<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6603.0"> <TITLE>RedHat Linux 2.1 SSL and LDAP issue</TITLE> </HEAD> <BODY>  Hi all I am not sure which mailing list to use. Someone said this list has the most Linux people, so I am trying my luck here. No one has reply me from the redhat-sysadmin-list@redhat.com mailing list ;-( I am enabling the local user to perform password authentication with some of our LDAP servers using the pam_ldap modules from nss_ldap package. Users use telnet/ftp/ssh/scp to logon to this RH Linux 2.1 system. We have 4 LDAP servers. Every 2 LDAP servers has a BigIP device in front of them. Two of the LDAP servers and one BigIP are for UAT, and the other two LDAP and one BigIP are for production. I added the pam_ldap entry into the /etc/pam.d/system-auth file, there is nothing else changed on the system - beside the /etc/ldap.conf file. I did the same on Linux 2.1 and 3.0. 3.0 has no issue at all, my problem is on Linux 2.1. Here is my system-auth file: <UL><UL> auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth sufficient /lib/security/pam_ldauth.so use_first_pass auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so password required /lib/security/pam_cracklib.so retry=3 type= password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=002 </UL></UL> On Linux 2.1, when SSL is disabled in /etc/ldap.conf, the system has no issue to use any LDAP servers and BigIP. The user can logon without any issue. When SSL is enabled (in /etc/ldap.conf) file, the system can only utilize the two UAT LDAP servers, but it can not communicate properly with the BigIP and also the two production servers. On the production LDAP log, I see the following: [07/Apr/2005:16:25:20 -0400] conn=302833 fd=188 slot=188 SSL connection from 172.26.30.52 to 172.26.30.13 [07/Apr/2005:16:25:20 -0400] conn=302833 op=-1 fd=188 closed error -12195 (unknown) - B1 The other error that I captured is running "sshd -d". When a user ssh to this Linux 2.1 system, the sshd show this error and disconnected. <UL><UL> debug1: userauth_banner: sent Failed none for a232524 from 10.37.63.30 port 38517 ssh2 debug1: userauth-request for user a232524 service ssh-connection method password debug1: attempt 1 failures 1 sshd: ../../../libraries/libldap/cyrus.c:418: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed. Aborted </UL></UL> Here is what I am using on the RH Linux 2.1 system: - openldap-2.0.27-4.7 - openldap-clients-2.0.27-4.7 - nss_ldap-189-9 - openssl-0.9.6b-36 I have compiled the pam_ldap 176 from padl.com, but the result is the same. I also tested and compiled it with my own SSL 097d and OpenLDAP 2217, but it did not change anything (but I am not sure if it is still using local ldap libraries during compile). All LDAP servers are SUN iPlanet 5.0. RH Linux 3.0 has no issue at all to any LDAP servers and BigIP using SSL or non-SSL. All my Solaris 2.6 to 9 has no issue too. It is the RH Linux 2.1 that has this issue. I am not sure what else I can capture. Please let me know if you need more information from this Linux 2.1 system. Thanks a in advance for any help. Eric Lam </BODY> </HTML>