User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

O. Hartmann ohartman at zedat.fu-berlin.de
Fri Mar 18 18:27:57 UTC 2011 

On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> UBUNTU 10.10 server (using openldap 2.4.23).
>>
>> Most of the installation on the Ubuntu server has been successfully done
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>>
>>   From the Linux/Ubuntu server, I'm able to get all users and groups via
>> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
>> user is successfully.
>>
>> But when it comes to a login via sshd, login fails with this error
>> (loged on Linux Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
>
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.

Well,

in /etc/ldap.conf there is "ssl start_tls" and this should do the thing. 
I use nearly exact the same configuration as I do on all the FreeBSD 
boxes connecting to the same OpenLDAP server.

I tried issuing 'ldapsaerach -xZZ -h hostIP' and I get

ldap_start_tls: Connect error (-11)
         additional info: (unknown error code)

looking deeper into the debug stuff with

'ldapsaerach -xZZ -h hostIP' I receive at the end

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
         additional info: (unknown error code)


Obviously, my certificate (self signed, openssl verify cacert.pem gives:
OK) isn't found or there is something wrong with it. The certificate is 
located in /usr/local/etc/cacerts/cacert.pem and in Ubuntu's 
/etc/ldap.conf there is this line:
tls_cacertfile usr/local/etc/cacerts/cacert.pem

is referring to the certificate.

More information about the freebsd-questions mailing list