[Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS

Dave Della Costa dellacod at newschool.edu
Thu Nov 9 18:50:40 UTC 2006


> Did you edit /etc/ssh/sshd_config and set
> UsePAM yes
> ?

Yes, perhaps I wasn't clear when I said

>> When I turn it back off, it binds to the regular (non-SSL) LDAP port
>> on the FDS server and authentication happens just fine.

I meant by this that logging in via SSH authentication by LDAP
credentials is fine if I don't have SSL-enabled LDAP on.

Thanks,
Dave


Richard Megginson wrote:
> Dave Della Costa wrote:
> 
>> Hi folks,
>>
>> This isn't strictly a FDS question (I think!) but I'm hoping there are 
>> some people on the list who have significant experience and can offer 
>> advice.
>>
>> I've gotten FDS set up, I've generated the cert and imported it into 
>> my client machine's /etc/openldap/cacerts directory.  When I run
>>
>> ldapsearch -ZZ
>>
>> ..on the client machine it works fine; this wasn't working correctly 
>> until I did a few tweaks in my /etc/openldap/ldap.conf directory 
>> (specifically, I had an IP address instead of hostname, so I was 
>> getting a 'host doesn't match cert' or something like that error).
>>
>> So, it seems like SSL is set up and working fine, BUT, I cannot do 
>> sshd authentication via SSL.  As soon as I uncomment 'ssl on' I start 
>> getting this in my /var/log/messages:
>>
>> Nov  9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server 
>> ldap://x.x.com: Can't contact LDAP server
>> Nov  9 12:46:47 a last message repeated 3 times
>> Nov  9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 
>> 4 seconds)...
>> Nov  9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server 
>> ldap://x.x.com: Can't contact LDAP server
>> Nov  9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server 
>> ldap://x.x.com: Can't contact LDAP server
>> Nov  9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 
>> 8 seconds)...
>>
>> When I turn it back off, it binds to the regular (non-SSL) LDAP port 
>> on the FDS server and authentication happens just fine.
>>
>> Nov  9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server 
>> ldap://x.x.com after 1 attempt
>> Nov  9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; 
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=blap
>> Nov  9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for 
>> blap from x.x.x.x port 48049 ssh2
>> Nov  9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap 
>> by (uid=0)
>> Nov  9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server 
>> ldap://x.x.com after 1 attempt
>>
>> (if you hadn't noticed, I changed all the IPs and hostnames in the 
>> above log examples...).
>>
>> What the heck could this be?  I'm not sure what the proper options in 
>> the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but 
>> so far I've tried (in addition to 'ssl on') setting sslpath, "ssl 
>> start_tls," tls_cacertfile, and tls_cacertdir.  Or is this something 
>> screwed up in my /etc/openldap/ldap.conf?  I'm using the howto here: 
>> http://directory.fedora.redhat.com/wiki/Howto:SSL
> 
> Did you edit /etc/ssh/sshd_config and set
> UsePAM yes
> ?
> 
>>
>> Any help would be greatly appreciated.  Thanks!
>>
>> Dave D.
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
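The client-side options the thread goes through (`ssl on` versus `ssl start_tls`, `tls_cacertfile`/`tls_cacertdir`, and the IP-address-instead-of-hostname mistake that produced the "host doesn't match cert" error) are easy to get subtly wrong, so here is a small pre-flight checker for an `/etc/ldap.conf`-style file. This is example code added for this page; it is not code from the thread, from FDS or from nss_ldap. It assumes PADL-style keyword names (`uri`, `host`, `port`, `ssl`, `tls_cacertfile`, `tls_cacertdir`) and models `ssl on` as LDAPS on port 636 when the URI gives no port; both sample configs are constructed.

```python
"""Pre-flight checker for nss_ldap/pam_ldap TLS settings (added example).

Parses a PADL-style /etc/ldap.conf, works out the endpoint the client will
actually try, and flags the mistakes discussed in the thread: an IP address
where the server certificate names a hostname, no CA trust anchor configured,
and an 'ssl on' that moves the connection to LDAPS while the uri still says
ldap://.  Sample configs below are constructed, not taken from any real host.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the style of the poster's client config.
SAMPLE_LDAP_CONF = """\
uri ldap://x.x.com
base dc=example,dc=com
ssl on
tls_cacertdir /etc/openldap/cacerts
"""

# Constructed second sample carrying the two mistakes the thread mentions.
SAMPLE_BAD_CONF = """\
uri ldap://192.0.2.10
ssl start_tls
"""


def parse_ldap_conf(text):
    """Return {keyword: value} with keywords lower-cased; comments skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def effective_endpoint(opts):
    """Model the endpoint the client will use.

    Assumption made by this checker (not stated in the thread): 'ssl on'
    means LDAPS, so a uri without an explicit port lands on 636; 'ssl
    start_tls' and 'ssl no' stay on the plain port (389 by default).
    """
    ssl_mode = opts.get("ssl", "no").lower()
    if "uri" in opts:
        u = urlsplit(opts["uri"].split()[0])
        scheme, host, port = u.scheme.lower(), u.hostname, u.port
    else:
        hosts = opts.get("host", "").split()
        scheme, host = "ldap", (hosts[0] if hosts else None)
        port = int(opts["port"]) if "port" in opts else None
    ldaps = ssl_mode == "on" or scheme == "ldaps"
    if ldaps:
        scheme = "ldaps"
    if port is None:
        port = 636 if ldaps else 389
    return {"scheme": scheme, "host": host, "port": port,
            "starttls": ssl_mode == "start_tls"}


def check_tls_config(text):
    """Return a list of (code, message) findings for one config text."""
    opts = parse_ldap_conf(text)
    ep = effective_endpoint(opts)
    uri_scheme = urlsplit(opts.get("uri", "").split()[0] if opts.get("uri") else "").scheme.lower()
    findings = []
    tls_on = ep["scheme"] == "ldaps" or ep["starttls"]
    if ep["host"]:
        try:
            ipaddress.ip_address(ep["host"])
            findings.append(("ip-in-uri",
                "%s is an IP address; the server cert names a hostname, so "
                "hostname verification will fail" % ep["host"]))
        except ValueError:
            pass  # a hostname, which is what the certificate check needs
    if tls_on and not (opts.get("tls_cacertfile") or opts.get("tls_cacertdir")):
        findings.append(("no-ca",
            "TLS requested but neither tls_cacertfile nor tls_cacertdir is set"))
    if opts.get("ssl", "").lower() == "on" and uri_scheme == "ldap":
        findings.append(("ssl-on-vs-uri",
            "ssl on moves the connection to %s://%s:%d; confirm the server "
            "listens there" % (ep["scheme"], ep["host"], ep["port"])))
    if ep["starttls"] and uri_scheme == "ldaps":
        findings.append(("starttls-vs-ldaps",
            "ssl start_tls with an ldaps:// uri is contradictory"))
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_LDAP_CONF), ("bad", SAMPLE_BAD_CONF)):
        print(name, effective_endpoint(parse_ldap_conf(conf)))
        for code, msg in check_tls_config(conf):
            print("  [%s] %s" % (code, msg))
```

Run against the first sample it reports only that `ssl on` sends the client to `ldaps://x.x.com:636`, which is the thing to confirm on the FDS side before blaming PAM; the second sample trips both the IP-address and the missing-CA checks.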