User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

O. Hartmann ohartman at
Sat Mar 19 15:49:32 UTC 2011

On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> UBUNTU 10.10 server (using openldap 2.4.23).
>> Most of the installation on the Ubuntu server has been successfully done
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>>   From the Linux/Ubuntu server, I'm able to get all users and groups via
>> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
>> user is successfully.
>> But when it comes to a login via sshd, login fails with this error
>> (loged on Linux Ubuntu in /var/log/auth.log):
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.

I tried several things now and I do not understand this world anymore :-(

For short again: The conceptional setup I use is a working concept 
within all FreeBSD boxes around here autheticating users via our 
OpenLDAP server, also ran by FreeBSD (8.2-STABLE/amd64).

On the Linux/Ubuntu 10.10 server I tried the following:

ldap_sasl_interactive_bind_s: Confidentiality required (13)
         additional info: TLS confidentiality required

ldapsearch -xZ:
...listing of the DIT of the LDAP server

looking up an user ID definitely within the DIT: positive response from 
the LDAP server.

I also can obtain passwd/group informations via
getent passwd/group.

I also checked the connection to the LDAPserver with the SSL credetials by

openssl s_client -connect LDAPserver:636 -showcerts

and receive a lot of informations
depth=1 /C [...]

verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
0 s:/C=DE/ST [...]
MIIDljCCAv+gAwIBA [...]
  1 s:/C [...]
i:/C=DE [...]
Server certificate
subject=/C [...]
issuer=/C [...]
No client certificate CA names sent
SSL handshake has read 2175 bytes and written 421 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
     Protocol  : TLSv1
     Cipher    : AES256-SHA
Master-Key: XXXXX
Key-Arg   : None
     TLS session ticket:
     0000 - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69 
     0010 - 37 a5 4f c7 [...]
     Start Time: 1300547707
     Timeout   : 300 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)

I guess this signals everything is all right with the certificate 
connecting via SSL/TLS.

I'm not familiar with Linux/Ubuntu's PAM setup, the setup has been done 
via apt-get/installation of the appropriate tools and facilities (ldap, 
pam_ldap, nss_ldap). I've no idea what's going wrong ...

There is also some kind of weirdness around here. While login in via ssh 
(or better: trying to login via ssh), I received this:

Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string 
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from 
XXX.XXX.XXX.XXX port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session 
opened for user root by (uid=0)
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session 
closed for user root

IP is located in China, Server Details
IP address:
Server Location:
Guangzhou, Guangdong in China
ChinaNet Guangdong Province Network

More information about the freebsd-questions mailing list