Hi

I've enabled TLS and am getting below error msgs in /var/log/secure file on Fedora 9, which is my newly configured FDS. If I disable TLS, am able to ssh onto the FDS server, and with TLS enabled unable to login via ssh.

sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: Invalid user test3 from 192.168.1.1
sshd[5488]: input_userauth_request: invalid user test3
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: pam_unix(sshd:auth): check pass; user unknown
sshd[5487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: pam_succeed_if(sshd:auth): error retrieving information about user test3
sshd[5487]: Failed password for invalid user test3 from 192.168.1.1 port 38489 ssh2

/etc/ldap.conf file on Fedora 9 (FDS server) shows as :-

base dc=true,dc=co,dc=uk
timelimit 30
bind_timelimit 30
bind_policy soft
nss_reconnect_tries 2
idle_timelimit 3600
pam_filter objectclass=posixAccount
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.asc
pam_password md5
uri ldap://127.0.0.1/
tls_cacertdir /etc/openldap/cacerts

# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=true,dc=co,dc=uk"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://127.0.0.1/"
 LDAP base DN = "dc=true,dc=co,dc=uk"
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled

Please advise on how to resolve, so am able to ssh onto FDS server running TLS. I've already run setupssl2.sh script from

Thanks in advance..

Regards
Dharmin
On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> I've enabled TLS and am getting below error msgs in /var/log/secure file on Fedora 9, which is my newly configured FDS, if disable TLS, am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
[snip]
> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
[snip]
> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cacerts/cacert.asc
> pam_password md5
> uri ldap://127.0.0.1/
> tls_cacertdir /etc/openldap/cacerts

If you're using SSL or TLS, the LDAP client library is going to compare the names in the certificate that the server uses against the value that was given in the client's configuration (in this case "127.0.0.1"), and it looks like they're not matching up here.

Typically the certificate uses an actual hostname as a "CN" value in its subject, so you'd need to specify the server URI using a hostname rather than an IP address to make sure that they match.

If that's not what's going on here, please post a copy of the certificate that the server's using so that we can have a look.

HTH,

Nalin
Hello Nalin

Many thanks... replaced with FQDN instead of 127.0.0.1 and works fine. Thanks for a quick reply.

Regards
Dharmin

----------------------------------------
> Date: Thu, 24 Jul 2008 11:26:46 -0400
> From: nalin@redhat.com
> To: dharmin98@hotmail.com
> CC: fedora-directory-users@redhat.com
> Subject: Re: [Fedora-directory-users] TLS Issue
>
> On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
>> I've enabled TLS and am getting below error msgs in /var/log/secure file on Fedora 9, which is my newly configured FDS, if disable TLS, am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
> [snip]
>> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
> [snip]
>> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> [snip]
>> ssl start_tls
>> tls_checkpeer yes
>> tls_cacertfile /etc/openldap/cacerts/cacert.asc
>> pam_password md5
>> uri ldap://127.0.0.1/
>> tls_cacertdir /etc/openldap/cacerts
>
> If you're using SSL or TLS, the LDAP client library is going to compare
> the names in the certificate that the server uses against the value that
> was given in the client's configuration (in this case "127.0.0.1"), and
> it looks like they're not matching up here.
>
> Typically the certificate uses an actual hostname as a "CN" value in its
> subject, so you'd need to specify the server URI using a hostname rather
> than an IP address to make sure that they match.
>
> If that's not what's going on here, please post a copy of the
> certificate that the server's using so that we can have a look.
>
> HTH,
>
> Nalin
Hello Nalin and all

I just added "ssl on" to below /etc/ldap.conf file and get below error msg in /var/log/secure file :-

sshd[6212]: pam_unix(sshd:session): session closed for user test1
sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
sshd[6248]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
sshd[6248]: pam_unix(sshd:session): session closed for user test1
sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
shd[6284]: pam_ldap: reconnecting to LDAP server...
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2

With "ssl on" in ldap.conf, am unable to login via ssh.

Any helpers please...

Regards
Dharmin

----------------------------------------
> Date: Thu, 24 Jul 2008 11:26:46 -0400
> From: nalin@redhat.com
> To: dharmin98@hotmail.com
> CC: fedora-directory-users@redhat.com
> Subject: Re: [Fedora-directory-users] TLS Issue
>
> On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
>> I've enabled TLS and am getting below error msgs in /var/log/secure file on Fedora 9, which is my newly configured FDS, if disable TLS, am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
> [snip]
>> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
> [snip]
>> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> [snip]
>> ssl start_tls
>> tls_checkpeer yes
>> tls_cacertfile /etc/openldap/cacerts/cacert.asc
>> pam_password md5
>> uri ldap://127.0.0.1/
>> tls_cacertdir /etc/openldap/cacerts
>
> If you're using SSL or TLS, the LDAP client library is going to compare
> the names in the certificate that the server uses against the value that
> was given in the client's configuration (in this case "127.0.0.1"), and
> it looks like they're not matching up here.
>
> Typically the certificate uses an actual hostname as a "CN" value in its
> subject, so you'd need to specify the server URI using a hostname rather
> than an IP address to make sure that they match.
>
> If that's not what's going on here, please post a copy of the
> certificate that the server's using so that we can have a look.
>
> HTH,
>
> Nalin
Hi,

Can you check what happens if you specify "ssl start_tls" instead of "ssl on"?

Regards
Niranjan

On Thu, Jul 24, 2008 at 9:29 PM, Dharmin Mandalia <dharmin98@hotmail.com> wrote:
>
> Hello Nalin and all
>
> I just added "ssl on" to below /etc/ldap.conf file and get below error
> msg in /var/log/secure file :-
>
> sshd[6212]: pam_unix(sshd:session): session closed for user test1
> sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
> sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
> sshd[6248]: pam_unix(sshd:session): session opened for user test1 by
> (uid=0)
> sshd[6248]: pam_unix(sshd:session): session closed for user test1
> sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
> sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> shd[6284]: pam_ldap: reconnecting to LDAP server...
> sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
>
> With "ssl on" in ldap.conf, am unable to login via ssh
>
> any helpers please...
>
> regards
> Dharmin
>
> ----------------------------------------
> > Date: Thu, 24 Jul 2008 11:26:46 -0400
> > From: nalin@redhat.com
> > To: dharmin98@hotmail.com
> > CC: fedora-directory-users@redhat.com
> > Subject: Re: [Fedora-directory-users] TLS Issue
> >
> > On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> >> I've enabled TLS and am getting below error msgs in /var/log/secure
> file on Fedora 9, which is my newly configured FDS, if disable TLS, am
> able to ssh onto the FDS server and with TLS enabled unable to login via
> ssh.
> > [snip]
> >> sshd[5487]: nss_ldap: could not search LDAP server - Server is
> unavailable
> > [snip]
> >> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> > [snip]
> >> ssl start_tls
> >> tls_checkpeer yes
> >> tls_cacertfile /etc/openldap/cacerts/cacert.asc
> >> pam_password md5
> >> uri ldap://127.0.0.1/
> >> tls_cacertdir /etc/openldap/cacerts
> >
> > If you're using SSL or TLS, the LDAP client library is going to compare
> > the names in the certificate that the server uses against the value that
> > was given in the client's configuration (in this case "127.0.0.1"), and
> > it looks like they're not matching up here.
> >
> > Typically the certificate uses an actual hostname as a "CN" value in its
> > subject, so you'd need to specify the server URI using a hostname rather
> > than an IP address to make sure that they match.
> >
> > If that's not what's going on here, please post a copy of the
> > certificate that the server's using so that we can have a look.
> >
> > HTH,
> >
> > Nalin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
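As an added example (not code from this thread or from nss_ldap/pam_ldap), the following Python models the two client-side checks the thread turns on: Nalin's point that the TLS client compares the host in the `uri` line against the names in the server certificate, so an IP literal like `127.0.0.1` cannot match a certificate issued to a hostname, and the later exchange about `ssl on` versus `ssl start_tls`, where the example reports which transport mode and port the client would be using so it can be compared with what the directory server actually listens on. The certificate is a constructed dict in the shape that `ssl.SSLSocket.getpeercert()` returns, and the hostname `fds.true.co.uk` is invented (only the base DN `dc=true,dc=co,dc=uk` comes from the thread). The name-matching rules (SAN preferred over CN, wildcard only as the whole leftmost label, IP literals only against iPAddress SAN entries) follow RFC 6125; the default of `tls_checkpeer yes`, and the mapping of `ssl on` to the conventional LDAPS port 636, are assumptions stated in the comments.

```python
"""Check an nss_ldap/pam_ldap style ldap.conf against a server certificate.

Added example, not part of the mailing-list thread. It mirrors what the LDAP
client library does when TLS is enabled: the host in the 'uri' line is matched
against the names in the server certificate. SAMPLE_CERT is a constructed
dict in the shape of ssl.SSLSocket.getpeercert(); the hostname is invented.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a certificate issued to the directory server's hostname
# (hostname is invented; it does not come from the thread).
SAMPLE_CERT = {
    "subject": ((("commonName", "fds.true.co.uk"),),),
    "subjectAltName": (("DNS", "fds.true.co.uk"),),
}

# The relevant lines of the poster's original ldap.conf (uri is an IP literal).
ORIGINAL_CONF = """\
base dc=true,dc=co,dc=uk
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.asc
uri ldap://127.0.0.1/
"""

# The fix the poster reported: the URI names the server by FQDN instead.
FIXED_CONF = ORIGINAL_CONF.replace("ldap://127.0.0.1/", "ldap://fds.true.co.uk/")


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def cert_names(cert):
    """Collect DNS and IP names from the SAN; use the CN only if no SAN exists."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns.append(value.lower())
    return dns, ips


def dns_match(pattern, host):
    """RFC 6125 style matching: a wildcard may only be the whole leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        host_label, _, host_rest = host.partition(".")
        return bool(host_label) and host_rest == pattern[2:]
    return False


def hostname_matches(cert, host):
    """True if the configured host is one of the certificate's names."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal never matches a DNS name or CN, only an iPAddress SAN.
        return ip in ips
    return any(dns_match(p, host.lower()) for p in dns)


def expected_port(conf):
    """Port the client will talk to: an explicit port in the URI wins; otherwise
    636 for LDAP over SSL (ldaps:// or 'ssl on', assumed convention) and 389 for
    plain LDAP or StartTLS, which upgrades the plain connection in place."""
    parts = urlsplit(conf.get("uri", ""))
    if parts.port:
        return parts.port
    if parts.scheme == "ldaps" or conf.get("ssl") == "on":
        return 636
    return 389


def check_conf(text, cert):
    """Return (ok, reason) describing whether TLS peer checking would pass."""
    conf = parse_ldap_conf(text)
    mode = conf.get("ssl", "off")
    port = expected_port(conf)
    if mode == "off":
        return True, "TLS not enabled on port %d; certificate names not checked" % port
    if conf.get("tls_checkpeer", "yes") == "no":  # 'yes' assumed as the default
        return True, "tls_checkpeer no: certificate not verified (weak setting)"
    host = urlsplit(conf.get("uri", "")).hostname or ""
    if hostname_matches(cert, host):
        return True, "ssl %s on port %d: host %r matches the certificate" % (mode, port, host)
    return False, "ssl %s on port %d: host %r does not match certificate names %r" % (
        mode, port, host, cert_names(cert)[0])


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(label, check_conf(conf, SAMPLE_CERT))
```

Running the block prints a failure for the original configuration (`'127.0.0.1'` against a certificate naming `fds.true.co.uk`) and a pass once the URI uses the FQDN, which is the change the poster reported as working. Note that turning `tls_checkpeer` off would also make the error disappear, but only by skipping verification of who the client is talking to; fixing the URI, or issuing the server a certificate whose SAN includes the IP address, keeps the check intact.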