I am also getting this error,

[root@vuwunicoadmin01 etc]# service sshd restart
Stopping sshd:                                             [ OK ]
Starting sshd:                                             [ OK ]
[root@vuwunicoadmin01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root@vuwunicoadmin01 etc]#

Yet ldapsearch works ok,

[root@vuwunicoadmin01 etc]# ldapsearch -x -b "ou=People,dc=vuw,dc=ac,dc=nz"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vuw,dc=ac,dc=nz> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# People, vuw.ac.nz
dn: ou=People,dc=vuw,dc=ac,dc=nz
ou: People
objectClass: top
objectClass: organizationalunit

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

regards

Steven Jones

From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Steven Jones

It seems the settings needed to get RHAS5 going differ from RHAS4... This is how I did RHAS4; any ideas what additions or changes are needed for RHAS5? The client connects to the server but fails to get a password... I disabled TLS but it still fails, suggesting something a bit more fundamental...

Red Hat AS4 client ssl setup
First thing, scp the ca cert over, otherwise you may not be able to scp it over once you have edited some of the files below.
On the server if you have not already done so generate the certificate,
cd /opt/fedora-ds/alias ; cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0
There will now be two files of interest,
-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
On the server, tar these into a file and move the certificate over to the client via scp,
Move them to /etc/openldap/cacerts/
And create a symbolic link,
ln -s 5be5959f.0 ca.crt

-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
lrwxrwxrwx 1 root root  10 Sep 17 16:44 ca.crt -> 5be5959f.0
Check dependencies,

rpm -q nss_ldap

nss_ldap needs to be installed.
Move to the ldap directory and backup the files,
cd /etc/openldap ; cp ldap.conf no-ssl-fully-working-ldap.conf
cd /etc/ ; cp ldap.conf no-ssl-fully-working-ldap.conf
ssh uses the /etc/ldap.conf,
edit /etc/ldap.conf to this,
===============
# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
host ldap.vuw.ac.nz
ssl start_tls
===============
Set up nsswitch.conf
Change,
=========
#passwd: db files ldap
#shadow: db files ldap
#group:  db files ldap
=========
To,
=========
passwd: files ldap
shadow: files ldap
group:  files ldap
=========
Setup /etc/pam.d/ssh
=========
auth     sufficient /lib/security/pam_ldap.so use_first_pass
account  sufficient /lib/security/pam_ldap.so use_first_pass
password sufficient /lib/security/pam_ldap.so use_first_pass
=========
Check settings for /etc/ssh/sshd_config
=========
#UsePAM no
UsePAM yes
=========
UsePAM has to be set to yes.
Restart ssh and try to connect to the client, the access log on the server should show “start_TLS” and “SSL 256-bit AES”.
============
[root@vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:06:15:14 +1200] conn=2370 op=-1 fd=74 closed - B1
[18/Sep/2007:06:15:18 +1200] conn=2376 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:06:15:18 +1200] conn=2376 SSL 256-bit AES
8><-----------
=================
Another test you can do is,
ldapsearch -x -ZZ '(uid=jonesst1)'
Output on the client will typically be,

================
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
================

On the server check the access log for “startTLS”,

[root@vuwunicvfdsm001 logs]# tail -f access
[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:12:52:59 +1200] conn=30 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 UNBIND
[14/Sep/2007:12:52:59 +1200] conn=30 op=3 fd=67 closed - U1

NB. If you get (-11) errors this suggests a ca.crt issue...

regards

Steven
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
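As an added example (mine, not code from the thread or from Fedora Directory Server), a small Python audit over the access-log format quoted above: it flags connections that BIND before the server logged an "SSL ..." line, meaning the credentials went over in the clear, and startTLS requests that were accepted (RESULT err=0) but never followed by an SSL line, the server-side shape you would expect when the client aborts the handshake as in the (-11) error above. The log lines are constructed in that format, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample in the access-log format quoted in the thread (not a real
# capture): conn=30 negotiates startTLS then binds, conn=31 binds with a real DN
# in cleartext, conn=32 requests startTLS but no handshake completes (no SSL line).
SAMPLE_LOG = """\
[14/Sep/2007:12:52:59 +1200] conn=30 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:52:59 +1200] conn=30 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:12:52:59 +1200] conn=30 SSL 256-bit AES
[14/Sep/2007:12:52:59 +1200] conn=30 op=1 BIND dn="" method=128 version=3
[14/Sep/2007:12:53:10 +1200] conn=31 fd=68 slot=68 connection from 130.195.87.251 to 130.195.87.249
[14/Sep/2007:12:53:10 +1200] conn=31 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:12:53:20 +1200] conn=32 fd=69 slot=69 connection from 130.195.87.252 to 130.195.87.249
[14/Sep/2007:12:53:20 +1200] conn=32 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:12:53:20 +1200] conn=32 op=0 RESULT err=0 tag=120 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'\bBIND dn="(?P<dn>[^"]*)"')

def audit_access_log(lines):
    """Return findings (dicts sorted by conn): cleartext BINDs and startTLS requests with no SSL line."""
    conns = defaultdict(lambda: {"client": None, "starttls": False,
                                 "ssl": None, "cleartext": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                          # not an access-log line we understand
        st, rest = conns[m.group("conn")], m.group("rest")
        if " connection from " in rest:
            st["client"] = rest.split(" connection from ")[1].split(" to ")[0]
        elif 'name="startTLS"' in rest:
            st["starttls"] = True             # extended op 1.3.6.1.4.1.1466.20037 requested
        elif rest.startswith("SSL "):
            st["ssl"] = rest[4:]              # handshake completed, e.g. "256-bit AES"
        else:
            b = BIND_RE.search(rest)
            if b and st["ssl"] is None:       # BIND logged before any SSL line: credentials in the clear
                st["cleartext"].append(b.group("dn") or "<anonymous>")
    findings = []
    for conn in sorted(conns, key=int):
        st = conns[conn]
        for dn in st["cleartext"]:
            findings.append({"conn": conn, "client": st["client"], "issue": "cleartext-bind", "dn": dn})
        if st["starttls"] and st["ssl"] is None:
            findings.append({"conn": conn, "client": st["client"], "issue": "starttls-incomplete", "dn": None})
    return findings
```

Note that TLS_REQCERT allow in the ldap.conf above tells the client to carry on even when the server certificate cannot be verified, so a server-side check like this is worth running alongside it.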