Date: Fri, 18 Mar 2011 19:27:55 +0100 From: "O. Hartmann" <ohartman@zedat.fu-berlin.de> To: Dan Nelson <dnelson@allantgroup.com> Cc: freebsd-questions@freebsd.org Subject: Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for Message-ID: <4D83A42B.5050701@zedat.fu-berlin.de> In-Reply-To: <20110318160257.GD44561@dan.emsphone.com> References: <4D833D3C.7080804@zedat.fu-berlin.de> <20110318160257.GD44561@dan.emsphone.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> UBUNTU 10.10 server (using openldap 2.4.23).
>>
>> Most of the installation on the Ubuntu server has been successfully done
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>>
>> From the Linux/Ubuntu server, I'm able to get all users and groups via
>> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
>> user is successfully.
>>
>> But when it comes to a login via sshd, login fails with this error
>> (loged on Linux Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
>
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.
Well,
in /etc/ldap.conf there is "ssl start_tls" and this should do the thing.
I use nearly exact the same configuration as I do on all the FreeBSD
boxes connecting to the same OpenLDAP server.
I tried issuing 'ldapsaerach -xZZ -h hostIP' and I get
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
looking deeper into the debug stuff with
'ldapsaerach -xZZ -h hostIP' I receive at the end
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)
Obviously, my certificate (self signed, openssl verify cacert.pem gives:
OK) isn't found or there is something wrong with it. The certificate is
located in /usr/local/etc/cacerts/cacert.pem and in Ubuntu's
/etc/ldap.conf there is this line:
tls_cacertfile usr/local/etc/cacerts/cacert.pem
is referring to the certificate.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D83A42B.5050701>