LDAP/SSL authentication in FC2

Yang Xiao yxiao2004 at gmail.com
Tue Sep 28 23:37:03 UTC 2004


Did you restart sshd after changing the nsswitch settings?

Yang


On Tue, 28 Sep 2004 17:19:37 -0400, Harry Hoffman
<hhoffman at ip-solutions.net> wrote:
> Hi All,
> 
> I've done this before under Red Hat but am having the damnedest time with FC2.
> 
> My LDAP server is a FC1 box with OpenLDAP/TLS (stock standard from the
> distro).
> I believe I have everything set up properly. I can use "getent passwd"
> from the client machine and see all of the passwd entries on the ldap
> server.
> 
> In addition I can properly bind (using ldapsearch) as the user I'm
> attempting to ssh into the client as.
> 
> When I try to ssh in I get the following log errors:
> Sep 26 23:16:17 mason sshd[21438]: Illegal user user from
> ::ffff:192.168.4.65
> Sep 26 23:16:20 mason sshd[21438]: Failed password for illegal user user
> from ::ffff:192.168.4.65 port 33553 ssh2
> 
> Any help would be greatly appreciated
> 
> Thanks,
> Harry
> 
> The typical user entry looks something like this:
> 
> dn: uid=user,ou=People,dc=domain,dc=tld
> uid: user
> cn: User
> sn: User
> mail: user at domain
> mailRoutingAddress: user at domain
> mailHost: smtp.fqdn
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: hostObject
> userPassword:: XXX
> shadowLastChange: 12523
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 500
> gidNumber: 500
> homeDirectory: /home/user
> mailLocalAddress: user at xxx.xxx
> host: ldap.client.fqdn
> 
> The server certificate is from a self-created CA, with the proper certs on
> both server and client.
> 
> The client's ldap.conf looks like:
> uri ldaps://ldap.domain.tld/
> scope sub
> timelimit 30
> bind_timelimit 30
> idle_timelimit 3600
> pam_login_attribute uid
> pam_check_host_attr yes
> nss_base_passwd ou=People,dc=domain,dc=tld?one
> nss_base_shadow ou=People,dc=domain,dc=tld?one
> nss_base_group  ou=Group,dc=domain,dc=tld?one
> ssl on
> tls_checkpeer yes
> tls_cacertfile /usr/share/ssl/certs/ip-solutions.crt
> pam_password md5
> 
> /etc/pam.d/sshd looks like this:
> #%PAM-1.0
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix_auth.so try_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix_acct.so
> password   required     /lib/security/pam_cracklib.so
> password   sufficient   /lib/security/pam_ldap.so
> password   required     /lib/security/pam_pwdb.so use_first_pass
> session    required     /lib/security/pam_unix_session.so
> 
> /etc/nsswitch.conf looks like this:
> passwd:     ldap [NOTFOUND=return] files
> shadow:     ldap [NOTFOUND=return] files
> group:      ldap [NOTFOUND=return] files
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
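Yang's question is the right one to ask first: sshd logs "Illegal user" when its own getpwnam() call returns nothing, before any password is tried, so PAM and the LDAP bind are not yet involved. A shell's getent runs in a fresh process, while glibc (before 2.33) reads /etc/nsswitch.conf once per process, so a long-running sshd keeps the lookup order it was started with. The other thing worth understanding about the posted nsswitch.conf is what `ldap [NOTFOUND=return] files` actually does on each lookup. The simulator below is an added example, not code from this thread; it applies the status/action rules from nsswitch.conf(5) (statuses success, notfound, unavail, tryagain; actions return or continue; default success=return, everything else continue) to constructed sample data, and the `FILES`/`LDAP` contents and the two backend callables are assumptions made for illustration.

```python
"""Simulate how glibc's NSS walks one nsswitch.conf line for a getpwnam() call.

Added example for this thread, not code from the original posts. The
status/action semantics (statuses success, notfound, unavail, tryagain;
actions return, continue; defaults success=return, everything else
continue) follow nsswitch.conf(5). The 'files' and 'ldap' contents below
are constructed sample data, not the poster's directory.
"""
import re

# Actions glibc applies to each status when a source carries no [...] spec.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Either a bracketed action spec or a bare source name.
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_nsswitch_line(line):
    """'passwd: ldap [NOTFOUND=return] files' ->
    ('passwd', [('ldap', {status: action, ...}), ('files', {...})])."""
    db, _, rest = line.partition(":")
    rest = rest.split("#", 1)[0]            # drop trailing comment
    sources = []
    for m in _TOKEN.finditer(rest):
        spec, name = m.group(1), m.group(2)
        if name is not None:
            sources.append((name, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("action spec before any source: " + line)
        actions = sources[-1][1]
        for item in spec.split():
            status, _, action = item.partition("=")
            status, action = status.lower(), action.lower()
            if status.startswith("!"):      # [!STATUS=action]: every other status
                for s in actions:
                    if s != status[1:]:
                        actions[s] = action
            else:
                actions[status] = action
    return db.strip(), sources


def getpwnam(name, sources, backends):
    """Walk the sources the way glibc does for a single getpwnam() call.
    backends maps a source name to callable(name) -> (status, entry).
    Returns (final_status, entry, trace); trace records each backend
    consulted and its status, so you can see where the lookup stopped."""
    trace = []
    status, entry = "notfound", None
    for src, actions in sources:
        status, entry = backends[src](name)
        trace.append((src, status))
        if actions.get(status, "continue") == "return":
            break
    return status, entry, trace


# Constructed sample data (assumption): local accounts in /etc/passwd and one
# LDAP account, uidNumber 500 as in the posted LDIF.
FILES = {"root": "root:x:0:0:root:/root:/bin/bash",
         "admin": "admin:x:501:501::/home/admin:/bin/bash"}
LDAP = {"user": "user:x:500:500:User:/home/user:/bin/bash"}


def files_backend(name):
    return ("success", FILES[name]) if name in FILES else ("notfound", None)


def ldap_up(name):
    return ("success", LDAP[name]) if name in LDAP else ("notfound", None)


def ldap_down(name):
    # Directory unreachable or TLS handshake failed: nss_ldap reports UNAVAIL.
    return ("unavail", None)


def resolve(line, name, ldap_backend):
    """Resolve one user against one nsswitch line with the given ldap state."""
    _, sources = parse_nsswitch_line(line)
    return getpwnam(name, sources, {"files": files_backend, "ldap": ldap_backend})


if __name__ == "__main__":
    posted = "passwd: ldap [NOTFOUND=return] files"   # as in the thread
    stock = "passwd: files ldap"                      # the usual ordering
    for line in (posted, stock):
        for user in ("user", "root"):
            for label, backend in (("ldap up", ldap_up), ("ldap down", ldap_down)):
                status, _, trace = resolve(line, user, backend)
                print(f"{line:40} {user:5} {label:9} -> {status:8} via {trace}")
```

Running it shows the caveat: with `ldap [NOTFOUND=return] files` and the directory reachable, a lookup of `root` stops at ldap with notfound and `files` is never consulted, so accounts that exist only in /etc/passwd are invisible until LDAP goes down (unavail continues to files). With `files ldap` local accounts always resolve and LDAP is only asked for the rest.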