Re: ldap user login attempt kills slapd service

2016-05-10 Thread Quanah Gibson-Mount
I suggest avoiding packages provided by RH.  This has been noted numerous 
times on the list.  If you are unable to build OpenLDAP yourself, you may 
want to look at the packages from the LTB project.  If you require support, 
you may wish to contact Symas.

--Quanah

--On Wednesday, May 11, 2016 12:19 AM + "Real, Elizabeth (392K)" 
 wrote:

> Quanah,
>
> Because I had an ssh issue while using openldap 2.4.39 and it was
> suggested I used openldap 2.4.40 that came with rhel72 instead. What do
> you suggest?
>
> Thank you,
> Liz
> _
> From: Quanah Gibson-Mount 
> Sent: Tuesday, May 10, 2016 4:03 PM
> Subject: Re: ldap user login attempt kills slapd service
> To: , Real, Elizabeth (392K)
>
> --On Tuesday, May 10, 2016 11:58 PM + "Real, Elizabeth (392K)"
>  wrote:
>
> > Openldap gurus:
> >
> > Here is my setup,
> >
> > LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40.
> > Both servers are configured with multi-master replication. Ldaps is
> > enabled and a ppolicy applied.
>
> The RHEL packages of OpenLDAP are known broken. Why are you using them?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
>
> Zimbra :: the leader in open source messaging and collaboration
> A division of Synacor, Inc

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc



Re: ldap user login attempt kills slapd service

2016-05-10 Thread Real, Elizabeth (392K)
Quanah,

Because I had an ssh issue while using openldap 2.4.39 and it was suggested I 
used openldap 2.4.40 that came with rhel72 instead. What do you suggest?

Thank you,
Liz
_
From: Quanah Gibson-Mount <qua...@zimbra.com>
Sent: Tuesday, May 10, 2016 4:03 PM
Subject: Re: ldap user login attempt kills slapd service
To: <openldap-technical@openldap.org>, Real, Elizabeth (392K) <elizabeth.r...@jpl.nasa.gov>

--On Tuesday, May 10, 2016 11:58 PM + "Real, Elizabeth (392K)"
<elizabeth.r...@jpl.nasa.gov> wrote:

> Openldap gurus:
>
> Here is my setup,
>
> LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40.
> Both servers are configured with multi-master replication. Ldaps is
> enabled and a ppolicy applied.

The RHEL packages of OpenLDAP are known broken. Why are you using them?

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc




Re: ldap user login attempt kills slapd service

2016-05-10 Thread Quanah Gibson-Mount
--On Tuesday, May 10, 2016 11:58 PM + "Real, Elizabeth (392K)" 
 wrote:

> Openldap gurus:
>
> Here is my setup,
>
> LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40.
> Both servers are configured with multi-master replication. Ldaps is
> enabled and a ppolicy applied.

The RHEL packages of OpenLDAP are known broken.  Why are you using them?

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc



ldap user login attempt kills slapd service

2016-05-10 Thread Real, Elizabeth (392K)
Openldap gurus:

Here is my setup,

LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40. Both 
servers are configured with multi-master replication. Ldaps is enabled and a 
ppolicy applied.

LDAPCLIENT: My ldap client is running RHEL7.2 as well, sssd 1.13.0, and 
openldap client 2.4.40.

I have been troubleshooting this problem for a while and can’t figure out why 
every time I try to log in to an ldap client with a test user account the slapd 
service on only one of my ldap servers gets killed.

Both getent and ldapsearch return the expected information when run on the ldap 
client:
ldapclient ~]# getent passwd realtest
realtest:*:1004:312:Liz RealTest:/home/real:/bin/tcsh

ldapclient ~]# ldapsearch -x -s sub -b 'ou=People,dc=cluster,dc=sec312' 
'(uid=realtest)'
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (uid=realtest)
# requesting: ALL
#

# realtest, People, cluster.sec312
dn: uid=realtest,ou=People,dc=cluster,dc=sec312
gidNumber: 312
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: realtest
loginShell: /bin/tcsh
homeDirectory: /home/real
cn: Liz RealTest
uidNumber: 1004

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

LDAP SERVER /VAR/LOG/SECURE:
serverA journal: Suppressed 19192 messages from /system.slice/slapd.service
serverA journal: Suppressed 8449 messages from /system.slice/slapd.service
serverA systemd: slapd.service: main process exited, code=killed, status=6/ABRT
serverA systemd: Unit slapd.service entered failed state.
serverA systemd: slapd.service failed.

LDAP CLIENT  /VAR/LOG/SECURE:
ldapclient sshd[122938]: pam_sss(sshd:auth): authentication failure; logname= 
uid=0 euid=0 tty=ssh ruser= rhost=node12.cluster.sec312 user=realtest
ldapclient sshd[122938]: pam_sss(sshd:auth): received for user realtest: 7 
(Authentication failure)
ldapclient sshd[122938]: pam_ldap(sshd:auth): Authentication failure; 
user=realtest
ldapclient sshd[122936]: error: PAM: Authentication failure for realtest from 
node12.cluster.sec312

ATTEMPT TO SSH AS TEST USER TO LDAP CLIENT:
% ssh -v realtest@ldapclient
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Connecting to ldapclient [] port 22.
debug1: Connection established.
debug1: could not open key file '/etc/ssh/ssh_host_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission 
denied
debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission 
denied
debug1: identity file /home/real/.ssh/id_rsa type -1
debug1: identity file /home/real/.ssh/id_rsa-cert type -1
debug1: identity file /home/real/.ssh/id_dsa type -1
debug1: identity file /home/real/.ssh/id_dsa-cert type -1
debug1: identity file /home/real/.ssh/id_ecdsa type -1
debug1: identity file /home/real/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/real/.ssh/id_ed25519 type -1
debug1: identity file /home/real/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x0400
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 14:c5:c2:60:29:ce:99:aa:67:41:a6:6a:11:2c:ca:86
debug1: Host 'ldapclient' is known and matches the ECDSA host key.
debug1: Found key in /home/real/.ssh/known_hosts:22
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive,hostbased
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide
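The two /var/log/secure excerpts in this post carry the whole story: systemd's "code=killed, status=6/ABRT" means the slapd main process died from SIGABRT (abort(), typically a failed assertion), and the client's pam_sss line "received for user realtest: 7" is PAM_AUTH_ERR, which is all sshd sees when the bind never completes. The script below is an added example, not code from this thread or from the OpenLDAP project: it parses syslog-style lines modelled on those excerpts (the timestamps, PIDs and the year are constructed for the example, since the archived lines lost their timestamps) and pairs every slapd signal death with pam_sss authentication failures logged within a 30-second window, so that a "bad password" on the client can be recognised as a server crash on the directory side. Host names, the 30-second window and the LOG_YEAR constant are assumptions of the example.

```python
"""Correlate slapd abnormal exits with LDAP login failures (syslog-style lines)."""
import re
from datetime import datetime, timedelta

# Assumption: classic syslog lines carry no year; pin it so timestamps compare.
LOG_YEAR = 2016

# Constructed sample modelled on the server-side /var/log/secure excerpt in the post.
SERVER_LOG = """\
May 10 15:57:58 serverA journal: Suppressed 19192 messages from /system.slice/slapd.service
May 10 15:58:01 serverA systemd: slapd.service: main process exited, code=killed, status=6/ABRT
May 10 15:58:01 serverA systemd: Unit slapd.service entered failed state.
May 10 15:58:01 serverA systemd: slapd.service failed.
May 10 16:20:30 serverA systemd: slapd.service: main process exited, code=exited, status=0/SUCCESS
"""

# Constructed sample modelled on the client-side /var/log/secure excerpt in the post.
CLIENT_LOG = """\
May 10 15:58:00 ldapclient sshd[122938]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node12.cluster.sec312 user=realtest
May 10 15:58:00 ldapclient sshd[122938]: pam_sss(sshd:auth): received for user realtest: 7 (Authentication failure)
May 10 15:58:00 ldapclient sshd[122936]: error: PAM: Authentication failure for realtest from node12.cluster.sec312
May 10 16:40:12 ldapclient sshd[123001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node12.cluster.sec312 user=other
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)
# systemd reports a signal-killed main process as "code=killed, status=<n>/<NAME>";
# 6/ABRT is SIGABRT, i.e. slapd aborted itself, which a clean "code=exited" never is.
CRASH_RE = re.compile(
    r"slapd\.service: main process exited, code=killed, status=(?P<sig>\d+)/(?P<name>\w+)"
)
# pam_sss logs the failing user and, when sshd knows it, the remote host.
AUTHFAIL_RE = re.compile(
    r"pam_sss\(sshd:auth\): authentication failure;.*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)"
)


def parse_line(line):
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}",
                           "%b %d %H:%M:%S %Y")
    return ts, m["host"], m["rest"]


def find_crashes(log_text):
    """Return every slapd main-process signal death in the server log."""
    crashes = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, rest = parsed
        m = CRASH_RE.search(rest)
        if m:
            crashes.append({"ts": ts, "host": host,
                            "signal": int(m["sig"]), "name": m["name"]})
    return crashes


def find_auth_failures(log_text):
    """Return every pam_sss authentication failure in the client log."""
    failures = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, rest = parsed
        m = AUTHFAIL_RE.search(rest)
        if m:
            failures.append({"ts": ts, "host": host,
                             "user": m["user"], "rhost": m["rhost"]})
    return failures


def correlate(crashes, failures, window=timedelta(seconds=30)):
    """Pair each crash with the client auth failures logged within +/- window.

    A login failure that coincides with the directory server aborting is a
    server-side fault (the bind never completed), not a wrong password.
    """
    pairs = []
    for crash in crashes:
        for fail in failures:
            if abs(crash["ts"] - fail["ts"]) <= window:
                pairs.append((crash, fail))
    return pairs


def report(server_log, client_log):
    """Print one line per correlated event and return the pairs."""
    pairs = correlate(find_crashes(server_log), find_auth_failures(client_log))
    for crash, fail in pairs:
        print(f"{crash['ts']:%b %d %H:%M:%S} {crash['host']}: slapd died with "
              f"SIG{crash['name']} ({crash['signal']}) while {fail['host']} rejected "
              f"login for {fail['user']} from {fail['rhost'] or '?'}")
    return pairs


if __name__ == "__main__":
    report(SERVER_LOG, CLIENT_LOG)
```

Run against the two constructed logs it reports a single correlated event, the realtest login at 15:58:00 against the SIGABRT at 15:58:01, and ignores both the later clean slapd exit and the unrelated failure for another user. On a real system the same parser can be pointed at `journalctl -u slapd` output on the server and /var/log/secure on the client; since only one of the two MMR servers dies, keying the crash list by host also tells you which replica the client's bind was routed to.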