[rhn-users] RedHat Linux 2.1 SSL and LDAP issue
Lam, Eric
Eric.Lam at fmr.com
Tue Apr 19 16:08:27 UTC 2005
Hi all
I am not sure which mailing list to use. Someone said this list has the
most Linux people, so I am trying my luck here. No one has replied to me from
the redhat-sysadmin-list at redhat.com mailing list ;-(
I am enabling the local users to perform password authentication with
some of our LDAP servers using the pam_ldap module from the nss_ldap
package. Users use telnet/ftp/ssh/scp to log on to this RH Linux 2.1
system. We have 4 LDAP servers. Every two LDAP servers have a BigIP device
in front of them. Two of the LDAP servers and one BigIP are for UAT, and
the other two LDAP servers and one BigIP are for production. I added the
pam_ldap entry into the /etc/pam.d/system-auth file; nothing
else changed on the system besides the /etc/ldap.conf file. I did the
same on Linux 2.1 and 3.0. 3.0 has no issue at all; my problem is on
Linux 2.1. Here is my system-auth file:
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=002
On Linux 2.1, when SSL is disabled in /etc/ldap.conf, the system has no
issue using any of the LDAP servers or the BigIP. The user can log on without any
issue.
When SSL is enabled in the /etc/ldap.conf file, the system can only
utilize the two UAT LDAP servers, but it cannot communicate properly
with the BigIP or with the two production servers. On the production
LDAP log, I see the following:
[07/Apr/2005:16:25:20 -0400] conn=302833 fd=188 slot=188 SSL connection from 172.26.30.52 to 172.26.30.13
[07/Apr/2005:16:25:20 -0400] conn=302833 op=-1 fd=188 closed error -12195 (unknown) - B1
The other error that I captured is from running "sshd -d". When a user sshes to
this Linux 2.1 system, sshd shows this error and disconnects.
debug1: userauth_banner: sent
Failed none for a232524 from 10.37.63.30 port 38517 ssh2
debug1: userauth-request for user a232524 service ssh-connection method password
debug1: attempt 1 failures 1
sshd: ../../../libraries/libldap/cyrus.c:418: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.
Aborted
Here is what I am using on the RH Linux 2.1 system:
- openldap-2.0.27-4.7
- openldap-clients-2.0.27-4.7
- nss_ldap-189-9
- openssl-0.9.6b-36
I have compiled pam_ldap 176 from padl.com, but the result is the
same. I also tested and compiled it with my own SSL 097d and OpenLDAP
2217, but it did not change anything (though I am not sure if it is still
using the local ldap libraries during compile).
All LDAP servers are SUN iPlanet 5.0. RH Linux 3.0 has no issue at all
with any LDAP servers or the BigIP using SSL or non-SSL. All my Solaris 2.6
to 9 systems have no issue either. It is the RH Linux 2.1 that has this issue.
I am not sure what else I can capture. Please let me know if you need
more information from this Linux 2.1 system.
Thanks in advance for any help.
Eric Lam
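Added example, not from the original post or from any of the products named in it: a small parser over constructed iPlanet-style access-log lines (modelled on the two lines quoted above) that pairs each "SSL connection from" line with its "closed" line, so SSL handshakes that died before a single LDAP operation ran can be picked out of a busy production log and counted per client. The client addresses, the uid and the healthy conn=302834 session are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in the iPlanet/Sun ONE Directory Server access-log format quoted
# in the post. conn=302833 mirrors the failing production handshake; conn=302834 is a healthy
# session (constructed) for contrast.
SAMPLE_LOG = """\
[07/Apr/2005:16:25:20 -0400] conn=302833 fd=188 slot=188 SSL connection from 172.26.30.52 to 172.26.30.13
[07/Apr/2005:16:25:20 -0400] conn=302833 op=-1 fd=188 closed error -12195 (unknown) - B1
[07/Apr/2005:16:25:21 -0400] conn=302834 fd=189 slot=189 SSL connection from 172.26.30.60 to 172.26.30.13
[07/Apr/2005:16:25:21 -0400] conn=302834 op=0 msgId=1 - BIND dn="uid=a232524,ou=people,o=example" method=128 version=3
[07/Apr/2005:16:25:21 -0400] conn=302834 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[07/Apr/2005:16:25:30 -0400] conn=302834 op=1 msgId=2 fd=189 closed - U1
"""

OPEN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
                     r"(?P<ssl>SSL )?connection from (?P<src>[\d.]+) to (?P<dst>[\d.]+)")
CLOSE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) .*closed"
                      r"(?: error (?P<err>-?\d+) \([^)]*\))? - (?P<code>\w+)")

def find_failed_ssl_handshakes(log_text):
    """Return SSL connections that were closed with an error before any operation ran (op=-1)."""
    opens = {}
    failures = []
    for line in log_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            opens[m["conn"]] = m.groupdict()
            continue
        m = CLOSE_RE.match(line)
        if not m or m["conn"] not in opens:
            continue
        opened = opens.pop(m["conn"])
        # A handshake failure shows as: SSL open, then closed with an error while op is still -1,
        # i.e. the server never processed a single LDAP operation on that connection.
        if opened["ssl"] and m["err"] is not None and m["op"] == "-1":
            failures.append({"conn": m["conn"], "client": opened["src"], "server": opened["dst"],
                             "error": int(m["err"]), "close_code": m["code"], "time": m["ts"]})
    return failures

def failures_by_client(log_text):
    """Count failed SSL handshakes per client address to spot the host whose TLS setup is broken."""
    return Counter(f["client"] for f in find_failed_ssl_handshakes(log_text))

if __name__ == "__main__":
    for f in find_failed_ssl_handshakes(SAMPLE_LOG):
        print(f"{f['time']} conn={f['conn']} {f['client']} -> {f['server']} "
              f"SSL error {f['error']} ({f['close_code']})")
    print(dict(failures_by_client(SAMPLE_LOG)))
```

Feeding the real access log through the same functions (instead of SAMPLE_LOG) lets you confirm that only the 2.1 host's address shows up in the failure count while the 3.0 and Solaris clients complete their binds.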