[Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS
Richard Megginson
rmeggins at redhat.com
Thu Nov 9 18:02:49 UTC 2006
Dave Della Costa wrote:
> Hi folks,
>
> This isn't strictly a FDS question (I think!) but I'm hoping there are
> some people on the list who have significant experience and can offer
> advice.
>
> I've gotten FDS set up, I've generated the cert and imported it into
> my client machine's /etc/openldap/cacerts directory. When I run
>
> ldapsearch -ZZ
>
> ...on the client machine it works fine; this wasn't working correctly
> until I did a few tweaks in my /etc/openldap/ldap.conf directory
> (specifically, I had an IP address instead of hostname, so I was
> getting a 'host doesn't match cert' or something like that error).
>
> So, it seems like SSL is set up and working fine, BUT, I cannot do
> sshd authentication via SSL. As soon as I uncomment 'ssl on' I start
> getting this in my /var/log/messages:
>
> Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server
> ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:47 a last message repeated 3 times
> Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping
> 4 seconds)...
> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
> ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
> ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping
> 8 seconds)...
>
> When I turn it back off, it binds to the regular (non-SSL) LDAP port
> on the FDS server and authentication happens just fine.
>
> Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server
> ldap://x.x.com after 1 attempt
> Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
> Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for
> blap from x.x.x.x port 48049 ssh2
> Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap
> by (uid=0)
> Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server
> ldap://x.x.com after 1 attempt
>
> (if you hadn't noticed, I changed all the IPs and hostnames in the
> above log examples...).
>
> What the heck could this be? I'm not sure what the proper options in
> the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but
> so far I've tried (in addition to 'ssl on') setting sslpath, "ssl
> start_tls," tls_cacertfile, and tls_cacertdir. Or is this something
> screwed up in my /etc/openldap/ldap.conf? I'm using the howto here:
> http://directory.fedora.redhat.com/wiki/Howto:SSL
Did you edit /etc/ssh/sshd_config and set
UsePAM yes
?
>
> Any help would be greatly appreciated. Thanks!
>
> Dave D.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
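As an added example (not code from the thread or from the FDS project), a small Python lint over the two client files the thread turns on: the nss_ldap /etc/ldap.conf settings the poster lists (ssl on, tls_cacertfile/tls_cacertdir, an IP instead of a hostname, which the poster saw break certificate matching) and the sshd_config UsePAM line from the reply. The tls_checkpeer check and both sample files are assumptions constructed here, not the poster's configuration.

```python
import re
import ipaddress

def parse_kv(text):
    """Parse 'key value' lines (nss_ldap ldap.conf, sshd_config); keys lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_ldap_conf(text):
    """Findings for the nss_ldap client settings discussed in the thread."""
    c = parse_kv(text)
    if c.get("ssl", "off").lower() == "off":
        return ["cleartext LDAP: set 'ssl on' (ldaps) or 'ssl start_tls'"]
    findings = []
    if "tls_cacertfile" not in c and "tls_cacertdir" not in c:
        findings.append("no CA configured: set tls_cacertfile or tls_cacertdir")
    if c.get("tls_checkpeer", "yes").lower() == "no":
        findings.append("tls_checkpeer no: server certificate is not validated")
    # Hosts come from 'host name' and/or 'uri ldap://name' lines
    hosts = c.get("host", "").split()
    hosts += [m.group(1) for m in re.finditer(r"ldaps?://([^:/\s]+)", c.get("uri", ""))]
    for h in hosts:
        if is_ip_literal(h):
            findings.append(f"{h}: IP literal will not match the certificate hostname")
    return findings

def lint_sshd_config(text):
    """sshd must hand keyboard-interactive logins to PAM for pam_ldap to run."""
    if parse_kv(text).get("usepam", "no").lower() != "yes":
        return ["sshd_config: set 'UsePAM yes'"]
    return []

# Constructed samples (not the poster's files): an ldap.conf using an IP
# and no CA setting, and an sshd_config that never enables PAM.
SAMPLE_LDAP_CONF = "uri ldap://192.0.2.10\nssl on\nbase dc=example,dc=com\n"
SAMPLE_SSHD_CONF = "Port 22\n#UsePAM yes\n"
```

Run lint_ldap_conf and lint_sshd_config over the real files on the client; an empty list from both means the settings the thread names are at least present and consistent, not that the CA file actually signs the server certificate.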