It seems the settings needed to get RHAS5 going differ from RHAS4.... This is how I did RHAS4; any ideas what additions or changes are needed for RHAS5? The client connects to the server but fails to get a password...... I disabled TLS but it still fails, suggesting something a bit more fundamental....

Red Hat AS4 client ssl setup

First thing, scp the CA cert over, otherwise you may not be able to scp it over once you have edited some of the files below.

On the server, if you have not already done so, generate the certificate,

cd /opt/fedora-ds/alias ; cp cacert.asc /etc/openldap/cacerts/`openssl x509 \
-noout -hash -in cacert.asc`.0

There will now be two files of interest,

-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc

On the server, tar these into a file and move the certificate over to the client via scp. Move them to /etc/openldap/cacerts/ and create a symbolic link,

ln -s 5be5959f.0 ca.crt

-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
lrwxrwxrwx 1 root root 10 Sep 17 16:44 ca.crt -> 5be5959f.0

Check dependencies: rpm -q nss_ldap needs to be installed.
Move to the ldap directory and back up the files,

cd /etc/openldap ; cp ldap.conf no-ssl-fully-working-ldap.conf
cd /etc/ ; cp ldap.conf no-ssl-fully-working-ldap.conf

ssh uses /etc/ldap.conf; edit /etc/ldap.conf to this,

===============
# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
host ldap.vuw.ac.nz
ssl start_tls
===============

Set up nsswitch.conf. Change,

=========
#passwd: db files ldap nis
#shadow: db files ldap nis
#group: db files ldap nis
=========

To,

=========
passwd: files ldap
shadow: files ldap
group: files ldap
=========

Set up /etc/pam.d/ssh

=========
auth sufficient /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_ldap.so use_first_pass
password sufficient /lib/security/pam_ldap.so use_first_pass
=========

Check settings for /etc/ssh/sshd_config

=========
#UsePAM no
UsePAM yes
=========

UsePAM has to be set to yes. Restart ssh and try to connect to the client; the access log on the server should show "start_TLS" and "SSL 256-bit AES".
============
[root@vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:06:15:14 +1200] conn=2370 op=-1 fd=74 closed - B1
[18/Sep/2007:06:15:18 +1200] conn=2376 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:06:15:18 +1200] conn=2376 SSL 256-bit AES
8><-----------
=================

Another test you can do is,

ldapsearch -x -ZZ '(uid=jonesst1)'

Output on the client will typically be,

================
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

On the server check the access log for "startTLS",

[root@vuwunicvfdsm001 logs]# tail -f access
[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 UNBIND
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 fd=67 closed - U1

NB. If you get (-11) errors this suggests a ca.crt issue....

regards

Steven
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20070918/535a3381/attachment.html
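Added example, not part of Steven's post or of the 389-DS project: a small Python checker that automates the server-side access-log check described above, walking the log per connection and reporting any BIND that was logged before the server recorded an "SSL <cipher>" line for that connection, which is exactly the sign that a client's bind (and password) went over the wire without startTLS. The sample log is constructed: conn=30 repeats the working session from the post, while conn=31 from client 192.0.2.10 is invented to show a misconfigured client.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-DS access log format shown in the post: conn=30
# mirrors the startTLS session above; conn=31 (client 192.0.2.10) is made up to
# show a client that bound without ever negotiating TLS.
SAMPLE_LOG = """\
[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 UNBIND
[14/Sep/2007:12:53:10 +1200] conn=31 fd=68 slot=68 connection from 192.0.2.10 to 130.195.87.249
[14/Sep/2007:12:53:10 +1200] conn=31 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:12:53:10 +1200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz"
[14/Sep/2007:12:53:10 +1200] conn=31 op=1 UNBIND
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'connection from (\S+) to')
BIND_RE = re.compile(r'\bBIND dn="([^"]*)"')


def find_cleartext_binds(log_text):
    """Return [(conn, client_ip, bind_dn)] for every BIND logged on a connection
    that had not yet logged an 'SSL <cipher>' line. That line follows a successful
    startTLS and also appears for plain ldaps://, so both transports count."""
    client = {}                  # conn id -> peer address
    tls_up = defaultdict(bool)   # conn id -> cipher negotiated?
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group('conn'), m.group('rest')
        peer = CONN_RE.search(rest)
        if peer:
            client[conn] = peer.group(1)
        elif rest.startswith('SSL '):
            tls_up[conn] = True       # e.g. "SSL 256-bit AES"
        else:
            bind = BIND_RE.search(rest)
            if bind and not tls_up[conn]:
                findings.append((conn, client.get(conn, '?'), bind.group(1)))
    return findings
```

Run it over a real access log with `find_cleartext_binds(open('/opt/fedora-ds/slapd-<instance>/logs/access').read())`; an empty list means every bind on that log came in after TLS was negotiated.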