTE :: This doc does NOT detail the setup of your ldap server, but does assume you have a working configuration and a knowledge of how to add/modify entries.

LDAP SSL Bind control


The plugins discussed in a [post on ldap-devel|http://metric.it.uab.edu/pipermail/ldap-devel/2003-December/002030.html] are specific to Sun's iPlanet LDAP server. There are two plugins:

* The [Georgetown code|http://www.georgetown.edu/giia/internet2] was written in part by Michael Gettes and seems to be an early exploration of kerb/ssl hooks.
* The [Duke code|http://www.oit.duke.edu/~rob/krbdirp/] appears to be a more mature implementation ready for production that supports separation of kerb/ssl/pam hooks.

We are interested in preventing access to port 389 for authenticated binds, to reduce the security risk of passing clear-text passwords over unencrypted channels.
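Blocking authenticated binds on port 389 is a server-side control; the matching detection is to look for simple binds that carry a password outside a TLS session. The following is an added example (not code from the page, the ldap-devel post, or either plugin) that decodes the BER structure of an LDAP BindRequest as defined in RFC 4511 and raises an alert when a non-empty simple password travels over an unencrypted connection. It keeps only the password length, never the secret, and treats an anonymous bind (empty password) as harmless. The sample messages and the DN cn=alice,dc=example,dc=org are constructed by hand; the encrypted flag stands in for whatever the capture tool knows about the transport (ldaps on 636, or StartTLS already negotiated on 389).

```python
"""Flag LDAP simple binds that carry a password over an unencrypted channel.

Added example; decodes only the BER framing of a BindRequest (RFC 4511) and
never retains the password itself. Sample bytes are constructed.
"""


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value, next_pos).
    Handles short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(payload):
    """Return a dict describing a BindRequest, or None if payload is not one."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        if tag != 0x30:                       # LDAPMessage ::= SEQUENCE
            return None
        tag, msgid, pos = _read_tlv(msg, 0)
        if tag != 0x02:                       # messageID INTEGER
            return None
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                       # [APPLICATION 0] BindRequest
            return None
        _, ver, pos = _read_tlv(op, 0)        # version INTEGER
        _, name, pos = _read_tlv(op, pos)     # name LDAPDN
        auth_tag, auth, _ = _read_tlv(op, pos)
    except IndexError:
        return None                           # truncated or not LDAP at all
    info = {"message_id": int.from_bytes(msgid, "big"),
            "version": int.from_bytes(ver, "big"),
            "name": name.decode("utf-8", "replace")}
    if auth_tag == 0x80:                      # simple [0] OCTET STRING
        info["auth"] = "simple"
        info["password_len"] = len(auth)      # length only, never the secret
    elif auth_tag == 0xA3:                    # sasl [3] SaslCredentials
        info["auth"] = "sasl"
    else:
        info["auth"] = "unknown"
    return info


def cleartext_bind_alert(payload, dst_port, encrypted):
    """Return an alert string for a credential-bearing simple bind sent in
    the clear, or None. encrypted=True means the bytes came from inside a
    TLS session (ldaps on 636, or after StartTLS on 389)."""
    if encrypted:
        return None
    bind = parse_bind_request(payload)
    if bind is None or bind["auth"] != "simple":
        return None
    if bind["password_len"] == 0:
        return None                           # anonymous bind: nothing exposed
    return ("cleartext simple bind on port %d for %s (password %d bytes)"
            % (dst_port, bind["name"], bind["password_len"]))


# Constructed sample: messageID 1, version 3, DN cn=alice,dc=example,dc=org,
# 6-byte simple password. Lengths: inner op 0x27, outer message 0x2c.
SAMPLE_BIND = (b"\x30\x2c"
               b"\x02\x01\x01"
               b"\x60\x27"
               b"\x02\x01\x03"
               b"\x04\x1acn=alice,dc=example,dc=org"
               b"\x80\x06s3cret")

# Constructed sample: anonymous bind (empty DN, empty password).
ANON_BIND = b"\x30\x0c\x02\x01\x02\x60\x07\x02\x01\x03\x04\x00\x80\x00"


if __name__ == "__main__":
    print(cleartext_bind_alert(SAMPLE_BIND, 389, encrypted=False))
    print(cleartext_bind_alert(SAMPLE_BIND, 636, encrypted=True))
    print(cleartext_bind_alert(ANON_BIND, 389, encrypted=False))
```

Feed it the first TCP payload of each new connection to port 389 from a capture; binds that arrive after a StartTLS exchange are inside TLS and must be passed with encrypted=True, otherwise the ciphertext simply fails to parse and is ignored.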
