Dave Della Costa wrote:
> Hi folks,
>
> This isn't strictly a FDS question (I think!) but I'm hoping there are
> some people on the list who have significant experience and can offer
> advice.
>
> I've gotten FDS set up, I've generated the cert and imported it into
> my client machine's /etc/openldap/cacerts directory. When I run
>
> ldapsearch -ZZ
>
> ...on the client machine it works fine; this wasn't working correctly
> until I did a few tweaks in my /etc/openldap/ldap.conf directory
> (specifically, I had an IP address instead of hostname, so I was
> getting a 'host doesn't match cert' or something like that error).
>
> So, it seems like SSL is set up and working fine, BUT, I cannot do
> sshd authentication via SSL. As soon as I uncomment 'ssl on' I start
> getting this in my /var/log/messages:
>
> Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:47 a last message repeated 3 times
> Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
>
> When I turn it back off, it binds to the regular (non-SSL) LDAP port
> on the FDS server and authentication happens just fine.
>
> Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt
> Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
> Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for blap from x.x.x.x port 48049 ssh2
> Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap by (uid=0)
> Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt
>
> (if you hadn't noticed, I changed all the IPs and hostnames in the
> above log examples...).
>
> What the heck could this be? I'm not sure what the proper options in
> the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but
> so far I've tried (in addition to 'ssl on') setting sslpath, "ssl
> start_tls," tls_cacertfile, and tls_cacertdir. Or is this something
> screwed up in my /etc/openldap/ldap.conf? I'm using the howto here:
> http://directory.fedora.redhat.com/wiki/Howto:SSL

Did you edit /etc/ssh/sshd_config and set UsePAM yes ?

> Any help would be greatly appreciated. Thanks!
>
> Dave D.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
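As an added example, not part of the thread above: a small POSIX sh checker that reads an nss_ldap-style /etc/ldap.conf and reports which transport the `ssl` keyword actually selects (`ssl on` is LDAPS on TCP 636, `ssl start_tls` is StartTLS on the plain port, which is what `ldapsearch -ZZ` exercises), plus the two verification pitfalls the mail mentions (IP literal as host, no CA configured). The config fragments and the hostnames in them are constructed for this example.

```shell
#!/bin/sh
# Constructed sample nss_ldap configs (not from the original mail).
LDAP_CONF_SSL_ON='host x.x.com
base dc=x,dc=com
ssl on
tls_cacertdir /etc/openldap/cacerts'

LDAP_CONF_STARTTLS='uri ldap://x.x.com/
base dc=x,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts'

LDAP_CONF_IP_NO_CA='host 192.0.2.10
ssl on'

# First value of a keyword; nss_ldap keywords are case-insensitive.
conf_get() { printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==k {print $2; exit}'; }

# Print "<mode> <host> <port>", mode being ldaps, starttls or plain.
ldap_effective_transport() {
    conf=$1
    host=$(conf_get "$conf" host); uri=$(conf_get "$conf" uri)
    ssl=$(conf_get "$conf" ssl);   port=$(conf_get "$conf" port)
    scheme=ldap
    if [ -n "$uri" ]; then                      # uri overrides host/port
        scheme=${uri%%://*}; hp=${uri#*://}; hp=${hp%%/*}
        host=${hp%%:*}
        case $hp in *:*) port=${hp##*:} ;; esac
    fi
    if [ "$ssl" = on ] || [ "$scheme" = ldaps ]; then
        mode=ldaps; : "${port:=636}"            # "ssl on" = LDAPS, not StartTLS
    elif [ "$ssl" = start_tls ]; then
        mode=starttls; : "${port:=389}"         # same path as ldapsearch -ZZ
    else
        mode=plain; : "${port:=389}"
    fi
    printf '%s %s %s\n' "$mode" "$host" "$port"
}

# One warning per line for settings that make certificate verification fail.
ldap_tls_warnings() {
    conf=$1
    set -- $(ldap_effective_transport "$conf")
    case $2 in
        *[!0-9.]*) ;;   # contains something other than digits/dots: a hostname
        *) echo "host $2 is an IP literal; it will not match the server cert's CN" ;;
    esac
    [ -n "$(conf_get "$conf" tls_cacertdir)$(conf_get "$conf" tls_cacertfile)" ] ||
        echo "no tls_cacertdir/tls_cacertfile set; the server cert's CA is not configured"
}
```

Running `ldap_effective_transport "$LDAP_CONF_SSL_ON"` prints `ldaps x.x.com 636`, which is a different port from the one a successful `ldapsearch -ZZ` proves reachable.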