Hi folks,
This isn't strictly an FDS question (I think!) but I'm hoping there are
some people on the list who have significant experience and can offer
advice.
I've gotten FDS set up, I've generated the cert and imported it into my
client machine's /etc/openldap/cacerts directory. When I run
ldapsearch -ZZ
...on the client machine it works fine; this wasn't working correctly
until I did a few tweaks in my /etc/openldap/ldap.conf directory
(specifically, I had an IP address instead of hostname, so I was getting
a 'host doesn't match cert' or something like that error).
So, it seems like SSL is set up and working fine, BUT, I cannot do sshd
authentication via SSL. As soon as I uncomment 'ssl on' I start getting
this in my /var/log/messages:
Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server
ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:47 a last message repeated 3 times
Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 4
seconds)...
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 8
seconds)...
When I turn it back off, it binds to the regular (non-SSL) LDAP port on
the FDS server and authentication happens just fine.
Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server
ldap://x.x.com after 1 attempt
Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for blap
from x.x.x.x port 48049 ssh2
Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap by
(uid=0)
Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server
ldap://x.x.com after 1 attempt
(if you hadn't noticed, I changed all the IPs and hostnames in the above
log examples...).
What the heck could this be? I'm not sure what the proper options in
the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but
so far I've tried (in addition to 'ssl on') setting sslpath, 'ssl
start_tls', tls_cacertfile, and tls_cacertdir. Or is this something
screwed up in my /etc/openldap/ldap.conf? I'm using the howto here:
http://directory.fedora.redhat.com/wiki/Howto:SSL
Any help would be greatly appreciated. Thanks!
Dave D.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
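The post names two client configs, /etc/openldap/ldap.conf (read by ldapsearch) and /etc/ldap.conf (read by nss_ldap), and lists the `ssl` options it tried. The following is an added example, not code from the post or from the nss_ldap project: it parses an nss_ldap-style config (SAMPLE_CONF is a constructed stand-in for the poster's file, with a placeholder hostname) and reports which TLS endpoint `ssl on` versus `ssl start_tls` implies, and why a passing `ldapsearch -ZZ` does not demonstrate that the LDAPS listener nss_ldap wants is reachable.

```python
"""Lint an nss_ldap /etc/ldap.conf for TLS endpoint mismatches. Added example,
not from the original post: `ssl on` selects LDAPS and `ssl start_tls` selects
STARTTLS, so a passing `ldapsearch -ZZ` (STARTTLS on 389) proves nothing about
the LDAPS listener that nss_ldap will try to reach when `ssl on` is set."""
from urllib.parse import urlsplit
# Constructed sample resembling the post's setup; hostname is a placeholder.
SAMPLE_CONF = """\
uri ldap://ldap.example.com:389
base dc=example,dc=com
ssl on
tls_cacertdir /etc/openldap/cacerts
"""

def parse_conf(text):
    """Parse nss_ldap 'key value' lines; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def tls_mode(conf):
    """'ldaps' for ssl on or ldaps://, 'starttls' for ssl start_tls, else 'plain'."""
    uri = conf.get("uri", "").split()
    scheme = urlsplit(uri[0]).scheme if uri else "ldap"
    ssl = conf.get("ssl", "off").lower()
    if ssl == "on" or scheme == "ldaps":
        return "ldaps"
    return "starttls" if ssl == "start_tls" else "plain"

def check(conf):
    """Return findings explaining why nss_ldap may fail to connect or to verify."""
    findings, mode = [], tls_mode(conf)
    uri = conf.get("uri", "").split()
    host = urlsplit(uri[0]).hostname if uri else conf.get("host")
    port = urlsplit(uri[0]).port if uri else None
    if mode == "ldaps" and port == 389:
        findings.append("ssl on selects LDAPS but the URI names the plain port 389")
    if mode == "ldaps":
        findings.append("ssl on needs an LDAPS listener (636 by default); ldapsearch -ZZ only tests STARTTLS on 389")
    if mode != "plain" and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("no tls_cacertfile/tls_cacertdir: peer certificate cannot be verified")
    if host and host.replace(".", "").isdigit():
        findings.append("host is an IP address; the certificate name check will fail")
    return findings

if __name__ == "__main__":
    for finding in check(parse_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```

Point it at a real /etc/ldap.conf by passing the file's contents to parse_conf; the findings are hints to compare against what the server actually listens on, not a substitute for checking the server side.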