User authentication on Linux with FreeBSD OpenLDAP backend
fails: pam_ldap: error trying to bind as user/Failed password for
O. Hartmann
ohartman at mail.zedat.fu-berlin.de
Sat Mar 19 15:49:32 UTC 2011
On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> UBUNTU 10.10 server (using openldap 2.4.23).
>>
>> Most of the installation on the Ubuntu server has been successfully done
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>>
>> From the Linux/Ubuntu server, I'm able to get all users and groups via
>> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
>> user is successfully.
>>
>> But when it comes to a login via sshd, login fails with this error
>> (loged on Linux Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
>
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.
Well,
I tried several things now and I do not understand this world anymore :-(
For short again: The conceptional setup I use is a working concept
within all FreeBSD boxes around here autheticating users via our
OpenLDAP server, also ran by FreeBSD (8.2-STABLE/amd64).
On the Linux/Ubuntu 10.10 server I tried the following:
ldapsearch:
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: TLS confidentiality required
ldapsearch -xZ:
...listing of the DIT of the LDAP server
looking up an user ID definitely within the DIT: positive response from
the LDAP server.
I also can obtain passwd/group informations via
getent passwd/group.
I also checked the connection to the LDAPserver with the SSL credetials by
openssl s_client -connect LDAPserver:636 -showcerts
and receive a lot of informations
CONNECTED(00000003)
depth=1 /C [...]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=DE/ST [...]
-----BEGIN CERTIFICATE-----
MIIDljCCAv+gAwIBA [...]
-----END CERTIFICATE-----
1 s:/C [...]
i:/C=DE [...]
-----BEGIN CERTIFICATE-----
MIIDojCC[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C [...]
issuer=/C [...]
---
No client certificate CA names sent
---
SSL handshake has read 2175 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
2FCAD4AAFD18AD13013AE6A8BFF872036DAC94174F0DE626E8FF0C7F98FC7EE3
Session-ID-ctx:
Master-Key: XXXXX
Key-Arg : None
TLS session ticket:
0000 - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69
.H........u.O..i
0010 - 37 a5 4f c7 [...]
Start Time: 1300547707
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
I guess this signals everything is all right with the certificate
connecting via SSL/TLS.
I'm not familiar with Linux/Ubuntu's PAM setup, the setup has been done
via apt-get/installation of the appropriate tools and facilities (ldap,
pam_ldap, nss_ldap). I've no idea what's going wrong ...
There is also some kind of weirdness around here. While login in via ssh
(or better: trying to login via ssh), I received this:
Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string
from 125.88.109.121
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from
XXX.XXX.XXX.XXX port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session
opened for user root by (uid=0)
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session
closed for user root
IP 125.88.109.121 is located in China, 125.88.109.121 Server Details
IP address:
125.88.109.121
Server Location:
Guangzhou, Guangdong in China
ISP:
ChinaNet Guangdong Province Network
More information about the freebsd-questions
mailing list