[Fedora-directory-users] getting sh on RHAS5 to work with FDS.

Steven Jones Steven.Jones at vuw.ac.nz
Mon Sep 17 23:41:33 UTC 2007


It seems the settings needed to get RHAS5 going differ from RHAS4....

This is how I did RHAS4, any ideas what additions or changes are needed
for RHAS5?

The client connects to the server but fails to get a password... I
disabled TLS but it still fails, suggesting something a bit more
fundamental....

 

Red Hat AS4 client ssl setup

 
First thing, scp the ca cert over, otherwise you may not be able to scp
it over once you have edited some of the files below.
 
On the server, if you have not already done so, generate the certificate,

cd /opt/fedora-ds/alias ; cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
 
There will now be two files of interest,
 
-rw-r--r--  1 root root   619 Sep 17 16:27 5be5959f.0
-rw-r--r--  1 root root   619 Sep 17 16:27 cacert.asc
 
On the server, tar these into a file and move the certificate over to the
client via scp,
 
Move them to /etc/openldap/cacerts/
 
And create a symbolic link,
 
ln -s 5be5959f.0  ca.crt
 
-rw-r--r--  1 root root   619 Sep 17 16:27 5be5959f.0
-rw-r--r--  1 root root   619 Sep 17 16:27 cacert.asc
lrwxrwxrwx  1 root root    10 Sep 17 16:44 ca.crt -> 5be5959f.0
 
 
Check dependencies,

rpm -q nss_ldap (needs to be installed).
 
Move to the ldap directory and backup the files,
 
cd /etc/openldap ; cp ldap.conf no-ssl-fully-working-ldap.conf

cd /etc/ ; cp ldap.conf no-ssl-fully-working-ldap.conf
 
ssh uses the /etc/ldap.conf,
 
edit /etc/ldap.conf to this,
 
===============
# http://www.padl.com
URI     ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
host ldap.vuw.ac.nz
ssl start_tls
===============
 
Set up nsswitch.conf
 
Change,
 
=========
#passwd:    db files ldap nis
#shadow:    db files ldap nis
#group:     db files ldap nis
=========
 
To,
 
=========
passwd:     files ldap
shadow:     files ldap
group:      files ldap
=========
 
Setup /etc/pam.d/ssh
 
=========
auth sufficient /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_ldap.so use_first_pass
password sufficient /lib/security/pam_ldap.so use_first_pass
=========
 
Check settings for /etc/ssh/sshd_config
 
=========
#UsePAM no
UsePAM yes
=========
 
UsePAM has to be set to yes.
 
Restart ssh and try to connect to the client, the access log on the
server should show "start_TLS" and "SSL 256-bit AES".
 
============
[root at vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:06:15:14 +1200] conn=2370 op=-1 fd=74 closed - B1
[18/Sep/2007:06:15:18 +1200] conn=2376 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:06:15:18 +1200] conn=2376 SSL 256-bit AES
8><-----------
=================
 
Another test you can do is,
 
ldapsearch -x -ZZ '(uid=jonesst1)'

 

Output on the client will typically be,

================
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
================

On the server check the access log for "startTLS",

[root at vuwunicvfdsm001 logs]# tail -f access
[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 UNBIND
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 fd=67 closed - U1

 

NB. If you get (-11) errors this suggests a ca.crt issue....

 

regards

 

Steven 
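The post's verification step is to eyeball the server access log for "startTLS" and "SSL 256-bit AES". The script below automates that check over a whole log: it groups lines by conn=, records whether the startTLS request was accepted, whether the TLS handshake actually completed (the "SSL ..." line), and whether any BIND or SRCH went over the wire before TLS was up. That separates three failure patterns that look alike at the client: a client with no TLS configured at all (binds in the clear), a server that refuses startTLS, and a handshake that starts but never completes, which is what a client that rejects the server certificate would leave behind. This is an added example, not code from the post or from Fedora Directory Server; it assumes the line shape quoted in the post. The sample log is constructed: conn=30 is the post's own working session with its wrapped lines rejoined, while conn=31, 32 and 33, their client addresses and the err=1 code are invented.

```python
"""Classify Fedora Directory Server access-log connections by whether startTLS
came up before the client bound or searched.

Added example, not from the original post or from Fedora DS.  It parses the
line shape quoted in the post ("[ts] conn=N op=M <rest>").  SAMPLE_LOG is
constructed: conn=30 is copied from the post with its wrapped lines rejoined;
conn=31, 32 and 33, their addresses and the err=1 code are invented."""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$"
)
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # the startTLS extended operation OID


def analyse(lines):
    """Return conn -> state.  state: 'peer' (client address), 'starttls_err'
    (result code of the startTLS EXT op, None if never requested), 'tls'
    (server logged an 'SSL ...' line, i.e. the handshake completed) and
    'cleartext_ops' (BIND/SRCH operations issued before TLS was up)."""
    conns = OrderedDict()
    pending = {}  # conn -> op number of a startTLS request awaiting its RESULT
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation fragment or unrelated line
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        st = conns.setdefault(
            conn, {"peer": None, "starttls_err": None, "tls": False, "cleartext_ops": []}
        )
        peer = re.search(r"connection from (\S+) to ", rest)
        if peer:
            st["peer"] = peer.group(1)
        elif rest.startswith("EXT ") and f'oid="{STARTTLS_OID}"' in rest:
            pending[conn] = op
        elif rest.startswith("RESULT ") and op is not None and pending.get(conn) == op:
            err = re.search(r"\berr=(\d+)", rest)
            st["starttls_err"] = int(err.group(1)) if err else None
            del pending[conn]
        elif rest.startswith("SSL "):
            st["tls"] = True
        elif rest.startswith(("BIND ", "SRCH ")) and not st["tls"]:
            st["cleartext_ops"].append(f"op={op} {rest.split()[0]}")
    return conns


def cleartext_connections(lines):
    """Clients that bound or searched with no TLS layer, e.g. 'ssl start_tls'
    missing from /etc/ldap.conf."""
    return [c for c, s in analyse(lines).items() if s["cleartext_ops"]]


def failed_starttls(lines):
    """Clients whose startTLS request was refused by the server."""
    return [c for c, s in analyse(lines).items() if s["starttls_err"] not in (None, 0)]


def incomplete_handshakes(lines):
    """startTLS accepted (err=0) but no 'SSL ...' line followed: the handshake
    never completed, which is where a client-side CA/cert problem ends up."""
    return [c for c, s in analyse(lines).items() if s["starttls_err"] == 0 and not s["tls"]]


SAMPLE_LOG = [
    # conn=30: the working RHAS4 client from the post (wrapped lines rejoined)
    '[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249',
    '[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0',
    '[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES',
    '[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3',
    '[14/Sep/2007:12:52:59 +1200] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""',
    '[14/Sep/2007:12:52:59 +1200] conn=30 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL',
    '[14/Sep/2007:12:52:59 +1200] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0',
    '[14/Sep/2007:12:52:59 +1200] conn=30 op=3 UNBIND',
    '[14/Sep/2007:12:52:59 +1200] conn=30 op=3 fd=67 closed - U1',
    # conn=31 (constructed): no startTLS at all, bind and search in the clear
    '[14/Sep/2007:12:53:10 +1200] conn=31 fd=68 slot=68 connection from 192.0.2.10 to 130.195.87.249',
    '[14/Sep/2007:12:53:10 +1200] conn=31 op=0 BIND dn="" method=128 version=3',
    '[14/Sep/2007:12:53:10 +1200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""',
    '[14/Sep/2007:12:53:10 +1200] conn=31 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL',
    '[14/Sep/2007:12:53:10 +1200] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
    '[14/Sep/2007:12:53:10 +1200] conn=31 op=2 UNBIND',
    # conn=32 (constructed): server refuses startTLS (the err code is invented)
    '[14/Sep/2007:12:53:20 +1200] conn=32 fd=69 slot=69 connection from 192.0.2.11 to 130.195.87.249',
    '[14/Sep/2007:12:53:20 +1200] conn=32 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[14/Sep/2007:12:53:20 +1200] conn=32 op=0 RESULT err=1 tag=120 nentries=0 etime=0',
    '[14/Sep/2007:12:53:20 +1200] conn=32 op=-1 fd=69 closed - B1',
    # conn=33 (constructed): startTLS accepted, then the connection drops mid-handshake
    '[14/Sep/2007:12:53:30 +1200] conn=33 fd=70 slot=70 connection from 192.0.2.12 to 130.195.87.249',
    '[14/Sep/2007:12:53:30 +1200] conn=33 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"',
    '[14/Sep/2007:12:53:30 +1200] conn=33 op=0 RESULT err=0 tag=120 nentries=0 etime=0',
    '[14/Sep/2007:12:53:30 +1200] conn=33 op=-1 fd=70 closed - B1',
]
```

Run it against a real log with `analyse(open("/opt/fedora-ds/slapd-.../logs/access").readlines())`; a real file is not wrapped, so no rejoining is needed there. Any conn listed by cleartext_connections is a client sending credentials unprotected and is worth chasing regardless of whether its logins work.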
