Hi,
I am trying to get a RHEL4 box to LDAP authenticate against FDS (also on RHEL4) and failing.....
In the logs (messages) I have,
Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
Any ideas why? And how to fix? Also is there a way to search the archive for this list?
When I do a,
ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)"
The server replies so FDS appears to be running OK....
Also is there a way to search the archive for this list? I have tried Googling with no luck...
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Oh and I get the same failure when trying to get Debian etch to connect, so I am assuming there is something on the FDS that is wrong, or not as yet setup, rather than a client side issue....
Firewall is off....
Hosts.allow is ALL:ALL
Ldapsearch returns OK....so a pam issue in some form....maybe
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Steven Jones Sent: Monday, 10 September 2007 1:44 p.m. To: fedora-directory-users@redhat.com Subject: [Fedora-directory-users] ssh login fail
Steven Jones wrote:
Hi,
I am trying to get a RHEL4 box to LDAP authenticate against FDS (also on RHEL4) and failing.....
In the logs (messages) I have,
Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
Any ideas why? And how to fix? Also is there a way to search the archive for this list?
Have you seen this: http://directory.fedoraproject.org/wiki/Howto:PAM - search for ssh
When I do a,
ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)"
The server replies so FDS appears to be running OK....
Also is there a way to search the archive for this list? I have tried Googling with no luck...
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Yes.
Thanks, I have this page bookmarked.
Content looks identical to what I have...I have spent days on this googling with no joy.
Since a Debian LDAP client also does not work I suspect it is a server side FDS mis-configuration and not client side, but I could be wrong. Previously I had a Debian Openldap setup working and that was fine. So it looks like something is missing/broken in FDS.
I find it interesting that yours is the only reply for what I assume is a default type of problem....suggests a poor likelihood of the product being supportable long term....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson Sent: Tuesday, 11 September 2007 3:31 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail
Is this the correct rpm to use on RHAS4-32bit-U5?
fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm
Are there any dependencies on the server and clients not installed by default? I have everything installed that I can see documented but it's possible I have missed something, or there is an undocumented change with the version upgrade.
How practical is it to rip out any RHAS4 ldap client modules software and install Fedora ones?
Are there different password hash mechanisms between versions? If so how do I check for these?
These might seem odd Q's but I'm kinda desperate as to why I cannot get the system working....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Steven Jones Sent: Tuesday, 11 September 2007 8:31 a.m. To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] ssh login fail
Steven Jones wrote:
Is this the correct rpm to use on RHAS4-32bit-U5?
fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm
Yes.
Are there any dependencies on the server and clients not installed by default? I have everything installed that I can see documented but it's possible I have missed something, or there is an undocumented change with the version upgrade.
rpm installation should tell you if you are missing some dependency of the server.
How practical is it to rip out any RHAS4 ldap client modules software and install Fedora ones?
I have no idea.
Are there different password hash mechanisms between versions? If so how do I check for these?
Fedora DS versions? If so, yes. I believe Fedora DS 7.1 supported only SHA, SSHA, and crypt. Fedora DS 1.0.1 added MD5. Fedora DS 1.0.4 added support for SHA and SSHA 256, 384, and 512.
These might seem odd Q's but I'm kinda desperate as to why I cannot get the system working....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Hi Steven!
On Mon, 10 Sep 2007, Steven Jones wrote:
Is this the correct rpm to use on RHAS4-32bit-U5?
fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm
Are there any dependencies on the server and clients not installed by default? I have everything installed that I can see documented but it's possible I have missed something, or there is an undocumented change with the version upgrade.
How practical is it to rip out any RHAS4 ldap client modules software and install Fedora ones?
Are there different password hash mechanisms between versions? If so how do I check for these?
These might seem odd Q's but I'm kinda desperate as to why I cannot get the system working....
Configuration of EL4 with FDS is normally dirt-simple, if you use authconfig. All I've ever had to do is give it the server address and where to look, and off it went.
If you're getting an error that the server can't be contacted, it seems that maybe auth isn't correctly configured (or you have more basic network issues).
The most likely cause, off the top of my head, would be trying to use something like ldaps://ldapserver.yourdomain.com without having configured the server for SSL.
Hi,
See below.
Regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Patrick Morris Sent: Tuesday, 11 September 2007 9:01 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail
Configuration of EL4 with FDS is normally dirt-simple, if you use authconfig. All I've ever had to do is give it the server address and where to look, and off it went.
Thanks, I started by hand and recently re-ran using the authconfig tool and the gtk version...
I am pretty much convinced/agree that it should be very simple, I have read so many docs all saying the same thing that I am assuming I have misread or misunderstood some really easy setting that causes this.....OpenLdap on Debian certainly was easy so it is likely I have either missed something, hit a terminal bug or I am doing the wrong thing.
If you're getting an error that the server can't be contacted, it seems that maybe auth isn't correctly configured (or you have more basic network issues).
I can do an ldapsearch at the command line on the client which returns info
The problem is also in login, so I am pretty sure it is a pam client issue....or encryption....
Eg.,
==============
[root@vuwunicvfwall02 pam.d]# ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz
# extended LDIF
#
# LDAPv3
# base <dc=vuw,dc=ac,dc=nz> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# vuw.ac.nz
dn: dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: domain
dc: vuw

# Directory Administrators, vuw.ac.nz
dn: cn=Directory Administrators, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators

# Groups, vuw.ac.nz
dn: ou=Groups, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, vuw.ac.nz
dn: ou=Special Users,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts

# Accounting Managers, groups, vuw.ac.nz
dn: cn=Accounting Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries

# HR Managers, groups, vuw.ac.nz
dn: cn=HR Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries

# QA Managers, groups, vuw.ac.nz
dn: cn=QA Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries

# PD Managers, groups, vuw.ac.nz
dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
==============
Thanks, I started by hand and recently re-ran using the authconfig tool...
The most likely cause, off the top of my head, would be trying to use something like ldaps://ldapserver.yourdomain.com without having configured the server for SSL.
As far as I know I am not running ssl but it is possible one end is and the other is not, however FDS is not set to do so in the gui and the client has no setting I can see beyond /etc/ldap.conf saying "ssl no".
Hmmm possibly I have my test user in the wrong place in LDAP and hence I get a null return....can't see how to check for this though....
Regards
Steven
Steven Jones wrote:
Yes.
Thanks, I have this page bookmarked.
Content looks identical to what I have...I have spent days on this googling with no joy.
Since a Debian LDAP client also does not work I suspect it is a server side FDS mis-configuration and not client side, but I could be wrong. Previously I had a Debian Openldap setup working and that was fine. So it looks like something is missing/broken in FDS.
I find it interesting that yours is the only reply for what I assume is a default type of problem....suggests a poor likelihood of the product being supportable long term....
I'm assuming the lack of replies means that 1) people just got it to work by following the directions and didn't run into the problems you are seeing 2) just don't have the time to reply 3) have no experience with setting up ssh. I know other people on this list have been able to integrate ssh with Fedora DS. I'm sorry that you have not. I'm not sure why you have not been able to. You could look at the Fedora DS access and error logs, the pam/ssh logs, and even make Fedora DS logging more verbose - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
I would start with the Fedora DS access log. See if ssh is making a connection to Fedora DS, if so, see what types of operations are being sent, and the responses to those operations. For searches, see what the base DN, filter, and attributes being requested are.
8><----
I would start with the Fedora DS access log. See if ssh is making a connection to Fedora DS, if so, see what types of operations are being sent, and the responses to those operations. For searches, see what the base DN, filter, and attributes being requested are.
This helped.....the ldapsearch was being logged but the pam search was not so....
I blew away /etc/ldap.conf and symlinked it to /etc/openldap/ldap.conf, then blindly added these lines to its somewhat short form,
=======
scope sub
suffix "dc=vuw,dc=ac,dc=nz"
#TLS_CACERTDIR /etc/openldap/cacerts
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=cognifide,dc=pl
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_shadow ou=People,dc=cognifide,dc=pl
nss_base_group ou=Group,dc=cognifide,dc=pl
nss_base_hosts ou=Hosts,dc=cognifide,dc=pl
===========
The log now shows,
8><-----
PosixAccount)(uid=root))" attrs=ALL
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH base="ou=Group,dc=cognifide,dc=pl" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=-1 fd=67 closed error 104 (Connection reset by peer) - TCP connection reset by peer.
So pam is now actually querying the LDAP server it seems, it is not getting it right but it's a small step.
I would seem to need to do some config around this area,
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
ssl no
scope sub
suffix "dc=vuw,dc=ac,dc=nz"
#TLS_CACERTDIR /etc/openldap/cacerts
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=cognifide,dc=pl
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_shadow ou=People,dc=cognifide,dc=pl
nss_base_group ou=Group,dc=cognifide,dc=pl
nss_base_hosts ou=Hosts,dc=cognifide,dc=pl
As I still get no reply/successful login.
Regards
Steven
err=32 means no such object. That is, ou=Group,dc=cognifide,dc=pl does not exist. In your file above, you have
suffix "dc=vuw,dc=ac,dc=nz"
Do you have ou=Groups,dc=vuw,dc=ac,dc=nz ?
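Richard's two pointers above (read the Fedora DS access log for each search's base DN and filter, and treat err=32 as a base DN that does not exist under the dc=vuw,dc=ac,dc=nz suffix) can be automated. The Python below is an added example, not code from the thread or from Fedora DS: it parses a constructed ldap.conf excerpt and a constructed access-log excerpt in the formats quoted above, pairs each SRCH with its RESULT by conn/op, and maps every noSuchObject base back to the nss_base_* line that set it. The sample data, the filled-in op=2 SRCH line and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed ldap.conf excerpt mirroring the one in the thread: the suffix is
# dc=vuw,dc=ac,dc=nz but the nss_base_* lines still name a dc=cognifide,dc=pl tree.
SAMPLE_LDAP_CONF = """\
# LDAP Defaults
HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
ssl no
suffix "dc=vuw,dc=ac,dc=nz"
pam_filter objectclass=posixAccount
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_group ou=Group,dc=cognifide,dc=pl
"""

# Constructed Fedora DS access-log excerpt in the format quoted in the thread
# (the op=2 SRCH line is filled in here; the thread's paste was cut off mid-line).
SAMPLE_ACCESS_LOG = """\
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 SRCH base="ou=People,dc=cognifide,dc=pl" scope=2 filter="(&(objectClass=posixAccount)(uid=root))" attrs=ALL
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH base="ou=Group,dc=cognifide,dc=pl" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=-1 fd=67 closed error 104 (Connection reset by peer) - TCP connection reset by peer.
"""

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)")
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}  # RFC 4511 codes

def normalize_dn(dn):
    """Lower-case a DN and drop the space after commas, so the 'ou=Groups, dc=vuw,...'
    form that ldapsearch prints compares equal to 'ou=groups,dc=vuw,...'."""
    return ",".join(p.strip().lower() for p in dn.strip().strip('"').split(","))

def parse_ldap_conf(text):
    """Parse pam_ldap/nss_ldap style ldap.conf ('key value' lines, '#' comments).
    Keys may repeat (e.g. two nss_base_passwd lines), so each key maps to a list."""
    conf = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()].append(value.strip().strip('"'))
    return conf

def misplaced_search_bases(conf):
    """Return (key, value) for every nss_base_* entry that is not under the suffix.
    nss_ldap accepts 'base?scope?filter' here, so only the part before '?' is a DN."""
    roots = conf.get("suffix") or conf.get("base") or []
    if not roots:
        return []
    suffix = normalize_dn(roots[0])
    bad = []
    for key, values in conf.items():
        if not key.startswith("nss_base_"):
            continue
        for value in values:
            base = normalize_dn(value.split("?")[0])
            if base != suffix and not base.endswith("," + suffix):
                bad.append((key, value))
    return bad

def failed_searches(log_text):
    """Pair each SRCH with its RESULT by (conn, op) and return the failed ones.
    A search is popped on its first RESULT, so a RESULT line pasted twice (as in
    the thread) is not counted twice."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key, rest = (m["conn"], m["op"]), m["rest"]
        srch = SRCH_RE.match(rest)
        if srch:
            pending[key] = {"base": srch["base"], "filter": srch["filter"]}
            continue
        res = RESULT_RE.match(rest)
        if res and key in pending:
            search, err = pending.pop(key), int(res["err"])
            if err != 0:
                failures.append({**search, "err": err, "nentries": int(res["n"]),
                                 "name": LDAP_ERR.get(err, "unknown")})
    return failures

def explain(conf_text, log_text):
    """For each failed search, name the ldap.conf key whose base produced it."""
    conf = parse_ldap_conf(conf_text)
    culprit = {normalize_dn(v.split("?")[0]): k for k, v in misplaced_search_bases(conf)}
    return [(f["base"], f["name"], culprit.get(normalize_dn(f["base"]), "(not an nss_base_* line)"))
            for f in failed_searches(log_text)]

if __name__ == "__main__":
    for base, name, key in explain(SAMPLE_LDAP_CONF, SAMPLE_ACCESS_LOG):
        print(f"SRCH base={base!r} -> {name}; set by {key}")
```

Run against the real /etc/ldap.conf and the FDS access log, the report lists each nss_base_* line whose base the server answered with noSuchObject.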
I have no idea....I suspect not, need an English explanation on some of this stuff...Fedora has a nice gui but it hides things so trying to determine if the test user is in the right "place" for the external query would seem an issue...
Is there a command line syntax to run to see if I get a positive password return?
Regards
Steven
Steven Jones wrote:
Is there a command line syntax to run to see if I get a positive password return?
ldapsearch -x -b dc=vuw,dc=ac,dc=nz
Will see if dc=vuw,dc=ac,dc=nz exists and if there is any data there. I'm not sure what you mean by "positive password return".
Regards
Steven
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
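Rich's reading of err=32 above (the search base in the posted log, ou=Group,dc=cognifide,dc=pl, is not under the suffix dc=vuw,dc=ac,dc=nz at all) can be turned into a small check against the Fedora DS access log. The following Python is an added example, not code from the thread or from Fedora DS: it pairs each SRCH with its RESULT by conn/op, keeps the ones that ended in err=32, and reports whether the base even lies under the configured suffix, which separates "the client points at a different directory" from "the OU is spelled differently from what the directory has" (the same suffix mismatch Rich comes back to later in the thread when the bind succeeds but ssh still fails). The conn=200 log lines are the ones Steven posted (the cut-off first SRCH line is left out); the conn=201 lines and the SUFFIX constant are constructed for the example.

```python
import re

# Suffix the client is supposed to search under (the value Rich quotes from
# Steven's client config above).
SUFFIX = "dc=vuw,dc=ac,dc=nz"

# Constructed sample of a Fedora DS access log.  conn=200 is what Steven
# posted (the first SRCH line of that connection was cut off in the mail and is
# omitted; the duplicated RESULT line is kept as it appeared).  conn=201 is made
# up for this example: an err=32 whose base is inside the suffix, then a search
# that succeeds.
SAMPLE_LOG = """\
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH base="ou=Group,dc=cognifide,dc=pl" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=-1 fd=67 closed error 104 (Connection reset by peer) - TCP connection reset by peer.
[11/Sep/2007:10:05:00 +1200] conn=201 op=1 SRCH base="ou=Users,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:10:05:00 +1200] conn=201 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:05:00 +1200] conn=201 op=2 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:10:05:00 +1200] conn=201 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)')


def normalize_dn(dn):
    """Lower-case a DN and drop spaces after commas, so that
    'ou=People, dc=vuw,dc=ac,dc=nz' and 'ou=people,dc=vuw,dc=ac,dc=nz' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def under_suffix(base, suffix):
    """True if base is the suffix itself or an entry somewhere below it."""
    b, s = normalize_dn(base), normalize_dn(suffix)
    return b == s or b.endswith("," + s)


def failed_searches(log_text, suffix=SUFFIX):
    """Pair each SRCH with its RESULT (keyed by conn/op) and return the searches
    that ended in err=32 (noSuchObject), noting whether the base is under suffix."""
    pending = {}   # (conn, op) -> (base, filter) for searches awaiting their RESULT
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, flt = m.groups()
            pending[(conn, op)] = (base, flt)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue            # connection open/close lines, binds, etc.
        conn, op, err, _nentries = m.groups()
        if (conn, op) not in pending:
            continue            # RESULT of a non-search op, or a duplicated RESULT line
        base, flt = pending.pop((conn, op))
        if int(err) == 32:
            findings.append({"conn": int(conn), "op": int(op), "base": base,
                             "filter": flt, "under_suffix": under_suffix(base, suffix)})
    return findings


def explain(finding, suffix=SUFFIX):
    """One-line diagnosis of a single err=32 finding."""
    where = f'conn={finding["conn"]} op={finding["op"]} base="{finding["base"]}"'
    if finding["under_suffix"]:
        return f"{where}: no such entry under {suffix}; the OU name on the client does not match the directory"
    return f"{where}: outside suffix {suffix}; the client is pointed at a different directory tree"


if __name__ == "__main__":
    for finding in failed_searches(SAMPLE_LOG):
        print(explain(finding))
```

Run against a real access log (Fedora DS writes it under the instance's logs directory) by reading the file into failed_searches; the conn/op pairing matters because the SRCH and its RESULT are separate lines and a busy server interleaves connections.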
Yes I have run this before, vuw exists (see below),
By password return I assume the client is querying LDAP to ask if the user jonesst1 exists and either sends the hash of the password I used to try and login or asks for the hash to do a comparison; if it matches, a login is allowed....
I assume pam.d on the client is doing the hash comparison, so if the hash method on the client is different to FDS it's not going to get anywhere.
Querying via the FDS gui shows the user so it is in the database somewhere....
So the possible errors are wrong hash or looking in the wrong place, or some other error.
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
8><-----
[root@vuwunicvfwall02 openldap]# more output
# extended LDIF
#
# LDAPv3
# base <dc=vuw,dc=ac,dc=nz> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# vuw.ac.nz
dn: dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: domain
dc: vuw

# Directory Administrators, vuw.ac.nz
dn: cn=Directory Administrators, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators

# Groups, vuw.ac.nz
dn: ou=Groups, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, vuw.ac.nz
dn: ou=Special Users,dc=vuw,dc=ac,dc=nz
objectClass: top
8><------
# PD Managers, groups, vuw.ac.nz
dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
==================
Steven Jones wrote:
Yes I have run this before, vuw exists (see below),
By password return I assume the client is querying LDAP to ask if the user jonesst1 exists and either sends the hash of the password I used to try and login or asks for the hash to do a comparison; if it matches, a login is allowed....
I hope not. It really should do an LDAP BIND operation, which means it sends the clear text password to the server in the BIND request (for simple username/password auth).
So, try
ldapsearch -x -D "uid=someuser,ou=People,dc=vuw,dc=ac,dc=nz" -w thepasssword -s base -b ""
That will test to see if that user exists and that the password is correct.
I assume pam.d on the client is doing the hash comparison, so if the hash method on the client is different to FDS it's not going to get anywhere.
Querying via the FDS gui shows the user so it is in the database somewhere....
So the possible errors are wrong hash or looking in the wrong place, or some other error.
looking in the wrong place would be my guess, based on the err=32 in the previous logs you posted.
There you go,
Looks like it is not in the right place in FDS....or it is but LDAP is looking in the wrong place...
[root@vuwunicvfwall02 openldap]# ldapsearch -x -D "uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" -w xxxxx -s base -b ""
ldap_bind: No such object (32)
        matched DN: ou=people,dc=vuw,dc=ac,dc=nz
[root@vuwunicvfwall02 openldap]# ldapsearch -x -D "uid=jonesst1,dc=vuw,dc=ac,dc=nz" -w xxxxx -s base -b ""
ldap_bind: No such object (32)
        matched DN: dc=vuw,dc=ac,dc=nz
ho hum....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson Sent: Tuesday, 11 September 2007 11:59 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail
I am getting things like this, but I did not enter them, so these are some sort of defaults?
8><--------
# PD Managers, groups, vuw.ac.nz
dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
8><--------
Yet I cannot find them under the FDS gui....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Steven Jones Sent: Tuesday, 11 September 2007 12:41 p.m. To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] ssh login fail
Steven Jones wrote:
I am getting things like this, but I did not enter them, so these are some sort of defaults?
Yes. By default, Fedora DS setup will create some organizational entries for you. If you do not want to do this, you can run setup in Custom mode and tell it to not add these entries.
8><--------
# PD Managers, groups, vuw.ac.nz
dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
8><--------
Yet I cannot find them under the FDS gui....
Try changing your identity in the console to cn=Directory Manager. Under the File menu, select the option to login as another user. Or use the Tasks tab - there is a button there to do the same thing.
Thanks, Comments as below....
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson Sent: Wednesday, 12 September 2007 1:22 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail
Steven Jones wrote:
I am getting things like this, but I did not enter them, so these are some sort of defaults?
Yes. By default, Fedora DS setup will create some organizational entries for you. If you do not want to do this, you can run setup in Custom mode and tell it to not add these entries.
So, "typical" can actually be a bad setting to choose...possibly a simple explanation inside the setup script (unless it's there and I missed it).
Think I will spend the day writing up my own notes...the RDS and FDS manuals obviously don't come down to my level.
;]
8><--------
# PD Managers, groups, vuw.ac.nz
dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
8><--------
Yet I cannot find them under the FDS gui....
Try changing your identity in the console to cn=Directory Manager. Under the File menu, select the option to login as another user. Or use
the Tasks tab - there is a button there to do the same thing.
Yes, I had the user in the wrong place because of this. When I deleted the user and re-created "people" with the "user" as a member and fixed the posix issue it worked.
Thanks for your efforts....I was going to give up today and go back to open-ldap...
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Steven Jones wrote:
Thanks, Comments as below....
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson Sent: Wednesday, 12 September 2007 1:22 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail
Steven Jones wrote:
I am getting things like this, but I did not enter them, so these are some sort of defaults?
Yes. By default, Fedora DS setup will create some organizational entries for you. If you do not want to do this, you can run setup in Custom mode and tell it to not add these entries.
So, "typical" can actually be a bad setting to choose...
Rarely, and only for advanced users.
possibly a simple explanation inside the setup script (unless it's there and I missed it).
Typical is the default because it is the most useful, and most people usually want the default entries like ou=People.
Think I will spend the day writing up my own notes...the RDS and FDS manuals obviously don't come down to my level.
Please consider contributing them to the Fedora DS wiki.
RE: FDS Wiki ~ I write stuff on my web site so I can refer to my notes from anywhere...I have no issue on doing/posting a FDS wiki page....once I have a set of notes I am happy with, I will get back to you....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson Sent: Wednesday, 12 September 2007 9:37 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail
ldapsearch -x -b "dc=vuw,dc=ac,dc=nz" |more
shows,
# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People
8><------
# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jones
cn: steven jones

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
And this shows,
[root@vuwunicvfwall02 openldap]# ldapsearch -x -b "ou=People,dc=vuw,dc=ac,dc=nz"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vuw,dc=ac,dc=nz> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jones
cn: steven jones

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
=====================
So let's try the password check,
[root@vuwunicvfwall02 openldap]# ldapsearch -x -D "uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" -w xxxxxx -s base -b ""
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
namingContexts: dc=vuw,dc=ac,dc=nz
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
supportedControl: 2.16.840.1.113730.3.4.4
supportedControl: 2.16.840.1.113730.3.4.5
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.16
supportedControl: 2.16.840.1.113730.3.4.15
supportedControl: 2.16.840.1.113730.3.4.17
supportedControl: 2.16.840.1.113730.3.4.19
supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1
supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2
supportedControl: 2.16.840.1.113730.3.4.14
supportedControl: 2.16.840.1.113730.3.4.20
supportedControl: 1.3.6.1.4.1.1466.29539.12
supportedControl: 2.16.840.1.113730.3.4.13
supportedControl: 2.16.840.1.113730.3.4.12
supportedControl: 2.16.840.1.113730.3.4.18
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS
supportedLDAPVersion: 2
supportedLDAPVersion: 3
vendorName: Fedora Project
vendorVersion: Fedora-Directory/1.0.4 B2006.312.435
dataversion: 020070910011125020070910011125
netscapemdsuffix: cn=ldap://dc=vuwunicvfdsm001,dc=vuw,dc=ac,dc=nz:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@vuwunicvfwall02 openldap]#
=======================================================
Is this the expected output from a successful password check?
However,
Still no ssh or login...
and,
Regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
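The bind test in Steven's message above succeeds (the server answers with its root DSE), which proves the DN and the password are right, yet ssh still fails. The access log posted earlier shows why that is not a contradiction: nss_ldap resolves the account with the filter (&(objectClass=posixAccount)(uid=...)), and the uid=jonesst1 entry shown here carries only person, organizationalPerson and inetorgperson, so that filter matches nothing even though the bind works. This is consistent with the "posix issue" Steven says he fixed in his thank-you message. The Python below is an added example, not code from the thread or from Fedora DS: a minimal LDIF reader plus a check of each user entry against what the posixAccount object class (RFC 2307) requires. The ou=People and uid=jonesst1 entries are the ones from the mail; the uid=example entry is constructed to show a complete account.

```python
import base64

# Attributes the posixAccount object class (RFC 2307) requires beyond uid and cn.
POSIX_REQUIRED = ("uidNumber", "gidNumber", "homeDirectory")

# Constructed LDIF: the ou=People and uid=jonesst1 entries are as shown in the
# mail; uid=example is made up here to show what nss_ldap needs to find.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=vuw,dc=ac,dc=nz> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jones
cn: steven jones

# example, People, vuw.ac.nz (constructed, not from the thread)
dn: uid=example,ou=People, dc=vuw,dc=ac,dc=nz
uid: example
cn: Example User
sn: User
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/example
loginShell: /bin/bash

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Minimal LDIF reader: a list of {'dn': str, 'attrs': {name_lower: [values]}}.
    Handles comments, folded continuation lines and base64 ('::') values; the
    trailing 'search:'/'result:' lines ldapsearch prints are outside any entry
    and are ignored."""
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends the entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith(" "):              # folded continuation of the previous value
            if current is not None and last_attr is not None:
                current["attrs"][last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr == "dn":
            current, last_attr = {"dn": value, "attrs": {}}, None
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
            last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def posix_gaps(entry):
    """What an entry lacks for nss_ldap's (&(objectClass=posixAccount)(uid=X)) lookup."""
    attrs = entry["attrs"]
    gaps = []
    if "posixaccount" not in {c.lower() for c in attrs.get("objectclass", [])}:
        gaps.append("objectClass: posixAccount")
    gaps.extend(a for a in POSIX_REQUIRED if a.lower() not in attrs)
    return gaps


def audit_people(ldif_text):
    """Map each uid in the LDIF to the list of things it is missing (empty = resolvable)."""
    return {e["attrs"]["uid"][0]: posix_gaps(e)
            for e in parse_ldif(ldif_text) if "uid" in e["attrs"]}


if __name__ == "__main__":
    for uid, gaps in audit_people(SAMPLE_LDIF).items():
        print(uid, "OK" if not gaps else "missing " + ", ".join(gaps))
```

Feed it the output of the same ldapsearch over ou=People and any uid that comes back with gaps will authenticate at the LDAP layer but never resolve to a POSIX account on the client, which is exactly the "bind works, login does not" symptom. The group side is the same story with posixGroup and memberUid, as the second search in the posted log shows.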
Steven Jones wrote:
Is this the expected output from a successful password check?
Yes. You can also use the ldapwhoami command.
However,
Still no ssh or login...
In your nss configuration, you were using a different suffix than dc=vuw,dc=ac,dc=nz. Did you change that?
I don't know much about pam or nss configuration. I am trying to verify that Fedora DS is behaving correctly.
and,
Regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson Sent: Tuesday, 11 September 2007 11:59 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] ssh login fail
Steven Jones wrote:
Yes I have run this before, vuw exists (see below),
By password return I assume the client is querying LDAP to ask if the user jonesst1 exists and either sends the hash of the password I used to try and login or asks for the hash to do a comparison if it matches a login is allowed....
I hope not. It really should do an LDAP BIND operation, which means it sends the clear text password to the server in the BIND request (for simple username/password auth).
So, try ldapsearch -x -D "uid=someuser,ou=People,dc=vuw,dc=ac,dc=nz" -w thepasssword -s base -b "" That will test to see if that user exists and that the password is correct.
I assume pam.d on the client is doing the hash comparison, so if the hash method on the client is different to FDS its not going to get anywhere.
Querying via the FDS gui shows the user so it is in the database somewhere....
So the possible errors are wrong hash or looking in the wrong place, or some other error.
looking in the wrong place would be my guess, based on the err=32 in the previous logs you posted.
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
8><-----
[root@vuwunicvfwall02 openldap]# more output
# extended LDIF
#
# LDAPv3
# base <dc=vuw,dc=ac,dc=nz> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# vuw.ac.nz
dn: dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: domain
dc: vuw

# Directory Administrators, vuw.ac.nz
dn: cn=Directory Administrators, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators

# Groups, vuw.ac.nz
dn: ou=Groups, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People

# Special Users, vuw.ac.nz
dn: ou=Special Users,dc=vuw,dc=ac,dc=nz
objectClass: top
8><------
# PD Managers, groups, vuw.ac.nz
dn: cn=PD Managers,ou=groups,dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
==================
==================
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
On Tue, 2007-09-11 at 14:44 +1200, Steven Jones wrote:
ldapsearch -x -b "dc=vuw,dc=ac,dc=nz" |more
shows,
# People, vuw.ac.nz
dn: ou=People, dc=vuw,dc=ac,dc=nz
objectClass: top
objectClass: organizationalunit
ou: People
8><------
# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People, dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jones
cn: steven jones
Your account does not have any posixAccount attributes defined.
-Steve
B*gger me....
# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1, ou=People, dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
sn: jones
cn: steven jones
uidNumber: 500
gidNumber: 500
homeDirectory: /home/jonesst1
loginShell: /bin/bash
I must have had multiple issues and initially I created accounts with a posix user but later as I had re-done fully it sooo many times, I stopped bothering....not realising it could have been an issue.
SO I just setup the posix account settings (as shown above) and ssh login now works....
****slaps self repeatedly*****
So under the ssh howtos there needs to be at least some pre-requisites, i.e. full posix setup....
Thanks....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Steve Rigler Sent: Wednesday, 12 September 2007 1:44 a.m. To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] ssh login fail
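The missing posixAccount attributes above are easy to catch from ldapsearch output before touching pam or nss at all. The following is an added example, not code from the thread or from Fedora DS: it parses LDIF as ldapsearch prints it and reports, per user entry, which posixAccount pieces an nss_ldap lookup would fail to find. The sample LDIF is constructed from the two versions of the jonesst1 entry shown in the thread plus a placeholder second user.

```python
"""Check ldapsearch LDIF output for the posixAccount data an nss_ldap client needs.

Added example, not code from the thread. SAMPLE_LDIF is constructed from the
broken and fixed jonesst1 entries discussed above; example2 is a placeholder.
"""
import base64
import sys

# Attributes nss_ldap resolves for getpwnam(); without them sshd never sees the user.
REQUIRED_POSIX = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")

SAMPLE_LDIF = """\
# extended LDIF
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
uid: jonesst1
givenName: steven
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: jones
cn: steven jones

# example2, People, vuw.ac.nz (constructed placeholder entry)
dn: uid=example2,ou=People,dc=vuw,dc=ac,dc=nz
uid: example2
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
sn: user
cn: example user
uidNumber: 501
gidNumber: 501
homeDirectory: /home/example2
loginShell: /bin/bash

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into a list of {attr.lower(): [values]} dicts.

    Handles '#' comments, blank-line record separators, folded continuation
    lines (leading space) and base64 values ('attr:: ...'). Only records with
    a dn are returned, which drops the trailing search/result lines.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        idx = line.find(":")
        if idx < 0:
            continue
        name = line[:idx].strip().lower()
        if line[idx + 1:idx + 2] == ":":
            value = base64.b64decode(line[idx + 2:].strip()).decode("utf-8")
        else:
            value = line[idx + 1:].strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def missing_posix_attrs(entry):
    """List what a posixAccount lookup would not find on this entry."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    missing = []
    if "posixaccount" not in classes:
        missing.append("objectClass: posixAccount")
    missing.extend(a for a in REQUIRED_POSIX if a.lower() not in entry)
    return missing


def check_user_entries(text):
    """Map each user dn (records carrying a uid) to its list of missing pieces."""
    return {e["dn"][0]: missing_posix_attrs(e)
            for e in parse_ldif(text) if "uid" in e}


if __name__ == "__main__":
    # Real use: ldapsearch -x -b "dc=vuw,dc=ac,dc=nz" "(uid=*)" | python3 check_posix.py -
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_LDIF
    for dn, missing in check_user_entries(text).items():
        print(f"{dn}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```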
On Wed, 2007-09-12 at 10:07 +1200, Steven Jones wrote:
I must have had multiple issues and initially I created accounts with a posix user but later as I had re-done fully it sooo many times, I stopped bothering....not realising it could have been an issue.
SO I just setup the posix account settings (as shown above) and ssh login now works....
****slaps self repeatedly*****
So under the ssh howtos there needs to be at least some pre-requisites, i.e. full posix setup....
I wouldn't consider this a "ssh setup" issue. You'd probably find plenty of helpful info googling for LDAP NIS replacement. This would translate into a setup that would work for ssh.
-Steve
Thanks, like a dictionary, google only returns useful stuff if you know what to look for...a bit catch 22.
Some of the docs I did read only covered ssh, and while yes it is probably a wider issue, leaving this point out of an ssh setup page is an issue...
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Steve Rigler Sent: Thursday, 13 September 2007 12:17 a.m. To: General discussion list for the Fedora Directory server project. Subject: RE: [Fedora-directory-users] ssh login fail
While setting up a second AS4 client I ran authconfig-gtk and started to compare the before and after ldap.conf files, only to find I could not see any differences, doing a diff proved it. I even > ldap.conf the file to zero it and authconfig-gtk did not write a thing....
So I ran authconfig instead and this correctly edited the ldap.conf and ssh worked straight off (after a sshd re-start)....
So anyone out there trying to setup a client using authconfig-gtk should probably try/stick to authconfig instead.
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Anybody got some good URLs or docs?
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
While following the RDS manual to make a self cert, the last command is to convert the certification database,
8><-----
9. Run pk12util to convert the certificate database to pkcs12 format, so it is accessible by the Directory Server:
/serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert
It then asks me for,
"Enter Password or Pin for "NSS Certificate DB":"
Which I have no idea about....the password I have been using does not work so I have no idea what this password is!
So where would I find it/set it, or am I using the wrong manual and if so what is the correct one?
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Since it appears the LDAP server was stuffed, I re-installed it and again followed the instructions, now I find that in attempting to re-start the server it will not....so I have had to re-install again.
So this particular set of instructions,
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
breaks the setup....
So is there a set of instructions to setup a self certified SSL server?
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Steven Jones Sent: Thursday, 13 September 2007 3:01 p.m. To: General discussion list for the Fedora Directory server project. Subject: [Fedora-directory-users] Setting a self ssl certificate
Steven Jones wrote:
Since it appears the LDAP server was stuffed, I re-installed it and again followed the instructions, now I find that in attempting to re-start the server it will not....so I have had to re-install again.
So this particular set of instructions,
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
breaks the setup....
So is there a set of instructions to setup a self certified SSL server?
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Try using TinyCA2 or Webmin Certificate module to generate SSL certs...
Steven Jones wrote:
Since it appears the LDAP server was stuffed,
How so?
I re-installed it and again followed the instructions, now I find that in attempting to re-start the server it will not....
Any errors?
so I have had to re-install again.
So this particular set of instructions,
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
breaks the setup....
How so? Did you see this - http://directory.fedoraproject.org/wiki/Howto:SSL
The ssl.html above should mostly work, except for the NOTE under the link to ssl.html at http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
So is there a set of instructions to setup a self certified SSL server?
If http://directory.fedoraproject.org/wiki/Howto:SSL doesn't work for you, try http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html which is also listed on the Howto:SSL page.
Steven Jones wrote:
Since it appears the LDAP server was stuffed,
How so?
Won't start, cannot access.
I re-installed it and again followed the instructions, now I find that in attempting to re-start the server it will not....
Any errors?
I never looked for logs, simply re-installed FDS, I'm getting good at it.
so I have had to re-install again.
So this particular set of instructions,
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
breaks the setup....
How so?
Following the RH page seemed to trash the setup so a start/restart failed. Also trying to login to the admin server failed...I suspect replacing the two keys under alias/ broke "something".
Did you see this -
http://directory.fedoraproject.org/wiki/Howto:SSL
I found it last night while googling from home after work, will work through it this morning.
The ssl.html above should mostly work, except for the NOTE under the link to ssl.html at http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
So is there a set of instructions to setup a self certified SSL server?
If http://directory.fedoraproject.org/wiki/Howto:SSL doesn't work for you, try http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html which is also listed on the Howto:SSL page.
Ditto, I found that as well.
Regards
Steven
I have written the below, if it is helpful/correct by all means place it on FDS wiki.
Debian client setup
Important notes
There would seem to be at least 2 places (if not three) containing information for ldap. In order to make Debian 4 work I have deleted 2 and symlinked. It is possible on patching Debian that these files may be restored and LDAP authentication will no longer work.
There may well be an official method to setup Debian but I have not been able to locate one via Google.
Ldap client setup (command line method)
Move to the ldap directory and backup the ldap.conf file.
cd /etc/ldap/ ; cp ldap.conf orig-ldap.conf
add/edit /etc/ldap/ldap.conf,
===========
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host xxxx.195.87.249
base dc=xxxx,dc=ac,dc=nz
ssl no
TLS_CACERTDIR /etc/openldap/cacerts
pam_password exop
#pam_password md5
HOST xxx.195.87.249
BASE dc=xxxx,dc=ac,dc=nz
===========
cd /etc/ and back up pam_ldap.conf
cp /etc/pam_ldap.conf /etc/orig-pam_ldap.conf
and delete this file and link it to /etc/ldap/ldap.conf
ln -s /etc/ldap/ldap.conf /etc/pam_ldap.conf
cd /usr/share/libpam-ldap/ ; mv ldap.conf orig-ldap.conf
ln -s /etc/ldap/ldap.conf /usr/share/libpam-ldap/ldap.conf
At this point the ldapsearch tool and pam should be querying the LDAP server and this will show up in the access log.
ssh
We will start with using ssh via LDAP,
cd /etc/ssh and more sshd_config and make sure, "UsePAM yes" is present, if not add it (should be there by default).
cd /etc/pam.d/ to set up the ssh file for pam. Add in these lines at the beginning of the file,
#allow ldap
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
session sufficient pam_ldap.so
password sufficient pam_ldap.so
restart ssh with /etc/init.d/ssh restart
ssh logins should now work OK.
regards
Steven
Steven Jones wrote:
Steven Jones wrote:
Since it appears the LDAP server was stuffed,
How so?
Wont start, cannot access.
No errors? Just nothing?
I re-installed it and again followed the instructions, now I find that in attempting to re-start the server it will not....
Any errors?
I never looked for logs, simply re-installed FDS, I'm getting good at it.
It should almost never be necessary to reinstall from scratch. However, that may be the most expeditious route for you.
so I have had to re-install again.
So this particular set of instructions,
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
breaks the setup....
How so?
Following the RH page seemed to trash the setup so a start/restart failed.
If the server fails to start, it will almost always print something to the errors log file, and that will usually give a pretty good clue about why the server failed to start. Posting those log messages to this forum can be very helpful to diagnose problems. If the log excerpts are too long, paste them to pastebin.com and paste the link here.
Also trying to login to the admin server failed...I suspect replacing the two keys under alias/ broke "something".
Did you see this -
http://directory.fedoraproject.org/wiki/Howto:SSL
I found it last night while googl'ing from home after work, will work through it this morning.
The ssl.html above should mostly work, except for the NOTE under the link to ssl.html at http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
So is there a set of instructions to setup a self certified SSL server?
If http://directory.fedoraproject.org/wiki/Howto:SSL doesn't work for you, try http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html which is also listed on the Howto:SSL page.
Ditto, I found that as well.
Regards
Steven
Errors while following,
http://directory.fedoraproject.org/wiki/Howto:SSL
# ../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
Generating key. This may take a few moments...
certutil-bin: could not obtain certificate from file: DER-encoded message contained extra unused data.
Does this mean anything?
Followed by this error,
[root@vuwunicvfdsm001 alias]# ../shared/bin/certutil -S -n "Server-Cert" -s "cn=vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
Generating key. This may take a few moments...
certutil-bin: could not find certificate named "CA certificate": security library: bad database.
certutil-bin: unable to create cert (security library: bad database.)
[root@vuwunicvfdsm001 alias]#
Does this mean anything?
The contents of alias/ are,
[root@vuwunicvfdsm001 alias]# ls -l
total 608
-rw------- 1 nobody nobody  65536 Sep 14 09:27 admin-serv-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 09:27 admin-serv-vuwunicvfdsm001-key3.db
-rw------- 1 root   root    65536 Sep 14 09:46 cert8.db
-rw------- 1 root   root    16384 Sep 14 09:46 key3.db
-rwxr-xr-x 1 nobody nobody 239744 Nov  8  2006 libnssckbi.so
-rw-r--r-- 1 nobody nobody     62 Sep 14 09:44 noise.txt
-rw------- 1 nobody nobody  65536 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody      9 Sep 13 15:43 pwdfile.txt
-rw------- 1 nobody nobody  16384 Sep 13 15:33 secmod.db
-rw------- 1 nobody nobody  65536 Sep 13 15:33 slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 09:29 slapd-vuwunicvfdsm001-key3.db
-rw-r----- 1 nobody nobody    416 Sep 14 09:27 tempcert
-rw-r----- 1 nobody nobody    345 Sep 14 09:27 tempcertreq
It is possible that since I generated some keys earlier there is some "residue" that needs removing?
Secmod.db? Tempcert? Tempcertreq?
Regards
Steven
The Fedora ssl document talks about replacing instruction 7. with its own, OK
But, do I then carry on following the RDS document? ie do 8. and 9. and if so is the syntax for 9. correct? Eg,
".....9. Run pk12util to convert the certificate database to pkcs12 format, so it is accessible by the Directory Server:
/serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert
......."
Or is this bit missing from the RDS howto command as well?
"-P slapd-serverID-"
Then do I follow on with the fedora doc?
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Attempting to run steps 9 and 10 I get failures,
[root@vuwunicvfdsm001 alias]# ../shared/bin/pk12util -d . -P slapd-serverID- -o cacert.pfx -n "CA certificate"
Enter Password or Pin for "NSS Certificate DB":
pk12util-bin: find user certs from nickname failed: security library: bad database.
[root@vuwunicvfdsm001 alias]# ../shared/bin/pk12util -d . -P slapd-serverID- -o servercert.pfx -n Server-Cert
Enter Password or Pin for "NSS Certificate DB":
pk12util-bin: find user certs from nickname failed: security library: bad database.
[root@vuwunicvfdsm001 alias]#
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Attempting to carry on I seem to have a terminal failure,
[root@vuwunicvfdsm001 alias]# ../shared/bin/certutil -L -d . -P slapd-serverID- -n "CA certificate" -a > cacert.asc
certutil-bin: Could not find: CA certificate : security library: bad database.
[root@vuwunicvfdsm001 alias]#
So what went wrong and how is it fixed?
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
[root@vuwunicvfdsm001 slapd-vuwunicvfdsm001]# ./start-slapd
Enter PIN for Internal (Software) Token:
After installing a ssl certificate I now need to enter a password every time I start it, how to negate this need?
[root@vuwunicvfdsm001 slapd-vuwunicvfdsm001]# ./start-slapd
Enter PIN for Internal (Software) Token:
[root@vuwunicvfdsm001 slapd-vuwunicvfdsm001]# cd ../
[root@vuwunicvfdsm001 fedora-ds]# ./startconsole -u admin -a http://vuwunicvfdsm001.vuw.ac.nz:54200/ &
[1] 3244
[root@vuwunicvfdsm001 fedora-ds]#
Regards
Steven
Steven Jones wrote:
[root@vuwunicvfdsm001 slapd-vuwunicvfdsm001]# ./start-slapd Enter PIN for Internal (Software) Token:
After installing a ssl certificate I now need to enter a password every time I start it, how to negate this need?
1) You can use modutil to remove the password for your key/cert database:
modutil -dbdir . -dbprefix slapd-serverID- -changepw 'NSS Certificate DB'
Then just hit Enter for the new password.
2) You can create a pin.txt file
cat > slapd-serverID-pin.txt
Internal (Software) Token:thepasswordforyourkeydb
^D
make sure the pin.txt file is owned by your server user (e.g. chown nobody:nobody) and is mode 0400
[root@vuwunicvfdsm001 slapd-vuwunicvfdsm001]# ./start-slapd
Enter PIN for Internal (Software) Token:
[root@vuwunicvfdsm001 slapd-vuwunicvfdsm001]# cd ../
[root@vuwunicvfdsm001 fedora-ds]# ./startconsole -u admin -a http://vuwunicvfdsm001.vuw.ac.nz:54200/ &
[1] 3244
[root@vuwunicvfdsm001 fedora-ds]#
Regards
Steven
Steven Jones wrote:
Attempting to carry on I seem to have a terminal failure,
[root@vuwunicvfdsm001 alias]# ../shared/bin/certutil -L -d . -P slapd-serverID- -n "CA certificate" -a > cacert.asc
certutil-bin: Could not find: CA certificate : security library: bad database.
[root@vuwunicvfdsm001 alias]#
So what went wrong and how is it fixed?
It looks like step 6 failed, so you have no CA certificate.
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Steven Jones wrote:
The Fedora ssl document talks about replacing instruction 7.
with its own, OK
But, do I then carry on following the RDS document? ie do 8. and 9. and if so is the syntax for 9. correct? Eg,
".....9. Run pk12util to convert the certificate database to pkcs12 format, so it is accessbile by the Directory Server:
/serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert
......."
Yes. This is correct. However, this step is not really necessary, it's only used in order to backup your newly generated private key material in a portable format. This step is not needed in order to activate SSL in the server.
The setupssl.sh script http://directory.fedoraproject.org/wiki/Howto:SSL#Script does this:
pk12util -d $secdir $prefixarg -o $secdir/adminserver.p12 -n server-cert -w $secdir/pwdfile.txt -k $secdir/pwdfile.txt
There are two passwords. -w is the password used to encrypt the key material in the pk12 file. -k is the password for your key database, from where the private key is extracted. So you could do something like this (assuming you created a file pwdfile.txt with your password):
pk12util -d . -o cert.pk12 -n Server-Cert -w pwdfile.txt -k pwdfile.txt
This also assumes you use the same password for your key database as to encrypt your pk12 file.
Or is this bit missing from the RDS howto command as well?
"-P slapd-serverID-"
Then do I follow on with the fedora doc?
You can use or omit the -P slapd-serverID-
step 8 does this:
mv key3.db slapd-server-key3.db
mv cert8.db slapd-server-cert8.db
ln -s slapd-server-key3.db key3.db
ln -s slapd-server-cert8.db cert8.db
So you have both cert8.db and slapd-server-cert8.db which refer to the same file. So you can specify -P or omit it, it should not matter.
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Steven Jones wrote:
Errors while following,
http://directory.fedoraproject.org/wiki/Howto:SSL
# ../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
Generating key. This may take a few moments...
certutil-bin: could not obtain certificate from file: DER-encoded message contained extra unused data.
I've never seen this error message before. I'm not sure what it means. Do you have a cert8.db and a key3.db in this directory? They should have been created by a previous step.
Does this mean anything?
Followed by this error,
[root@vuwunicvfdsm001 alias]# ../shared/bin/certutil -S -n "Server-Cert" -s "cn=vuw.ac.nz" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
Generating key. This may take a few moments...
certutil-bin: could not find certificate named "CA certificate": security library: bad database.
certutil-bin: unable to create cert (security library: bad database.)
[root@vuwunicvfdsm001 alias]#
Does this mean anything?
It means the previous step failed, and you cannot continue until it is resolved.
The contents of alias/ are,
[root@vuwunicvfdsm001 alias]# ls -l
total 608
-rw------- 1 nobody nobody  65536 Sep 14 09:27 admin-serv-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 09:27 admin-serv-vuwunicvfdsm001-key3.db
-rw------- 1 root   root    65536 Sep 14 09:46 cert8.db
-rw------- 1 root   root    16384 Sep 14 09:46 key3.db
-rwxr-xr-x 1 nobody nobody 239744 Nov  8  2006 libnssckbi.so
-rw-r--r-- 1 nobody nobody     62 Sep 14 09:44 noise.txt
-rw------- 1 nobody nobody  65536 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody      9 Sep 13 15:43 pwdfile.txt
-rw------- 1 nobody nobody  16384 Sep 13 15:33 secmod.db
-rw------- 1 nobody nobody  65536 Sep 13 15:33 slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody  16384 Sep 14 09:29 slapd-vuwunicvfdsm001-key3.db
-rw-r----- 1 nobody nobody    416 Sep 14 09:27 tempcert
-rw-r----- 1 nobody nobody    345 Sep 14 09:27 tempcertreq
It is possible that since I generated some keys earlier there is some "residue" that needs removing?
That's possible. Did you already have a CA certificate?
Secmod.db?
Generated automatically by NSS if it doesn't exist.
Tempcert? Tempcertreq?
Not sure what these are.
Regards
Steven
I deleted the previous files and re-started, looks like the previous attempts had indeed left files to cause issues.
8><----
That's possible. Did you already have a CA certificate?
Secmod.db?
Generated automatically by NSS if it doesn't exist.
Tempcert? Tempcertreq?
Regards
Steven
While testing a RHAS4 client the logs seems to indicate ssl is working as I get startTLS in the access log.
When I do a ssh connection though I do not see startTLS in the access log, so is this actually working correctly?
ldapsearch -x -ZZ '(uid=jonesst1)'
Output on the client will typically be,
================
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
==========
Cannot see startTLS in this part though when ssh'ing in,
==========
[14/Sep/2007:13:10:26 +1200] conn=44 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:13:10:26 +1200] conn=44 op=0 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=44 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:13:10:26 +1200] conn=44 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:13:10:26 +1200] conn=44 op=2 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=44 op=3 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[14/Sep/2007:13:10:26 +1200] conn=44 op=4 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=45 fd=68 slot=68 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:13:10:26 +1200] conn=45 op=0 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=45 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=45 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[14/Sep/2007:13:10:26 +1200] conn=45 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:13:10:26 +1200] conn=45 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=jonesst1)(uniqueMember=uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz)))" attrs="gidNumber"
[14/Sep/2007:13:10:26 +1200] conn=45 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2007:13:10:26 +1200] conn=44 op=5 UNBIND
[14/Sep/2007:13:10:26 +1200] conn=44 op=5 fd=67 closed - U1
==========
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
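What the ssh login above shows in the access log is a simple BIND with a real DN on conn=44 that was never preceded by a startTLS extended operation, so pam_ldap sent the password in the clear. The following is an added example (not code from Fedora DS or from anyone on this list) that reads an access log in this format and flags exactly that case; the sample lines are condensed from the excerpts quoted in the thread plus two constructed connections (conn=39 going on to bind after startTLS, and conn=50 on the LDAPS port, which I assume Fedora DS logs as "SSL connection from").

```python
# Flag LDAP simple binds whose password crossed the wire unprotected, from a
# Fedora/389 Directory Server access log.  Added example for this thread, not
# code from Fedora DS or anyone on the list.  The sample lines are condensed
# from the excerpts quoted in the thread plus two constructed connections.
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
# Connection open: the LDAPS port is logged as "SSL connection from" (assumption
# about Fedora DS's format; the thread only shows plain "connection from").
OPEN_RE = re.compile(r'^fd=\d+ slot=\d+ (?P<ssl>SSL )?connection from (?P<src>\S+) to ')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')
STARTTLS_OID = '1.3.6.1.4.1.1466.20037'   # StartTLS extended operation (RFC 4511)


@dataclass
class ConnState:
    src: str = '?'
    secured: bool = False              # LDAPS port, or StartTLS finished with err=0
    starttls_op: Optional[int] = None  # op number of an outstanding StartTLS request


@dataclass
class Finding:
    ts: str
    conn: int
    src: str
    dn: str


def audit_access_log(text):
    """Return one Finding per simple bind (method=128) with a non-empty DN that
    happened before the connection was protected by LDAPS or StartTLS."""
    conns, findings = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        state = conns.setdefault(int(m['conn']), ConnState())
        opened = OPEN_RE.match(m['rest'])
        if opened:
            state.src, state.secured = opened['src'], bool(opened['ssl'])
            continue
        op = OP_RE.match(m['rest'])
        if not op:
            continue                     # UNBIND/closed lines carry no op body we need
        opnum, body = int(op['op']), op['body']
        if body.startswith('EXT ') and STARTTLS_OID in body:
            state.starttls_op = opnum
            continue
        result = RESULT_RE.match(body)
        if result:
            if opnum == state.starttls_op:          # the StartTLS reply decides
                state.secured = result['err'] == '0'
                state.starttls_op = None
            continue
        bind = BIND_RE.match(body)
        if bind and bind['method'] == '128' and bind['dn'] and not state.secured:
            findings.append(Finding(m['ts'], int(m['conn']), state.src, bind['dn']))
    return findings


# Constructed sample: conn=39 and conn=44 are condensed from the thread, conn=50 is made up.
SAMPLE_LOG = """\
[14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from 130.195.87.235 to 130.195.87.249
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:13:08:09 +1200] conn=39 op=1 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:13:08:09 +1200] conn=39 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[14/Sep/2007:13:10:26 +1200] conn=44 fd=67 slot=67 connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:13:10:26 +1200] conn=44 op=0 BIND dn="" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2007:13:10:26 +1200] conn=44 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[14/Sep/2007:13:10:26 +1200] conn=44 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[14/Sep/2007:13:10:26 +1200] conn=44 op=3 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:13:10:26 +1200] conn=44 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[14/Sep/2007:13:10:26 +1200] conn=44 op=5 UNBIND
[14/Sep/2007:13:12:00 +1200] conn=50 fd=68 slot=68 SSL connection from 130.195.87.250 to 130.195.87.249
[14/Sep/2007:13:12:00 +1200] conn=50 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[14/Sep/2007:13:12:00 +1200] conn=50 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
"""

if __name__ == '__main__':
    for f in audit_access_log(SAMPLE_LOG):
        print(f'{f.ts} conn={f.conn} from {f.src}: cleartext simple bind as {f.dn}')
```

Only conn=44 is reported: conn=39 bound after a successful startTLS and conn=50 came in on the LDAPS port.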
Is this correct/expected?
vuwunicvdebian1:/etc/ldap# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
vuwunicvdebian1:/etc/ldap#
On the server I check the access log for "startTLS" and see it,
[14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from 130.195.87.235 to 130.195.87.249
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered end of file.
But the "Connect error (-11)" concerns me.
Regards
Steven
Steven Jones wrote:
Is this correct/expected?
vuwunicvdebian1:/etc/ldap# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
vuwunicvdebian1:/etc/ldap#
On the server I check the access log for "startTLS" and see it,
[14/Sep/2007:13:08:08 +1200] conn=39 fd=67 slot=67 connection from 130.195.87.235 to 130.195.87.249
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Sep/2007:13:08:08 +1200] conn=39 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[14/Sep/2007:13:08:08 +1200] conn=39 op=-1 fd=67 closed - Encountered end of file.
But the "Connect error (-11)" concerns me.
I think this can happen if the server cert does not have a subject DN that starts with cn=foo.example.com, where foo.example.com is the FQDN of the directory server machine. Or, the server cert has a subject DN like this: cn=foo.example.com,.... and the client either cannot resolve (via DNS or /etc/hosts or whatever it says in the /etc/nsswitch.conf file) foo.example.com, or the reverse DNS lookup on the server's IP address does not resolve to foo.example.com
Regards
Steven
I checked DNS and it was indeed broken, but I am connecting to the IP,
Fixing DNS still sees the same error on Debian.
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Steven Jones wrote:
I checked DNS and it was indeed broken, but I am connecting to the IP,
Fixing DNS still sees the same error on Debian.
Try -d 1 or -v arguments to ldapsearch
This looks broken?,
8><------
TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/').
TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
8><------
I tried cp'ing the file on the fds server,
cp /opt/fedora-ds/alias/cacert.asc cacert.asc
and changing the debian's client ldap.conf to,
#TLS_CACERTDIR /etc/openldap/cacerts/
TLS_CACERT /etc/openldap/cacerts/cacert.asc
But no joy....
========================
vuwunicvdebian1:/etc/ldap# ldapsearch -d 1 -x -ZZ '(uid=jonesst1)'
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 130.195.87.249:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 130.195.87.249:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x8057e30 msgid 1
ldap_chkResponseList ld 0x8057e30 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057e30 NULL
wait4msg ld 0x8057e30 msgid 1 (infinite timeout)
wait4msg continue ld 0x8057e30 msgid 1 all 1
** ld 0x8057e30 Connections:
* host: 130.195.87.249 port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Sep 14 14:32:25 2007

** ld 0x8057e30 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8057e30 Response Queue:
Empty
ldap_chkResponseList ld 0x8057e30 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057e30 NULL
ldap_int_select
read1msg: ld 0x8057e30 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 95 contents:
read1msg: ld 0x8057e30 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8057e30 0 new referrals
read1msg: mark request completed, ld 0x8057e30 msgid 1
request done: ld 0x8057e30 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/').
TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Is there a way to force clients to only connect via ssl?
regards
Steven
Steven Jones wrote:
Is there a way to force clients to only connect via ssl?
You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.
regards
Steven
8><----
Uh.....this means not a thing....where and how is it set?
On the server? Client? I.e. what and where is dse.ldif?
Steven Jones wrote: Is there a way to force clients to only connect via ssl?
You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.
8><----
regards
Steven
I seem unable to get this to work in anything but simple mode.....
Here is my ldap.conf for RHAS4,
URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
Trying "ssl on" breaks ssh
So has anyone got an example ldap.conf?
Since Debian also won't ssl, it is possible the server is the issue.....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Reading through the http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html document....
8><---------
3.3 Binding Linux/Unix Machines to LDAPs
First of all for your client LDAP machine to connect via LDAPs you need to have the Certificate Authority file installed on your client which was generated for the Directory Server to allow it to recognize that the SSL connection is valid.
8><---------
So I have all these choices....
[root@vuwunicvfdsm001 cacerts]# cd /opt/fedora-ds/alias
[root@vuwunicvfdsm001 alias]# ls -l
total 640
-rw-r--r-- 1 nobody nobody 193 Sep 14 11:31 addRSA.ldif
-rw------- 1 nobody nobody 16384 Sep 13 15:33 admin-serv-secmod.db
-rw------- 1 nobody nobody 65536 Sep 14 11:19 admin-serv-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody 16384 Sep 14 11:19 admin-serv-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody 619 Sep 14 11:13 cacert.asc
-rw------- 1 nobody nobody 1554 Sep 14 11:10 cacert.pfx
-rwxr-xr-x 1 nobody nobody 239744 Nov 8 2006 libnssckbi.so
-rw-r--r-- 1 nobody nobody 62 Sep 14 09:44 noise.txt
-rw------- 1 nobody nobody 65536 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody 16384 Sep 13 15:43 orig-slapd-vuwunicvfdsm001-key3.db
-rw-r--r-- 1 nobody nobody 9 Sep 13 15:43 pwdfile.txt
-rw------- 1 nobody nobody 16384 Sep 14 13:37 secmod.db
-rw------- 1 nobody nobody 2044 Sep 14 11:11 servercert.pfx
-rw------- 1 nobody nobody 65536 Sep 14 10:29 slapd-serverID-cert8.db
-rw------- 1 nobody nobody 16384 Sep 14 10:29 slapd-serverID-key3.db
-rw-r--r-- 1 nobody nobody 0 Sep 14 13:35 slapd-serverID-pin.txt
-rw------- 1 nobody nobody 65536 Sep 14 11:11 slapd-vuwunicvfdsm001-cert8.db
-rw------- 1 nobody nobody 16384 Sep 14 11:11 slapd-vuwunicvfdsm001-key3.db
-r-------- 1 nobody nobody 35 Sep 14 13:36 slapd-vuwunicvfdsm001-pin.txt
-rw-r--r-- 1 nobody nobody 693 Sep 14 11:23 ssl_enable.ldif
So is this the file I am meant to copy over?
-rw-r--r-- 1 root root 619 Sep 17 16:27 5be5959f.0
-rw-r--r-- 1 root root 619 Sep 17 16:27 cacert.asc
[root@vuwunicvfwall02 cacerts]# ldapsearch -x -ZZ '(uid=jonesst1)'
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root@vuwunicvfwall02 cacerts]# pwd
/etc/openldap/cacerts
[root@vuwunicvfwall02 cacerts]#
If so it is failing, but at least it appears it is consistent with the Debian client which also has a -11 error....at least I think so.....
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Steven Jones wrote:
8><----
Uh.....this means not a thing....where and how is it set?
On the server? Client? I.e. what and where is dse.ldif?
Sorry, I assumed a level of familiarity with the product that I should not have.
The file /opt/fedora-ds/slapd-instance/config/dse.ldif is the main server configuration file. This file is in LDIF format. The configuration is broken up into LDIF/LDAP entries. Each entry begins with a line like this:
dn: <entry DN>
Where <entry DN> is the distinguished name (DN) of the configuration entry. Each entry ends with a blank line (e.g. in perl this matches /^$/). The main configuration entry is cn=config - it begins in the file dse.ldif with the line
dn: cn=config
In this entry is an attribute named nsslapd-port which by default has a value of 389 e.g.
nsslapd-port: 389
Some default values are not written to dse.ldif. This one might not be, not sure.
If you set this value to 0, the server will not listen for non-secure connections. In order to change this value, you must first shutdown the server. Then, using a text editor, edit the file, and change 389 to 0. If the attribute is not present in the entry, add it as the last line in the entry - make sure there are no empty lines before this one, and make sure there is a single empty line after it, before the start of the next entry.
Finally, I'll note that in one of your previous configurations that you posted, you have set it to use start_tls. If you want to use LDAP startTLS, _you must use the non-secure LDAP port_. Which means you cannot set it to 0. Fedora DS currently has no way to force all connections to first use the startTLS command. So if you use startTLS, there is no way to force all connections to use TLS/SSL.
Steven Jones wrote: Is there a way to force clients to only connect via ssl?
You can set the nsslapd-port attribute in cn=config in dse.ldif to 0.
8><----
regards
Steven
Steven Jones wrote:
This looks broken?,
8><------
TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/').
TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
8><------
I tried cp'ing the file on the fds server,
cp /opt/fedora-ds/alias/cacert.asc cacert.asc
and changing the debian's client ldap.conf to,
#TLS_CACERTDIR /etc/openldap/cacerts/
TLS_CACERT /etc/openldap/cacerts/cacert.asc
But no joy....
========================
vuwunicvdebian1:/etc/ldap# ldapsearch -d 1 -x -ZZ '(uid=jonesst1)'
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 130.195.87.249:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 130.195.87.249:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x8057e30 msgid 1
ldap_chkResponseList ld 0x8057e30 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057e30 NULL
wait4msg ld 0x8057e30 msgid 1 (infinite timeout)
wait4msg continue ld 0x8057e30 msgid 1 all 1
** ld 0x8057e30 Connections:
* host: 130.195.87.249 port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Sep 14 14:32:25 2007

** ld 0x8057e30 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8057e30 Response Queue:
Empty
ldap_chkResponseList ld 0x8057e30 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057e30 NULL
ldap_int_select
read1msg: ld 0x8057e30 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 95 contents:
read1msg: ld 0x8057e30 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8057e30 0 new referrals
read1msg: mark request completed, ld 0x8057e30 msgid 1
request done: ld 0x8057e30 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: could not load client CA list (file:`',dir:`/etc/openldap/cacerts/').
TLS: error:0200A002:system library:opendir:No such file or directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib ssl_cert.c:818
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
I'm not sure. It says "No such file or directory" - permissions? http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
8><----
I'm not sure. It says "No such file or directory" - permissions? http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
8><----
I tried changing permissions,
[root@vuwunicvfdsm001 openldap]# ls -l
total 16
drwxrwxrwx 2 root root 4096 Sep 14 14:38 cacerts
-rw-r--r-- 1 root root 320 Aug 24 10:56 ldap.conf
[root@vuwunicvfdsm001 openldap]# ls -l cacerts/
total 8
-rw-r--r-- 1 nobody nobody 619 Sep 14 12:49 5be5959f.0
-rw-r--r-- 1 nobody nobody 619 Sep 14 14:38 cacert.asc
[root@vuwunicvfdsm001 openldap]#
no joy,
8><----
TLS: could not load verify locations (file:`/etc/openldap/cacerts/5be5959f.0',dir:`/etc/openldap/cacerts/').
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:122
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:125
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
Steven Jones wrote:
8><----
I'm not sure. It says "No such file or directory" - permissions? http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
8><----
I tried changing permissions,
[root@vuwunicvfdsm001 openldap]# ls -l
total 16
drwxrwxrwx 2 root root 4096 Sep 14 14:38 cacerts
-rw-r--r-- 1 root root 320 Aug 24 10:56 ldap.conf
[root@vuwunicvfdsm001 openldap]# ls -l cacerts/
total 8
-rw-r--r-- 1 nobody nobody 619 Sep 14 12:49 5be5959f.0
-rw-r--r-- 1 nobody nobody 619 Sep 14 14:38 cacert.asc
[root@vuwunicvfdsm001 openldap]#
no joy,
8><----
TLS: could not load verify locations (file:`/etc/openldap/cacerts/5be5959f.0',dir:`/etc/openldap/cacerts/').
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:122
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:125
TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib by_file.c:274
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.
I've had trouble getting TLS_CACERTDIR to work on some platforms. To be safe, I would use TLS_CACERT instead.
http://directory.fedoraproject.org/wiki/Howto:SSL#Configure_LDAP_clients
This is my pam_ldap.conf,
I seem unable to get ssl to work....what am I missing?
I also need to set ssl only so no plain text passwords are sent...
#file copied from openldap syntax might have issues but seems to work.
#but not in ssl mode
#
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
# this syntax does not work --> ssl on
ssl yes
ssl start_tls
pam_password exop
#pam_password md5
HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
#nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_CACERT /etc/openldap/cacerts/cacert.asc
#TLS_CACERT /etc/openldap/cacerts/5be5959f.0
TLS_REQCERT allow
#syntax not liked --> uri ldapi://130.195.87.249
URI ldap://ldap.vuw.ac.nz
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Steven Jones wrote:
This is my pam_ldap.conf,
I seem unable to get ssl to work....what am I missing?
I also need to set ssl only so no plain text passwords are sent...
#file copied from openldap syntax might have issues but seems to work.
#but not in ssl mode
#
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
# this syntax does not work --> ssl on
ssl yes
ssl start_tls
pam_password exop
#pam_password md5
HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
#nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_CACERT /etc/openldap/cacerts/cacert.asc
#TLS_CACERT /etc/openldap/cacerts/5be5959f.0
TLS_REQCERT allow
#syntax not liked --> uri ldapi://130.195.87.249
URI ldap://ldap.vuw.ac.nz
To rule out cert CA issues, set TLS_REQCERT to never.
I don't think you can specify both TLS_CACERTDIR and TLS_CACERT - or maybe you can, but I always have problems when trying to use TLS_CACERTDIR
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
My /etc/ldap.conf now looks like this,
# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/ca.crt
#TLS_REQCERT allow
TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls
When I do,
[root@vuwunicvfwall01 etc]# ldapsearch -x -ZZ '(uid=jonesst1)'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=jonesst1)
# requesting: ALL
#

# jonesst1, People, vuw.ac.nz
dn: uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz
givenName: Steven
sn: Jones
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: jonesst1
cn: Steven Jones
homeDirectory: /home/jonesst1

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@vuwunicvfwall01 etc]#
Log file shows,
[root@vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:05:46:37 +1200] conn=2326 fd=70 slot=70 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:46:37 +1200] conn=2326 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:46:37 +1200] conn=2326 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:05:46:37 +1200] conn=2326 SSL 256-bit AES
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 BIND dn="" method=128 version=3
[18/Sep/2007:05:46:37 +1200] conn=2326 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:05:46:37 +1200] conn=2326 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[18/Sep/2007:05:46:37 +1200] conn=2326 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2007:05:46:37 +1200] conn=2326 op=3 UNBIND
[18/Sep/2007:05:46:37 +1200] conn=2326 op=3 fd=70 closed - U1
However ssh no longer works.
The access log shows (it has "startTLS", which I guess is good),
[18/Sep/2007:05:49:27 +1200] conn=2327 op=-1 fd=70 closed - Encountered end of file.
[18/Sep/2007:05:49:52 +1200] conn=2328 fd=70 slot=70 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:49:52 +1200] conn=2328 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:49:52 +1200] conn=2328 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 fd=71 slot=71 connection from 127.0.0.1 to 127.0.0.1
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:00 +1200] conn=2329 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:05:50:00 +1200] conn=2329 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=root))" attrs=ALL
[18/Sep/2007:05:50:00 +1200] conn=2329 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 op=2 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[18/Sep/2007:05:50:00 +1200] conn=2329 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:00 +1200] conn=2329 op=-1 fd=71 closed - B1
[18/Sep/2007:05:50:01 +1200] conn=2330 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2330 op=-1 fd=71 closed - Encountered end of file.
[18/Sep/2007:05:50:01 +1200] conn=2331 fd=71 slot=71 connection from 130.195.87.246 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:05:50:01 +1200] conn=2331 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=root))" attrs=ALL
[18/Sep/2007:05:50:01 +1200] conn=2331 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 SRCH base="ou=Groups,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2331 op=-1 fd=71 closed - B1
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson Sent: Tuesday, 18 September 2007 2:01 a.m. To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Setting up a Debian client for ssl
Steven Jones wrote:
This is my pam_ldap.conf,
I seem unable to get ssl to work....what am I missing?
I also need to set ssl only so no plain text passwords are sent...
#file copied from openldap syntax might have issues but seems to work.
#but not in ssl mode
#
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
# this syntax does not work --> ssl on
ssl yes
ssl start_tls
pam_password exop
#pam_password md5
HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#nss_base_passwd ou=People,dc=vuw,dc=ac,dc=nz
#nss_base_shadow ou=People,dc=vuw,dc=ac,dc=nz
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_CACERT /etc/openldap/cacerts/cacert.asc
#TLS_CACERT /etc/openldap/cacerts/5be5959f.0
TLS_REQCERT allow
#syntax not liked --> uri ldapi://130.195.87.249
URI ldap://ldap.vuw.ac.nz
To rule out cert CA issues, set TLS_REQCERT to never.
I don't think you can specify both TLS_CACERTDIR and TLS_CACERT - or maybe you can, but I always have problems when trying to use TLS_CACERTDIR
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Hi,
Please ignore the previous post I will go shoot myself....
I was testing with two clients and had the ca.crt on one but was working on the other, so it is not surprising it did not work....
Doh.....
So once I scp'd over the file, both rhas4 clients work....
Doh.....
My final /etc/ldap.conf looks like this,
# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
#host 130.195.87.249
base dc=vuw,dc=ac,dc=nz
#ssl no
#ssl on
pam_password md5
#HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
#tls_cacertdir /etc/openldap/cacerts
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls
The access log shows this while doing a ssh into the (LDAP) client,
[root@vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:06:15:14 +1200] conn=2370 op=-1 fd=74 closed - B1
[18/Sep/2007:06:15:18 +1200] conn=2376 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:06:15:18 +1200] conn=2376 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:06:15:18 +1200] conn=2376 SSL 256-bit AES
8><---------
So this is now all correct?
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
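The working config above keeps TLS_REQCERT allow, and Richard's earlier suggestion of TLS_REQCERT never was a diagnostic step. In OpenLDAP's ldap.conf(5), never does not ask the server for a certificate at all, and allow accepts one that fails verification, so with either value the client still sends the bind password over a channel whose peer it has not verified; demand (the default when the directive is absent) is the value to end up with once the CA file is in place. The following audit is an added example written for this thread, not code from the list or from the Fedora Directory Server project. It assumes the PADL pam_ldap/nss_ldap ldap.conf layout used in the thread (key, whitespace, value; keys case-insensitive; accepted ssl values on and start_tls), and the sample file it checks is constructed to resemble the final /etc/ldap.conf posted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pam_ldap/nss_ldap ldap.conf for
# the three settings this thread turned on: STARTTLS, a CA file, TLS_REQCERT.

# Constructed sample resembling the thread's final /etc/ldap.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# http://www.padl.com
URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT allow
host ldap.vuw.ac.nz
ssl start_tls
EOF
}

# Same file with server certificate verification enforced.
write_hardened_conf() {
    cat > "$1" <<'EOF'
URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
pam_password md5
tls_cacertfile /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
ssl start_tls
EOF
}

# conf_get FILE KEY: print the last value given for KEY, matched
# case-insensitively (ldap.conf mixes "base" and "BASE"), skipping comments.
conf_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { v = $2 }
        END { print v }' "$1"
}

# check_ldap_conf FILE: exit 0 when the client will refuse to send a password
# over a channel it could not verify; otherwise a non-zero code and a reason.
check_ldap_conf() {
    ssl=$(conf_get "$1" ssl)
    reqcert=$(conf_get "$1" TLS_REQCERT)
    cafile=$(conf_get "$1" tls_cacertfile)
    [ -n "$cafile" ] || cafile=$(conf_get "$1" TLS_CACERT)

    case "$ssl" in
        start_tls|on) ;;                      # STARTTLS on 389, or LDAPS
        *) echo "ssl=$ssl: binds would go over plain LDAP"; return 1 ;;
    esac
    case "$reqcert" in
        demand|hard|"") ;;                    # unverifiable server cert is fatal
        *) echo "TLS_REQCERT=$reqcert: a bad or missing server cert is tolerated"; return 2 ;;
    esac
    [ -n "$cafile" ] || { echo "no CA file configured, nothing to verify against"; return 3; }
    echo "ok"
}

# Demo: audit the sample as posted, then the hardened copy.
demo=$(mktemp)
write_sample_conf "$demo";   check_ldap_conf "$demo" || :
write_hardened_conf "$demo"; check_ldap_conf "$demo" || :
rm -f "$demo"
```

Run it against a real client with check_ldap_conf /etc/ldap.conf; the return code (1 no TLS, 2 weak TLS_REQCERT, 3 no CA file) makes it usable from a config-management check. Keep allow only while the CA file is being rolled out, and confirm the move to demand with the same ldapsearch -x -ZZ test the thread uses.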
I almost have a Debian client working but it has a small error, the first login fails but the second succeeds....
/etc/pam_ldap.conf looks like this,
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#pam_password exop
BASE dc=vuw,dc=ac,dc=nz
#URI ldap://ldap.vuw.ac.nz
base dc=vuw,dc=ac,dc=nz
#ssl no
ssl on
pam_password md5
BASE dc=vuw,dc=ac,dc=nz
tls_cacertfile /etc/ssl/certs/ldap/ca.crt
TLS_REQCERT allow
#TLS_REQCERT never
host ldap.vuw.ac.nz
ssl start_tls
log output for ssh connections has "startTLS",
[root@vuwunicvfdsm001 logs]# > access
[root@vuwunicvfdsm001 logs]# tail -f access
[18/Sep/2007:07:19:26 +1200] conn=2409 fd=71 slot=71 connection from 130.195.87.235 to 130.195.87.249
[18/Sep/2007:07:19:26 +1200] conn=2409 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:07:19:26 +1200] conn=2409 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:07:19:26 +1200] conn=2409 SSL 256-bit AES
[18/Sep/2007:07:19:30 +1200] conn=2409 op=2 BIND dn="" method=128 version=3
[18/Sep/2007:07:19:30 +1200] conn=2409 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:07:19:30 +1200] conn=2409 op=3 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(uid=jonesst1)" attrs=ALL
[18/Sep/2007:07:19:30 +1200] conn=2409 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[18/Sep/2007:07:19:30 +1200] conn=2409 op=4 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[18/Sep/2007:07:19:30 +1200] conn=2409 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[18/Sep/2007:07:19:30 +1200] conn=2409 op=5 BIND dn="" method=128 version=3
[18/Sep/2007:07:19:30 +1200] conn=2409 op=5 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:07:19:30 +1200] conn=2409 op=6 UNBIND
[18/Sep/2007:07:19:30 +1200] conn=2409 op=6 fd=71 closed - U1
So I just need to figure out why the first attempt fails but the second succeeds.
Regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
Steven Jones wrote:
While following the RDS manual to make a self cert, the last command is to convert the certification database,
8><-----
- Run pk12util to convert the certificate database to pkcs12 format,
so it is accessible by the Directory Server:
/serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert
It then asks me for,
"Enter Password or Pin for "NSS Certificate DB":"
Which I have no idea about....the password I have been using does not work so I have no idea what this password is!
Did you create a pin.txt file? Note that this is the same pin/password you will have to provide in order to start the directory server in SSL mode.
You can skip this step. This step is just to allow you to backup your private key material in a portable format.
So where would I find it/set it, or am I using the wrong manual and if so what is the correct one?
regards
Steven Jones Senior Linux/Unix/San/Vmware System Administrator APG -Technology Integration Team Victoria University of Wellington Phone: +64 4 463 6272
looking in the wrong place would be my guess, based on the err=32 in the previous logs you posted.
I seem to have been able to stop the err=32 by reconfiguring ldap.conf a bit and cleaning out FDS and I assume putting the user in the right place but still no login.
[11/Sep/2007:16:21:47 +1200] conn=30 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:21:47 +1200] conn=30 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:47 +1200] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:47 +1200] conn=30 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:47 +1200] conn=30 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:47 +1200] conn=30 op=2 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:47 +1200] conn=30 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:47 +1200] conn=30 op=3 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:47 +1200] conn=30 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:51 +1200] conn=30 op=4 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:51 +1200] conn=30 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:51 +1200] conn=30 op=5 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:51 +1200] conn=30 op=5 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:51 +1200] conn=30 op=6 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:51 +1200] conn=30 op=6 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:51 +1200] conn=30 op=7 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:51 +1200] conn=30 op=7 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:56 +1200] conn=30 op=8 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:56 +1200] conn=30 op=8 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:56 +1200] conn=30 op=9 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:56 +1200] conn=30 op=9 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:56 +1200] conn=30 op=10 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:56 +1200] conn=30 op=10 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:56 +1200] conn=30 op=11 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:56 +1200] conn=30 op=11 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:58 +1200] conn=30 op=13 UNBIND
[11/Sep/2007:16:21:58 +1200] conn=30 op=13 fd=78 closed - U1
[11/Sep/2007:16:22:46 +1200] conn=31 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:22:46 +1200] conn=31 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[11/Sep/2007:16:22:46 +1200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[11/Sep/2007:16:22:46 +1200] conn=31 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[11/Sep/2007:16:22:46 +1200] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2007:16:22:46 +1200] conn=31 op=2 UNBIND
[11/Sep/2007:16:22:46 +1200] conn=31 op=2 fd=78 closed - U1
[11/Sep/2007:16:22:52 +1200] conn=32 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:22:52 +1200] conn=32 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:22:52 +1200] conn=32 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:22:52 +1200] conn=32 op=1 SRCH base="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(objectClass=*)" attrs=ALL
[11/Sep/2007:16:22:52 +1200] conn=32 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2007:16:22:52 +1200] conn=32 op=2 UNBIND
[11/Sep/2007:16:22:52 +1200] conn=32 op=2 fd=78 closed - U1
Steven Jones wrote:
looking in the wrong place would be my guess, based on the err=32 in the previous logs you posted.
I seem to have been able to stop the err=32 by reconfiguring ldap.conf a bit and cleaning out FDS and I assume putting the user in the right place but still no login.
[11/Sep/2007:16:21:47 +1200] conn=30 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:21:47 +1200] conn=30 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:47 +1200] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:47 +1200] conn=30 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:47 +1200] conn=30 op=1 RESULT err=0 tag=101 nentries=0 etime=0
The clue here is that err=0 but nentries=0. This to me indicates some sort of ACI problem. If you ran the setup program, and you specified dc=vuw,dc=ac,dc=nz as your suffix, setup should have added an ACI which would allow this search to return entries. This, coupled with the fact that you cannot view these entries using the console (assuming you meant while logged in as the admin user), suggests that you added this data after setup and that you did not specify dc=vuw,dc=ac,dc=nz as your suffix. If you want to see what the suggested ACIs are, you should be able to view the ACIs that were added to the suffix that you did specify when you ran setup. The console will show you the ACIs. If you want to see what they are without using the console, you can use ldapsearch e.g.
ldapsearch -x -D "cn=directory manager" -w password -b "dc=vuw,dc=ac,dc=nz" "aci=*" aci
[11/Sep/2007:16:21:47 +1200] conn=30 op=2 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:47 +1200] conn=30 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:47 +1200] conn=30 op=3 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:47 +1200] conn=30 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:51 +1200] conn=30 op=4 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:51 +1200] conn=30 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:51 +1200] conn=30 op=5 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:51 +1200] conn=30 op=5 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:51 +1200] conn=30 op=6 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:51 +1200] conn=30 op=6 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:51 +1200] conn=30 op=7 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:51 +1200] conn=30 op=7 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:56 +1200] conn=30 op=8 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:56 +1200] conn=30 op=8 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:56 +1200] conn=30 op=9 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:56 +1200] conn=30 op=9 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:56 +1200] conn=30 op=10 BIND dn="" method=128 version=3
[11/Sep/2007:16:21:56 +1200] conn=30 op=10 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:21:56 +1200] conn=30 op=11 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=jonesst1))" attrs=ALL
[11/Sep/2007:16:21:56 +1200] conn=30 op=11 RESULT err=0 tag=101 nentries=0 etime=0
[11/Sep/2007:16:21:58 +1200] conn=30 op=13 UNBIND
[11/Sep/2007:16:21:58 +1200] conn=30 op=13 fd=78 closed - U1
[11/Sep/2007:16:22:46 +1200] conn=31 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:22:46 +1200] conn=31 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[11/Sep/2007:16:22:46 +1200] conn=31 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[11/Sep/2007:16:22:46 +1200] conn=31 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[11/Sep/2007:16:22:46 +1200] conn=31 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2007:16:22:46 +1200] conn=31 op=2 UNBIND
[11/Sep/2007:16:22:46 +1200] conn=31 op=2 fd=78 closed - U1
[11/Sep/2007:16:22:52 +1200] conn=32 fd=78 slot=78 connection from 130.195.87.246 to 130.195.87.249
[11/Sep/2007:16:22:52 +1200] conn=32 op=0 BIND dn="" method=128 version=3
[11/Sep/2007:16:22:52 +1200] conn=32 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[11/Sep/2007:16:22:52 +1200] conn=32 op=1 SRCH base="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(objectClass=*)" attrs=ALL
[11/Sep/2007:16:22:52 +1200] conn=32 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[11/Sep/2007:16:22:52 +1200] conn=32 op=2 UNBIND
[11/Sep/2007:16:22:52 +1200] conn=32 op=2 fd=78 closed - U1
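Richard's reading of the access log is the reusable lesson in this thread: a SRCH RESULT with err=0 but nentries=0 means the bind identity could not see the entries (ACI or wrong base), err=32 (noSuchObject) means the search base itself does not exist, and a startTLS EXT that is accepted but followed by "closed - Encountered end of file" with no SSL line means the client aborted the handshake, which earlier in the thread was a missing CA file. The triage below is an added example written for this thread, not code from the list or from the Fedora Directory Server project. It assumes only the access-log record format shown in the posts (conn=, op=, RESULT err= nentries=), and its sample lines are constructed from records in the thread plus one constructed conn=2500 simple bind that fails with err=49 (invalidCredentials) so that a wrong-password case is covered too.

```shell
#!/bin/sh
# Added example (not from the thread): classify FDS/389 access-log records the
# way the replies in this thread did, so failures surface without reading the
# raw tail -f output. POSIX sh + awk only.

# Constructed sample: records modelled on the thread's logs, plus a constructed
# failed simple bind (conn=2500, err=49) that the thread does not contain.
sample_access_log() {
    cat > "$1" <<'EOF'
[18/Sep/2007:05:50:01 +1200] conn=2330 fd=71 slot=71 connection from 130.195.87.250 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:05:50:01 +1200] conn=2330 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2330 op=-1 fd=71 closed - Encountered end of file.
[18/Sep/2007:05:50:01 +1200] conn=2331 fd=71 slot=71 connection from 130.195.87.246 to 130.195.87.249
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 BIND dn="" method=128 version=3
[18/Sep/2007:05:50:01 +1200] conn=2331 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Sep/2007:05:50:01 +1200] conn=2331 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=root))" attrs=ALL
[18/Sep/2007:05:50:01 +1200] conn=2331 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 SRCH base="ou=Groups,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[18/Sep/2007:05:50:01 +1200] conn=2331 op=2 RESULT err=32 tag=101 nentries=0 etime=0
[18/Sep/2007:05:50:01 +1200] conn=2331 op=-1 fd=71 closed - B1
[18/Sep/2007:07:19:26 +1200] conn=2409 fd=71 slot=71 connection from 130.195.87.235 to 130.195.87.249
[18/Sep/2007:07:19:26 +1200] conn=2409 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Sep/2007:07:19:26 +1200] conn=2409 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Sep/2007:07:19:26 +1200] conn=2409 SSL 256-bit AES
[18/Sep/2007:07:19:30 +1200] conn=2409 op=4 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[18/Sep/2007:07:19:30 +1200] conn=2409 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jonesst1,ou=people,dc=vuw,dc=ac,dc=nz"
[18/Sep/2007:07:25:00 +1200] conn=2500 fd=72 slot=72 connection from 130.195.87.235 to 130.195.87.249
[18/Sep/2007:07:25:00 +1200] conn=2500 op=0 BIND dn="uid=jonesst1,ou=People,dc=vuw,dc=ac,dc=nz" method=128 version=3
[18/Sep/2007:07:25:00 +1200] conn=2500 op=0 RESULT err=49 tag=97 nentries=0 etime=0
EOF
}

# triage_access_log FILE: one finding per line, prefixed with its class.
triage_access_log() {
    awk '
    # Pull conn= and op= off every record so a RESULT can be tied to its request.
    {
        conn = ""; op = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^conn=/) conn = substr($i, 6)
            if ($i ~ /^op=/)   op   = substr($i, 4)
        }
        k = conn "," op
    }
    /name="startTLS"/ { tls[conn] = 1 }      # server accepted STARTTLS
    / SSL /           { tls[conn] = 2 }      # handshake finished, cipher chosen
    / closed - / {
        if (tls[conn] == 1)
            print "TLS_DROP conn=" conn " startTLS accepted but no SSL line: client aborted the handshake (CA cert missing or untrusted?)"
    }
    / BIND dn=/ { kind[k] = "BIND" }
    / SRCH base=/ {
        kind[k] = "SRCH"
        match($0, /base="[^"]*"/); base[k] = substr($0, RSTART + 6, RLENGTH - 7)
    }
    / RESULT / {
        err = 0; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^err=/)      err = substr($i, 5) + 0
            if ($i ~ /^nentries=/) n   = substr($i, 10) + 0
        }
        if (kind[k] == "BIND" && err != 0)
            print "BIND_FAIL conn=" conn " err=" err
        else if (kind[k] == "SRCH" && err != 0)
            print "SRCH_ERR conn=" conn " err=" err " base=" base[k]
        else if (kind[k] == "SRCH" && n == 0)
            print "SRCH_EMPTY conn=" conn " base=" base[k] " (err=0 but nentries=0: ACI or wrong base?)"
    }' "$1"
}

# Demo over the constructed sample.
log=$(mktemp)
sample_access_log "$log"
triage_access_log "$log"
rm -f "$log"
```

On a live server the same function works on the real file (triage_access_log /opt/fedora-ds/slapd-instance/logs/access, path as in your install), and a count of BIND_FAIL per source address over a window is the obvious thing to alert on; SRCH_EMPTY against an ou=People base after setup is the ACI symptom Richard describes, and the ldapsearch for aci=* he gives is the next step.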