Did you edit /etc/ssh/sshd_config and set
UsePAM yes
?
Yes, perhaps I wasn't clear when I said
When I turn it back off, it binds to the regular (non-SSL) LDAP port
on the FDS server and authentication happens just fine.
--I meant by this that logging in via SSH Authentication by LDAP
credentials is fine if I don't have SSL-enabled LDAP on.
Thanks,
Dave
Richard Megginson wrote:
Dave Della Costa wrote:
Hi folks,
This isn't strictly a FDS question (I think!) but I'm hoping there are
some people on the list who have significant experience and can offer
advice.
I've gotten FDS set up, I've generated the cert and imported it into
my client machine's /etc/openldap/cacerts directory. When I run
ldapsearch -ZZ
..on the client machine it works fine; this wasn't working correctly
until I did a few tweaks in my /etc/openldap/ldap.conf directory
(specifically, I had an IP address instead of hostname, so I was
getting a 'host doesn't match cert' or something like that error).
So, it seems like SSL is set up and working fine, BUT, I cannot do
sshd authentication via SSL. As soon as I uncomment 'ssl on' I start
getting this in my /var/log/messages:
Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:47 a last message repeated 3 times
Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
When I turn it back off, it binds to the regular (non-SSL) LDAP port
on the FDS server and authentication happens just fine.
Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt
Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for blap from x.x.x.x port 48049 ssh2
Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap by (uid=0)
Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt
(if you hadn't noticed, I changed all the IPs and hostnames in the
above log examples...).
What the heck could this be? I'm not sure what the proper options in
the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but
so far I've tried (in addition to 'ssl on') setting sslpath, "ssl
start_tls," tls_cacertfile, and tls_cacertdir. Or is this something
screwed up in my /etc/openldap/ldap.conf? I'm using the howto here:
http://directory.fedora.redhat.com/wiki/Howto:SSL
Did you edit /etc/ssh/sshd_config and set
UsePAM yes
?
Any help would be greatly appreciated. Thanks!
Dave D.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
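As an added example (not from the thread, FDS or nss_ldap itself), a small checker for the /etc/ldap.conf options Dave lists: it works out whether `ssl on`, `ssl start_tls` or the URI scheme selects LDAPS (port 636), STARTTLS on the plain port (389, which is what `ldapsearch -ZZ` exercises) or plaintext, and flags the two failure modes visible in the thread, a host given as an IP literal where the certificate carries a hostname, and no CA configured. The sample config is constructed; `x.x.com` is the masked hostname from the logs.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed config in the shape the thread describes (not the poster's file):
# ldapsearch -ZZ (STARTTLS on 389) works, yet nss_ldap is told 'ssl on'.
SAMPLE_LDAP_CONF = """\
uri ldap://x.x.com
base dc=example,dc=com
ssl on
"""

def parse_ldap_conf(text):
    """Parse 'key value' lines of an nss_ldap/pam_ldap ldap.conf; last key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def effective_transport(conf):
    """Report what nss_ldap will try and flag the mismatches seen in the thread."""
    ssl = conf.get("ssl", "no").lower()
    uri = urlsplit(conf["uri"].split()[0]) if "uri" in conf else None
    host = uri.hostname if uri else conf.get("host", "").split(" ")[0]
    port = (uri.port if uri else None) or (int(conf["port"]) if "port" in conf else None)
    findings = []
    if ssl == "on" or (uri and uri.scheme == "ldaps"):
        transport, port = "ldaps", port or 636      # implicit TLS on its own port
        if uri and uri.scheme == "ldap":
            findings.append("'ssl on' means LDAPS, but the uri is ldap://; "
                            "ldapsearch -ZZ tests STARTTLS on 389, not LDAPS on 636")
    elif ssl == "start_tls":
        transport, port = "starttls", port or 389   # TLS upgrade on the plain port
    else:
        transport, port = "plaintext", port or 389
    try:
        ipaddress.ip_address(host)                  # raises ValueError for a hostname
        findings.append(f"host {host} is an IP literal; the server cert is issued "
                        "to a hostname, so TLS name checking will fail")
    except ValueError:
        pass
    if transport != "plaintext" and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("no tls_cacertfile/tls_cacertdir: the CA that signed the "
                        "server cert cannot be verified")
    return {"transport": transport, "host": host, "port": port, "findings": findings}

if __name__ == "__main__":
    for finding in effective_transport(parse_ldap_conf(SAMPLE_LDAP_CONF))["findings"]:
        print("WARN:", finding)
```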