My logs seem to indicate that the connection is being encrypted; I can ssh to a client server and get the password prompt, but when I enter the password it just returns me to the password prompt again.
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
All of this means the client was able to successfully perform the startTLS extended operation and start using SSL.
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
The UNBIND means the client had a problem and closed the connection.
Does the client print any errors? Are there any messages in the server
error log?
If I disable TLS everything works fine; the client server can query the FDS and auth the client properly.
I am not sure if the problem has to do with the pam_ldap config not being properly formatted or the cert file not being in the proper format.
Does anyone have an example of what the pam_ldap config should look like, or suggestions on checking whether the cert file is in the proper format?
I'm not sure. PAM needs the CA cert of the CA that issued the directory server's server cert. See
for more information.
Also what's the UNBIND shown in the logs?
Thanks
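A worked example, added here and not code from the thread or from Fedora Directory Server, that reads access-log lines in the format quoted above and labels each connection the way the reply reads conn=650: a startTLS extended operation, RESULT err=0, an SSL line, and then UNBIND and close with no BIND in between, which is a client that negotiated TLS and then gave up before authenticating. The conn=650 lines are the thread's own; conn=651 (startTLS followed by a simple BIND), conn=652 (a simple BIND with no TLS at all), the 10.0.0.x addresses and the DNs are constructed. The third label, a BIND that arrives before any SSL line, is what "works fine with TLS disabled" looks like on the server side: the password crosses the network in the clear.

```python
import re
from collections import defaultdict

# Constructed sample log. conn=650 is the exchange quoted in the thread;
# conn=651 (startTLS, then a simple BIND) and conn=652 (simple BIND with no
# TLS at all) are made up, as are the 10.0.0.x addresses and the DNs.
SAMPLE_LOG = """\
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
[01/Dec/2006:19:48:02 -0500] conn=651 fd=70 slot=70 connection from 10.0.0.5 to 10.0.0.1
[01/Dec/2006:19:48:02 -0500] conn=651 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:48:02 -0500] conn=651 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:48:02 -0500] conn=651 SSL 256-bit AES
[01/Dec/2006:19:48:02 -0500] conn=651 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:48:02 -0500] conn=651 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[01/Dec/2006:19:48:03 -0500] conn=651 op=2 UNBIND
[01/Dec/2006:19:48:03 -0500] conn=651 op=2 fd=70 closed - U1
[01/Dec/2006:19:49:10 -0500] conn=652 fd=71 slot=71 connection from 10.0.0.6 to 10.0.0.1
[01/Dec/2006:19:49:10 -0500] conn=652 op=0 BIND dn="uid=bob,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:49:10 -0500] conn=652 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Dec/2006:19:49:10 -0500] conn=652 op=1 UNBIND
[01/Dec/2006:19:49:10 -0500] conn=652 op=1 fd=71 closed - U1
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # the OID logged for startTLS in the thread
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<tail>.*)$')


def new_state():
    return {"starttls_requested": False, "starttls_ok": False,
            "tls": None, "binds": [], "closed": False}


def parse_connections(log_text):
    """Group access-log lines by conn id and record the events that matter here."""
    conns = defaultdict(new_state)
    pending_starttls = {}          # conn -> op number of an unanswered startTLS EXT
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        c = conns[conn]
        if rest.startswith("SSL "):            # "SSL 256-bit AES": handshake completed
            c["tls"] = rest[4:]
            continue
        if " closed " in rest:                 # "op=1 fd=69 closed - U1"
            c["closed"] = True
            continue
        op_m = OP_RE.match(rest)
        if not op_m:
            continue                            # "connection from ..." and similar
        op, kind, tail = op_m.group("op"), op_m.group("kind"), op_m.group("tail")
        if kind == "EXT" and f'oid="{STARTTLS_OID}"' in tail:
            c["starttls_requested"] = True
            pending_starttls[conn] = op
        elif kind == "RESULT" and pending_starttls.get(conn) == op:
            err = re.search(r"err=(\d+)", tail)  # err=0 on the startTLS RESULT line
            c["starttls_ok"] = err is not None and err.group(1) == "0"
            del pending_starttls[conn]
        elif kind == "BIND":
            dn = re.search(r'dn="([^"]*)"', tail)
            # Record whether this BIND came after the SSL line, i.e. under TLS.
            c["binds"].append((dn.group(1) if dn else "", c["tls"] is not None))
    return dict(conns)


def classify(c):
    """Label one closed connection following the reading of conn=650 in the thread."""
    if not c["closed"]:
        return "open"                            # still in progress, nothing to say yet
    if c["starttls_requested"] and not c["starttls_ok"]:
        return "starttls_failed"                 # server refused the extended operation
    if c["starttls_ok"] and c["tls"] and not c["binds"]:
        return "tls_then_closed_without_bind"    # client gave up right after the handshake
    if any(not under_tls for _, under_tls in c["binds"]):
        return "cleartext_bind"                  # simple BIND with no SSL line before it
    return "ok"


def triage(log_text):
    return {conn: classify(state) for conn, state in parse_connections(log_text).items()}


if __name__ == "__main__":
    for conn, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"conn={conn}: {label}")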
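Running it on the sample prints conn=650 as tls_then_closed_without_bind, conn=651 as ok and conn=652 as cleartext_bind; pass the contents of a real access log to triage() to see which of those three patterns a misbehaving pam_ldap client is producing. Since the reply points out that this failure is on the client side, the server access log can only tell you that the client aborted after the handshake; the reason (for instance a CA cert the client cannot find or verify, as the reply suggests) has to come from the client's own errors.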
> From: fedora-directory-users-request(a)redhat.com
> Reply-To: fedora-directory-users(a)redhat.com
> To: fedora-directory-users(a)redhat.com
> Subject: Fedora-directory-users Digest, Vol 19, Issue 1
> Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
>
> Today's Topics:
>
> 1. pam_ldap with SSL/TLS (t b)
> 2. RE: pam_ldap with SSL/TLS (Morris, Patrick)
> 3. Re: pam_ldap with SSL/TLS (Richard Megginson)
> 4. Problem with SSL console in X in specific circumstances
> (Philip Kime)
> 5. FW: [Fedora-directory-users] Extracting details from
> ActiveDirectoryto FDS (Paxton, Darren)
> 6. alias in fedora directory server (patrick ndjientcheu ngandjui)
> 7. Re: FW: [Fedora-directory-users] Extracting details from
> ActiveDirectoryto FDS (Nicholas Byrne)
> 8. Re: Memory usage (koniczynek)
> 9. Re: Memory usage (David Boreham)
> 10. Re: Memory usage (koniczynek)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 30 Nov 2006 12:31:50 -0500
> From: "t b" <mxheadroom(a)hotmail.com>
> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
> To: fedora-directory-users(a)redhat.com
> Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0(a)phx.gbl>
> Content-Type: text/plain; format=flowed
>
> I am trying to set up pam_ldap to use TLS to communicate with the FDS,
> but I am having lots of problems doing so; it works if I use the
> unencrypted way but not if I use ldaps (port 636).
>
> I used the instructions at,
>
http://directory.fedora.redhat.com/wiki/Howto:PAM
>
> Has anyone gotten PAM to work with TLS?
>
>
> Thanks
>
> ------------------------------
>
> Message: 2
> Date: Thu, 30 Nov 2006 13:00:56 -0500
> From: "Morris, Patrick" <patrick.morris(a)hp.com>
> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID:
> <CD18C81835E18A40A64C4A0D16A237BE05FE850D(a)ATAEXC01.americas.cpqcorp.net>
>
>
> Content-Type: text/plain; charset="US-ASCII"
>
> > I am trying to setup pam_ldap to use TLS to communicate with
> > the FDS, but having lots of problems doing so; it works if I
> > use the unencrypted way but not if I use ldaps ( port 636 )
>
> Someone should jump in here and correct me if I'm wrong, but I believe
> it's normal for TLS connections to happen on the standard LDAP port.
> You should be able to tell from your logs whether the connection is
> encrypted or not.
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 30 Nov 2006 11:08:08 -0700
> From: Richard Megginson <rmeggins(a)redhat.com>
> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID: <456F1E08.40601(a)redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Morris, Patrick wrote:
> >> I am trying to setup pam_ldap to use TLS to communicate with
> >> the FDS, but having lots of problems doing so; it works if I
> >> use the unencrypted way but not if I use ldaps ( port 636 )
> >>
> >
> > Someone should jump in here and correct me if I'm wrong, but I believe
> > it's normal for TLS connections to happen on the standard LDAP port.
> > You should be able to tell from your logs whether the connection is
> > encrypted or not.
> >
> Yes. The LDAP "preferred" way is to use the startTLS extended operation
> which starts a TLS session on the non-secure port. This will be logged
> in the access log.
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users(a)redhat.com
> >
https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>
> ------------------------------
>
> Message: 4
> Date: Thu, 30 Nov 2006 18:02:55 -0800
> From: "Philip Kime" <pkime(a)Shopzilla.com>
> Subject: [Fedora-directory-users] Problem with SSL console in X in
> specific circumstances
> To: <fedora-directory-users(a)redhat.com>
> Message-ID:
> <9C0091F428E697439E7A773FFD083427435BE3(a)szexchange.Shopzilla.inc>
> Content-Type: text/plain; charset="us-ascii"
>
> Here's the problem:
>
> Running startconsole (SSL) to a remote display on a PC X-server (xwin32)
> works fine and requires that my windows home dir on the PC X-server
> machine has .fedora-console/ containing cert8.db and key3.db, as you'd
> expect. If I rename this dir, the console hangs at the splash screen. So
> far, so good, all makes sense.
>
> If I try the same thing to cygwin's X server on same machine or to an X
> server on a Mac running OSX, startconsole always hangs as if it can't
> find ~/.fedora-console on the local machine. I've tried copying this dir
> to what cygwin/OSX thinks is the user's home dir but no luck. Where
> should I put the Cert db files under "real" UNIX X to get the SSL
> console to work? Also tried ~/.mmc as per the docs but I could never get
> this to work.
>
> PK
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 1 Dec 2006 08:04:30 -0000
> From: "Paxton, Darren" <Darren.Paxton(a)mercer.com>
> Subject: FW: [Fedora-directory-users] Extracting details from
> ActiveDirectoryto FDS
> To: <Fedora-directory-users(a)redhat.com>
> Message-ID:
> <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02(a)eidwpexms06.mercer.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
> ------------------------------
>
> Message: 6
> Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT)
> From: patrick ndjientcheu ngandjui <tchen_pat(a)yahoo.fr>
> Subject: [Fedora-directory-users] alias in fedora directory server
> To: Fedora-directory-users(a)redhat.com
> Message-ID: <20061201081042.78578.qmail(a)web25801.mail.ukl.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> I would like to know how to use aliases in Fedora Directory Server. It
> seems that they are used to point to another entry in the directory, but
> I don't know how to use this feature. Could someone help me with this
> issue? I would really appreciate an example.
>
> Thanks
>
> ------------------------------
>
> Message: 7
> Date: Fri, 01 Dec 2006 11:50:13 +0000
> From: Nicholas Byrne <nicholas.byrne(a)quadriga.com>
> Subject: Re: FW: [Fedora-directory-users] Extracting details from
> ActiveDirectoryto FDS
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID: <457016F5.5030202(a)quadriga.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Your messages got through - you can confirm by checking the archives -
>
https://www.redhat.com/archives/fedora-directory-users/
>
> I'm a new user as well so I'm afraid I can't answer your question, but
> if you keep asking I'm sure someone will know!
> Nick
>
> Paxton, Darren wrote:
> > Apologies for mailing yet again, however either my messages are not
> > getting through (something I don't believe as I keep getting the post
> > to the mailing list) - or for some reason, no one is willing to even
> > acknowledge my issue.
> >
> > In the spirit of the community - can someone at least acknowledge a
> > message as I find it quite disheartening that I have had no replies at
> > all even if just to point me somewhere for assistance.
> >
> >
> ------------------------------------------------------------------------
> > *From:* fedora-directory-users-bounces(a)redhat.com
> > [mailto:fedora-directory-users-bounces@redhat.com] *On Behalf Of
> > *Paxton, Darren
> > *Sent:* 30 November 2006 08:46
> > *To:* General discussion list for the Fedora Directory server project.
> > *Subject:* RE: [Fedora-directory-users] Extracting details from
> > ActiveDirectoryto FDS
> >
> > Hi
> >
> > Has anyone had any thoughts on my query or can point me in the right
> > direction?
> >
> > As is the nature of AD, I would have thought it is possible to extract
> > this information using a scope setting or something similar.
> >
> > Thanks
> >
> > Darren
> >
> >
> ------------------------------------------------------------------------
> > *From:* fedora-directory-users-bounces(a)redhat.com
> > [mailto:fedora-directory-users-bounces@redhat.com] *On Behalf Of
> > *Paxton, Darren
> > *Sent:* 24 November 2006 14:56
> > *To:* fedora-directory-users(a)redhat.com
> > *Subject:* [Fedora-directory-users] Extracting details from Active
> > Directoryto FDS
> >
> > Hi all,
> >
> > I've been tinkering with integrating our Linux devices into our AD
> > domain for some time and I've hit a few brick walls, however I've
> > recently discovered FDS and the synchronisation features with AD.
> >
> > I've managed to set up a few replication jobs, however due to the
> > extensive nature of our AD, I've realised that the sync only takes
> > the group and user objects from the OU or CN being specified.
> >
> > Is there any way I can specify that it should traverse all
> > subtrees of an OU and extract all that information back into FDS?
> >
> > Thanks
> >
> > Darren
> >
> > --
> > Darren Paxton
> > EMEA Tier2
> > Red Hat Certified Engineer
> > VMware Certified Professional
> > MGTI Centralised ops
> >
> >
> ------------------------------
>
> Message: 8
> Date: Fri, 01 Dec 2006 16:45:28 +0100
> From: koniczynek <koniczynek(a)uaznia.net>
> Subject: Re: [Fedora-directory-users] Memory usage
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID: <45704E18.3070705(a)uaznia.net>
> Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
> Richard Megginson wrote:
> > This is an excellent cache/memory tuning document from a Sun employee,
> > primarily targeted to Sun DS users, but almost all of the
> information is
> > relevant to Fedora DS (since they share a common lineage).
> >
> >
http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
> Let's say I haven't got much time lately, so without thinking I changed
> nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
> restarting I've started to receive errors like: "3 Time limit exceeded".
> Does someone know what to do? ;)
>
> --
> xmpp/email: koniczynek(a)uaznia.net
> xmpp/email: koniczynek(a)gmail.com
>
>
>
> ------------------------------
>
> Message: 9
> Date: Fri, 01 Dec 2006 09:15:14 -0700
> From: David Boreham <david_list(a)boreham.org>
> Subject: Re: [Fedora-directory-users] Memory usage
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID: <45705512.4070808(a)boreham.org>
> Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
> koniczynek wrote:
>
> > Richard Megginson wrote:
> >
> >> This is an excellent cache/memory tuning document from a Sun
> >> employee, primarily targeted to Sun DS users, but almost all of the
> >> information is relevant to Fedora DS (since they share a common
> >> lineage).
> >>
> >>
http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
> >
> > Let's say I haven't got much time lately, so without thinking I changed
> > nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
> > restarting I've started to receive errors like: "3 Time limit exceeded".
> > Does someone know what to do? ;)
> >
> Change it back ?
>
> ------------------------------
>
> Message: 10
> Date: Fri, 01 Dec 2006 17:53:22 +0100
> From: koniczynek <koniczynek(a)uaznia.net>
> Subject: Re: [Fedora-directory-users] Memory usage
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID: <45705E02.7020709(a)uaznia.net>
> Content-Type: text/plain; charset=ISO-8859-2
>
> David Boreham, on 2006-12-01 17:15 wrote:
> >> Let's say I haven't got much time lately, so without thinking I changed
> >> nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
> >> restarting I've started to receive errors like: "3 Time limit exceeded".
> >> Does someone know what to do? ;)
> > Change it back ?
> Man, please, show some respect ;) I did change it back, but to no avail.
> Also I can say (to stop further questions): yes, I stopped the server
> before the change.
>
> --
> email/xmpp: koniczynek(a)uaznia.net
>
> ------------------------------
>
>
> End of Fedora-directory-users Digest, Vol 19, Issue 1
> *****************************************************