Date: Sat, 19 Mar 2011 21:16:01 +0100 From: "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de> To: Dan Nelson <dnelson@allantgroup.com> Cc: freebsd-questions@freebsd.org Subject: Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for Message-ID: <4D850F01.6080004@mail.zedat.fu-berlin.de> In-Reply-To: <20110318160257.GD44561@dan.emsphone.com> References: <4D833D3C.7080804@zedat.fu-berlin.de> <20110318160257.GD44561@dan.emsphone.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 03/18/11 17:02, Dan Nelson wrote: > In the last episode (Mar 18), O. Hartmann said: >> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent >> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an >> UBUNTU 10.10 server (using openldap 2.4.23). >> >> Most of the installation on the Ubuntu server has been successfully done >> (I'm not familiar with Linux, but it seems that things like pam and ldap >> are quite similar to FreeBSD's installation). >> >> From the Linux/Ubuntu server, I'm able to get all users and groups via >> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up >> user is successfully. >> >> But when it comes to a login via sshd, login fails with this error >> (loged on Linux Ubuntu in /var/log/auth.log): >> >> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2 >> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required) > > "Confidentiality required" means that the server is refusing to authenticate > over a non-encrypted connection. Try switching pam_ldap to ldaps (in your > pam ldap.conf, either change your "uri" lines to ldaps:// or add the line > "ssl on") and see if that works. > I managed it! My FreeBSD OpenLDAP-server have had in it's config DIT (cn=config) the follwoing entries, which seems to confuse Linux (but not the FreeBSD clients, no matter why): olcSecurity: simple_bind=256 After reducing this security strenth value down to olcSecurity: simple_bind=128 everything works fine so far. At the moment, I have no explanation for this. Either FreeBSD clients are always binding with a higher security strength level or ignoring this. Thanks, Oliver
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D850F01.6080004>