Date: Sat, 19 Mar 2011 16:49:30 +0100 From: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de> To: Dan Nelson <dnelson@allantgroup.com> Cc: freebsd-questions@freebsd.org Subject: Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for Message-ID: <4D84D08A.8090700@mail.zedat.fu-berlin.de> In-Reply-To: <20110318160257.GD44561@dan.emsphone.com> References: <4D833D3C.7080804@zedat.fu-berlin.de> <20110318160257.GD44561@dan.emsphone.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 03/18/11 17:02, Dan Nelson wrote: > In the last episode (Mar 18), O. Hartmann said: >> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent >> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an >> UBUNTU 10.10 server (using openldap 2.4.23). >> >> Most of the installation on the Ubuntu server has been successfully done >> (I'm not familiar with Linux, but it seems that things like pam and ldap >> are quite similar to FreeBSD's installation). >> >> From the Linux/Ubuntu server, I'm able to get all users and groups via >> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up >> user is successfully. >> >> But when it comes to a login via sshd, login fails with this error >> (loged on Linux Ubuntu in /var/log/auth.log): >> >> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2 >> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required) > > "Confidentiality required" means that the server is refusing to authenticate > over a non-encrypted connection. Try switching pam_ldap to ldaps (in your > pam ldap.conf, either change your "uri" lines to ldaps:// or add the line > "ssl on") and see if that works. Well, I tried several things now and I do not understand this world anymore :-( For short again: The conceptional setup I use is a working concept within all FreeBSD boxes around here autheticating users via our OpenLDAP server, also ran by FreeBSD (8.2-STABLE/amd64). On the Linux/Ubuntu 10.10 server I tried the following: ldapsearch: ldap_sasl_interactive_bind_s: Confidentiality required (13) additional info: TLS confidentiality required ldapsearch -xZ: ...listing of the DIT of the LDAP server looking up an user ID definitely within the DIT: positive response from the LDAP server. I also can obtain passwd/group informations via getent passwd/group. I also checked the connection to the LDAPserver with the SSL credetials by openssl s_client -connect LDAPserver:636 -showcerts and receive a lot of informations CONNECTED(00000003) depth=1 /C [...] verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/C=DE/ST [...] -----BEGIN CERTIFICATE----- MIIDljCCAv+gAwIBA [...] -----END CERTIFICATE----- 1 s:/C [...] i:/C=DE [...] -----BEGIN CERTIFICATE----- MIIDojCC[...] -----END CERTIFICATE----- --- Server certificate subject=/C [...] issuer=/C [...] --- No client certificate CA names sent --- SSL handshake has read 2175 bytes and written 421 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 2FCAD4AAFD18AD13013AE6A8BFF872036DAC94174F0DE626E8FF0C7F98FC7EE3 Session-ID-ctx: Master-Key: XXXXX Key-Arg : None TLS session ticket: 0000 - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69 .H........u.O..i 0010 - 37 a5 4f c7 [...] Start Time: 1300547707 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) --- I guess this signals everything is all right with the certificate connecting via SSL/TLS. I'm not familiar with Linux/Ubuntu's PAM setup, the setup has been done via apt-get/installation of the appropriate tools and facilities (ldap, pam_ldap, nss_ldap). I've no idea what's going wrong ... There is also some kind of weirdness around here. While login in via ssh (or better: trying to login via ssh), I received this: Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string from 125.88.109.121 Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from XXX.XXX.XXX.XXX port 52686 ssh2 Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session opened for user root by (uid=0) Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session closed for user root IP 125.88.109.121 is located in China, 125.88.109.121 Server Details IP address: 125.88.109.121 Server Location: Guangzhou, Guangdong in China ISP: ChinaNet Guangdong Province Network
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D84D08A.8090700>