> Did you edit /etc/ssh/sshd_config and set
> UsePAM yes
> ?

Yes, perhaps I wasn't clear when I said

>> When I turn it back off, it binds to the regular (non-SSL) LDAP port
>> on the FDS server and authentication happens just fine.

--I meant by this that logging in via SSH authentication by LDAP credentials is fine if I don't have SSL-enabled LDAP on.

Thanks,
Dave

Richard Megginson wrote:
> Dave Della Costa wrote:
>
>> Hi folks,
>>
>> This isn't strictly a FDS question (I think!) but I'm hoping there are
>> some people on the list who have significant experience and can offer
>> advice.
>>
>> I've gotten FDS set up, I've generated the cert and imported it into
>> my client machine's /etc/openldap/cacerts directory. When I run
>>
>> ldapsearch -ZZ
>>
>> ...on the client machine it works fine; this wasn't working correctly
>> until I did a few tweaks in my /etc/openldap/ldap.conf directory
>> (specifically, I had an IP address instead of hostname, so I was
>> getting a 'host doesn't match cert' or something like that error).
>>
>> So, it seems like SSL is set up and working fine, BUT, I cannot do
>> sshd authentication via SSL. As soon as I uncomment 'ssl on' I start
>> getting this in my /var/log/messages:
>>
>> Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:47 a last message repeated 3 times
>> Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping
>> 4 seconds)...
>> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping
>> 8 seconds)...
>>
>> When I turn it back off, it binds to the regular (non-SSL) LDAP port
>> on the FDS server and authentication happens just fine.
>>
>> Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server
>> ldap://x.x.com after 1 attempt
>> Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure;
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
>> Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for
>> blap from x.x.x.x port 48049 ssh2
>> Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap
>> by (uid=0)
>> Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server
>> ldap://x.x.com after 1 attempt
>>
>> (if you hadn't noticed, I changed all the IPs and hostnames in the
>> above log examples...).
>>
>> What the heck could this be? I'm not sure what the proper options in
>> the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but
>> so far I've tried (in addition to 'ssl on') setting sslpath, "ssl
>> start_tls," tls_cacertfile, and tls_cacertdir. Or is this something
>> screwed up in my /etc/openldap/ldap.conf? I'm using the howto here:
>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>
> Did you edit /etc/ssh/sshd_config and set
> UsePAM yes
> ?
>
>> Any help would be greatly appreciated. Thanks!
>>
>> Dave D.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
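The thread above turns on a handful of nss_ldap /etc/ldap.conf TLS directives ('ssl on', 'ssl start_tls', tls_cacertfile, tls_cacertdir) and on the IP-vs-hostname certificate mismatch Dave hit. The script below is an added example, not code from the thread or from nss_ldap: it parses an ldap.conf and flags the combinations that commonly produce the "Can't contact LDAP server" symptom; the rules and the sample configs are assumptions chosen to mirror the thread, not a statement of nss_ldap's exact behaviour.

```python
import re
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_ldap_conf(text):
    """Parse 'directive value' lines into {directive: [values]}; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def lint_tls(conf):
    """Return findings for the TLS-related directives (rules are assumptions, see lead-in)."""
    findings = []
    ssl = conf.get("ssl", ["no"])[-1].lower()  # last 'ssl' directive wins
    uris = [u for line in conf.get("uri", []) for u in line.split()]
    hosts = [h.split(":")[0] for line in conf.get("host", []) for h in line.split()]
    endpoints = [urlsplit(u).hostname or "" for u in uris] + hosts
    if ssl == "on":
        for u in uris:
            if u.lower().startswith("ldap://"):
                findings.append(f"'ssl on' with {u}: expected an ldaps:// URI (or 'ssl start_tls')")
    elif ssl == "start_tls":
        for u in uris:
            if u.lower().startswith("ldaps://"):
                findings.append(f"'ssl start_tls' with {u}: StartTLS runs over ldap://, not ldaps://")
    if ssl in ("on", "start_tls"):
        if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
            findings.append("TLS enabled but no tls_cacertfile/tls_cacertdir: server cert cannot be verified")
        for ep in endpoints:
            if IPV4_RE.match(ep):  # the 'host doesn't match cert' case from the thread
                findings.append(f"endpoint {ep} is an IP literal: use the hostname in the server cert")
    return findings

def lint_text(text):
    return lint_tls(parse_ldap_conf(text))

# Constructed samples: BROKEN_CONF mirrors the thread's symptoms, FIXED_CONF is one corrected form.
BROKEN_CONF = "base dc=example,dc=com\nuri ldap://192.0.2.10\nssl on\n"
FIXED_CONF = ("base dc=example,dc=com\nuri ldaps://ldap.example.com:636\nssl on\n"
              "tls_cacertfile /etc/openldap/cacerts/ca.crt\n")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_text(conf) or ["ok"])
```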