On 03/18/11 17:02, Dan Nelson wrote:
In the last episode (Mar 18), O. Hartmann said:
I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
UBUNTU 10.10 server (using openldap 2.4.23).
Most of the installation on the Ubuntu server has been successfully done
(I'm not familiar with Linux, but it seems that things like pam and ldap
are quite similar to FreeBSD's installation).
From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
user is successfully.
But when it comes to a login via sshd, login fails with this error
(loged on Linux Ubuntu in /var/log/auth.log):
Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user
"uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
"Confidentiality required" means that the server is refusing to authenticate
over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
"ssl on") and see if that works.
I managed it!
My FreeBSD OpenLDAP-server have had in it's config DIT (cn=config) the
follwoing entries, which seems to confuse Linux (but not the FreeBSD
clients, no matter why):
olcSecurity: simple_bind=256
After reducing this security strenth value down to
olcSecurity: simple_bind=128
everything works fine so far.
At the moment, I have no explanation for this. Either FreeBSD clients
are always binding with a higher security strength level or ignoring this.
Thanks,
Oliver
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
