Brian Zuromski
2007-Apr-08 05:07 UTC
RE: [Fedora-directory-users] TLS issues during screen lock
Rich,

No, I'm not using client based auth with this setup. I am sharing out the server certificate to the network client.

Date: Tue, 10 Apr 2007 08:35:00 -0700
From: Rich Megginson <rmeggins@redhat.com>
Subject: Re: [Fedora-directory-users] TLS issues during screen lock
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
Message-ID: <461BAEA4.5080708@redhat.com>
Content-Type: text/plain; charset="iso-8859-1"

Brian Zuromski wrote:
> > Hello,
> > I'm having an issue with TLS certificates. On the client side, it seems that when I have TLS enabled it works fine. When I screen lock the computer, I have to disable TLS to get back in. Has anyone else experienced this before?
>
> Are you using client cert based auth?
>
> > Thanks,

--
Brian R. Z
Brian Zuromski
2007-Apr-09 14:17 UTC
Re: [Fedora-directory-users] TLS issues during screen lock
Ashley,

Thanks for the reply. I figured it out by doing a `ldapsearch -ZZ -d 1 -b "" -s base -x` and saw that the TLS trace didn't have read access when using a non-privileged user.

ashley wrote:
> Yes I've had that problem before but I fixed it before.
>
> I think it's a permission problem of the user accessing the certificate. When you logged onto the system the auth process is done by root, but when you lock it with a screen saver it's locked by the user. So to unlock it the auth process is done by the user.
>
> But if your user has no access to the certificate he can't authenticate against the ldap.
>
> You can verify this by (Test this by)
>
> chmod -R 755 /etc/openldap/certs
>
> (Or wherever your certs are on the client system)
>
> Log in as a normal user, lock it with xscreensaver, try unlocking it.
>
> If it works you have access permission problems with your certs.
>
> On Wed, 11 Apr 2007, Rich Megginson wrote:
>> Brian Zuromski wrote:
>>> Rich,
>>> No, I'm not using client based auth with this setup. I am sharing out the server certificate to the network client.
>> How does this relate to LDAP or the directory server?
>>> Date: Tue, 10 Apr 2007 08:35:00 -0700
>>> From: Rich Megginson <rmeggins@redhat.com>
>>> Subject: Re: [Fedora-directory-users] TLS issues during screen lock
>>> To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
>>> Message-ID: <461BAEA4.5080708@redhat.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Brian Zuromski wrote:
>>>> > Hello,
>>>> > I'm having an issue with TLS certificates. On the client side, it seems that when I have TLS enabled it works fine. When I screen lock the computer, I have to disable TLS to get back in. Has anyone else experienced this before?
>>>
>>> Are you using client cert based auth?
>>>
>>>> > Thanks,

--
Brian R. Zuromski
National Information Assurance Research Laboratory
Office of Defensive Computing Research (R23)
Contractor :: Pangia Technologies
443-479-5946
Rich Megginson
2007-Apr-11 16:18 UTC
Re: [Fedora-directory-users] TLS issues during screen lock
Brian Zuromski wrote:
> Rich,
> No, I'm not using client based auth with this setup. I am sharing out the server certificate to the network client.

How does this relate to LDAP or the directory server?

> Date: Tue, 10 Apr 2007 08:35:00 -0700
> From: Rich Megginson <rmeggins@redhat.com>
> Subject: Re: [Fedora-directory-users] TLS issues during screen lock
> To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
> Message-ID: <461BAEA4.5080708@redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Brian Zuromski wrote:
>> > Hello,
>> > I'm having an issue with TLS certificates. On the client side, it seems that when I have TLS enabled it works fine. When I screen lock the computer, I have to disable TLS to get back in. Has anyone else experienced this before?
>
> Are you using client cert based auth?
>
>> > Thanks,
Yes I've had that problem before but I fixed it before.

I think it's a permission problem of the user accessing the certificate. When you logged onto the system the auth process is done by root, but when you lock it with a screen saver it's locked by the user. So to unlock it the auth process is done by the user.

But if your user has no access to the certificate he can't authenticate against the ldap.

You can verify this by (Test this by)

chmod -R 755 /etc/openldap/certs

(Or wherever your certs are on the client system)

Log in as a normal user, lock it with xscreensaver, try unlocking it.

If it works you have access permission problems with your certs.

On Wed, 11 Apr 2007, Rich Megginson wrote:
> Brian Zuromski wrote:
>> Rich,
>> No, I'm not using client based auth with this setup. I am sharing out the server certificate to the network client.
> How does this relate to LDAP or the directory server?
>> Date: Tue, 10 Apr 2007 08:35:00 -0700
>> From: Rich Megginson <rmeggins@redhat.com>
>> Subject: Re: [Fedora-directory-users] TLS issues during screen lock
>> To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@redhat.com>
>> Message-ID: <461BAEA4.5080708@redhat.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Brian Zuromski wrote:
>>> > Hello,
>>> > I'm having an issue with TLS certificates. On the client side, it seems that when I have TLS enabled it works fine. When I screen lock the computer, I have to disable TLS to get back in. Has anyone else experienced this before?
>>
>> Are you using client cert based auth?
>>
>>> > Thanks,

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"
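The thread's diagnosis is that the client's TLS certificate files were readable by root (which handles the initial login) but not by the ordinary user who drives the screen-unlock, which is what Brian saw in the `ldapsearch -ZZ -d 1` trace and what Ashley's `chmod -R 755` test confirms. The script below is an added example, not code posted by anyone in the thread. It audits a client cert directory for exactly that condition, but unlike a blanket `chmod -R 755` it distinguishes public material (CA and server certificates, which must be world-readable) from private keys (which must not be), since recursively opening the whole directory would also expose any client key stored there. The default path `/etc/openldap/certs` is the one from the thread; treating files named `*.key`, `key3.db` or `key4.db` as private keys is an assumption about NSS/OpenSSL naming, and everything else is plain POSIX `ls`, `cut` and `grep`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an LDAP client's
# TLS cert directory for files a non-root user cannot read, and for private
# keys that other users can read. Default directory is the thread's
# /etc/openldap/certs; pass another path as the first argument.

# other_bits PATH -> prints the three "other" permission characters, e.g. "r-x".
# ls -ld prints a POSIX mode string such as -rw-r--r--; columns 8-10 are "other".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# is_private_key PATH -> exit 0 if PATH looks like a private key.
# Name check (assumption about common OpenSSL/NSS names) plus a PEM content check.
is_private_key() {
    case "${1##*/}" in
        *.key|key3.db|key4.db) return 0 ;;
    esac
    [ -r "$1" ] && grep -q 'PRIVATE KEY-----' "$1"
}

# check_cert_dir [DIR]
# Prints one "<state> <path>" line per entry, where state is
#   ok             readable as it should be (or a key kept private)
#   not-searchable the directory itself lacks the "other" x bit, so no file
#                  inside can be opened by an ordinary user
#   unreadable     a certificate other users cannot read (the thread's failure)
#   key-exposed    a private key other users can read (what chmod -R 755 causes)
# Returns 0 if every line is ok, 1 if any problem was found, 2 if DIR is missing.
check_cert_dir() {
    dir=${1:-/etc/openldap/certs}
    rc=0
    [ -d "$dir" ] || { echo "missing $dir"; return 2; }
    case "$(other_bits "$dir")" in
        ??x) echo "ok $dir/" ;;
        *)   echo "not-searchable $dir/"; rc=1 ;;
    esac
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue
        bits=$(other_bits "$f")
        if is_private_key "$f"; then
            case "$bits" in
                r??) echo "key-exposed $f"; rc=1 ;;
                *)   echo "ok $f" ;;
            esac
        else
            case "$bits" in
                r??) echo "ok $f" ;;
                *)   echo "unreadable $f"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Stand-alone use: CERT_DIR=/etc/openldap/certs sh check_cert_dir.sh
if [ -n "${CERT_DIR:-}" ]; then
    check_cert_dir "$CERT_DIR"
fi
```

A clean run prints only `ok` lines and exits 0; an `unreadable` line is the screen-lock symptom from the thread and wants a `chmod 644` on that file (and `chmod 755` on the directory if `not-searchable` appears), while a `key-exposed` line means a private key should go back to mode 600 rather than be left world-readable by a recursive chmod.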