From: fedora-directory-users-request@redhat.com Reply-To: fedora-directory-users@redhat.com To: fedora-directory-users@redhat.com Subject: Fedora-directory-users Digest, Vol 19, Issue 3 Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST)
Send Fedora-directory-users mailing list submissions to fedora-directory-users@redhat.com
To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/fedora-directory-users or, via email, send a message with subject or body 'help' to fedora-directory-users-request@redhat.com
You can reach the person managing the list at fedora-directory-users-owner@redhat.com
When replying, please edit your Subject line so it is more specific than "Re: Contents of Fedora-directory-users digest..."
Today's Topics:
- Re: RE: Fedora-directory-users Digest, Vol 19, Issue 1 (Richard Megginson)
- Re: AD + FDS sync stops working? (To Ngan)
- Re: Memory usage (koniczynek)
Message: 1 Date: Fri, 01 Dec 2006 12:55:24 -0700 From: Richard Megginson rmeggins@redhat.com Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1 To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 457088AC.1030004@redhat.com Content-Type: text/plain; charset="iso-8859-1"
t b wrote:
My logs seem to indicate that the connection is being encrypted; I can ssh to a client server and get the password prompt, but when I enter the password it just returns me to the password prompt again
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
All of this means the client was able to successfully perform the startTLS extended operation and start using SSL.
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
The UNBIND means the client had a problem and closed the connection. Does the client print any errors? Are there any messages in the server error log?
On the client server it shows:
sshd[24149]: Failed password for invalid user xxxxx from xxx.xxx.xxx.xxx port xxx ssh2
If I disable TLS everything works fine, the client server can query the FDS and auth the client properly
I am not sure if the problem has to do with the pam_ldap not properly formatted or the cert file not in proper format
Does anyone have an example of what the pam_ldap config should look like, or suggestions on checking whether the cert file is in the proper format?
I'm not sure. PAM needs the ca cert of the CA that issued the directory server server cert. See http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
That was the info I used to do the SSL setup, but I only see a part of the log output they indicated,
Their logs,
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
My Logs,
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
For some reason my setup dies just before querying the FDS to determine user details
Do you know of any tests that I can run just on the client server to determine proper configuration?
Also what's the UNBIND shown in the logs?
Thanks
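The access-log reading in this reply (startTLS succeeds, the connection goes to SSL, then either a BIND/SRCH follows or the client unbinds first) can be mechanised. This is an added example, not code from the thread or from Fedora Directory Server; the log text is constructed to mirror the lines quoted above, with made-up addresses.

```python
import re

# Constructed sample modelled on the thread's access-log lines: conn=757 is
# the failing pattern (TLS up, then UNBIND with no BIND), conn=758 is the
# expected pattern from the Howto:SSL page (TLS up, anonymous BIND, SRCH).
SAMPLE_LOG = """\
[04/Dec/2006:14:35:52 -0500] conn=757 fd=71 slot=71 connection from 10.0.0.5 to 10.0.0.1
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
[04/Dec/2006:14:36:10 -0500] conn=758 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Dec/2006:14:36:10 -0500] conn=758 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Dec/2006:14:36:10 -0500] conn=758 SSL 256-bit AES
[04/Dec/2006:14:36:10 -0500] conn=758 op=1 BIND dn="" method=128 version=3
[04/Dec/2006:14:36:10 -0500] conn=758 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[04/Dec/2006:14:36:10 -0500] conn=758 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) (.*)$')
STARTTLS_OID = '1.3.6.1.4.1.1466.20037'  # startTLS extended operation OID


def parse_connections(text):
    """Group access-log events by connection id, keeping their order."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.setdefault(int(m.group(1)), []).append(m.group(2))
    return conns


def classify(events):
    """Label one connection by how far its TLS + auth flow got."""
    tls_requested = any(f'oid="{STARTTLS_OID}"' in e for e in events)
    tls_up = any(e.startswith('SSL ') for e in events)   # "SSL 256-bit AES"
    did_bind = any(' BIND ' in e for e in events)
    did_search = any(' SRCH ' in e for e in events)
    if tls_requested and not tls_up:
        return 'starttls-failed'            # server-side TLS problem
    if tls_up and not did_bind:
        # TLS came up, then the client unbound without binding: the server
        # is fine, so check the client (e.g. its trust of the CA cert).
        return 'tls-ok-client-aborted'
    if did_bind and did_search:
        return 'tls-ok-auth-flow' if tls_up else 'cleartext-auth-flow'
    return 'other'


def summarize(text):
    """Map each connection id in an access log to its classification."""
    return {c: classify(ev) for c, ev in parse_connections(text).items()}
```

Running summarize over the constructed sample flags conn=757 as the client-side abort the reply describes and conn=758 as a healthy TLS auth flow.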
From: fedora-directory-users-request@redhat.com Reply-To: fedora-directory-users@redhat.com To: fedora-directory-users@redhat.com Subject: Fedora-directory-users Digest, Vol 19, Issue 1 Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
Today's Topics:
- pam_ldap with SSL/TLS (t b)
- RE: pam_ldap with SSL/TLS (Morris, Patrick)
- Re: pam_ldap with SSL/TLS (Richard Megginson)
- Problem with SSL console in X in specific circumstances (Philip Kime)
- FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS (Paxton, Darren)
- alias in fedora directory server (patrick ndjientcheu ngandjui)
- Re: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS (Nicholas Byrne)
- Re: Memory usage (koniczynek)
- Re: Memory usage (David Boreham)
- Re: Memory usage (koniczynek)
Message: 1 Date: Thu, 30 Nov 2006 12:31:50 -0500 From: "t b" mxheadroom@hotmail.com Subject: [Fedora-directory-users] pam_ldap with SSL/TLS To: fedora-directory-users@redhat.com Message-ID: BAY116-F322745E96D702ED748B1D0CDDB0@phx.gbl Content-Type: text/plain; format=flowed
I am trying to setup pam_ldap to use TLS to communicate with the FDS, but having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps ( port 636 )
I used the instructions at, http://directory.fedora.redhat.com/wiki/Howto:PAM
Has anyone gotten PAM to work with TLS?
Thanks
Message: 2 Date: Thu, 30 Nov 2006 13:00:56 -0500 From: "Morris, Patrick" patrick.morris@hp.com Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: CD18C81835E18A40A64C4A0D16A237BE05FE850D@ATAEXC01.americas.cpqcorp.net Content-Type: text/plain; charset="US-ASCII"
I am trying to setup pam_ldap to use TLS to communicate with the FDS, but having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps ( port 636 )
Someone should jump in here and correct me if I'm wrong, but I believe it's normal for TLS connections to happen on the standard LDAP port. You should be able to tell from your logs whether the connection is encrypted or not.
Message: 3 Date: Thu, 30 Nov 2006 11:08:08 -0700 From: Richard Megginson rmeggins@redhat.com Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 456F1E08.40601@redhat.com Content-Type: text/plain; charset="iso-8859-1"
Morris, Patrick wrote:
I am trying to setup pam_ldap to use TLS to communicate with the FDS, but having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps ( port 636 )
Someone should jump in here and correct me if I'm wrong, but I believe it's normal for TLS connections to happen on the standard LDAP port. You should be able to tell from your logs whether the connection is encrypted or not.
Yes. The LDAP "preferred" way is to use the startTLS extended operation, which starts a TLS session on the non-secure port. This will be logged in the access log.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users