Problems with SSL, Pam/SSHD Authentication & FDS

Hi folks,

This isn't strictly a FDS question (I think!) but I'm hoping there are 
some people on the list who have significant experience and can offer 
advice.

I've gotten FDS set up, I've generated the cert and imported it into my 
client machine's /etc/openldap/cacerts directory.  When I run

ldapsearch -ZZ

..on the client machine it works fine; this wasn't working correctly 
until I did a few tweaks in my /etc/openldap/ldap.conf directory 
(specifically, I had an IP address instead of hostname, so I was getting 
a 'host doesn't match cert' or something like that error).

So, it seems like SSL is set up and working fine, BUT, I cannot do sshd 
authentication via SSL.  As soon as I uncomment 'ssl on' I start getting 
this in my /var/log/messages:

Nov  9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server 
ldap://x.x.com: Can't contact LDAP server
Nov  9 12:46:47 a last message repeated 3 times
Nov  9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 4 
seconds)...
Nov  9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server 
ldap://x.x.com: Can't contact LDAP server
Nov  9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server 
ldap://x.x.com: Can't contact LDAP server
Nov  9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 8 
seconds)...

When I turn it back off, it binds to the regular (non-SSL) LDAP port on 
the FDS server and authentication happens just fine.

Nov  9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server 
ldap://x.x.com after 1 attempt
Nov  9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; logname= 
uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=blap
Nov  9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for blap 
from x.x.x.x port 48049 ssh2
Nov  9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap by 
(uid=0)
Nov  9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server 
ldap://x.x.com after 1 attempt

(if you hadn't noticed, I changed all the IPs and hostnames in the above 
log examples...).

What the heck could this be?  I'm not sure what the proper options in 
the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but 
so far I've tried (in addition to 'ssl on') setting sslpath, "ssl 
start_tls," tls_cacertfile, and tls_cacertdir.  Or is this something 
screwed up in my /etc/openldap/ldap.conf?  I'm using the howto here: 
http://directory.fedora.redhat.com/wiki/Howto:SSL

Any help would be greatly appreciated.  Thanks!

Dave D.
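The options the post cycles through (ssl on, ssl start_tls, tls_cacertfile, tls_cacertdir) must agree with the URI scheme nss_ldap is given, and the logs show a plain ldap://x.x.com with 'ssl on'. The following is an added example, not from the post or from nss_ldap itself: it lints a constructed /etc/ldap.conf for such mismatches, and the nss_ldap semantics stated in its docstring are assumptions.

```python
"""Sanity-check an nss_ldap /etc/ldap.conf for TLS mode versus URI mismatches.
Added example, not from the original post. Assumed nss_ldap semantics: 'ssl on'
means LDAPS (TLS from the first byte, conventionally port 636); 'ssl start_tls'
means a StartTLS upgrade on plain port 389, which is what 'ldapsearch -ZZ' uses."""
from urllib.parse import urlsplit

# Constructed sample mirroring the post: 'ssl on' with a plain ldap:// URI and
# the CA directory commented out. Hostname is a placeholder, as in the post.
SAMPLE_CONF = """\
base dc=x,dc=com
uri ldap://x.x.com
ssl on
# tls_cacertdir /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """Return {directive: value} for active lines; directives are lowercased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.replace('\t', ' ').strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition(' ')
        conf[key.lower()] = value.strip()
    return conf


def check_tls_config(conf):
    """Return findings; an empty list means mode, URI and CA settings agree."""
    findings = []
    mode = conf.get('ssl', 'no').lower()
    for uri in conf.get('uri', '').split():
        scheme = urlsplit(uri).scheme.lower()
        if mode == 'on' and scheme == 'ldap':
            findings.append(f"{uri}: 'ssl on' is LDAPS but the URI is plain ldap://; "
                            "use ldaps:// here, or 'ssl start_tls' to match ldapsearch -ZZ")
        if mode == 'start_tls' and scheme == 'ldaps':
            findings.append(f"{uri}: 'ssl start_tls' cannot upgrade an ldaps:// session")
        if mode == 'no' and scheme == 'ldap':
            findings.append(f"{uri}: bind credentials and lookups travel in cleartext")
    has_ca = conf.get('tls_cacertfile') or conf.get('tls_cacertdir')
    if mode in ('on', 'start_tls') and not has_ca:
        findings.append("TLS enabled but no tls_cacertfile/tls_cacertdir set: "
                        "the server certificate cannot be verified")
    return findings
```

Running `check_tls_config(parse_ldap_conf(SAMPLE_CONF))` reports both the scheme/mode disagreement and the missing CA setting; a file with matching scheme and mode plus a CA path returns no findings.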
