[Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS

Richard Megginson rmeggins at redhat.com
Thu Nov 9 18:02:49 UTC 2006


Dave Della Costa wrote:
> Hi folks,
>
> This isn't strictly a FDS question (I think!) but I'm hoping there are 
> some people on the list who have significant experience and can offer 
> advice.
>
> I've gotten FDS set up, I've generated the cert and imported it into 
> my client machine's /etc/openldap/cacerts directory.  When I run
>
> ldapsearch -ZZ
>
> ...on the client machine it works fine; this wasn't working correctly 
> until I did a few tweaks in my /etc/openldap/ldap.conf directory 
> (specifically, I had an IP address instead of hostname, so I was 
> getting a 'host doesn't match cert' or something like that error).
>
> So, it seems like SSL is set up and working fine, BUT, I cannot do 
> sshd authentication via SSL.  As soon as I uncomment 'ssl on' I start 
> getting this in my /var/log/messages:
>
> Nov  9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server 
> ldap://x.x.com: Can't contact LDAP server
> Nov  9 12:46:47 a last message repeated 3 times
> Nov  9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 
> 4 seconds)...
> Nov  9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server 
> ldap://x.x.com: Can't contact LDAP server
> Nov  9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server 
> ldap://x.x.com: Can't contact LDAP server
> Nov  9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 
> 8 seconds)...
>
> When I turn it back off, it binds to the regular (non-SSL) LDAP port 
> on the FDS server and authentication happens just fine.
>
> Nov  9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server 
> ldap://x.x.com after 1 attempt
> Nov  9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=blap
> Nov  9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for 
> blap from x.x.x.x port 48049 ssh2
> Nov  9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap 
> by (uid=0)
> Nov  9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server 
> ldap://x.x.com after 1 attempt
>
> (if you hadn't noticed, I changed all the IPs and hostnames in the 
> above log examples...).
>
> What the heck could this be?  I'm not sure what the proper options in 
> the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but 
> so far I've tried (in addition to 'ssl on') setting sslpath, "ssl 
> start_tls," tls_cacertfile, and tls_cacertdir.  Or is this something 
> screwed up in my /etc/openldap/ldap.conf?  I'm using the howto here: 
> http://directory.fedora.redhat.com/wiki/Howto:SSL
Did you edit /etc/ssh/sshd_config and set
UsePAM yes
?
>
> Any help would be greatly appreciated.  Thanks!
>
> Dave D.
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
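An added offline checker for the two configuration points this exchange touches, the nss_ldap `ssl`/`uri` pairing in /etc/ldap.conf and `UsePAM` in sshd_config; it is not code from the thread or from FDS, and the sample configs plus the assumption that nss_ldap applies `ssl on` to whatever port the `uri` names are mine.

```shell
#!/bin/sh
# Offline checker for the ldap.conf/sshd_config points raised in this thread (added here, not
# from the thread). Functions read a config on stdin; the sample configs below are constructed.
# Assumption: nss_ldap applies "ssl on" on whatever port the uri names, so "ssl on" plus a
# ldap:// uri attempts TLS on the plain port, hence "Can't contact LDAP server".
set -eu
# Effective "ssl" keyword in ldap.conf: on, start_tls or off (later lines override).
ldap_ssl_mode() {
    sed 's/#.*//' | awk 'tolower($1)=="ssl"{m=tolower($2)} END{if(m=="")m="off"; print m}'
}
# Scheme of the first uri line; "ldap" when the file uses host/port instead.
ldap_uri_scheme() {
    sed 's/#.*//' | awk 'tolower($1)=="uri"{s=$2; sub("://.*","",s); f=1; exit}
                         END{if(f)print tolower(s); else print "ldap"}'
}
# Host named by the first uri (or host) line, stripped of scheme, port and path.
ldap_server_host() {
    sed 's/#.*//' | awk 'tolower($1)=="uri" {h=$2; sub("^[A-Za-z]+://","",h); sub("[:/].*","",h); print h; exit}
                         tolower($1)=="host"{print $2; exit}'
}
# UsePAM in sshd_config: sshd keeps the first occurrence; the built-in default is no.
sshd_usepam() {
    sed 's/#.*//' | awk 'tolower($1)=="usepam" && v==""{v=tolower($2)} END{if(v=="")v="no"; print v}'
}
# Cross-check ssl mode, uri scheme and server spelling of one ldap.conf ($1 = its contents).
check_ldap_conf() {
    mode=$(printf '%s\n' "$1" | ldap_ssl_mode)
    scheme=$(printf '%s\n' "$1" | ldap_uri_scheme)
    host=$(printf '%s\n' "$1" | ldap_server_host)
    if [ -z "$host" ]; then echo "no uri or host line found"; return 1; fi
    if [ "$mode" = on ] && [ "$scheme" = ldap ]; then
        echo "ssl on with a ldap:// uri: LDAPS needs uri ldaps://HOST:636"; return 1
    fi
    if [ "$mode" = start_tls ] && [ "$scheme" = ldaps ]; then
        echo "ssl start_tls with a ldaps:// uri: StartTLS is negotiated on the plain port"; return 1
    fi
    case $host in
        *[!0-9.]*) ;;  # a hostname, which the server certificate's subject can match
        *) echo "server given as IP $host: the TLS hostname check will fail"; return 1 ;;
    esac
    echo "ok: ssl=$mode uri=$scheme host=$host"
}
# Constructed samples: the layout that fails as in the thread, and a corrected one.
BAD_CONF='uri ldap://ldap.example.com
base dc=example,dc=com
ssl on'
GOOD_CONF='uri ldaps://ldap.example.com:636
ssl on
tls_cacertdir /etc/openldap/cacerts'
check_ldap_conf "$BAD_CONF" || true; check_ldap_conf "$GOOD_CONF"
```

Run it against a real file with `check_ldap_conf "$(cat /etc/ldap.conf)"` and `sshd_usepam < /etc/ssh/sshd_config`.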