From Eric.Lam at fmr.com Tue Apr 12 17:42:23 2005
From: Eric.Lam at fmr.com (Lam, Eric)
Date: Tue, 12 Apr 2005 13:42:23 -0400
Subject: LDAP and SSL issue on RH Linux 2.1
Message-ID:

Hi all

My first time on this list. Not sure if there are any people here. I will try my luck.

I am enabling the local user to perform password authentication with some of our LDAP servers using the pam_ldap module from the nss_ldap package. Users use telnet/ftp/ssh to log on to this RH Linux 2.1 system.

We have 4 LDAP servers. Every 2 LDAP servers have a BigIP device in front of them. Two LDAP and one BigIP are for UAT, and the other two LDAP and one BigIP are for production.

I only added the pam_ldap entry into the /etc/pam.d/system-auth file; there is nothing else changed on the system besides the /etc/ldap.conf file. I did the same on Linux 2.1 and 3.0. 3.0 has no issue at all.

On Linux 2.1, when SSL is disabled in /etc/ldap.conf, the system has no issue utilizing any LDAP servers and BigIP. The user can log on without any issue. When SSL is enabled (in the /etc/ldap.conf file), the system can only utilize the two UAT LDAP servers, but it cannot communicate properly with the BigIP and also the two production servers.

On the production LDAP log, I see the following:

[07/Apr/2005:16:25:20 -0400] conn=302833 fd=188 slot=188 SSL connection from 172.26.30.52 to 172.26.30.13
[07/Apr/2005:16:25:20 -0400] conn=302833 op=-1 fd=188 closed error -12195 (unknown) - B1

The other error that I captured is from running "sshd -d". When a user sshes to this Linux 2.1 system, sshd shows this error and disconnects.

debug1: userauth_banner: sent
Failed none for a232524 from 10.37.63.30 port 38517 ssh2
debug1: userauth-request for user a232524 service ssh-connection method password
debug1: attempt 1 failures 1
sshd: ../../../libraries/libldap/cyrus.c:418: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.
Aborted

Here is what I am using on the RH Linux 2.1 system:
- openldap-2.0.27-4.7
- openldap-clients-2.0.27-4.7
- nss_ldap-189-9
- openssl-0.9.6b-36

I have compiled pam_ldap 176 from padl.com, but the result is the same. I also tested and compiled it with my own SSL 097d and OpenLDAP 2217, but it did not change anything.

All LDAP servers are SUN iPlanet 5.0. RH Linux 3.0 has no issue at all with any LDAP servers and BigIP using SSL or non-SSL. All my Solaris 2.6 to 9 have no issue either. It is the RH Linux 2.1 that has this issue.

I am not sure what else I can capture. Please let me know if you need more information from this Linux 2.1 system.

Thanks in advance for any help.

Eric

From balaji.krishnamoorthy1 at ge.com Wed Apr 13 03:09:04 2005
From: balaji.krishnamoorthy1 at ge.com (Krishnamoorthy, Balaji (Research, Consultant))
Date: Wed, 13 Apr 2005 08:39:04 +0530
Subject: (no subject)
Message-ID:

From Eric.Lam at fmr.com Tue Apr 19 16:08:27 2005
From: Eric.Lam at fmr.com (Lam, Eric)
Date: Tue, 19 Apr 2005 12:08:27 -0400
Subject: RedHat Linux 2.1 SSL and LDAP issue
Message-ID:

Hi all

I am not sure which mailing list to use. Someone said this list has the most Linux people, so I am trying my luck here. No one has replied to me from the redhat-sysadmin-list at redhat.com mailing list ;-(

I am enabling the local user to perform password authentication with some of our LDAP servers using the pam_ldap module from the nss_ldap package. Users use telnet/ftp/ssh/scp to log on to this RH Linux 2.1 system.

We have 4 LDAP servers. Every 2 LDAP servers have a BigIP device in front of them. Two of the LDAP servers and one BigIP are for UAT, and the other two LDAP and one BigIP are for production.

I added the pam_ldap entry into the /etc/pam.d/system-auth file; there is nothing else changed on the system besides the /etc/ldap.conf file. I did the same on Linux 2.1 and 3.0. 3.0 has no issue at all; my problem is on Linux 2.1.

Here is my system-auth file:

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_mkhomedir.so skel=/etc/skel umask=002

On Linux 2.1, when SSL is disabled in /etc/ldap.conf, the system has no issue using any LDAP servers and BigIP. The user can log on without any issue. When SSL is enabled (in the /etc/ldap.conf file), the system can only utilize the two UAT LDAP servers, but it cannot communicate properly with the BigIP and also the two production servers.

On the production LDAP log, I see the following:

[07/Apr/2005:16:25:20 -0400] conn=302833 fd=188 slot=188 SSL connection from 172.26.30.52 to 172.26.30.13
[07/Apr/2005:16:25:20 -0400] conn=302833 op=-1 fd=188 closed error -12195 (unknown) - B1

The other error that I captured is from running "sshd -d". When a user sshes to this Linux 2.1 system, sshd shows this error and disconnects.

debug1: userauth_banner: sent
Failed none for a232524 from 10.37.63.30 port 38517 ssh2
debug1: userauth-request for user a232524 service ssh-connection method password
debug1: attempt 1 failures 1
sshd: ../../../libraries/libldap/cyrus.c:418: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.
Aborted

Here is what I am using on the RH Linux 2.1 system:
- openldap-2.0.27-4.7
- openldap-clients-2.0.27-4.7
- nss_ldap-189-9
- openssl-0.9.6b-36

I have compiled pam_ldap 176 from padl.com, but the result is the same. I also tested and compiled it with my own SSL 097d and OpenLDAP 2217, but it did not change anything (but I am not sure if it is still using the local ldap libraries during compile).

All LDAP servers are SUN iPlanet 5.0. RH Linux 3.0 has no issue at all with any LDAP servers and BigIP using SSL or non-SSL. All my Solaris 2.6 to 9 have no issue either. It is the RH Linux 2.1 that has this issue.

I am not sure what else I can capture. Please let me know if you need more information from this Linux 2.1 system.

Thanks in advance for any help.

Eric Lam
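A defender-side check suggested by the iPlanet access-log excerpt quoted in both of Eric's messages, added here as example code that is not part of the thread: it correlates each "SSL connection from" line with the "closed" line of the same conn id and reports which client IPs have SSL sessions that end in an error code, so a client whose handshakes keep failing (here the RH 2.1 host 172.26.30.52) stands out against clients that negotiate fine. The sample log is constructed from the quoted format; the healthy connection from 172.26.30.99 and its "closed - U1" line are assumptions, not lines from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the Sun/iPlanet Directory Server access-log format quoted
# in the thread. conn=302833 is the failing production handshake from the thread;
# conn=302832 is an assumed healthy SSL connection from another client.
SAMPLE_LOG = """\
[07/Apr/2005:16:25:19 -0400] conn=302832 fd=187 slot=187 SSL connection from 172.26.30.99 to 172.26.30.13
[07/Apr/2005:16:25:19 -0400] conn=302832 op=1 fd=187 closed - U1
[07/Apr/2005:16:25:20 -0400] conn=302833 fd=188 slot=188 SSL connection from 172.26.30.52 to 172.26.30.13
[07/Apr/2005:16:25:20 -0400] conn=302833 op=-1 fd=188 closed error -12195 (unknown) - B1
"""

OPEN_RE = re.compile(r"conn=(\d+) .*?SSL connection from (\S+) to (\S+)")
CLOSE_RE = re.compile(r"conn=(\d+) .*?closed(?: error (-?\d+))?")


def ssl_failures(log_text):
    """Correlate every 'SSL connection from' line with the 'closed' line that
    carries the same conn id; return {client_ip: {"total": n, "errors": [codes]}}."""
    client_of_conn = {}                     # conn id -> client ip
    stats = defaultdict(lambda: {"total": 0, "errors": []})
    for line in log_text.splitlines():
        m = OPEN_RE.search(line)
        if m:
            conn, client, _server = m.groups()
            client_of_conn[conn] = client
            stats[client]["total"] += 1
            continue
        m = CLOSE_RE.search(line)
        # Only SSL sessions we saw opened are counted; a plain 'closed' with no
        # error code is a normal teardown and is left out of the error list.
        if m and m.group(1) in client_of_conn and m.group(2) is not None:
            stats[client_of_conn[m.group(1)]]["errors"].append(int(m.group(2)))
    return dict(stats)


def failing_clients(log_text, threshold=1):
    """Client IPs whose SSL sessions closed with an error code at least `threshold` times."""
    return sorted(ip for ip, s in ssl_failures(log_text).items()
                  if len(s["errors"]) >= threshold)


if __name__ == "__main__":
    for ip, s in ssl_failures(SAMPLE_LOG).items():
        print(f"{ip}: {s['total']} SSL connection(s), error codes={s['errors']}")
    print("failing clients:", failing_clients(SAMPLE_LOG))
```

Run against the real access log, the same grouping separates a client-side TLS problem (one source IP failing against every server) from a server-side one (every client failing against one server).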