# SSH server w/ ldap can't check key over ldaps [solved]

## RoundsToZero

I'm using LDAP to store public keys for SSH authentication (aka "LPK" or the ldap use flag for openssh).  Everything works as long as I use insecure ldap as opposed to ldaps.  When I use ldaps I get this error:

```
ldap_connect: (TLS) ldap_start_tls(): Can't contact LDAP server (-1)
ldap_simple_bind_s(): Can't contact LDAP server (-1)
[LDAP] could not initialize ldap connection
```

I am pretty sure (from seeing the same thing when trying to configure mod_auth_ldap for Apache with ldaps) that the problem is that the SSH server (like the Apache server before) isn't trusting the LDAP server's certificate.  In Apache there is an option where you give it the path to the CA certificate that signed the LDAP server's certificate.  Then Apache started trusting the LDAP server and my problem was resolved.  With the SSH server, there doesn't seem to be such an option to tell it to trust the LDAP server.

This is my LPK section in sshd_config:

```
UseLPK yes
#LpkLdapConf /etc/ldap.conf
LpkServers  ldaps://amsa.info
LpkUserDN   ou=People,dc=amsa,dc=info
LpkGroupDN  ou=Group,dc=amsa,dc=info
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3
```

Like I said, it works if I change ldaps:// to ldap://, but I need to be able to use ldaps.

*Last edited by RoundsToZero on Sun Jul 09, 2006 6:28 pm; edited 1 time in total*

----------

## Philantrop

Are you using OpenLDAP 2.1 or 2.2 and self-signed certificates?

In that case, you'll need to put "TLS_REQCERT never" (man ldap.conf) into ldap.conf:

*man ldap.conf wrote:*

> TLS_REQCERT <level>
>
> Specifies what checks to perform on server certificates in a TLS session, if any. The <level> can be specified as one of the following keywords:
>
> ...

 
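For the case Philantrop describes (a self-signed or private-CA server certificate), the alternative to switching verification off is to hand libldap the signing CA, which is what the Apache setup in the first post did. The following is an added example showing the two ldap.conf settings side by side; it is not text from the thread, and both the ldap.conf location (the Gentoo default is assumed to be /etc/openldap/ldap.conf) and the CA certificate path are assumptions:

```conf
# /etc/openldap/ldap.conf (assumed path; read by libldap, which an sshd built with
# the ldap USE flag links against, so these settings apply to LPK lookups too)

# Weak setting: any server certificate is accepted, so the client cannot tell the
# real LDAP server from an impostor presenting its own certificate.
#TLS_REQCERT never

# Verifying setting: accept only certificates that chain to this CA, and fail the
# connection otherwise. The CA file path is an assumption for this example.
TLS_CACERT  /etc/ssl/certs/amsa-ca.pem
TLS_REQCERT demand
```

With TLS_REQCERT set to demand, the Common Name (or subjectAltName) of the server certificate must still match the host name the client connects to, which is the point weyhan makes below about using the server's FQDN when creating the certificate.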

----------

## RoundsToZero

I am using OpenLDAP 2.3 since it's stable now.  Unfortunately, I want certificate checking, because otherwise how does the SSH server know that it's talking to the real LDAP server?

----------

## weyhan

RoundsToZero,

AFAIK, all you need to do is use the FQDN of your server for this entry when you are creating and signing your cert.

```
...

Common Name (eg, YOUR name) []:

...
```

It must be the full domain name of your ldap server or it will not work.

HTH

----------

## RoundsToZero

I was already doing that, but it didn't work.

It turns out that OpenSSH won't use SSL for LDAP, only TLS.  Therefore it always connects with ldap:// as opposed to ldaps:// and uses port 389 instead of 636.  It will always ask to upgrade to a secured connection with TLS, which I already had enabled on my LDAP server.  When you connect directly with ldaps:// on 636, the LDAP server doesn't do any TLS, so when OpenSSH asks to upgrade to a secured connection, it won't work.

Changed to solved.
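The mechanism this post describes (the LPK client opens a plain LDAP session on port 389 and then asks the server to upgrade it with the StartTLS extended operation, so a listener that only speaks ldaps:// on 636 cannot satisfy it) can be checked directly from the host that runs sshd. The script below is an added example, not code from the thread or from OpenSSH-LPK: it sends the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) to port 389 using a minimal hand-rolled BER encoder, parses the ExtendedResponse result code, and then upgrades the socket with certificate and host name verification against a CA file, which is exactly what a correctly configured LPK client needs to succeed. The host name, the CA file path and the sample responses embedded for offline checks are assumptions and constructed values, not captured traffic.

```python
"""
Probe an LDAP server for StartTLS on port 389, the upgrade path OpenSSH-LPK uses.
Added example (not OpenSSH-LPK's own code). Host and CA file path are assumed values.
Only the standard library is used so it runs on a bare sshd host.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    if not 0 <= msg_id < 0x80:
        raise ValueError("messageID must fit in one BER octet for this helper")
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))  # [APPLICATION 23] { [0] requestName }
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext_req)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf: bytes) -> int:
    """Return the LDAP resultCode from an ExtendedResponse (0 = success)."""
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)              # messageID, not needed here
    tag, ext, _ = read_tlv(body, pos)
    if tag != 0x78:                         # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = read_tlv(ext)            # resultCode ENUMERATED is the first element
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def probe_starttls(host: str, ca_file: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Plain connect, StartTLS upgrade, then a verified TLS handshake (CA chain + host name)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED and check_hostname are on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        resp = sock.recv(4096)  # the response is a few dozen bytes; one read is enough here
        code = parse_extended_response(resp)
        if code != 0:
            return {"starttls": False, "result_code": code}
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"starttls": True, "result_code": 0,
                    "protocol": tls.version(), "subject": subject}


# Constructed sample responses (not captured from any real server), for offline checks.
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")            # resultCode success (0)
SAMPLE_UNAVAILABLE = bytes.fromhex("300c02010178070a013404000400")   # resultCode unavailable (52)
# Success that also echoes the responseName [10], as OpenLDAP does; exercises a longer body.
SAMPLE_OK_WITH_NAME = bytes.fromhex("3024020101781f0a0100040004008a16") + STARTTLS_OID

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe_starttls.py <ldap-host> <ca-file>")
    print(probe_starttls(sys.argv[1], sys.argv[2]))
```

Run it against the LDAP host named in LpkServers with the CA that signed the server certificate. A non-zero result code means the server refused the upgrade (for example because StartTLS is not enabled on the 389 listener), and an ssl.SSLCertVerificationError after a successful upgrade means the CA or the certificate's host name does not match, which are the two failure modes that produce the "Can't contact LDAP server" line in the first post.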

----------

## weyhan

Ah... Now I know what you mean. The setting I have on my server is just to use PAM for the authentication. However, PAM is configured to use TLS and does certificate checking.

I'm wondering if that is an option to you. If not, why not?

I'm just curious.

----------

## RoundsToZero

I'm using public keys, not passwords.

----------

## weyhan

Oops! My bad. Now I really get what you mean.

I was stuck with the idea that the public key MUST be stored in ~/.ssh/ and did not realize that you are talking about storing the public key in the LDAP directory.

Thanks. Now I know better.

----------

