Dave Della Costa
2006-Nov-09 17:54 UTC
[Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS
Hi folks,

This isn't strictly a FDS question (I think!) but I'm hoping there are some people on the list who have significant experience and can offer advice.

I've gotten FDS set up, I've generated the cert and imported it into my client machine's /etc/openldap/cacerts directory. When I run

ldapsearch -ZZ

..on the client machine it works fine; this wasn't working correctly until I did a few tweaks in my /etc/openldap/ldap.conf directory (specifically, I had an IP address instead of hostname, so I was getting a 'host doesn't match cert' or something like that error).

So, it seems like SSL is set up and working fine, BUT, I cannot do sshd authentication via SSL. As soon as I uncomment 'ssl on' I start getting this in my /var/log/messages:

Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:47 a last message repeated 3 times
Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server ldap://x.x.com: Can't contact LDAP server
Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...

When I turn it back off, it binds to the regular (non-SSL) LDAP port on the FDS server and authentication happens just fine.

Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt
Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for blap from x.x.x.x port 48049 ssh2
Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap by (uid=0)
Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server ldap://x.x.com after 1 attempt

(if you hadn't noticed, I changed all the IPs and hostnames in the above log examples...).

What the heck could this be? I'm not sure what the proper options in the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but so far I've tried (in addition to 'ssl on') setting sslpath, "ssl start_tls," tls_cacertfile, and tls_cacertdir. Or is this something screwed up in my /etc/openldap/ldap.conf? I'm using the howto here: http://directory.fedora.redhat.com/wiki/Howto:SSL

Any help would be greatly appreciated. Thanks!

Dave D.
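A client-side configuration check, added here as an example and not code from the thread, FDS or nss_ldap: it parses an nss_ldap-style /etc/ldap.conf and flags the combinations the post is juggling (ssl on next to a plain ldap:// URI or port 389, an IP literal where the certificate carries a hostname, and missing CA or peer-check settings). The sample configs and the lint rules are my own assumptions about how these options interact, not findings established in the thread.

```python
from ipaddress import ip_address

# Constructed sample configs (assumption: hypothetical, not the poster's actual file).
SAMPLE_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl on
tls_cacertdir /etc/openldap/cacerts
"""
FIXED_CONF = """\
uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl on
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
"""

def parse_ldap_conf(text):
    """Parse 'key value' lines of an nss_ldap-style ldap.conf (keys case-insensitive)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def server_name(conf):
    """Host part of 'uri' (scheme, port and path stripped), else the first 'host' entry."""
    uri = conf.get("uri", "")
    if uri:
        return uri.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return conf.get("host", "").split(" ", 1)[0]

def lint_tls_settings(conf):
    """Return findings about the TLS-related settings; an empty list means nothing flagged."""
    findings = []
    ssl, uri, port = conf.get("ssl", "off").lower(), conf.get("uri", ""), conf.get("port", "")
    if ssl == "on" and (uri.startswith("ldap://") or port == "389"):
        findings.append("ssl on expects LDAPS (port 636): an ldap:// URI or port 389 cannot complete a TLS handshake")
    if ssl == "start_tls" and uri.startswith("ldaps://"):
        findings.append("ssl start_tls upgrades the plain port; an ldaps:// URI contradicts it")
    name = server_name(conf)
    try:
        ip_address(name)
        findings.append(f"server given as IP literal {name}: certificate hostname check will fail")
    except ValueError:
        pass  # a hostname, as the certificate expects
    if ssl != "off":
        if "tls_cacertdir" not in conf and "tls_cacertfile" not in conf:
            findings.append("no tls_cacertdir/tls_cacertfile: the server certificate cannot be validated")
        if conf.get("tls_checkpeer", "").lower() != "yes":
            findings.append("tls_checkpeer is not 'yes': certificate validation is not enforced")
    return findings
```

Run it against the real /etc/ldap.conf by passing the file contents to parse_ldap_conf; the two constructed configs show the flagged and the clean state side by side.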
Richard Megginson
2006-Nov-09 18:02 UTC
Re: [Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS
Dave Della Costa wrote:
> Hi folks,
>
> This isn't strictly a FDS question (I think!) but I'm hoping there are
> some people on the list who have significant experience and can offer
> advice.
>
> I've gotten FDS set up, I've generated the cert and imported it into
> my client machine's /etc/openldap/cacerts directory. When I run
>
> ldapsearch -ZZ
>
> ..on the client machine it works fine; this wasn't working correctly
> until I did a few tweaks in my /etc/openldap/ldap.conf directory
> (specifically, I had an IP address instead of hostname, so I was
> getting a 'host doesn't match cert' or something like that error).
>
> So, it seems like SSL is set up and working fine, BUT, I cannot do
> sshd authentication via SSL. As soon as I uncomment 'ssl on' I start
> getting this in my /var/log/messages:
>
> Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server
> ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:47 a last message repeated 3 times
> Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping
> 4 seconds)...
> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
> ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
> ldap://x.x.com: Can't contact LDAP server
> Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping
> 8 seconds)...
>
> When I turn it back off, it binds to the regular (non-SSL) LDAP port
> on the FDS server and authentication happens just fine.
>
> Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server
> ldap://x.x.com after 1 attempt
> Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
> Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for
> blap from x.x.x.x port 48049 ssh2
> Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap
> by (uid=0)
> Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server
> ldap://x.x.com after 1 attempt
>
> (if you hadn't noticed, I changed all the IPs and hostnames in the
> above log examples...).
>
> What the heck could this be? I'm not sure what the proper options in
> the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but
> so far I've tried (in addition to 'ssl on') setting sslpath, "ssl
> start_tls," tls_cacertfile, and tls_cacertdir. Or is this something
> screwed up in my /etc/openldap/ldap.conf? I'm using the howto here:
> http://directory.fedora.redhat.com/wiki/Howto:SSL

Did you edit /etc/ssh/sshd_config and set
UsePAM yes
?

>
> Any help would be greatly appreciated. Thanks!
>
> Dave D.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Dave Della Costa
2006-Nov-09 18:50 UTC
Re: [Fedora-directory-users] Problems with SSL, Pam/SSHD Authentication & FDS
> Did you edit /etc/ssh/sshd_config and set
> UsePAM yes
> ?

Yes, perhaps I wasn't clear when I said

>> When I turn it back off, it binds to the regular (non-SSL) LDAP port
>> on the FDS server and authentication happens just fine.

--I meant by this that logging in via SSH Authentication by LDAP credentials is fine if I don't have SSL-enabled LDAP on.

Thanks,
Dave

Richard Megginson wrote:
> Dave Della Costa wrote:
>
>> Hi folks,
>>
>> This isn't strictly a FDS question (I think!) but I'm hoping there are
>> some people on the list who have significant experience and can offer
>> advice.
>>
>> I've gotten FDS set up, I've generated the cert and imported it into
>> my client machine's /etc/openldap/cacerts directory. When I run
>>
>> ldapsearch -ZZ
>>
>> ..on the client machine it works fine; this wasn't working correctly
>> until I did a few tweaks in my /etc/openldap/ldap.conf directory
>> (specifically, I had an IP address instead of hostname, so I was
>> getting a 'host doesn't match cert' or something like that error).
>>
>> So, it seems like SSL is set up and working fine, BUT, I cannot do
>> sshd authentication via SSL. As soon as I uncomment 'ssl on' I start
>> getting this in my /var/log/messages:
>>
>> Nov 9 12:46:47 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:47 a last message repeated 3 times
>> Nov 9 12:46:47 a sh: nss_ldap: reconnecting to LDAP server (sleeping
>> 4 seconds)...
>> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:51 a sh: nss_ldap: failed to bind to LDAP server
>> ldap://x.x.com: Can't contact LDAP server
>> Nov 9 12:46:51 a sh: nss_ldap: reconnecting to LDAP server (sleeping
>> 8 seconds)...
>>
>> When I turn it back off, it binds to the regular (non-SSL) LDAP port
>> on the FDS server and authentication happens just fine.
>>
>> Nov 9 12:47:01 a sshd[8390]: nss_ldap: reconnected to LDAP server
>> ldap://x.x.com after 1 attempt
>> Nov 9 12:47:03 a sshd(pam_unix)[8395]: authentication failure;
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=blap
>> Nov 9 12:47:03 a sshd[8390]: Accepted keyboard-interactive/pam for
>> blap from x.x.x.x port 48049 ssh2
>> Nov 9 12:47:03 a sshd(pam_unix)[8451]: session opened for user blap
>> by (uid=0)
>> Nov 9 12:47:03 a sshd[8390]: nss_ldap: reconnected to LDAP server
>> ldap://x.x.com after 1 attempt
>>
>> (if you hadn't noticed, I changed all the IPs and hostnames in the
>> above log examples...).
>>
>> What the heck could this be? I'm not sure what the proper options in
>> the /etc/ldap.conf are that perhaps I'm screwing up or forgetting, but
>> so far I've tried (in addition to 'ssl on') setting sslpath, "ssl
>> start_tls," tls_cacertfile, and tls_cacertdir. Or is this something
>> screwed up in my /etc/openldap/ldap.conf? I'm using the howto here:
>> http://directory.fedora.redhat.com/wiki/Howto:SSL
>
> Did you edit /etc/ssh/sshd_config and set
> UsePAM yes
> ?
>
>>
>> Any help would be greatly appreciated. Thanks!
>>
>> Dave D.