OMG please remove unnecessary information from the post, because now it's
hard to find what you wrote! And this happens in all of your posts ;) so
please, for clarity and for future use (mailing list archive) ;)
Richard Megginson, on 2006-12-05 16:19, wrote:
> t b wrote:
>>> From: fedora-directory-users-request(a)redhat.com
>>> Reply-To: fedora-directory-users(a)redhat.com
>>> To: fedora-directory-users(a)redhat.com
>>> Subject: Fedora-directory-users Digest, Vol 19, Issue 3
>>> Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST)
>>> Message: 1
>>> Date: Fri, 01 Dec 2006 12:55:24 -0700
>>> From: Richard Megginson <rmeggins(a)redhat.com>
>>> Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users
>>> Digest, Vol 19, Issue 1
>>> To: "General discussion list for the Fedora Directory server project."
>>> <fedora-directory-users(a)redhat.com>
>>> Message-ID: <457088AC.1030004(a)redhat.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> t b wrote:
>>> > My logs seem to indicate that the connection is being encrypted; I can
>>> > ssh to a client server and get the password prompt, but when I enter
>>> > the password it just returns me to the password prompt again
>>> >
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from
>>> > xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT
>>> > oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120
>>> > nentries=0 etime=0
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
>>> All of this means the client was able to successfully perform the
>>> startTLS extended operation and start using SSL.
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
>>> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
>>> The UNBIND means the client had a problem and closed the connection.
>>> Does the client print any errors? Are there any messages in the server
>>> error log?
>>
>> On the client server it shows,
>>
>> sshd[24149]: Failed password for invalid user xxxxx from
>> xxx.xxx.xxx.xxx port xxx ssh2
>>
>>> >
>>> > If I disable TLS everything works fine, the client server can query
>>> > the FDS and auth the client properly
>>> >
>>> > I am not sure if the problem has to do with the pam_ldap not properly
>>> > formatted or the cert file not in proper format
>>> >
>>> > Does anyone have an example of what the pam_ldap config should look
>>> > like? or suggestions on checking whether the cert file is in proper
>>> > format
>>> I'm not sure. PAM needs the ca cert of the CA that issued the directory
>>> server server cert. See
>>> http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
>>> >
>>
>> That was the info I used to do the SSL setup, but I only see a part of
>> the log output they indicated,
>>
>> Their logs,
>>
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT
>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120
>> nentries=0 etime=0
>> [18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97
>> nentries=0 etime=0 dn=""
>> [18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com"
>> scope=2 filter="(uid=testuser)" attrs=ALL
>>
>> My Logs,
>>
>> [04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT
>> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
>> [04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120
>> nentries=0 etime=0
>> [04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
>> [04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
>> [04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
>>
>> For some reason my setup dies just before querying the FDS to
>> determine user details
>>
>> Do you know of any tests that I can run just on the client server to
>> determine proper configuration?
> Firstly, try /usr/bin/ldapsearch to see if you can use startTLS and bind
> as your user.
>>
>>> > Also what's the UNBIND shown in the logs?
>>> >
>>> > Thanks
>>> >
>>> >> From: fedora-directory-users-request(a)redhat.com
>>> >> Reply-To: fedora-directory-users(a)redhat.com
>>> >> To: fedora-directory-users(a)redhat.com
>>> >> Subject: Fedora-directory-users Digest, Vol 19, Issue 1
>>> >> Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
>>> >>
>>> >> Message: 1
>>> >> Date: Thu, 30 Nov 2006 12:31:50 -0500
>>> >> From: "t b" <mxheadroom(a)hotmail.com>
>>> >> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
>>> >> To: fedora-directory-users(a)redhat.com
>>> >> Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0(a)phx.gbl>
>>> >> Content-Type: text/plain; format=flowed
>>> >>
>>> >> I am trying to setup pam_ldap to use TLS to communicate with the FDS,
>>> >> but having lots of problems doing so; it works if I use the unencrypted
>>> >> way but not if I use ldaps ( port 636 )
>>> >>
>>> >> I used the instructions at,
>>> >>
>>> >> http://directory.fedora.redhat.com/wiki/Howto:PAM
>>> >>
>>> >> Has anyone gotten PAM to work with TLS?
>>> >>
>>> >>
>>> >> Thanks
>>> >>
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 2
>>> >> Date: Thu, 30 Nov 2006 13:00:56 -0500
>>> >> From: "Morris, Patrick" <patrick.morris(a)hp.com>
>>> >> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
>>> >> To: "General discussion list for the Fedora Directory server project."
>>> >> <fedora-directory-users(a)redhat.com>
>>> >> Message-ID: <CD18C81835E18A40A64C4A0D16A237BE05FE850D(a)ATAEXC01.americas.cpqcorp.net>
>>> >> Content-Type: text/plain; charset="US-ASCII"
>>> >>
>>> >> > I am trying to setup pam_ldap to use TLS to communicate with
>>> >> > the FDS, but having lots of problems doing so; it works if I
>>> >> > use the unencrypted way but not if I use ldaps ( port 636 )
>>> >>
>>> >> Someone should jump in here and correct me if I'm wrong, but I believe
>>> >> it's normal for TLS connections to happen on the standard LDAP port.
>>> >> You should be able to tell from your logs whether the connection is
>>> >> encrypted or not.
>>> >>
>>> >> ------------------------------
>>> >>
>>> >> Message: 3
>>> >> Date: Thu, 30 Nov 2006 11:08:08 -0700
>>> >> From: Richard Megginson <rmeggins(a)redhat.com>
>>> >> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
>>> >> To: "General discussion list for the Fedora Directory server project."
>>> >> <fedora-directory-users(a)redhat.com>
>>> >> Message-ID: <456F1E08.40601(a)redhat.com>
>>> >> Content-Type: text/plain; charset="iso-8859-1"
>>> >>
>>> >> Morris, Patrick wrote:
>>> >> >> I am trying to setup pam_ldap to use TLS to communicate with
>>> >> >> the FDS, but having lots of problems doing so; it works if I
>>> >> >> use the unencrypted way but not if I use ldaps ( port 636 )
>>> >> >>
>>> >> >
>>> >> > Someone should jump in here and correct me if I'm wrong, but I believe
>>> >> > it's normal for TLS connections to happen on the standard LDAP port.
>>> >> > You should be able to tell from your logs whether the connection is
>>> >> > encrypted or not.
>>> >> >
>>> >> Yes. The LDAP "preferred" way is to use the startTLS extended operation
>>> >> which starts a TLS session on the non-secure port. This will be logged
>>> >> in the access log.
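As an added aid for reading the access-log traces in this thread (my own Python, not code from the thread or from Fedora Directory Server), this groups the quoted log lines by connection and reports whether startTLS succeeded and whether the client then went on to BIND, so the Howto's healthy conn=4 trace and the poster's conn=757 trace, which closes right after TLS, are told apart mechanically. The sample log is constructed from the lines quoted above; the verdict strings are my own naming.

```python
import re
# Constructed sample: access-log lines copied from the thread. conn=4 is the Howto's
# working trace, conn=757 is the poster's client that hangs up right after TLS.
SAMPLE_LOG = """\
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
"""
LINE_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) (.*)$")
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
def parse(log_text):
    conns = {}  # conn id -> list of event text, in log order
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.setdefault(m.group(1), []).append(m.group(2))
    return conns

def starttls_result(events):
    """err= of the RESULT answering the startTLS EXT op, or None if never requested."""
    for i, e in enumerate(events):
        if e.startswith("op=") and 'oid="%s"' % STARTTLS_OID in e:
            op = e.split()[0]  # e.g. "op=0"; its RESULT line carries the same op number
            for later in events[i + 1:]:
                if later.startswith(op + " RESULT"):
                    m = re.search(r"err=(\d+)", later)
                    return int(m.group(1)) if m else None
    return None

def classify(events):
    """Verdict for one connection: did TLS come up, and did the client go on to BIND?"""
    err = starttls_result(events)
    if err is None or err != 0:
        return "no-starttls" if err is None else "starttls-err-%d" % err
    if not any(e.startswith("SSL ") for e in events):
        return "starttls-no-ssl"  # RESULT ok but no cipher line: handshake never completed
    if any(" BIND " in e for e in events):
        return "tls-ok-bind"  # the Howto's healthy trace
    if any(e.endswith(" UNBIND") for e in events):
        return "tls-ok-client-unbound"  # TLS fine; client closed before binding
    return "tls-ok-no-bind"
def triage(log_text):
    return {conn: classify(ev) for conn, ev in parse(log_text).items()}
```

A "tls-ok-client-unbound" verdict points at the client side (for example the CA certificate pam_ldap is given), not at the server's TLS setup, which is exactly what the thread concludes from the same lines.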