Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on
>> the Ubuntu server has been done successfully (I'm not familiar with Linux,
>> but it seems that things like pam and ldap are quite similar to FreeBSD's
>> installation). From the Linux/Ubuntu server, I'm able to get all users and
>> groups via 'getent passwd' and 'getent group'; even 'id' on an
>> OpenLDAP-backed user is successful. But when it comes to a login via sshd,
>> login fails with this error (logged on Linux/Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)
>
> Confidentiality required means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your uri lines to ldaps:// or add the line
> ssl on) and see if that works.

Well, I tried several things now and I do not understand this world anymore :-(

For short again: the conceptual setup I use is a working concept within all FreeBSD boxes around here authenticating users via our OpenLDAP server, also run by FreeBSD (8.2-STABLE/amd64).

On the Linux/Ubuntu 10.10 server I tried the following:

ldapsearch:
ldap_sasl_interactive_bind_s: Confidentiality required (13)
        additional info: TLS confidentiality required

ldapsearch -xZ:
...listing of the DIT of the LDAP server

Looking up a user ID definitely within the DIT: positive response from the LDAP server. I also can obtain passwd/group information via getent passwd/group.

I also checked the connection to the LDAP server with the SSL credentials by

openssl s_client -connect LDAPserver:636 -showcerts

and receive a lot of information:

CONNECTED(0003)
depth=1 /C [...]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST [...]
-----BEGIN CERTIFICATE-----
MIIDljCCAv+gAwIBA [...]
-----END CERTIFICATE-----
 1 s:/C [...]
   i:/C=DE [...]
-----BEGIN CERTIFICATE-----
MIIDojCC[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C [...]
issuer=/C [...]
---
No client certificate CA names sent
---
SSL handshake has read 2175 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 2FCAD4AAFD18AD13013AE6A8BFF872036DAC94174F0DE626E8FF0C7F98FC7EE3
    Session-ID-ctx:
    Master-Key: X
    Key-Arg   : None
    TLS session ticket:
         - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69   .Hu.O..i
    0010 - 37 a5 4f c7 [...]

    Start Time: 1300547707
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

I guess this signals everything is all right with the certificate connecting via SSL/TLS.

I'm not familiar with Linux/Ubuntu's PAM setup; the setup has been done via apt-get/installation of the appropriate tools and facilities (ldap, pam_ldap, nss_ldap). I've no idea what's going wrong ...

There is also some kind of weirdness around here. While logging in via ssh (or better: trying to log in via ssh), I received this:

Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string from 125.88.109.121
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from XXX.XXX.XXX.XXX port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session closed for user root

IP 125.88.109.121 is located in China:

125.88.109.121 Server Details
IP address: 125.88.109.121
Server Location: Guangzhou, Guangdong in China
ISP: ChinaNet Guangdong Province Network

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on
>> the Ubuntu server has been done successfully (I'm not familiar with Linux,
>> but it seems that things like pam and ldap are quite similar to FreeBSD's
>> installation). From the Linux/Ubuntu server, I'm able to get all users and
>> groups via 'getent passwd' and 'getent group'; even 'id' on an
>> OpenLDAP-backed user is successful. But when it comes to a login via sshd,
>> login fails with this error (logged on Linux/Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)
>
> Confidentiality required means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your uri lines to ldaps:// or add the line
> ssl on) and see if that works.

I managed it!

My FreeBSD OpenLDAP server had in its config DIT (cn=config) the following entry, which seems to confuse Linux (but not the FreeBSD clients, no matter why):

olcSecurity: simple_bind=256

After reducing this security strength value down to

olcSecurity: simple_bind=128

everything works fine so far. At the moment, I have no explanation for this. Either FreeBSD clients are always binding with a higher security strength level or ignoring this.

Thanks,
Oliver
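Added example (mine, not code from Oliver, Dan or the OpenLDAP project): a Python model of the olcSecurity check that answers a simple bind with "Confidentiality required (13)", so the effect of simple_bind=256 versus simple_bind=128 can be seen against the AES256-SHA cipher that openssl s_client reported, without a running directory. It assumes that slapd takes the TLS SSF from the negotiated cipher's key length (AES256-SHA gives 256, AES128-SHA gives 128, no TLS gives 0), that a session's overall SSF is the highest of its transport, TLS and SASL SSFs, and that the check order and error texts follow slapd's backend_check_restrictions() as I remember them; the cipher table and the sessions are constructed sample data.

```python
"""Model of the olcSecurity gate behind "Confidentiality required (13)".

Added illustration, not code from the mailing-list thread or from OpenLDAP.
Assumptions (mine): TLS SSF = negotiated cipher key bits; session SSF =
max(transport, TLS, SASL); check order/messages as in slapd's
backend_check_restrictions() from memory. Cipher table is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LDAP_CONFIDENTIALITY_REQUIRED = 13   # result code seen in the ldapsearch output

# Effective key bits of a few TLS cipher suites (constructed lookup table).
CIPHER_BITS: Dict[str, int] = {
    "AES256-SHA": 256,          # what openssl s_client negotiated in the thread
    "DHE-RSA-AES256-SHA": 256,
    "AES128-SHA": 128,
    "DHE-RSA-AES128-SHA": 128,
    "RC4-SHA": 128,
    "DES-CBC3-SHA": 112,
}


@dataclass
class Session:
    """One client connection as slapd sees it for SSF purposes (constructed)."""
    tls_cipher: Optional[str] = None   # None = no TLS/StartTLS negotiated
    sasl_ssf: int = 0                  # 0 for a simple bind
    transport_ssf: int = 0             # e.g. 71 for an ldapi:// local socket

    def tls_ssf(self) -> int:
        return CIPHER_BITS[self.tls_cipher] if self.tls_cipher else 0

    def ssf(self) -> int:
        return max(self.transport_ssf, self.tls_ssf(), self.sasl_ssf)


def parse_security(directive: str) -> Dict[str, int]:
    """Parse 'simple_bind=256 tls=128 ...' into {keyword: minimum SSF}."""
    known = {"ssf", "transport", "tls", "sasl", "update_ssf",
             "update_transport", "update_tls", "update_sasl", "simple_bind"}
    minimums: Dict[str, int] = {}
    for token in directive.split():
        key, sep, value = token.partition("=")
        if not sep or key not in known or not value.isdigit():
            raise ValueError(f"bad olcSecurity token: {token!r}")
        minimums[key] = int(value)
    return minimums


def check_simple_bind(directive: str, session: Session) -> Tuple[Optional[int], str]:
    """Return (LDAP result code, or None on success; diagnostic text) for a
    simple bind attempted on `session` under the given olcSecurity value."""
    need = parse_security(directive)
    simple_min = need.get("simple_bind", 0)
    checks = [
        (session.ssf() < need.get("ssf", 0), "confidentiality required"),
        (session.transport_ssf < need.get("transport", 0),
         "transport confidentiality required"),
        (session.tls_ssf() < need.get("tls", 0), "TLS confidentiality required"),
        (session.ssf() < simple_min,
         f"confidentiality required (simple_bind needs SSF >= {simple_min}, "
         f"session has {session.ssf()})"),
        (session.sasl_ssf < need.get("sasl", 0), "SASL confidentiality required"),
    ]
    for failed, text in checks:
        if failed:
            return LDAP_CONFIDENTIALITY_REQUIRED, text
    return None, f"simple bind permitted (session SSF {session.ssf()})"


def walk_through() -> Dict[str, Tuple[Optional[int], str]]:
    """The thread's situations replayed on constructed sessions."""
    return {
        "no TLS, simple_bind=256": check_simple_bind("simple_bind=256", Session()),
        "AES256-SHA, simple_bind=256": check_simple_bind("simple_bind=256", Session("AES256-SHA")),
        "AES128-SHA, simple_bind=256": check_simple_bind("simple_bind=256", Session("AES128-SHA")),
        "AES128-SHA, simple_bind=128": check_simple_bind("simple_bind=128", Session("AES128-SHA")),
    }


if __name__ == "__main__":
    for label, (code, text) in walk_through().items():
        print(f"{label:30} -> {'OK' if code is None else code}: {text}")
```

The model makes the point of the fix visible: a client that negotiates a 128-bit cipher cannot satisfy simple_bind=256 no matter what its ldap.conf says, while the same server accepts it at simple_bind=128. Lowering the floor is a policy change, though, so before settling on it the thing to establish is which cipher the Ubuntu client really negotiates; slapd logs "TLS established tls_ssf=... ssf=..." per connection at the stats log level, and the client-side suite can be constrained with TLS_CIPHER_SUITE in ldap.conf (olcTLSCipherSuite on the server).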
Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
In the last episode (Mar 18), O. Hartmann said:
> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
> Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on
> the Ubuntu server has been done successfully (I'm not familiar with Linux,
> but it seems that things like pam and ldap are quite similar to FreeBSD's
> installation). From the Linux/Ubuntu server, I'm able to get all users and
> groups via 'getent passwd' and 'getent group'; even 'id' on an
> OpenLDAP-backed user is successful. But when it comes to a login via sshd,
> login fails with this error (logged on Linux/Ubuntu in /var/log/auth.log):
>
> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)

Confidentiality required means that the server is refusing to authenticate over a non-encrypted connection. Try switching pam_ldap to ldaps (in your pam ldap.conf, either change your uri lines to ldaps:// or add the line ssl on) and see if that works.

-- 
	Dan Nelson
	dnel...@allantgroup.com
Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for
On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> Ubuntu 10.10 server (using openldap 2.4.23). Most of the installation on
>> the Ubuntu server has been done successfully (I'm not familiar with Linux,
>> but it seems that things like pam and ldap are quite similar to FreeBSD's
>> installation). From the Linux/Ubuntu server, I'm able to get all users and
>> groups via 'getent passwd' and 'getent group'; even 'id' on an
>> OpenLDAP-backed user is successful. But when it comes to a login via sshd,
>> login fails with this error (logged on Linux/Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com (Confidentiality required)
>
> Confidentiality required means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your uri lines to ldaps:// or add the line
> ssl on) and see if that works.

Well, in /etc/ldap.conf there is

ssl start_tls

and this should do the thing. I use nearly exactly the same configuration as I do on all the FreeBSD boxes connecting to the same OpenLDAP server.

I tried issuing 'ldapsearch -xZZ -h hostIP' and I get

ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)

Looking deeper into the debug stuff with 'ldapsearch -xZZ -h hostIP' I receive at the end

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: (unknown error code)

Obviously, my certificate (self-signed; openssl verify cacert.pem gives: OK) isn't found or there is something wrong with it.

The certificate is located in /usr/local/etc/cacerts/cacert.pem, and in Ubuntu's /etc/ldap.conf this line

tls_cacertfile usr/local/etc/cacerts/cacert.pem

is referring to the certificate.