From: fedora-directory-users-request(a)redhat.com
Reply-To: fedora-directory-users(a)redhat.com
To: fedora-directory-users(a)redhat.com
Subject: Fedora-directory-users Digest, Vol 19, Issue 3
Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST)
Send Fedora-directory-users mailing list submissions to
fedora-directory-users(a)redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/fedora-directory-users
or, via email, send a message with subject or body 'help' to
fedora-directory-users-request(a)redhat.com
You can reach the person managing the list at
fedora-directory-users-owner(a)redhat.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Fedora-directory-users digest..."
Today's Topics:
1. Re: RE: Fedora-directory-users Digest, Vol 19, Issue 1
(Richard Megginson)
2. Re: AD + FDS sync stops working? (To Ngan)
3. Re: Memory usage (koniczynek)
----------------------------------------------------------------------
Message: 1
Date: Fri, 01 Dec 2006 12:55:24 -0700
From: Richard Megginson <rmeggins(a)redhat.com>
Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users
Digest, Vol 19, Issue 1
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users(a)redhat.com>
Message-ID: <457088AC.1030004(a)redhat.com>
Content-Type: text/plain; charset="iso-8859-1"
t b wrote:
> My logs seem to indicate that the connection is being encrypted; I can
> ssh to a client server and get the password prompt, but when I enter
> the password it just returns me to the password prompt again
>
> [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
> [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
All of this means the client was able to successfully perform the
startTLS extended operation and start using SSL.
> [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
> [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
The UNBIND means the client had a problem and closed the connection.
Does the client print any errors? Are there any messages in the server
error log?
>
> If I disable TLS everything works fine, the client server can query
> the FDS and auth the client properly
>
> I am not sure if the problem has to do with the pam_ldap not properly
> formatted or the cert file not in proper format
>
> Does anyone have an example of what the pam_ldap config should look
> like? or suggestions on checking whether the cert file is in proper
> format
I'm not sure. PAM needs the ca cert of the CA that issued the directory
server server cert. See
http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
>
> Also what's the UNBIND shown in the logs?
>
> Thanks
>
Problem solved; the following link added the missing part to the puzzle:
http://www.fedoraforum.org/forum/archive/index.php/t-1997.html
The problem turns out to be that when you run the command
/usr/bin/authconfig as recommended at
http://directory.fedora.redhat.com/wiki/Howto:PAM, it does not make all of
the necessary adjustments to /etc/ldap.conf -- you need to also add the
settings mentioned in the link above.
Hope this helps anyone having the same issues, and thanks to everyone for
their suggestions.
As an addition, I am trying to download the posixuser auto-creation script
from http://www.netauth.com/~jacksonm/ldap/newuser.pl.txt but the port
seems to be blocked; does anyone know where I can get hold of that script?
Thanks
> >> From: fedora-directory-users-request(a)redhat.com
> >> Reply-To: fedora-directory-users(a)redhat.com
> >> To: fedora-directory-users(a)redhat.com
> >> Subject: Fedora-directory-users Digest, Vol 19, Issue 1
> >> Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
> >>
> >> Today's Topics:
> >>
> >> 1. pam_ldap with SSL/TLS (t b)
> >> 2. RE: pam_ldap with SSL/TLS (Morris, Patrick)
> >> 3. Re: pam_ldap with SSL/TLS (Richard Megginson)
> >> 4. Problem with SSL console in X in specific circumstances
> >> (Philip Kime)
> >> 5. FW: [Fedora-directory-users] Extracting details from
> >> ActiveDirectoryto FDS (Paxton, Darren)
> >> 6. alias in fedora directory server (patrick ndjientcheu ngandjui)
> >> 7. Re: FW: [Fedora-directory-users] Extracting details from
> >> ActiveDirectoryto FDS (Nicholas Byrne)
> >> 8. Re: Memory usage (koniczynek)
> >> 9. Re: Memory usage (David Boreham)
> >> 10. Re: Memory usage (koniczynek)
> >>
> >>
> >> ----------------------------------------------------------------------
> >>
> >> Message: 1
> >> Date: Thu, 30 Nov 2006 12:31:50 -0500
> >> From: "t b" <mxheadroom(a)hotmail.com>
> >> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
> >> To: fedora-directory-users(a)redhat.com
> >> Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0(a)phx.gbl>
> >> Content-Type: text/plain; format=flowed
> >>
> >> I am trying to set up pam_ldap to use TLS to communicate with the FDS, but
> >> having lots of problems doing so; it works if I use the unencrypted way but
> >> not if I use ldaps ( port 636 )
> >>
> >> I used the instructions at
> >> http://directory.fedora.redhat.com/wiki/Howto:PAM
> >>
> >> Has anyone gotten PAM to work with TLS?
> >>
> >>
> >> Thanks
> >>
> >> ------------------------------
> >>
> >> Message: 2
> >> Date: Thu, 30 Nov 2006 13:00:56 -0500
> >> From: "Morris, Patrick" <patrick.morris(a)hp.com>
> >> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
> >> To: "General discussion list for the Fedora Directory server project."
> >> <fedora-directory-users(a)redhat.com>
> >> Message-ID: <CD18C81835E18A40A64C4A0D16A237BE05FE850D(a)ATAEXC01.americas.cpqcorp.net>
> >>
> >>
> >> Content-Type: text/plain; charset="US-ASCII"
> >>
> >> > I am trying to setup pam_ldap to use TLS to communicate with
> >> > the FDS, but having lots of problems doing so; it works if I
> >> > use the unencrypted way but not if I use ldaps ( port 636 )
> >>
> >> Someone should jump in here and correct me if I'm wrong, but I believe
> >> it's normal for TLS connections to happen on the standard LDAP port.
> >> You should be able to tell from your logs whether the connection is
> >> encrypted or not.
> >>
> >>
> >>
> >> ------------------------------
> >>
> >> Message: 3
> >> Date: Thu, 30 Nov 2006 11:08:08 -0700
> >> From: Richard Megginson <rmeggins(a)redhat.com>
> >> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
> >> To: "General discussion list for the Fedora Directory server project."
> >> <fedora-directory-users(a)redhat.com>
> >> Message-ID: <456F1E08.40601(a)redhat.com>
> >> Content-Type: text/plain; charset="iso-8859-1"
> >>
> >> Morris, Patrick wrote:
> >> >> I am trying to setup pam_ldap to use TLS to communicate with
> >> >> the FDS, but having lots of problems doing so; it works if I
> >> >> use the unencrypted way but not if I use ldaps ( port 636 )
> >> >>
> >> >
> >> > Someone should jump in here and correct me if I'm wrong, but I believe
> >> > it's normal for TLS connections to happen on the standard LDAP port.
> >> > You should be able to tell from your logs whether the connection is
> >> > encrypted or not.
> >> >
> >> Yes. The LDAP "preferred" way is to use the startTLS extended operation
> >> which starts a TLS session on the non-secure port. This will be logged
> >> in the access log.
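As an added example, not code from the thread or from the Directory Server project: a short Python diagnostic that reads access-log lines like the ones quoted above and classifies each connection, flagging the pattern Richard describes (startTLS succeeded and the SSL line appeared, then the client sent UNBIND without ever binding), which in this thread pointed at the client-side configuration rather than the server. The sample log lines, their conn numbers, the BIND dn and the failing startTLS are constructed for the example.

```python
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
LINE_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) (.*)$")

# Constructed sample modelled on the quoted access log; conn=651/652, the dn and err=1 are made up.
SAMPLE_LOG = """\
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:48:10 -0500] conn=651 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:48:10 -0500] conn=651 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:48:10 -0500] conn=651 SSL 256-bit AES
[01/Dec/2006:19:48:10 -0500] conn=651 op=1 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:48:11 -0500] conn=651 op=2 UNBIND
[01/Dec/2006:19:49:02 -0500] conn=652 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:49:02 -0500] conn=652 op=0 RESULT err=1 tag=120 nentries=0 etime=0
"""

def analyse_access_log(text):
    """Per-connection verdict: 'cleartext', 'starttls-failed', 'tls-bind-ok', 'tls-open',
    or 'tls-no-bind' (the thread's symptom: TLS came up, then UNBIND with no BIND at all)."""
    state = defaultdict(lambda: {"tls_op": None, "err": None, "ssl": False,
                                 "bind": False, "unbind": False})
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        st, rest = state[m.group(1)], m.group(2)
        result = re.match(r"op=(\d+) RESULT err=(\d+)", rest)
        if f'EXT oid="{STARTTLS_OID}"' in rest:
            st["tls_op"] = re.match(r"op=(\d+)", rest).group(1)  # which op was startTLS
        elif result and result.group(1) == st["tls_op"] and st["err"] is None:
            st["err"] = int(result.group(2))  # RESULT of the startTLS op itself
        elif rest.startswith("SSL "):
            st["ssl"] = True  # handshake finished, cipher negotiated
        elif re.match(r"op=\d+ BIND ", rest):
            st["bind"] = True
        elif re.match(r"op=\d+ UNBIND", rest):
            st["unbind"] = True
    return {conn: _verdict(st) for conn, st in state.items()}

def _verdict(st):
    if st["tls_op"] is None:
        return "cleartext"
    if st["err"] != 0 or not st["ssl"]:
        return "starttls-failed"
    if st["bind"]:
        return "tls-bind-ok"
    return "tls-no-bind" if st["unbind"] else "tls-open"
```

A run over the constructed sample reports conn=650 as tls-no-bind, conn=651 as tls-bind-ok and conn=652 as starttls-failed; on a real access log, a burst of tls-no-bind verdicts from one client host is the signature to look for when pam_ldap cannot validate the server certificate.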