10:11 a.m.
Hi
I've enabled TLS and am getting below error msg's in /var/log/secure file on
Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS
server and with TLS enabled unable to login via ssh.
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: Invalid user test3 from 192.168.1.1
sshd[5488]: input_userauth_request: invalid user test3
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: pam_unix(sshd:auth): check pass; user unknown
sshd[5487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=192.168.1.1
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: pam_succeed_if(sshd:auth): error retrieving information about user test3
sshd[5487]: Failed password for invalid user test3 from 192.168.1.1 port 38489 ssh2
/etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
base dc=true,dc=co,dc=uk
timelimit 30
bind_timelimit 30
bind_policy soft
nss_reconnect_tries 2
idle_timelimit 3600
pam_filter objectclass=posixAccount
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polk
ituser
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.asc
pam_password md5
uri ldap://127.0.0.1/
tls_cacertdir /etc/openldap/cacerts
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap://127.0.0.1/"
LDAP base DN = "dc=true,dc=co,dc=uk"
"""" """"""
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap://127.0.0.1/"
LDAP base DN = "dc=true,dc=co,dc=uk"
"" """ """ ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled
Please advice on how to resolve, so am able to ssh onto FDS server running TLS. I've
already run setupssl2.sh script from
Thanks in advance..
Regards
Dharmin
_________________________________________________________________
Keep your kids safer online with Windows Live Family Safety.
http://www.windowslive.com/family_safety/overview.html?ocid=TXT_TAGLM_WL_...
10:26 a.m.
On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
I've enabled TLS and am getting below error msg's in
/var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am
able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
[snip]
sshd[5487]: nss_ldap: could not search LDAP server - Server is
unavailable
[snip]
/etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.asc
pam_password md5
uri ldap://127.0.0.1/
tls_cacertdir /etc/openldap/cacerts
If you're using SSL or TLS, the LDAP client library is going to compare
the names in the certificate that the server uses against the value that
was given in the client's configuration (in this case "127.0.0.1"), and
it looks like they're not matching up here.
Typically the certificate uses an actual hostname as a "CN" value in its
subject, so you'd need to specify the server URI using a hostname rather
than an IP address to make sure that they match.
If that's not what's going on here, please post a copy of the
certificate that the server's using so that we can have a look.
HTH,
Nalin
10:33 a.m.
Hello Nalin
Many Thanks...
replaced with FQDN instead of 127.0.0.1 and works fine.
Thanks for a quick reply.
Regards
Dharmin
----------------------------------------
Date: Thu, 24 Jul 2008 11:26:46 -0400
From: nalin(a)redhat.com
To: dharmin98(a)hotmail.com
CC: fedora-directory-users(a)redhat.com
Subject: Re: [Fedora-directory-users] TLS Issue
On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> I've enabled TLS and am getting below error msg's in /var/log/secure file on
Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS
server and with TLS enabled unable to login via ssh.
[snip]
> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
[snip]
> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cacerts/cacert.asc
> pam_password md5
> uri ldap://127.0.0.1/
> tls_cacertdir /etc/openldap/cacerts
If you're using SSL or TLS, the LDAP client library is going to compare
the names in the certificate that the server uses against the value that
was given in the client's configuration (in this case "127.0.0.1"), and
it looks like they're not matching up here.
Typically the certificate uses an actual hostname as a "CN" value in its
subject, so you'd need to specify the server URI using a hostname rather
than an IP address to make sure that they match.
If that's not what's going on here, please post a copy of the
certificate that the server's using so that we can have a look.
HTH,
Nalin
_________________________________________________________________
Time for vacation? WIN what you need- enter now!
http://www.gowindowslive.com/summergiveaway/?ocid=tag_jlyhm
10:59 a.m.
Hello Nalin and all
I just added "ssl on" to below /etc/ldap.conf file and get below error msg in
var/log/secure file :-
sshd[6212]: pam_unix(sshd:session): session closed for user test1
sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=192.168.1.1 user=test1
sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
sshd[6248]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
sshd[6248]: pam_unix(sshd:session): session closed for user test1
sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh
ruser= rhost=192.168.1.1 user=test1
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
shd[6284]: pam_ldap: reconnecting to LDAP server...
