Login issues with LDAP and yubikey
Article ID: 263943

Products

Security Analytics Security Analytics - VA

Issue/Introduction

Users cannot log in using LDAP. Some sites require additional ciphers to be added to the list of ciphers LDAP is allowed to negotiate.

Environment

Release : 8.2.6-55530

Cause

Some customers using OpenLDAP may have additional cipher requirements for LDAP authentication. These are site specific, but adding them will not affect functionality even if they are not needed.

Resolution

Ciphers may need to be added to /etc/ldap.conf. Comment out the existing tls_ciphers line and add:

tls_ciphers AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256

While you are editing /etc/ldap.conf, be sure the following two lines are included.  Add them if needed.

nss_connect_policy oneshot
idle_timelimit 5

The /usr/sbin/dsldapad script should also be updated.  Comment out the existing tls_ciphers line and add:

'tls_ciphers' : 'AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:@STRENGTH',

Add the following line to /etc/nscd.conf, if it is not there already:

reload-count 0

This should better tune the ldap authentication negotiation process.
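As an added example (not part of this article or the product), the following POSIX shell helper applies the /etc/ldap.conf and /etc/nscd.conf changes listed above to whatever file path you pass it, so the edit can be made on a copy and diffed against the original before rollout. The function names and the check function are my own; the settings and cipher list are the ones given in the Resolution.

```shell
#!/bin/sh
# Added example: apply the KB's ldap.conf / nscd.conf edits idempotently.
# Run against a copy first, e.g. cp /etc/ldap.conf /tmp/ldap.conf && diff afterwards.

LDAP_CIPHERS='AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256'

# Append "key value" to the file unless that exact active line is already present.
ensure_line() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^[[:space:]]*${key}[[:space:]][[:space:]]*${value}[[:space:]]*\$" "$file"; then
        return 0
    fi
    printf '%s %s\n' "$key" "$value" >> "$file"
}

apply_ldap_conf_changes() {
    file="$1"
    # Comment out every active tls_ciphers line except one that already carries
    # our list (keeps the old value visible for rollback, stays idempotent).
    sed "/^tls_ciphers ${LDAP_CIPHERS}\$/!s/^[[:space:]]*tls_ciphers[[:space:]]/#&/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    ensure_line "$file" tls_ciphers "$LDAP_CIPHERS"
    ensure_line "$file" nss_connect_policy oneshot
    ensure_line "$file" idle_timelimit 5
}

apply_nscd_conf_changes() {
    ensure_line "$1" reload-count 0
}

# Return 0 only if the file has exactly one active tls_ciphers line, carrying
# the required list, plus the two connection-policy settings.
check_ldap_conf() {
    file="$1"
    [ "$(grep -c "^tls_ciphers ${LDAP_CIPHERS}\$" "$file")" -eq 1 ] &&
    [ "$(grep -c '^[[:space:]]*tls_ciphers[[:space:]]' "$file")" -eq 1 ] &&
    grep -q '^nss_connect_policy oneshot$' "$file" &&
    grep -q '^idle_timelimit 5$' "$file"
}
```

Running the helper twice leaves the file unchanged, so it is safe to include in a configuration check that runs after each upgrade.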