I have a little problem with auth against LDAP. Everything works fine on the system, IMAP, POP, login, SMB etc. etc. But when trying to auth via a VMware service, I get this in my syslog:

vmware-authd[7010]: pam_ldap: ldap_starttls_s: Connect error

My /etc/pam.d/vmware-authd contains:

auth include common-auth
account include common-account
password include common-password
session include common-session

Ideas please?

-- 
Anders Norrbring
Norrbring Consulting

-- 
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@suse.com
Anders Norrbring wrote:
I have a little problem with auth against LDAP. Everything works fine on the system, IMAP, POP, login, SMB etc. etc. But when trying to auth via a VMware service, I get this in my syslog:
vmware-authd[7010]: pam_ldap: ldap_starttls_s: Connect error
My /etc/pam.d/vmware-authd contains:
auth include common-auth
account include common-account
password include common-password
session include common-session
Ideas please?
I just don't get it... Every other pam module works just fine for me, and all users are stored in the LDAP database. All users can use any service that verifies through PAM. But not the vmware... I've also changed the /etc/pam.d/vmware-authd file to read like this:

#%PAM-1.0
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session

Still I get the error in syslog as soon as it's used:

vmware-authd[23513]: pam_ldap: ldap_starttls_s: Connect error

That error doesn't show for any of the other services. Also, it only happens for users other than 'root'. When testing with 'root', I get access instantly; trying with another user, it renders the problem above, and I don't get access.

-- 
Anders Norrbring
Norrbring Consulting
Anders Norrbring wrote:
I have a little problem with auth against LDAP. Everything works fine on the system, IMAP, POP, login, SMB etc. etc.. But when trying to auth via a VMware service, I get this in my syslog:
vmware-authd[7010]: pam_ldap: ldap_starttls_s: Connect error
When you disable SSL, does it work with a user other than root? You could maybe try to disable the verification of the server identity by putting "tls_checkpeer no" in /etc/ldap.conf.

Is it possible that you maybe have an ldaprc file that overrides your global value? That would explain why it works with root but not with other users.

Gaël
Gaël Lams wrote:
Anders Norrbring wrote:
I have a little problem with auth against LDAP. Everything works fine on the system, IMAP, POP, login, SMB etc. etc.. But when trying to auth via a VMware service, I get this in my syslog:
vmware-authd[7010]: pam_ldap: ldap_starttls_s: Connect error
When you disable SSL, does it work with a user other than root?
You could maybe try to disable the verification of the server identity by putting "tls_checkpeer no" in /etc/ldap.conf. Is it possible that you maybe have an ldaprc file that overrides your global value? That would explain why it works with root but not with other users.
It must be in the VMware auth daemon somehow... I just don't know where... If I disable TLS, it works just fine. No ldaprc file anywhere...

I also tested this on an absolutely clean and fresh installation of SLES10 RC2.5 and the same problem arose there.

So, my conclusion is that neither I nor SUSE is the problem, but VMware is. I've filed a bug report with them to see what they say.

Anders.
It must be in the VMware auth daemon somehow... I just don't know where... If I disable TLS, it works just fine. No ldaprc file anywhere...
I also tested this on an absolutely clean and fresh installation of SLES10 RC2.5 and the same problem arose there.
So, my conclusion is that neither I nor SUSE is the problem, but VMware is. I've filed a bug report with them to see what they say.
Could you please let me know if/when you have feedback from VMware? For the time being I've only 2 ESX servers, but configuring pam-ldap for the vm* services is something I will do sooner or later.

Regards,
Gaël
Gaël Lams wrote:
It must be in the VMware auth daemon somehow... I just don't know where... If I disable TLS, it works just fine. No ldaprc file anywhere...
I also tested this on an absolutely clean and fresh installation of SLES10 RC2.5 and the same problem arose there.
So, my conclusion is that neither I nor SUSE is the problem, but VMware is. I've filed a bug report with them to see what they say.
Could you please let me know if/when you have feedback from VMware? For the time being I've only 2 ESX servers, but configuring pam-ldap for the vm* services is something I will do sooner or later.
I will... I don't think this will affect the ESX servers, as they use their own port of RHEL Linux as the base host O/S. They use their own user verification inside ESX, and it's not dependent on any other underlying operating system like VMware Server is, which runs on top of an existing O/S.

I have never had any problems with my ESX anyway, running both the web based, client based and Virtual Center without any problems like this. Then again, I've never tried to make ESX verify users on an external LDAP server....

Anders.
I don't think this will affect the ESX servers, as they use their own port of RHEL Linux as the base host O/S. They use their own user verification inside ESX, and it's not dependent on any other underlying operating system like VMware Server is, which runs on top of an existing O/S.
Actually I thought your problem was with ESX when I read "vmware-authd". Never used VMware Server. Is it based on a vmware_home_made Linux-based OS?

Gaël
Gaël Lams wrote:
I don't think this will affect the ESX servers, as they use their own port of RHEL Linux as the base host O/S. They use their own user verification inside ESX, and it's not dependent on any other underlying operating system like VMware Server is, which runs on top of an existing O/S.
Actually I thought your problem was with ESX when I read "vmware-authd".
Nope.. And the vmware-authd is a component in all VMware products, since it's used for user verification.
Never used VMware Server. Is it based on a vmware_home_made Linux-based OS?
Eeeh... No... :) VMware Server 1.0 and VMware GSX don't come with an O/S. You install them on top of your existing Linux or Windows installation.

VMware ESX on the other hand is a complete solution where VMware took a RedHat RHEL base and modified it heavily to be incorporated in the ESX product. It's still a Linux, but with so many modifications that it's more a separate product. All made by VMware.

Anders Norrbring
I have a little problem with auth against LDAP. Everything works fine on the system, IMAP, POP, login, SMB etc. etc. But when trying to auth via a VMware service, I get this in my syslog:

vmware-authd[7010]: pam_ldap: ldap_starttls_s: Connect error

When you disable SSL, does it work with a user other than root? You could maybe try to disable the verification of the server identity by putting "tls_checkpeer no" in /etc/ldap.conf. Is it possible that you maybe have an ldaprc file that overrides your global value? That would explain why it works with root but not with other users.

It must be in the VMware auth daemon somehow... I just don't know where... If I disable TLS, it works just fine. No ldaprc file anywhere...
Make sure hostname resolution works properly, for both forward and reverse, from the VMware host. And that the VMware has permissions to the appropriate key/cert files.
That error doesn't show for any of the other services. Also, it only happens for users other than 'root'. When testing with 'root', I get access instantly; trying with another user, it renders the problem above, and I don't get access.
I was thinking that maybe you define "rootbinddn" in /etc/ldap.conf for the distinguished name to bind to the server with when the user ID is root? That could explain the difference between "root" and normal login access.
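The checks proposed across this thread (Gaël's tls_checkpeer and stray-ldaprc questions, Adam's forward/reverse resolution and certificate-permission points, and the rootbinddn/ldap.secret difference that would make root behave differently from every other user) can be run from one script, first as root and then as the user that fails. This is an added example, not code from the thread, from pam_ldap or from VMware. The default paths /etc/ldap.conf and /etc/ldap.secret are the usual PADL pam_ldap locations and are assumptions about your system; the config file used in the self-test is constructed.

```shell
#!/bin/sh
# Added diagnostic for the "pam_ldap: ldap_starttls_s: Connect error" symptom in this
# thread (not code from the thread, pam_ldap or VMware). Paths default to the PADL
# pam_ldap locations /etc/ldap.conf and /etc/ldap.secret; adjust for your system.
# Run it twice, as root and as the user that fails: a "root works, everyone else
# fails" split usually means the two bind with different credentials, read a
# different config (ldaprc) or cannot both read the CA file.

# ldap_opt FILE KEY -> prints KEY's value from a pam_ldap-style ldap.conf
# (keys are case-insensitive, '#' starts a comment, first match wins)
ldap_opt() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# host_of_uri URI -> host part of ldap://host[:port]/ (first URI if several)
host_of_uri() {
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[:/ ].*$##'
}

# check_ldap_conf FILE [SECRET] -> prints findings, returns the number of problems
check_ldap_conf() {
    conf=$1; secret=${2:-/etc/ldap.secret}; problems=0
    if [ ! -r "$conf" ]; then
        echo "PROBLEM: $conf is not readable by uid $(id -u)"; return 1
    fi
    ssl=$(ldap_opt "$conf" ssl)
    checkpeer=$(ldap_opt "$conf" tls_checkpeer)
    cacert=$(ldap_opt "$conf" tls_cacertfile)
    cacertdir=$(ldap_opt "$conf" tls_cacertdir)
    binddn=$(ldap_opt "$conf" binddn)
    rootbinddn=$(ldap_opt "$conf" rootbinddn)
    echo "uid $(id -u): ssl=${ssl:-off} tls_checkpeer=${checkpeer:-default}"

    if [ "$ssl" = "start_tls" ] && [ "$checkpeer" != "no" ]; then
        # peer verification is on, so libldap must be able to load the CA material
        if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
            echo "PROBLEM: start_tls with peer verification but no tls_cacertfile/tls_cacertdir"
            problems=$((problems + 1))
        fi
        for f in $cacert $cacertdir; do
            if [ ! -r "$f" ]; then
                echo "PROBLEM: CA path $f is not readable by uid $(id -u)"
                problems=$((problems + 1))
            fi
        done
    fi

    # rootbinddn: uid 0 binds with the password in the root-only ldap.secret; every
    # other uid binds as binddn (or anonymously), which is one explanation for a
    # root-vs-others difference if only the rootbinddn identity may bind over TLS
    if [ -n "$rootbinddn" ]; then
        if [ -r "$secret" ]; then
            echo "note: binding as rootbinddn $rootbinddn (password from $secret)"
        else
            echo "note: $secret not readable, binding as ${binddn:-anonymous}"
        fi
    fi

    # a per-user ldaprc overrides libldap options from the global file
    for rc in "${HOME:-/nonexistent}/.ldaprc" "${HOME:-/nonexistent}/ldaprc" ./ldaprc; do
        [ -f "$rc" ] && echo "note: $rc exists and overrides TLS settings for this user"
    done
    return "$problems"
}

# check_resolution HOST -> 0 only if forward and reverse lookups both succeed
check_resolution() {
    ip=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { echo "PROBLEM: $1 does not resolve"; return 1; }
    name=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    [ -n "$name" ] || { echo "PROBLEM: no reverse record for $ip ($1)"; return 1; }
    echo "ok: $1 -> $ip -> $name"
}

main() {
    conf=${1:-/etc/ldap.conf}
    check_ldap_conf "$conf"; rc=$?
    host=$(host_of_uri "$(ldap_opt "$conf" uri)")
    [ -n "$host" ] || host=$(ldap_opt "$conf" host | awk '{ print $1 }')
    [ -n "$host" ] && check_resolution "$host"
    # Force the same STARTTLS handshake pam_ldap performs. ldapsearch reads libldap's
    # own ldap.conf, not pam_ldap's, so hand it the same CA file explicitly.
    if [ -n "$host" ] && command -v ldapsearch >/dev/null 2>&1; then
        cacert=$(ldap_opt "$conf" tls_cacertfile)
        [ -n "$cacert" ] && export LDAPTLS_CACERT="$cacert"
        if ldapsearch -x -ZZ -H "ldap://$host/" -s base -b '' 1.1 >/dev/null 2>&1; then
            echo "ok: STARTTLS handshake with $host succeeded as uid $(id -u)"
        else
            echo "PROBLEM: STARTTLS with $host failed as uid $(id -u) (rerun ldapsearch with -d 1)"
        fi
    fi
    return "$rc"
}

# usage: sh ldap_tls_check.sh [/etc/ldap.conf]
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh ldap_tls_check.sh /etc/ldap.conf` from a root shell and again with `su - someuser -c '...'`, and compare the two outputs: a CA file that only root can read, an ldaprc in the user's home, or a rootbinddn note on one run but not the other each account for exactly the root-only behaviour described in this thread. Note that ldapsearch may still succeed where pam_ldap fails, since the daemon performs the bind with its own uid and environment; in that case compare the uid that vmware-authd runs its PAM conversation under with the uid you tested.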
participants (3):
- Adam Williams
- Anders Norrbring
- Gaël Lams