RedHat Linux 2.1 SSL and LDAP issue

Lam, Eric Eric.Lam at fmr.com
Tue Apr 19 16:08:27 UTC 2005


Hi all

I am not sure which mailing list to use. Someone said this list has the
most Linux people, so I am trying my luck here. No one has replied to me
from the redhat-sysadmin-list at redhat.com mailing list ;-(

I am enabling local users to perform password authentication against
some of our LDAP servers using the pam_ldap module from the nss_ldap
package. Users use telnet/ftp/ssh/scp to log on to this RH Linux 2.1
system. We have 4 LDAP servers. Every two LDAP servers have a BigIP device
in front of them. Two of the LDAP servers and one BigIP are for UAT, and
the other two LDAP servers and one BigIP are for production. I added the
pam_ldap entry into the /etc/pam.d/system-auth file; nothing else is
changed on the system besides the /etc/ldap.conf file. I did the same
on Linux 2.1 and 3.0. 3.0 has no issue at all; my problem is on
Linux 2.1. Here is my system-auth file:
    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/pam_ldap.so use_first_pass
    auth        required      /lib/security/pam_deny.so

    account     required      /lib/security/pam_unix.so

    password    required      /lib/security/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/pam_deny.so

    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so
    session     optional      /lib/security/pam_mkhomedir.so skel=/etc/skel umask=002

On Linux 2.1, when SSL is disabled in /etc/ldap.conf, the system has no
issue using any of the LDAP servers and BigIPs. The user can log on without
any issue.
When SSL is enabled in the /etc/ldap.conf file, the system can only
use the two UAT LDAP servers; it cannot communicate properly with the
BigIPs or with the two production servers. On the production LDAP log,
I see the following:
    [07/Apr/2005:16:25:20 -0400] conn=302833 fd=188 slot=188 SSL connection from 172.26.30.52 to 172.26.30.13
    [07/Apr/2005:16:25:20 -0400] conn=302833 op=-1 fd=188 closed error -12195 (unknown) - B1

The other error that I captured is from running "sshd -d". When a user sshes
to this Linux 2.1 system, sshd shows this error and disconnects:
    debug1: userauth_banner: sent
    Failed none for a232524 from 10.37.63.30 port 38517 ssh2

    debug1: userauth-request for user a232524 service ssh-connection method password
    debug1: attempt 1 failures 1
    sshd: ../../../libraries/libldap/cyrus.c:418: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.
    Aborted

Here is what I am using on the RH Linux 2.1 system: 
- openldap-2.0.27-4.7 
- openldap-clients-2.0.27-4.7 
- nss_ldap-189-9 
- openssl-0.9.6b-36 
I have compiled the pam_ldap 176 from padl.com, but the result is the
same. I also tested and compiled it with my own SSL 097d and OpenLDAP
2217, but it did not change anything (but I am not sure if it is still
using local ldap libraries during compile). 
All LDAP servers are SUN iPlanet 5.0. RH Linux 3.0 has no issue at all
with any LDAP server or BigIP, using SSL or non-SSL. All my Solaris 2.6
to 9 systems have no issue either. It is only RH Linux 2.1 that has this issue.
I am not sure what else I can capture. Please let me know if you need
more information from this Linux 2.1 system.
Thanks in advance for any help.

Eric Lam
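An added diagnostic (not from the original post or from any of the packages named) that probes each endpoint at the TLS layer and at the LDAP layer separately, so a handshake rejected by a server or BigIP (what the iPlanet log records as an SSL connection closed with an error) can be told apart from a failure inside the client's libldap/pam_ldap (the cyrus.c assertion). It assumes ldaps on port 636, openssl and ldapsearch in PATH, and placeholder hostnames and CA-file path standing in for the real UAT/production servers and BigIP VIPs.

```shell
#!/bin/sh
# Added example, not the poster's setup: hostnames and the CA file path are placeholders.
ENDPOINTS="uat-ldap1.example.test uat-ldap2.example.test uat-bigip.example.test \
prod-ldap1.example.test prod-ldap2.example.test prod-bigip.example.test"

# TLS-only probe: prints ok / cert-untrusted / handshake-failed.
# CAFILE should be the same CA bundle the client uses (tls_cacertfile in ldap.conf).
tls_probe() {
  host=$1; port=${2:-636}; cafile=${CAFILE:-/etc/openldap/cacerts/ca.pem}
  out=$(echo | openssl s_client -connect "$host:$port" -CAfile "$cafile" 2>&1)
  if echo "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  elif echo "$out" | grep -q 'BEGIN CERTIFICATE'; then
    echo cert-untrusted      # handshake completed, but the chain did not verify
  else
    echo handshake-failed    # no certificate came back: protocol/cipher/VIP problem
  fi
}

# LDAP-layer probe over ldaps: anonymous base search of the root DSE; prints the exit code.
ldap_probe() {
  host=$1; port=${2:-636}
  if ldapsearch -x -H "ldaps://$host:$port" -b '' -s base 'objectclass=*' >/dev/null 2>&1; then
    echo 0
  else
    echo $?
  fi
}

# Map the two results to the layer worth looking at next.
diagnose() {
  case "$1" in
    handshake-failed) echo "tls-layer: endpoint rejects the handshake (protocol or cipher mismatch)" ;;
    cert-untrusted)   echo "trust: endpoint certificate chain is not in the client CA file" ;;
    ok) if [ "$2" -eq 0 ]; then echo "healthy"
        else echo "client-side: TLS ok but LDAP search failed (rc=$2); suspect libldap/pam_ldap"; fi ;;
    *) echo "unknown tls status: $1" ;;
  esac
}

# Network probes run only when explicitly requested, so the functions can be sourced offline.
if [ "${RUN_PROBES:-0}" = 1 ]; then
  for h in $ENDPOINTS; do
    t=$(tls_probe "$h"); r=0
    [ "$t" = ok ] && r=$(ldap_probe "$h")
    printf '%-26s %-17s %s\n' "$h" "$t" "$(diagnose "$t" "$r")"
  done
fi
```

Run with RUN_PROBES=1 CAFILE=/path/to/ca.pem sh probe.sh; an endpoint that reports handshake-failed while the UAT servers report ok points at the server or BigIP SSL configuration rather than at the client.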



