LDAP/SSL authentication in FC2
Harry Hoffman
hhoffman at ip-solutions.net
Tue Sep 28 21:19:37 UTC 2004
Hi All,
I've done this before under Redhat but am having the damndest time with FC2.
My LDAP server is a FC1 box with OpenLDAP/TLS (stock standard from the
distro).
I believe I have everything set up properly. I can use "getent passwd"
from the client machine and see all of the passwd entries on the ldap
server.
In addition I can properly bind (using ldapsearch) as the user I'm
attempting to ssh into the client as.
When I try to ssh in I get the following log errors:
Sep 26 23:16:17 mason sshd[21438]: Illegal user user from ::ffff:192.168.4.65
Sep 26 23:16:20 mason sshd[21438]: Failed password for illegal user user from ::ffff:192.168.4.65 port 33553 ssh2
Any help would be greatly appreciated.
Thanks,
Harry
The typical user entry looks something like this:
dn: uid=user,ou=People,dc=domain,dc=tld
uid: user
cn: User
sn: User
mail: user at domain
mailRoutingAddress: user at domain
mailHost: smtp.fqdn
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: hostObject
userPassword:: XXX
shadowLastChange: 12523
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user
mailLocalAddress: user at xxx.xxx
host: ldap.client.fqdn
The server certificate is a self-created CA with the proper certs on
both server and client.
The client's ldap.conf looks like:
uri ldaps://ldap.domain.tld/
scope sub
timelimit 30
bind_timelimit 30
idle_timelimit 3600
pam_login_attribute uid
pam_check_host_attr yes
nss_base_passwd ou=People,dc=domain,dc=tld?one
nss_base_shadow ou=People,dc=domain,dc=tld?one
nss_base_group ou=Group,dc=domain,dc=tld?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/share/ssl/certs/ip-solutions.crt
pam_password md5
/etc/pam.d/sshd looks like this:
#%PAM-1.0
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
/etc/nsswitch.conf looks like this:
passwd: ldap [NOTFOUND=return] files
shadow: ldap [NOTFOUND=return] files
group: ldap [NOTFOUND=return] files
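An added example, not code from the post or from nss_ldap/pam_ldap: it parses an LDIF entry like the one above and checks offline the two things this configuration demands of the entry, namely the posixAccount attributes nss_ldap needs to answer getpwnam(), and the rule that "pam_check_host_attr yes" turns on (the host attribute must list the client's hostname, or "*"). The function names and the sample entry are mine; the sample is modelled on the post's entry with a made-up password value.

```python
import base64

# Constructed sample modelled on the post's entry; the password is a made-up placeholder.
PW = base64.b64encode(b"{SSHA}placeholder").decode()
SAMPLE_LDIF = f"""\
dn: uid=user,ou=People,dc=domain,dc=tld
uid: user
objectClass: posixAccount
objectClass: hostObject
userPassword:: {PW}
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user
host: ldap.client.fqdn
"""
POSIX_ATTRS = ("uid", "uidnumber", "gidnumber", "homedirectory", "loginshell")  # for getpwnam()

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}; folded lines
    (leading space) are joined and 'attr:: value' is base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"): continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep: raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):        # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry

def entry_problems(entry, client_host):
    """Reasons this entry cannot log in on client_host: posixAccount data that
    nss_ldap needs, and the 'pam_check_host_attr yes' rule (host lists client or '*')."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes: problems.append("missing objectClass posixAccount")
    problems += [f"missing attribute {a}" for a in POSIX_ATTRS if a not in entry]
    hosts = {h.lower() for h in entry.get("host", [])}
    if "*" not in hosts and client_host.lower() not in hosts:
        problems.append(f"host attribute does not allow {client_host}")
    return problems
```

sshd logs "Illegal user" when its own lookup of the username fails (getpwnam, or an AllowUsers/DenyUsers rule), before PAM's host check is reached, so this script validates the entry itself rather than the lookup path sshd takes.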