Hi all,

I have gotten nss_ldap and pam_ldap to work. I can su to any user on my LDAP server. However, I need to be able to ssh in as any user with a valid shell. Right now I can only ssh as a local user (root is the only one that exists). I have used the pam.d files that come with pam_ldap, including the sshd one. I get asked for the password 3 times and then it fails, even though I am putting in the correct password. If I run sshd in debug mode, it says that it is rejecting an illegal user.

Using SuSE 9.1 updated with the latest openLDAP2 running on the same server.

Any help or suggestions are appreciated!

Misty
Misty wrote regarding '[SLE] pam_ldap and ssh' on Thu, Sep 23 at 15:50:
> Hi all,
> I have gotten nss_ldap and pam_ldap to work. I can su to any user on my LDAP server. However, I need to be able to ssh in as any user with a valid shell. Right now I can only ssh as a local user (root is the only one that exists). I have used the pam.d files that come with pam_ldap, including the sshd one. I get asked for the password 3 times and then it fails, even though I am putting in the correct password. If I run sshd in debug mode, it says that it is rejecting an illegal user.
> Using SuSE 9.1 updated with the latest openLDAP2 running on the same server.
> Any help or suggestions are appreciated!
Crank up the debug level on your LDAP server and see if it's being contacted or not. There are a few things that could be wrong, but common are 1) messed up pam.d/whatever file or 2) messed up auth settings in slapd.conf. If you turn the debug level up a little in slapd.conf, you'll see what, if anything, the client is sending over. That will probably help some...

--Danny
On Thursday 23 September 2004 15:59, Danny Sauer wrote:
> Crank up the debug level on your LDAP server and see if it's being contacted or not. There are a few things that could be wrong, but ... <snip> ...
> --Danny
You are right! Here is the output I am getting:

TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
conn=0 fd=10 closed

Any ideas about this?

Misty
Misty wrote regarding 'Re: [SLE] pam_ldap and ssh' on Fri, Sep 24 at 09:48:
> On Thursday 23 September 2004 15:59, Danny Sauer wrote:
> > Crank up the debug level on your LDAP server and see if it's being contacted or not. There are a few things that could be wrong, but ... <snip> ...
> > --Danny
> You are right! Here is the output I am getting:
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
> conn=0 fd=10 closed
> Any ideas about this?
This is just a guess, but from "unknown ca" I'm guessing that you used an unknown certificate authority. :) Again, I'm just guessing here, but do you have the correct files on the LDAP server to get TLS connections working? Have you verified that TLS works by connecting with another program, like gq? I'd look over the SSL setup stuff on the LDAP server and make sure that's all perfect... The setup steps are documented all over the internet, IIRC.

I can't help much more than Google, though, as I only use LDAP over a trusted network and thus haven't put any time into configuring any transport-level security. :)

--Danny, who should learn about LDAP over SSL someday, though
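Danny's two suggestions, raising the server-side debug level and checking the certificate authority, can be tried offline. The script below is an added example, not code posted in this thread: it classifies slapd log lines of the kind Misty pasted, then uses openssl to show that a server certificate verifies against the CA that issued it but fails with "unable to get local issuer certificate" against an unrelated CA. That client-side failure is what produces the "tlsv1 alert unknown ca" slapd logs: the alert is sent by the TLS client (here pam_ldap/nss_ldap, or whatever process is running them) when it cannot build a trust chain to slapd's certificate, and slapd only reports that it received it. The CA names, the hostname ldap.example.test, the temporary files and the sample log lines are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): triage slapd TLS log lines and check
# whether a server certificate chains to the CA file the client trusts.
# Needs only POSIX sh and the openssl command line tool.

# classify_slapd_line LINE -> one word naming the failure class.
# The patterns are taken from the lines Misty posted; anything else is "other".
classify_slapd_line() {
    case "$1" in
        *"tlsv1 alert unknown ca"*) echo tls-unknown-ca ;;
        *"TLS: can't accept"*)      echo tls-handshake-failed ;;
        *"conn="*" closed"*)        echo connection-closed ;;
        *)                          echo other ;;
    esac
}

# verify_chain CA_FILE SERVER_CERT -> "ok", "unknown-ca" or "other-error".
# "|| true" keeps a failed verify from aborting callers that run under set -e.
verify_chain() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in
        *": OK"*)                                   echo ok ;;
        *"unable to get local issuer certificate"*) echo unknown-ca ;;
        *)                                          echo other-error ;;
    esac
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA (constructed test material, one-day validity).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_server_cert CA_NAME HOSTNAME: leaf certificate signed by that CA.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

make_ca ldap-ca      # the CA that really issued slapd's certificate
make_ca other-ca     # an unrelated CA, as a misconfigured client might trust
make_server_cert ldap-ca ldap.example.test

# Constructed sample, split into the three lines slapd writes separately.
printf '%s\n' "TLS: can't accept." \
    "TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052" \
    "conn=0 fd=10 closed" |
while IFS= read -r line; do
    printf '%-22s %s\n' "$(classify_slapd_line "$line")" "$line"
done

echo "trusted CA:   $(verify_chain "$WORK/ldap-ca.crt"  "$WORK/server.crt")"   # ok
echo "unrelated CA: $(verify_chain "$WORK/other-ca.crt" "$WORK/server.crt")"   # unknown-ca

# Against a live server the equivalent checks are (not run here):
#   openssl s_client -connect ldap.example.test:636 -CAfile /path/to/ca.crt
#   ldapsearch -x -ZZ -H ldap://ldap.example.test -b "" -s base
# The CA file must be the one the client side actually reads: TLS_CACERT in
# the OpenLDAP ldap.conf and tls_cacertfile in the pam_ldap/nss_ldap
# ldap.conf (paths vary by distribution). On the server, the loglevel
# directive in slapd.conf or "slapd -d 1" shows the connection attempts.
```

The first check tells you which side rejected the handshake; the second tells you whether the CA file the client is configured with really issued slapd's certificate, which is the usual cause of "unknown ca" when the server's own certificate is valid.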
The problem is NSCD! As soon as I turn it off, the problem goes away. Not sure what to make of that at all.

Misty

On Friday 24 September 2004 11:31, Danny Sauer wrote:
> Misty wrote regarding 'Re: [SLE] pam_ldap and ssh' on Fri, Sep 24 at 09:48:
> > On Thursday 23 September 2004 15:59, Danny Sauer wrote:
> > > Crank up the debug level on your LDAP server and see if it's being contacted or not. There are a few things that could be wrong, but ... <snip> ...
> > > --Danny
> > You are right! Here is the output I am getting:
> > TLS: can't accept.
> > TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
> > conn=0 fd=10 closed
> > Any ideas about this?
> This is just a guess, but from "unknown ca" I'm guessing that you used an unknown certificate authority. :) Again, I'm just guessing here, but do you have the correct files on the LDAP server to get TLS connections working? Have you verified that TLS works by connecting with another program, like gq? I'd look over the SSL setup stuff on the LDAP server and make sure that's all perfect... The setup steps are documented all over the internet, IIRC.
> I can't help much more than Google, though, as I only use LDAP over a trusted network and thus haven't put any time into configuring any transport-level security. :)
> --Danny, who should learn about LDAP over SSL someday, though
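Misty's finding that stopping nscd makes the logins work is consistent with how nscd sits in the lookup path: once the daemon is running, the passwd and group lookups that nss_ldap performs happen inside the nscd process rather than inside sshd, and their results, including negative "no such user" answers, are held for the time-to-live values in nscd.conf. The script below is an added example, not code from the thread, and the nscd.conf it reads is a constructed fragment modelled on glibc's sample file; it reports the caching state of a database so an administrator can see whether a stale negative answer or a daemon running as a different user could be what sshd is seeing.

```shell
#!/bin/sh
# Added example (not from the thread): read an nscd.conf and report how a
# database is cached. With nscd running, nss_ldap runs inside the nscd
# daemon, so its config, CA file and cache TTLs are what sshd actually sees.

# nscd_setting CONF KEY [DB] -> value, or "unset" when the key is absent.
# Lines look like "enable-cache passwd yes" (per-database, three fields) or
# "server-user nobody" (global, two fields); comments start with '#'.
nscd_setting() {
    awk -v key="$2" -v db="$3" '
        $1 == key && (db == "" || $2 == db) {
            print (db == "" ? $2 : $3); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# nscd_cache_report CONF DB -> one summary line for that database.
nscd_cache_report() {
    echo "$2: cache=$(nscd_setting "$1" enable-cache "$2")" \
         "positive-ttl=$(nscd_setting "$1" positive-time-to-live "$2")" \
         "negative-ttl=$(nscd_setting "$1" negative-time-to-live "$2")"
}

# Constructed nscd.conf fragment, modelled on glibc's sample values.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat >"$CONF" <<'EOF'
# constructed nscd.conf fragment
server-user             nobody
debug-level             0
enable-cache            passwd  yes
positive-time-to-live   passwd  600
negative-time-to-live   passwd  20
enable-cache            group   yes
positive-time-to-live   group   3600
negative-time-to-live   group   60
enable-cache            hosts   no
EOF

echo "nscd runs lookups as: $(nscd_setting "$CONF" server-user)"
nscd_cache_report "$CONF" passwd
nscd_cache_report "$CONF" group

# What the numbers mean for the symptom in the thread (an assumption about
# this setup, not something the thread confirmed):
#  - a failed lookup is remembered for negative-ttl seconds, so sshd keeps
#    reporting an unknown user for that long after the LDAP side is fixed;
#  - the user named by server-user is the one that must be able to read the
#    nss_ldap configuration and the CA certificate it points at.
# On a live system: "nscd -g" prints cache statistics, "nscd -i passwd"
# drops the passwd cache, and "getent passwd USER" shows what NSS returns.
```

Disabling nscd is a valid workaround, but the report above is the cheaper first step: if the negative TTL explains the delay, invalidating the cache after each configuration change is enough, and if the daemon's user cannot read the CA file, that is the "unknown ca" failure showing up one process removed from sshd.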
participants (2): Danny Sauer, Misty Stanley-Jones