From owner-freebsd-questions@FreeBSD.ORG Fri Mar 18 18:27:57 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3B1B5106566C for ; Fri, 18 Mar 2011 18:27:57 +0000 (UTC) (envelope-from ohartman@zedat.fu-berlin.de) Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) by mx1.freebsd.org (Postfix) with ESMTP id EC8568FC0A for ; Fri, 18 Mar 2011 18:27:56 +0000 (UTC) Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost1.zedat.fu-berlin.de (Exim 4.69) with esmtp (envelope-from ) id <1Q0eOx-0004o6-MW>; Fri, 18 Mar 2011 19:27:55 +0100 Received: from telesto.geoinf.fu-berlin.de ([130.133.86.198]) by inpost2.zedat.fu-berlin.de (Exim 4.69) with esmtpsa (envelope-from ) id <1Q0eOx-0001Ep-K8>; Fri, 18 Mar 2011 19:27:55 +0100 Message-ID: <4D83A42B.5050701@zedat.fu-berlin.de> Date: Fri, 18 Mar 2011 19:27:55 +0100 From: "O. Hartmann" Organization: Freie =?ISO-8859-1?Q?Universit=E4t_Berlin?= User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.15) Gecko/20110307 Thunderbird/3.1.9 MIME-Version: 1.0 To: Dan Nelson References: <4D833D3C.7080804@zedat.fu-berlin.de> <20110318160257.GD44561@dan.emsphone.com> In-Reply-To: <20110318160257.GD44561@dan.emsphone.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: 130.133.86.198 Cc: freebsd-questions@freebsd.org Subject: Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Mar 2011 18:27:57 -0000 On 03/18/11 17:02, Dan Nelson wrote: > In the last episode (Mar 18), O. Hartmann said: >> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent >> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an >> UBUNTU 10.10 server (using openldap 2.4.23). >> >> Most of the installation on the Ubuntu server has been successfully done >> (I'm not familiar with Linux, but it seems that things like pam and ldap >> are quite similar to FreeBSD's installation). >> >> From the Linux/Ubuntu server, I'm able to get all users and groups via >> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up >> user is successfully. >> >> But when it comes to a login via sshd, login fails with this error >> (loged on Linux Ubuntu in /var/log/auth.log): >> >> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2 >> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required) > > "Confidentiality required" means that the server is refusing to authenticate > over a non-encrypted connection. Try switching pam_ldap to ldaps (in your > pam ldap.conf, either change your "uri" lines to ldaps:// or add the line > "ssl on") and see if that works. Well, in /etc/ldap.conf there is "ssl start_tls" and this should do the thing. I use nearly exact the same configuration as I do on all the FreeBSD boxes connecting to the same OpenLDAP server. I tried issuing 'ldapsaerach -xZZ -h hostIP' and I get ldap_start_tls: Connect error (-11) additional info: (unknown error code) looking deeper into the debug stuff with 'ldapsaerach -xZZ -h hostIP' I receive at the end TLS: peer cert untrusted or revoked (0x42) TLS: can't connect: (unknown error code). ldap_err2string ldap_start_tls: Connect error (-11) additional info: (unknown error code) Obviously, my certificate (self signed, openssl verify cacert.pem gives: OK) isn't found or there is something wrong with it. The certificate is located in /usr/local/etc/cacerts/cacert.pem and in Ubuntu's /etc/ldap.conf there is this line: tls_cacertfile usr/local/etc/cacerts/cacert.pem is referring to the certificate.