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
With "ssl on" in ldap.conf, am unable to login via ssh
any helpers please...
regards
Dharmin
----------------------------------------
Date: Thu, 24 Jul 2008 11:26:46 -0400
From: nalin(a)redhat.com
To: dharmin98(a)hotmail.com
CC: fedora-directory-users(a)redhat.com
Subject: Re: [Fedora-directory-users] TLS Issue
On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> I've enabled TLS and am getting below error msg's in /var/log/secure file on
Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS
server and with TLS enabled unable to login via ssh.
[snip]
> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
[snip]
> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cacerts/cacert.asc
> pam_password md5
> uri ldap://127.0.0.1/
> tls_cacertdir /etc/openldap/cacerts
If you're using SSL or TLS, the LDAP client library is going to compare
the names in the certificate that the server uses against the value that
was given in the client's configuration (in this case "127.0.0.1"), and
it looks like they're not matching up here.
Typically the certificate uses an actual hostname as a "CN" value in its
subject, so you'd need to specify the server URI using a hostname rather
than an IP address to make sure that they match.
If that's not what's going on here, please post a copy of the
certificate that the server's using so that we can have a look.
HTH,
Nalin
_________________________________________________________________
Use video conversation to talk face-to-face with Windows Live Messenger.
http://www.windowslive.com/messenger/connect_your_way.html?ocid=TXT_TAGLM...
11:15 a.m.
Hi,
Can you check What happens if you specify
ssl start_tls
instead of "ssl on"
Regards
Niranjan
On Thu, Jul 24, 2008 at 9:29 PM, Dharmin Mandalia <dharmin98(a)hotmail.com>
wrote:
Hello Nalin and all
I just added "ssl on" to below /etc/ldap.conf file and get below error
msg in var/log/secure file :-
sshd[6212]: pam_unix(sshd:session): session closed for user test1
sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0
euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
sshd[6248]: pam_unix(sshd:session): session opened for user test1 by
(uid=0)
sshd[6248]: pam_unix(sshd:session): session closed for user test1
sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0
euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
shd[6284]: pam_ldap: reconnecting to LDAP server...
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2
With "ssl on" in ldap.conf, am unable to login via ssh
any helpers please...
regards
Dharmin
----------------------------------------
> Date: Thu, 24 Jul 2008 11:26:46 -0400
> From: nalin(a)redhat.com
> To: dharmin98(a)hotmail.com
> CC: fedora-directory-users(a)redhat.com
> Subject: Re: [Fedora-directory-users] TLS Issue
>
> On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
>> I've enabled TLS and am getting below error msg's in /var/log/secure
file on Fedora 9, which is my newly configured FDS , if disable TLS , am
able to ssh onto the FDS server and with TLS enabled unable to login via
ssh.
> [snip]
>> sshd[5487]: nss_ldap: could not search LDAP server - Server is
unavailable
> [snip]
>> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
> [snip]
>> ssl start_tls
>> tls_checkpeer yes
>> tls_cacertfile /etc/openldap/cacerts/cacert.asc
>> pam_password md5
>> uri ldap://127.0.0.1/
>> tls_cacertdir /etc/openldap/cacerts
>
> If you're using SSL or TLS, the LDAP client library is going to compare
> the names in the certificate that the server uses against the value that
> was given in the client's configuration (in this case "127.0.0.1"),
and
> it looks like they're not matching up here.
>
> Typically the certificate uses an actual hostname as a "CN" value in its
> subject, so you'd need to specify the server URI using a hostname rather
> than an IP address to make sure that they match.
>
> If that's not what's going on here, please post a copy of the
> certificate that the server's using so that we can have a look.
>
> HTH,
>
> Nalin
_________________________________________________________________
Use video conversation to talk face-to-face with Windows Live Messenger.
http://www.windowslive.com/messenger/connect_your_way.html?ocid=TXT_TAGLM...
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
5748
days inactive
5748
days old
389-users@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Dharmin Mandalia -
mallapadi niranjan -
Nalin Dahyabhai