My logs seem to indicate that the connection is being encrypted; I can ssh
to a client server and get the password prompt, but when I enter the
password it just returns me to the password prompt again:
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
If I disable TLS everything works fine: the client server can query the FDS
and authenticate the client properly.
I am not sure if the problem has to do with the pam_ldap config not being
properly formatted or the cert file not being in the proper format.
Does anyone have an example of what the pam_ldap config should look like, or
suggestions on checking whether the cert file is in the proper format?
Also, what's the UNBIND shown in the logs?
Thanks
>From: fedora-directory-users-request(a)redhat.com
>Reply-To: fedora-directory-users(a)redhat.com
>To: fedora-directory-users(a)redhat.com
>Subject: Fedora-directory-users Digest, Vol 19, Issue 1
>Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
>
>Today's Topics:
>
> 1. pam_ldap with SSL/TLS (t b)
> 2. RE: pam_ldap with SSL/TLS (Morris, Patrick)
> 3. Re: pam_ldap with SSL/TLS (Richard Megginson)
> 4. Problem with SSL console in X in specific circumstances
> (Philip Kime)
> 5. FW: [Fedora-directory-users] Extracting details from
> ActiveDirectoryto FDS (Paxton, Darren)
> 6. alias in fedora directory server (patrick ndjientcheu ngandjui)
> 7. Re: FW: [Fedora-directory-users] Extracting details from
> ActiveDirectoryto FDS (Nicholas Byrne)
> 8. Re: Memory usage (koniczynek)
> 9. Re: Memory usage (David Boreham)
> 10. Re: Memory usage (koniczynek)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 30 Nov 2006 12:31:50 -0500
>From: "t b" <mxheadroom(a)hotmail.com>
>Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
>To: fedora-directory-users(a)redhat.com
>Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0(a)phx.gbl>
>Content-Type: text/plain; format=flowed
>
>I am trying to set up pam_ldap to use TLS to communicate with the FDS, but
>I am having lots of problems doing so; it works if I use the unencrypted way, but
>not if I use ldaps (port 636).
>
>I used the instructions at,
>http://directory.fedora.redhat.com/wiki/Howto:PAM
>
>Has anyone gotten PAM to work with TLS?
>
>
>Thanks
>
>
>------------------------------
>
>Message: 2
>Date: Thu, 30 Nov 2006 13:00:56 -0500
>From: "Morris, Patrick" <patrick.morris(a)hp.com>
>Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
>To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
>Message-ID:
> <CD18C81835E18A40A64C4A0D16A237BE05FE850D(a)ATAEXC01.americas.cpqcorp.net>
>
>Content-Type: text/plain; charset="US-ASCII"
>
> > I am trying to set up pam_ldap to use TLS to communicate with
> > the FDS, but I am having lots of problems doing so; it works if I
> > use the unencrypted way, but not if I use ldaps (port 636).
>
>Someone should jump in here and correct me if I'm wrong, but I believe
>it's normal for TLS connections to happen on the standard LDAP port.
>You should be able to tell from your logs whether the connection is
>encrypted or not.
>
>
>
>------------------------------
>
>Message: 3
>Date: Thu, 30 Nov 2006 11:08:08 -0700
>From: Richard Megginson <rmeggins(a)redhat.com>
>Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
>To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
>Message-ID: <456F1E08.40601(a)redhat.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Morris, Patrick wrote:
> >> I am trying to set up pam_ldap to use TLS to communicate with
> >> the FDS, but I am having lots of problems doing so; it works if I
> >> use the unencrypted way, but not if I use ldaps (port 636).
> >>
> >
> > Someone should jump in here and correct me if I'm wrong, but I believe
> > it's normal for TLS connections to happen on the standard LDAP port.
> > You should be able to tell from your logs whether the connection is
> > encrypted or not.
> >
>Yes. The LDAP "preferred" way is to use the startTLS extended operation
>which starts a TLS session on the non-secure port. This will be logged
>in the access log.
>
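The access-log excerpt at the top of this thread, and Richard's point that a startTLS session shows up in the access log, are easier to read per connection than line by line. What follows is an added example, not code from the poster, from Fedora Directory Server or from pam_ldap: it parses access-log lines in the format shown above, groups them by conn=, and reports for each connection whether startTLS succeeded, which cipher was negotiated, whether a BIND was ever sent, and whether a simple BIND went over the wire before TLS was up. The embedded sample log is constructed: conn=650 is the poster's own lines (addresses anonymised as in the post); conn=651 and conn=652, their 10.0.0.x addresses and the alice/bob DNs are made up for contrast.

```python
import re
from collections import OrderedDict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # startTLS extended operation (RFC 4511)
SIMPLE_BIND = 128                        # method=128 in the access log is a simple bind

# Constructed sample. conn=650 is the excerpt from the post (addresses anonymised
# as in the post); conn=651 and conn=652, their addresses and DNs are made up.
SAMPLE_LOG = """\
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
[01/Dec/2006:19:48:10 -0500] conn=651 fd=70 slot=70 connection from 10.0.0.5 to 10.0.0.1
[01/Dec/2006:19:48:10 -0500] conn=651 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:48:10 -0500] conn=651 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:48:10 -0500] conn=651 SSL 256-bit AES
[01/Dec/2006:19:48:10 -0500] conn=651 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:48:10 -0500] conn=651 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[01/Dec/2006:19:48:11 -0500] conn=651 op=2 UNBIND
[01/Dec/2006:19:48:11 -0500] conn=651 op=2 fd=70 closed - U1
[01/Dec/2006:19:49:00 -0500] conn=652 fd=71 slot=71 connection from 10.0.0.6 to 10.0.0.1
[01/Dec/2006:19:49:00 -0500] conn=652 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:49:00 -0500] conn=652 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[01/Dec/2006:19:49:00 -0500] conn=652 op=1 UNBIND
[01/Dec/2006:19:49:00 -0500] conn=652 op=1 fd=71 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<verb>\w+)(?P<args>.*)$")


def parse_access_log(text):
    """Group access-log lines by conn= and record what each connection did."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(int(m["conn"]), {
            "starttls_err": None, "cipher": None, "binds": [],
            "unbind": False, "closed": None, "pending": {}})
        rest = m["rest"]
        if rest.startswith("SSL "):        # written once the TLS handshake completes
            c["cipher"] = rest[4:]
            continue
        om = OP_RE.match(rest)
        if not om:
            continue                       # "connection from ..." and similar
        op, verb, args = int(om["op"]), om["verb"], om["args"]
        if verb == "EXT" and 'oid="%s"' % STARTTLS_OID in args:
            c["pending"][op] = ("starttls", None)
        elif verb == "BIND":
            dn = re.search(r'dn="([^"]*)"', args)
            method = re.search(r"method=(\d+)", args)
            bind = {"dn": dn.group(1) if dn else "",
                    "method": int(method.group(1)) if method else None,
                    "err": None,
                    "encrypted": c["cipher"] is not None}   # was TLS up before the BIND?
            c["binds"].append(bind)
            c["pending"][op] = ("bind", bind)
        elif verb == "RESULT":
            err = int(re.search(r"err=(\d+)", args).group(1))
            kind, bind = c["pending"].pop(op, (None, None))
            if kind == "starttls":
                c["starttls_err"] = err
            elif kind == "bind":
                bind["err"] = err
        elif verb == "UNBIND":
            c["unbind"] = True
        elif verb == "fd" and "closed" in args:
            c["closed"] = args.rsplit("-", 1)[-1].strip()   # disconnect code, e.g. U1
    return conns


def diagnose(c):
    """Findings for one parsed connection, as plain strings."""
    out = []
    if c["starttls_err"] not in (None, 0):
        out.append("startTLS failed with err=%d" % c["starttls_err"])
    if c["starttls_err"] == 0 and c["cipher"] and not c["binds"]:
        out.append("TLS came up (%s) but the client sent %s without ever binding; "
                   "authentication was not attempted on this connection"
                   % (c["cipher"], "UNBIND" if c["unbind"] else "nothing"))
    for b in c["binds"]:
        if b["method"] == SIMPLE_BIND and b["dn"] and not b["encrypted"]:
            out.append("simple BIND for %s sent in the clear (no startTLS first)" % b["dn"])
        if b["err"] == 49:
            out.append("BIND for %s rejected: err=49 invalid credentials" % b["dn"])
        elif b["err"] == 0:
            out.append("BIND for %s succeeded%s" % (b["dn"], " over TLS" if b["encrypted"] else ""))
    return out


def summarize(text):
    """conn number -> list of findings, for every connection in the log text."""
    return {conn: diagnose(c) for conn, c in parse_access_log(text).items()}


if __name__ == "__main__":
    for conn, findings in summarize(SAMPLE_LOG).items():
        for f in findings or ["nothing to report"]:
            print("conn=%d: %s" % (conn, f))
```

Run over the poster's lines it reports that TLS came up but no BIND was ever sent: the server saw startTLS succeed, logged the negotiated cipher, and then received an UNBIND followed by a close with code U1, which is the code this server writes when the client itself closes the connection with an unbind. Whatever goes wrong is happening on the client side after the handshake and before it tries to bind, and the server's access log cannot show why. The constructed conn=652 shows the opposite failure mode worth grepping for in a real log: a simple bind sent on a connection that never did startTLS, so the password crossed the wire in the clear.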