LDAP/SSL authentication in FC2

Harry Hoffman hhoffman at ip-solutions.net
Tue Sep 28 21:19:37 UTC 2004


Hi All,

I've done this before under Redhat but am having the damndest time with FC2.

My LDAP server is a FC1 box with OpenLDAP/TLS (stock standard from the 
distro).
I believe I have everything set up properly. I can use "getent passwd" 
from the client machine and see all of the passwd entries on the ldap 
server.

In addition I can properly bind (using ldapsearch) as the user I'm 
attempting to ssh into the client as.

When I try to ssh in I get the following log errors:
Sep 26 23:16:17 mason sshd[21438]: Illegal user user from 
::ffff:192.168.4.65
Sep 26 23:16:20 mason sshd[21438]: Failed password for illegal user user 
from ::ffff:192.168.4.65 port 33553 ssh2

Any help would be greatly appreciated.

Thanks,
Harry



The typical user entry looks something like this:

dn: uid=user,ou=People,dc=domain,dc=tld
uid: user
cn: User
sn: User
mail: user at domain
mailRoutingAddress: user at domain
mailHost: smtp.fqdn
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: hostObject
userPassword:: XXX
shadowLastChange: 12523
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user
mailLocalAddress: user at xxx.xxx
host: ldap.client.fqdn

The server certificate is from a self-created CA with the proper certs on 
both server and client.

The client's ldap.conf looks like:
uri ldaps://ldap.domain.tld/
scope sub
timelimit 30
bind_timelimit 30
idle_timelimit 3600
pam_login_attribute uid
pam_check_host_attr yes
nss_base_passwd ou=People,dc=domain,dc=tld?one
nss_base_shadow ou=People,dc=domain,dc=tld?one
nss_base_group ou=Group,dc=domain,dc=tld?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/share/ssl/certs/ip-solutions.crt
pam_password md5

/etc/pam.d/sshd looks like this:
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       sufficient    /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so

/etc/nsswitch.conf looks like this:
passwd:     ldap [NOTFOUND=return] files
shadow:     ldap [NOTFOUND=return] files
group:      ldap [NOTFOUND=return] files
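Two of the settings quoted in the post decide who can resolve and log in, and they are worth checking offline before touching the server. pam_ldap's `pam_check_host_attr yes` refuses an entry unless one of its `host` values names the client (or is `*`), so the `host:` line in the LDIF and the client's hostname must agree. In nsswitch.conf, `[NOTFOUND=return]` placed before `files` stops the lookup as soon as LDAP says "no such user", so a local account on the client (root included) is never consulted in `files` for that database; only an unreachable server (UNAVAIL) falls through. The script below is an added example, not part of the original post; it parses a constructed LDIF entry and nsswitch fragment modelled on the ones above and models both rules. The case-insensitive hostname comparison is this example's choice, not something the post states about pam_ldap.

```python
import re

# Constructed sample input (not a real directory entry): a posixAccount with a
# hostObject `host` attribute, as in the post. The base64 value is a placeholder.
SAMPLE_LDIF = """\
dn: uid=user,ou=People,dc=domain,dc=tld
uid: user
cn: User
objectClass: posixAccount
objectClass: hostObject
userPassword:: cmVkYWN0ZWQ=
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user
loginShell: /bin/bash
host: ldap.client.fqdn
"""

# Constructed nsswitch.conf fragment mirroring the post.
SAMPLE_NSSWITCH = """\
passwd:     ldap [NOTFOUND=return] files
shadow:     ldap [NOTFOUND=return] files
group:      ldap [NOTFOUND=return]  files
hosts:      files dns
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} with lowercase
    attribute names. Continuation lines (leading space) are folded; a
    '::' separator marks a base64 value, which is kept undecoded."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            folded.append(raw)
    entry = {}
    for line in folded:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        value = value[1:] if value.startswith(":") else value  # drop base64 marker
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def host_attr_permits(entry, client_fqdn):
    """Model pam_ldap's pam_check_host_attr: the entry must carry a `host`
    value naming this client (or '*'); an entry with no `host` attribute
    is refused. Hostname comparison is case-insensitive here (this
    example's assumption, since DNS names are case-insensitive)."""
    wanted = client_fqdn.lower()
    return any(h == "*" or h.lower() == wanted for h in entry.get("host", []))


_NSS_TOKEN = re.compile(r"\[[^\]]*\]|\S+")        # "[STATUS=action ...]" or a source name
_NSS_ACTION = re.compile(r"(!?)(\w+)=(\w+)")      # optional '!' negation, status, action


def nsswitch_lockout_risks(text):
    """Return databases where a `[NOTFOUND=return]` action precedes the
    `files` source, so a name missing from the earlier source (LDAP here)
    is never looked up in the local files: local accounts become
    unreachable for that database even while LDAP is up."""
    risks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        stops_on_notfound = False
        for tok in _NSS_TOKEN.findall(sources):
            if tok.startswith("["):
                for neg, status, action in _NSS_ACTION.findall(tok):
                    if not neg and status.upper() == "NOTFOUND" and action.upper() == "RETURN":
                        stops_on_notfound = True
            elif tok.lower() == "files":
                if stops_on_notfound:
                    risks.append(db.strip())
                break  # files is reached; anything after it does not matter here
    return risks


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for client in ("ldap.client.fqdn", "other.host.fqdn"):
        verdict = "permitted" if host_attr_permits(entry, client) else "refused"
        print(f"{client}: {verdict}")
    print("nsswitch lockout risks:", nsswitch_lockout_risks(SAMPLE_NSSWITCH))
```

Run it against `ldapsearch -LLL` output for the account and the client's real `/etc/nsswitch.conf` (or `hostname -f`) to confirm that the `host` attribute matches the machine sshd is running on and to see which databases have no local fallback once LDAP answers "not found".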



