Package: libpam-ldap
Version: 184-4.2
Severity: important


After migrating from etch to lenny I can no longer use the stanza

  uri ldaps://10.76.195.82
  tls_checkpeer yes
  tls_cacertfile /etc/ssl/certs/jp09_cert.pem

in /etc/pam_ldap.conf. If I do, authentication of users fails with the following messages
in /var/log/auth.log:

Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: reconnecting to LDAP server...
Oct 10 04:37:23 p2 sshd[13066]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Oct 10 04:37:26 p2 sshd[13066]: Failed password for jprenze from ...

With

 tls_checkpeer no

it works, but seems less secure.

But the certificate works with the server:

=========================================================
p2:/etc/ssl/certs# gnutls-cli -p 636 --x509cafile /etc/ssl/certs/jp09_cert.pem 10.76.195.82
Processed 1 CA certificate(s).
Resolving '10.76.195.82'...
Connecting to '10.76.195.82:636'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.

- Certificate[0] info:
# The hostname in the certificate matches '10.76.195.82'.
# valid since: Fri Oct  9 18:57:47 CEST 2009
# expires at: Thu Jul  5 18:57:47 CEST 2012
# fingerprint: 9B:B2:63:7E:33:47:61:99:C1:9E:5C:59:A9:B0:5B:77
# Subject's DN: CN=10.76.195.82,ST=Niedersachsen,C=DE,email=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen Institute
# Issuer's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,email=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen Institute

- Certificate[1] info:
# valid since: Fri Oct  9 18:56:59 CEST 2009
# expires at: Thu Jul  5 18:56:59 CEST 2012
# fingerprint: 3C:40:EF:D2:BC:35:71:57:0A:77:56:CA:9B:A0:54:AB
# Subject's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,email=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen Institute
# Issuer's DN: CN=Juergen Prenzel,ST=Niedersachsen,C=DE,email=jpre...@gwdg.de,O=University Goettingen,OU=Buesgen Institute


- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:
==============================================

I guess that libpam-ldap somehow ignores the tls_cacertfile parameter.

 Juergen Prenzel

-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-ldap depends on:
ii  debconf [debconf-2.0]     1.5.24         Debian configuration management sy
ii  libc6                     2.7-18         GNU C Library: Shared libraries
ii  libldap-2.4-2             2.4.11-1       OpenLDAP libraries
ii  libpam0g                  1.0.1-5+lenny1 Pluggable Authentication Modules l

libpam-ldap recommends no packages.

Versions of packages libpam-ldap suggests:
ii libnss-ldapd [libnss-ldap] 0.6.7.1 NSS module for using LDAP as a nam

-- debconf information:
* shared/ldapns/base-dn: dc=example,dc=net
* shared/ldapns/ldap-server: ldapi:///
libpam-ldap/pam_password: crypt
libpam-ldap/binddn: cn=proxyuser,dc=example,dc=net
* libpam-ldap/rootbinddn: cn=manager,dc=example,dc=net
* libpam-ldap/dbrootlogin: true
libpam-ldap/override: true
* shared/ldapns/ldap_version: 3
* libpam-ldap/dblogin: false
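The report above boils down to one question: is the server certificate actually verified against the configured CA file, or has the check silently fallen back to `tls_checkpeer no` behaviour? The following script is an added example, not part of the bug report or of libpam-ldap: it parses the TLS-related keys of a pam_ldap.conf, flags configurations where peer verification is off or has no trust anchor, and performs the same kind of handshake gnutls-cli does (trusting only the given CA file) so the chain can be checked independently of the PAM module. The host `ldap.example.invalid` and the path `/etc/ssl/certs/ca.pem` in the embedded sample are constructed placeholders.

```python
"""Sanity-check the TLS settings in pam_ldap.conf and verify the LDAPS server
against the configured CA file, independently of libpam-ldap (added example)."""
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample of the relevant /etc/pam_ldap.conf lines (hypothetical host and path).
SAMPLE_CONF = """\
# pam_ldap.conf excerpt (constructed sample)
uri ldaps://ldap.example.invalid
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca.pem
"""


def parse_pam_ldap_conf(text):
    """Map lowercase keys to values for 'key value' lines; comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def assess(conf):
    """Return a list of findings; an empty list means peer verification is configured."""
    findings = []
    uri = conf.get("uri", "")
    uses_tls = uri.startswith("ldaps://") or conf.get("ssl", "").lower() in ("on", "start_tls")
    if not uses_tls:
        findings.append("no ldaps:// URI and ssl not enabled: LDAP traffic is sent in the clear")
        return findings
    if conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is never verified")
    if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("no tls_cacertfile or tls_cacertdir: there is no trust anchor to verify against")
    return findings


def ldaps_endpoint(uri):
    """Extract (host, port) from an ldaps:// URI; LDAPS defaults to port 636."""
    parts = urlsplit(uri)
    return parts.hostname, parts.port or 636


def verify_server(host, port, cafile, check_hostname=True, timeout=5):
    """Perform a TLS handshake trusting only `cafile` (what gnutls-cli --x509cafile does)
    and return the server certificate's SHA-1 fingerprint in colon-separated form.
    Raises ssl.SSLCertVerificationError if the chain does not validate."""
    ctx = ssl.create_default_context(cafile=cafile)
    # A CN-only certificate issued for an IP address will not pass Python's hostname
    # check; pass check_hostname=False to test chain validation on its own.
    ctx.check_hostname = check_hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam_ldap.conf"
    with open(path) as fh:
        conf = parse_pam_ldap_conf(fh.read())
    for finding in assess(conf):
        print("WARNING:", finding)
    if conf.get("uri", "").startswith("ldaps://") and "tls_cacertfile" in conf:
        host, port = ldaps_endpoint(conf["uri"])
        try:
            fp = verify_server(host, port, conf["tls_cacertfile"], check_hostname=False)
            print("chain OK, server cert SHA-1 fingerprint:", fp)
        except ssl.SSLError as exc:
            print("verification FAILED:", exc)
```

Run it as `python3 check_pam_ldap_tls.py /etc/pam_ldap.conf`. If the handshake in `verify_server` succeeds with the same CA file that pam_ldap is configured with, the trust anchor itself is fine and the "Can't contact LDAP server" failure has to come from how the module (or the libldap it links against) picks up `tls_cacertfile`, which is the conclusion the report reaches; if it fails here too, the certificate or CA file is the problem. The `assess` findings are the defender's view of the workaround: `tls_checkpeer no` makes the bind succeed by accepting any certificate, so it should be treated as a temporary measure rather than a fix.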



