Hi
I've enabled TLS and am getting below error msg's in /var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable sshd[5487]: Invalid user test3 from 192.168.1.1 sshd[5488]: input_userauth_request: invalid user test3 sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable sshd[5487]: pam_unix(sshd:auth): check pass; user unknown sshd[5487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable sshd[5487]: pam_succeed_if(sshd:auth): error retrieving information about user test3 sshd[5487]: Failed password for invalid user test3 from 192.168.1.1 port 38489 ssh2
/etc/ldap.conf file on Fedora 9, (FDS server ) shows as :- base dc=true,dc=co,dc=uk timelimit 30 bind_timelimit 30 bind_policy soft nss_reconnect_tries 2 idle_timelimit 3600 pam_filter objectclass=posixAccount nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polk ituser ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.asc pam_password md5 uri ldap://127.0.0.1/ tls_cacertdir /etc/openldap/cacerts
# authconfig --test caching is disabled nss_files is always enabled nss_compat is disabled nss_db is disabled nss_hesiod is disabled hesiod LHS = "" hesiod RHS = "" nss_ldap is enabled LDAP+TLS is enabled LDAP server = "ldap://127.0.0.1/" LDAP base DN = "dc=true,dc=co,dc=uk" """" """""" pam_ldap is enabled LDAP+TLS is enabled LDAP server = "ldap://127.0.0.1/" LDAP base DN = "dc=true,dc=co,dc=uk" "" """ """ "" pam_cracklib is enabled (try_first_pass retry=3) pam_passwdqc is disabled () pam_access is disabled () pam_mkhomedir is disabled () Always authorize local users is disabled () Authenticate system accounts against network services is disabled
Please advice on how to resolve, so am able to ssh onto FDS server running TLS. I've already run setupssl2.sh script from
Thanks in advance..
Regards Dharmin _________________________________________________________________ Keep your kids safer online with Windows Live Family Safety. http://www.windowslive.com/family_safety/overview.html?ocid=TXT_TAGLM_WL_fam...
On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
I've enabled TLS and am getting below error msg's in /var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
[snip]
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
[snip]
/etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.asc pam_password md5 uri ldap://127.0.0.1/ tls_cacertdir /etc/openldap/cacerts
If you're using SSL or TLS, the LDAP client library is going to compare the names in the certificate that the server uses against the value that was given in the client's configuration (in this case "127.0.0.1"), and it looks like they're not matching up here.
Typically the certificate uses an actual hostname as a "CN" value in its subject, so you'd need to specify the server URI using a hostname rather than an IP address to make sure that they match.
If that's not what's going on here, please post a copy of the certificate that the server's using so that we can have a look.
HTH,
Nalin
Hello Nalin
Many Thanks...
replaced with FQDN instead of 127.0.0.1 and works fine.
Thanks for a quick reply.
Regards Dharmin
----------------------------------------
Date: Thu, 24 Jul 2008 11:26:46 -0400 From: nalin@redhat.com To: dharmin98@hotmail.com CC: fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] TLS Issue
On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
I've enabled TLS and am getting below error msg's in /var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
[snip]
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
[snip]
/etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.asc pam_password md5 uri ldap://127.0.0.1/ tls_cacertdir /etc/openldap/cacerts
If you're using SSL or TLS, the LDAP client library is going to compare the names in the certificate that the server uses against the value that was given in the client's configuration (in this case "127.0.0.1"), and it looks like they're not matching up here.
Typically the certificate uses an actual hostname as a "CN" value in its subject, so you'd need to specify the server URI using a hostname rather than an IP address to make sure that they match.
If that's not what's going on here, please post a copy of the certificate that the server's using so that we can have a look.
HTH,
Nalin
_________________________________________________________________ Time for vacation? WIN what you need- enter now! http://www.gowindowslive.com/summergiveaway/?ocid=tag_jlyhm
Hello Nalin and all
I just added "ssl on" to below /etc/ldap.conf file and get below error msg in var/log/secure file :-
sshd[6212]: pam_unix(sshd:session): session closed for user test1 sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1 sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2 sshd[6248]: pam_unix(sshd:session): session opened for user test1 by (uid=0) sshd[6248]: pam_unix(sshd:session): session closed for user test1 sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1 sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server shd[6284]: pam_ldap: reconnecting to LDAP server... sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
With "ssl on" in ldap.conf, am unable to login via ssh
any helpers please...
regards Dharmin
----------------------------------------
Date: Thu, 24 Jul 2008 11:26:46 -0400 From: nalin@redhat.com To: dharmin98@hotmail.com CC: fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] TLS Issue
On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
I've enabled TLS and am getting below error msg's in /var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
[snip]
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
[snip]
/etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.asc pam_password md5 uri ldap://127.0.0.1/ tls_cacertdir /etc/openldap/cacerts
If you're using SSL or TLS, the LDAP client library is going to compare the names in the certificate that the server uses against the value that was given in the client's configuration (in this case "127.0.0.1"), and it looks like they're not matching up here.
Typically the certificate uses an actual hostname as a "CN" value in its subject, so you'd need to specify the server URI using a hostname rather than an IP address to make sure that they match.
If that's not what's going on here, please post a copy of the certificate that the server's using so that we can have a look.
HTH,
Nalin
_________________________________________________________________ Use video conversation to talk face-to-face with Windows Live Messenger. http://www.windowslive.com/messenger/connect_your_way.html?ocid=TXT_TAGLM_WL...
Hi,
Can you check What happens if you specify
ssl start_tls
instead of "ssl on"
Regards Niranjan
On Thu, Jul 24, 2008 at 9:29 PM, Dharmin Mandalia dharmin98@hotmail.com wrote:
Hello Nalin and all
I just added "ssl on" to below /etc/ldap.conf file and get below error msg in var/log/secure file :-
sshd[6212]: pam_unix(sshd:session): session closed for user test1 sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1 sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2 sshd[6248]: pam_unix(sshd:session): session opened for user test1 by (uid=0) sshd[6248]: pam_unix(sshd:session): session closed for user test1 sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1 sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server shd[6284]: pam_ldap: reconnecting to LDAP server... sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
With "ssl on" in ldap.conf, am unable to login via ssh
any helpers please...
regards Dharmin
Date: Thu, 24 Jul 2008 11:26:46 -0400 From: nalin@redhat.com To: dharmin98@hotmail.com CC: fedora-directory-users@redhat.com Subject: Re: [Fedora-directory-users] TLS Issue
On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
I've enabled TLS and am getting below error msg's in /var/log/secure
file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
[snip]
sshd[5487]: nss_ldap: could not search LDAP server - Server is
unavailable
[snip]
/etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.asc pam_password md5 uri ldap://127.0.0.1/ tls_cacertdir /etc/openldap/cacerts
If you're using SSL or TLS, the LDAP client library is going to compare the names in the certificate that the server uses against the value that was given in the client's configuration (in this case "127.0.0.1"), and it looks like they're not matching up here.
Typically the certificate uses an actual hostname as a "CN" value in its subject, so you'd need to specify the server URI using a hostname rather than an IP address to make sure that they match.
If that's not what's going on here, please post a copy of the certificate that the server's using so that we can have a look.
HTH,
Nalin
Use video conversation to talk face-to-face with Windows Live Messenger.
http://www.windowslive.com/messenger/connect_your_way.html?ocid=TXT_TAGLM_WL...
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
389-users@lists.fedoraproject.org