The point is that the certificate key should *never* be world readable
for security reasons. Otherwise you might as well not use encryption at
all as any user on your system can access it. That's the whole reason
for the nscl/nslcd concept. Better use the solution I posted above.
Some
Sorry for the confusion. We need to distinguish three files:
- the CA certificate (world-readable) is used to verify the identity of the
server to the client
- the client certificate (world-readable) is used to verify the identity of
the client to the server
- the private key
SOLVED in Ubuntu Lucid: use 'libnss-ldapd' and 'libpam-ldapd' (note the
'd' at the end of the packages) together with the 'nslcd' package
(note the 'l' in the middle)
This allows setting the user and group with which the 'nslcd' daemon runs
in '/etc/nslcd.conf'. I set the group from 'nslcd'
The problem with the two password requests can be solved by adding
'use_first_pass' to the line with pam_unix.so, such that it looks like
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
However, this does not solve the problem when the
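The permission split the posts above describe (CA certificate and client certificate world-readable, private key readable only by root and the group nslcd runs as) is easy to get wrong, so here is an added check script. It is not from this thread or from the nslcd project; it assumes GNU stat (Linux), and the file paths, the group name 'nslcd' and the demo files it creates in a temp directory are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: verify the permission split described
# above for an LDAP-over-TLS client. The CA and client certificates may be
# world-readable; the private key must not be, but it must still be readable
# by the account nslcd runs as (set with uid/gid in /etc/nslcd.conf).
# Assumes GNU stat (Linux). Paths and the 'nslcd' group name are assumptions.

# Print the "other" permission digit (0-7) of a file.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    echo $(( mode % 10 ))
}

# 0 if nobody outside owner/group can read the file (what a key needs).
key_is_private() {
    o=$(other_bits "$1") || return 1
    [ $(( o & 4 )) -eq 0 ]
}

# 0 if the file is world-readable (what a certificate should be).
cert_is_public() {
    o=$(other_bits "$1") || return 1
    [ $(( o & 4 )) -ne 0 ]
}

# Check the three files; prints one line per problem and returns the count.
check_ldap_tls_files() {
    ca=$1 cert=$2 key=$3
    problems=0
    cert_is_public "$ca"   || { echo "CA cert $ca is not world-readable"; problems=$((problems + 1)); }
    cert_is_public "$cert" || { echo "client cert $cert is not world-readable"; problems=$((problems + 1)); }
    key_is_private "$key"  || { echo "private key $key is world-readable: chmod 640 it and chgrp it to nslcd's group"; problems=$((problems + 1)); }
    return $problems
}

# Demo on constructed files in a temp dir (real paths would live under /etc/ssl).
demo() {
    d=$(mktemp -d)
    for f in ca.crt client.crt client.key; do : > "$d/$f"; done
    chmod 644 "$d/ca.crt" "$d/client.crt"
    chmod 644 "$d/client.key"   # the broken state: key readable by every user
    check_ldap_tls_files "$d/ca.crt" "$d/client.crt" "$d/client.key"
    echo "problems before fix: $?"
    chmod 640 "$d/client.key"   # the fix; on a real host also: chgrp nslcd "$d/client.key"
    check_ldap_tls_files "$d/ca.crt" "$d/client.crt" "$d/client.key"
    echo "problems after fix: $?"
    rm -rf "$d"
}

demo
```

Mode 640 with group nslcd is the state the SOLVED post aims for: root and the nslcd daemon can read the key, other local users cannot, which is the whole reason for moving LDAP lookups into a separate daemon instead of having every process read the key itself.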
The problem can also be due to encrypted connections to the LDAP server
since the private key must be readable by root only. In older versions
of ubuntu (at least Dapper Drake) the following commands fixed the
problem:
chmod +s /usr/lib/gnome-screensaver/gnome-screensaver-dialog
chmod +s