TLS Issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jul 25, 2008 at 1:32 PM, Dharmin Mandalia <dharmin98 at hotmail.com>wrote:

>
> Hello
>
> commented out "ssl start_tls" and added "ssl on" , in ldap.conf file  get
> below errors in /var/log/secure file :-
>
>
> Jul 24 15:55:40 matrix sshd[2480]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=matrix.trues.co.uk user=test1
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact
> LDAP server
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: reconnecting to LDAP server...
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact
> LDAP server
> Jul 24 15:55:42 matrix sshd[2480]: Failed password for test1 from
> 192.168.1.129 port 59436 ssh2
>

What do you see in the FDS logs  (tail
/var/log/dirsrv/slapd-<instance-name>/access
Can you check the basic things

1. Is the DIrectory server running on port 636 (netstat -tlnp | grep 636)

2. If you do ldapsearch -x -ZZ -b "your basedn" are you able to search

3. Does getent passwd and getent group enumerate users on the client ?

Regards
Niranjan

>
>
> where the server matrix is FDS  what I did was from FDS  "ssh
> matrix.trues.co.uk -l test1"  where test1 users exists in ldap dir
>
> Regards
> Dharmin
>
>
>
> Hi,
>
> Can you check What happens if you specify
>
> ssl start_tls
>
> instead of "ssl on"
>
> Regards
> Niranjan
>
>
> On Thu, Jul 24, 2008 at 9:29 PM, Dharmin Mandalia
> wrote:
>
> >
> > Hello  Nalin and all
> >
> > I just added "ssl  on"  to below /etc/ldap.conf file and get below error
> > msg in var/log/secure file :-
> >
> >
> > sshd[6212]: pam_unix(sshd:session): session closed for user test1
> > sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> > euid=0 tty=ssh ruser= rhost=192.168.1.1  user=test1
> > sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
> > sshd[6248]: pam_unix(sshd:session): session opened for user test1 by
> > (uid=0)
> > sshd[6248]: pam_unix(sshd:session): session closed for user test1
> > sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> > euid=0 tty=ssh ruser= rhost=192.168.1.1  user=test1
> > sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> > shd[6284]: pam_ldap: reconnecting to LDAP server...
> > sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> > sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
> >
> > With "ssl on" in ldap.conf, am unable to login via ssh
> >
> > any helpers please...
> >
> > regards
> > Dharmin
> >
> >
> >
> > ----------------------------------------
> >> Date: Thu, 24 Jul 2008 11:26:46 -0400
> >> From: [EMAIL PROTECTED]
> >> To: [EMAIL PROTECTED]
> >> CC: fedora-directory-users at redhat.com
> >> Subject: Re: TLS Issue
> >>
> >> On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> >>> I've enabled TLS and am getting below error msg's in /var/log/secure
> > file on Fedora 9, which is my newly configured FDS , if disable TLS , am
> > able to ssh onto the FDS server and with TLS enabled unable to login via
> > ssh.
> >> [snip]
> >>> sshd[5487]: nss_ldap: could not search LDAP server - Server is
> > unavailable
> >> [snip]
> >>> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> >> [snip]
> >>> ssl start_tls
> >>> tls_checkpeer yes
> >>> tls_cacertfile  /etc/openldap/cacerts/cacert.asc
> >>> pam_password md5
> >>> uri ldap://127.0.0.1/
> >>> tls_cacertdir /etc/openldap/cacerts
> >>
> >> If you're using SSL or TLS, the LDAP client library is going to compare
> >> the names in the certificate that the server uses against the value that
> >> was given in the client's configuration (in this case "127.0.0.1"), and
> >> it looks like they're not matching up here.
> >>
> >> Typically the certificate uses an actual hostname as a "CN" value in its
> >> subject, so you'd need to specify the server URI using a hostname rather
> >> than an IP address to make sure that they match.
> >>
> >> If that's not what's going on here, please post a copy of the
> >> certificate that the server's using so that we can have a look.
> >>
> >> HTH,
> >>
> >> Nalin
> >
>
> _________________________________________________________________
> Use video conversation to talk face-to-face with Windows Live Messenger.
>
> http://www.windowslive.com/messenger/connect_your_way.html?ocid=TXT_TAGLM_WL_Refresh_messenger_video_072008
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20080726/47019c7d/attachment.html 


[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux