[Fedora-directory-users] getting sh on RHAS5 to work with FDS.
Steven Jones
Steven.Jones at vuw.ac.nz
Mon Sep 17 23:41:33 UTC 2007
It seems the settings needed to get RHAS5 going differ from RHAS4....
This is how I did RHAS4; any ideas what additions or changes are needed
for RHAS5?
The client connects to the server but fails to get a password...... I
disabled TLS but it still fails, suggesting something a bit more
fundamental....
Red Hat AS4 client ssl setup
First thing, scp the ca cert over, otherwise you may not be able to scp
it over once you have edited some of the files below.
On the server, if you have not already done so, generate the certificate,
cd /opt/fedora-ds/alias ; cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
There will now be two files of interest,
-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
On the server, tar these into a file and move the certificates over to the
client via scp,
Move them to /etc/openldap/cacerts/
And create a symbolic link,
ln -s 5be5959f.0 ca.crt
-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
lrwxrwxrwx 1 root root 10 Sep 17 16:44 ca.crt -> 5be5959f.0
Check dependencies,
rpm -q nss_ldap (it needs to be installed).
Move to the ldap directory and back up the files,
cd /etc/openldap ; cp ldap.conf no-ssl-fully-working-ldap.conf
cd /etc/ ; cp ldap.conf no-ssl-fully-working-ldap.conf
ssh uses /etc/ldap.conf; edit /etc/ldap.conf to this,
===============
# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
host ldap.vuw.ac.nz
ssl start_tls
===============
Set up nsswitch.conf
Change,
=========
#passwd: db files ldap nis
#shadow: db files ldap nis
#group: db files ldap nis
=========
To,
=========
passwd: files ldap
shadow: files ldap
group: files ldap
=========
Set up /etc/pam.d/ssh
=========
auth sufficient /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_ldap.so use_first_pass
password sufficient /lib/security/pam_ldap.so use_first_pass
=========
Check settings for /etc/ssh/sshd_config
=========
#UsePAM no
UsePAM yes
=========
UsePAM has to be set to yes.
Restart ssh and try to connect to the client; the access log on the
server should show "startTLS" and "SSL 256-bit AES".
============
[root at vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:06:15:14 +1200] conn=2370 op=-1 fd=74 closed - B1
[18/Sep/2007:06:15:18 +1200] conn=2376 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:06:15:18 +1200] conn=2376 SSL 256-bit AES
8><-----------
=================
Another test you can do is,
ldapsearch -x -ZZ '(uid=jonesst1)'
Output on the client will typically be,
================
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#
# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
On the server check the access log for "startTLS",
[root at vuwunicvfdsm001 logs]# tail -f access
[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 UNBIND
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 fd=67 closed - U1
NB. If you get (-11) errors, this suggests a ca.crt issue....
regards
Steven
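An added sanity check for the client side of the procedure above (example code, not from the original post or the Fedora DS project): it inspects the nsswitch.conf, sshd_config, ldap.conf and cacerts entries the steps edit, using the same keys and file names as above. The root-relative paths in run_checks and the openssl hash comparison are assumptions.

```shell
# Added example: each function takes a file or directory path, so it can be
# run against /etc on a real client or against constructed copies.

# passwd, shadow and group in nsswitch.conf must each list "ldap", uncommented
check_nsswitch() {
    for db in passwd shadow group; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# sshd_config must contain an uncommented "UsePAM yes"
check_usepam() {
    grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes[[:space:]]*$' "$1"
}

# ldap.conf must request STARTTLS and name a CA file (the nss_ldap keys above)
check_ldapconf() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]*tls_cacertfile[[:space:]]+[^[:space:]]+' "$1" || return 1
    return 0
}

# ca.crt in the cacerts dir must be a symlink to an existing <8 hex>.0 hash
# file; a dangling or mis-named link is one form of the ca.crt issue noted above
check_ca_link() {
    [ -L "$1/ca.crt" ] || return 1
    target=$(readlink "$1/ca.crt")
    echo "$target" | grep -Eq '^[0-9a-f]{8}\.0$' || return 1
    [ -f "$1/$target" ]
}

# Optional (assumed helper): the link target must equal what the client's own
# openssl computes for cacert.asc, i.e. the name the cp command above produces.
# OpenSSL 1.0 changed the -hash algorithm, so run this with the client's binary.
check_ca_hash() {
    h=$(openssl x509 -noout -hash -in "$1/cacert.asc") || return 1
    [ "$(readlink "$1/ca.crt")" = "$h.0" ]
}

# run_checks ROOT: run everything under ROOT (e.g. / on a real client), print
# one line per check and return the number of failures (assumed paths)
run_checks() {
    r=${1%/}; fails=0
    for c in "check_nsswitch $r/etc/nsswitch.conf" \
             "check_usepam $r/etc/ssh/sshd_config" \
             "check_ldapconf $r/etc/ldap.conf" \
             "check_ca_link $r/etc/openldap/cacerts"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fails=$((fails+1)); fi
    done
    return "$fails"
}
```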