Old 07-24-2008, 03:11 PM
Dharmin Mandalia
 
Default TLS Issue

Hi

I've enabled TLS and am getting the below error messages in the /var/log/secure file on Fedora 9, which is my newly configured FDS. If I disable TLS, I am able to ssh onto the FDS server; with TLS enabled I am unable to log in via ssh.

sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: Invalid user test3 from 192.168.1.1
sshd[5488]: input_userauth_request: invalid user test3
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: pam_unix(sshd:auth): check pass; user unknown
sshd[5487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1
sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
sshd[5487]: pam_succeed_if(sshd:auth): error retrieving information about user test3
sshd[5487]: Failed password for invalid user test3 from 192.168.1.1 port 38489 ssh2


/etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
base dc=true,dc=co,dc=uk
timelimit 30
bind_timelimit 30
bind_policy soft
nss_reconnect_tries 2
idle_timelimit 3600
pam_filter objectclass=posixAccount
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.asc
pam_password md5
uri ldap://127.0.0.1/
tls_cacertdir /etc/openldap/cacerts


# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap://127.0.0.1/"
LDAP base DN = "dc=true,dc=co,dc=uk"
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap://127.0.0.1/"
LDAP base DN = "dc=true,dc=co,dc=uk"
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled


Please advise on how to resolve this, so I am able to ssh onto the FDS server running TLS. I've already run the setupssl2.sh script from

Thanks in advance..

Regards
Dharmin

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
Old 07-24-2008, 03:26 PM
Nalin Dahyabhai
 
Default TLS Issue

On Thu, Jul 24, 2008 at 03:11:59PM +0000, Dharmin Mandalia wrote:
> I've enabled TLS and am getting below error msg's in /var/log/secure file on Fedora 9, which is my newly configured FDS , if disable TLS , am able to ssh onto the FDS server and with TLS enabled unable to login via ssh.
[snip]
> sshd[5487]: nss_ldap: could not search LDAP server - Server is unavailable
[snip]
> /etc/ldap.conf file on Fedora 9, (FDS server ) shows as :-
[snip]
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cacerts/cacert.asc
> pam_password md5
> uri ldap://127.0.0.1/
> tls_cacertdir /etc/openldap/cacerts

If you're using SSL or TLS, the LDAP client library is going to compare
the names in the certificate that the server uses against the value that
was given in the client's configuration (in this case "127.0.0.1"), and
it looks like they're not matching up here.

Typically the certificate uses an actual hostname as a "CN" value in its
subject, so you'd need to specify the server URI using a hostname rather
than an IP address to make sure that they match.

If that's not what's going on here, please post a copy of the
certificate that the server's using so that we can have a look.

HTH,

Nalin

 
Old 07-24-2008, 03:33 PM
Dharmin Mandalia
 
Default TLS Issue

Hello Nalin

Many Thanks...

Replaced 127.0.0.1 with the FQDN and it works fine.

Thanks for a quick reply.

Regards
Dharmin



 
Old 07-24-2008, 03:59 PM
Dharmin Mandalia
 
Default TLS Issue

Hello Nalin and all

I just added "ssl on" to the /etc/ldap.conf file and get the below error messages in the /var/log/secure file :-


sshd[6212]: pam_unix(sshd:session): session closed for user test1
sshd[6248]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
sshd[6248]: Accepted password for test1 from 192.168.1.1 port 47171 ssh2
sshd[6248]: pam_unix(sshd:session): session opened for user test1 by (uid=0)
sshd[6248]: pam_unix(sshd:session): session closed for user test1
sshd[6284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.1 user=test1
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
sshd[6284]: pam_ldap: reconnecting to LDAP server...
sshd[6284]: pam_ldap: ldap_simple_bind Can't contact LDAP server
sshd[6284]: Failed password for test1 from 192.168.1.1 port 47172 ssh2

With "ssl on" in ldap.conf, I am unable to log in via ssh.

Any help, please...

regards
Dharmin



 
Old 07-24-2008, 04:15 PM
"mallapadi niranjan"
 
Default TLS Issue

Hi,

Can you check what happens if you specify

ssl start_tls

instead of "ssl on"

Regards
Niranjan


 
Old 07-25-2008, 08:02 AM
Dharmin Mandalia
 
Default TLS Issue

Hello

I commented out "ssl start_tls" and added "ssl on" in the ldap.conf file, and get the below errors in the /var/log/secure file :-


Jul 24 15:55:40 matrix sshd[2480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=matrix.trues.co.uk user=test1
Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: reconnecting to LDAP server...
Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 24 15:55:42 matrix sshd[2480]: Failed password for test1 from 192.168.1.129 port 59436 ssh2


The server matrix is the FDS. What I did was, from the FDS, "ssh matrix.trues.co.uk -l test1", where the user test1 exists in the LDAP directory.

Regards
Dharmin



 
Old 07-26-2008, 06:13 AM
"mallapadi niranjan"
 
Default TLS Issue

On Fri, Jul 25, 2008 at 1:32 PM, Dharmin Mandalia <dharmin98@hotmail.com> wrote:

> Hello
>
> I commented out "ssl start_tls" and added "ssl on" in the ldap.conf file, and get the below errors in the /var/log/secure file :-
>
> Jul 24 15:55:40 matrix sshd[2480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=matrix.trues.co.uk user=test1
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: reconnecting to LDAP server...
> Jul 24 15:55:40 matrix sshd[2480]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 24 15:55:42 matrix sshd[2480]: Failed password for test1 from 192.168.1.129 port 59436 ssh2

What do you see in the FDS logs (tail /var/log/dirsrv/slapd-<instance-name>/access)?
Can you check the basic things:

1. Is the Directory Server running on port 636 (netstat -tlnp | grep 636)?

2. If you do ldapsearch -x -ZZ -b "your basedn", are you able to search?

3. Do getent passwd and getent group enumerate users on the client?

Regards
Niranjan
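Nalin's point earlier in the thread (the client compares the host it was configured with, "127.0.0.1", against the names in the server certificate) and Niranjan's port 636 check, as one added Python example that is not code from the thread or from Fedora Directory Server: it parses the relevant /etc/ldap.conf directives, works out which endpoint and TLS mode they imply, and runs an RFC 6125-style name check against a constructed certificate issued to matrix.trues.co.uk. The port mapping (ssl on = LDAP-over-SSL on 636, ssl start_tls = StartTLS on 389) is my assumption, and the certificate dict is constructed in the shape ssl.SSLSocket.getpeercert() returns.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed peer certificate in the shape ssl.SSLSocket.getpeercert()
# returns: issued to the FDS hostname from the thread, with no IP SAN.
SERVER_CERT = {
    "subject": ((("commonName", "matrix.trues.co.uk"),),),
    "subjectAltName": (("DNS", "matrix.trues.co.uk"),),
}


def parse_ldap_conf(text):
    """Map directive -> value for the /etc/ldap.conf directives used here."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(None, 1)
            conf[fields[0].lower()] = fields[1] if len(fields) > 1 else ""
    return conf


def expected_endpoint(conf):
    """Host, port and TLS mode the client will use.  Assumption, not stated
    in the thread: 'ssl on' means LDAP-over-SSL on 636 unless the URI names
    a port; 'ssl start_tls' means StartTLS on the plain LDAP port 389."""
    parts = urlsplit(conf.get("uri", "ldap://localhost/"))
    mode = conf.get("ssl", "no").lower()
    if mode == "on" or parts.scheme == "ldaps":
        default_port, tls = 636, "ldaps"
    elif mode == "start_tls":
        default_port, tls = 389, "starttls"
    else:
        default_port, tls = 389, "none"
    return parts.hostname, parts.port or default_port, tls


def cert_matches_host(cert, host):
    """RFC 6125-style name check: a DNS host matches a SAN dNSName (or the
    subject CN only when no DNS SAN exists); an IP literal matches only an
    iPAddress SAN, never the CN.  This is why "127.0.0.1" fails here."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in sans)
    names = [v for t, v in sans if t == "DNS"] or [
        v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(n.lower() == host.lower() for n in names)


def check_config(text, cert=SERVER_CERT):
    """What a given ldap.conf would do against the FDS certificate."""
    conf = parse_ldap_conf(text)
    host, port, tls = expected_endpoint(conf)
    verify = conf.get("tls_checkpeer", "yes").lower() == "yes"
    name_ok = tls == "none" or not verify or cert_matches_host(cert, host)
    return {"host": host, "port": port, "tls": tls, "peer_name_ok": name_ok}
```

Feeding it the thread's original config (`uri ldap://127.0.0.1/`, `ssl start_tls`, `tls_checkpeer yes`) reports the name mismatch Nalin described, while the FQDN URI passes; switching to `ssl on` moves the expected port to 636, which is what Niranjan's netstat check looks for.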





 
