[Fwd: Authentication to a LDAP-Server on a virtual hostname (via TLS)]
Hi,
I already posted this some days ago to the pam_ldap list, but no one seemed to
be able to make any sense out of it :(
Perhaps some of you have an idea how to solve this, or at least how to determine
a cause for the problems.
TIA
Greetz
James
-------- Original Message --------
Subject: Authentication to a LDAP-Server on a virtual hostname (via TLS)
From: "James Blast" <jamesblast@geb-team.de>
Date: Wed, July 17, 2002 3:51 pm
To: <pamldap@padl.com>
Hi,
I'm having a serious problem authenticating against an LDAP server with
a virtual hostname.
We plan to have the following setup:
Two LDAP servers, doing replication and updateref,
both behind a virtual IP with some load balancing in place.
Currently I only have one server with a second hostname:
-----------snip--------------
[root@moby certs]# dig ldap1.aaabbbccc.intranet
;; QUESTION SECTION:
;ldap1.aaabbbccc.intranet. IN A
;; ANSWER SECTION:
ldap1.aaabbbccc.intranet. 86400 IN CNAME server1.aaabbbccc.intranet.
server1.aaabbbccc.intranet. 86400 IN A 10.170.116.11
-----------snip--------------
Generating a certificate for TLS using the server1 hostname works like a
charm. So the next step was to set up a certificate for ldap1 and do
authentication against this hostname.
When I do this, the authentication works only when I type my password
_twice_. See logs below:
Starting slapd with the ldap1 hostname:
-----------snip--------------
slapd -h "ldap://ldap1.aaabbbccc.intranet/ ldaps://ldap1.aaabbbccc.intranet/"
-----------snip--------------
ldap.conf
-----------snip--------------
host ldap1.aaabbbccc.intranet
base dc=aaabbbcc,dc=intranet
ldap_version 3
port 389
pam_password exop
ssl start_tls
-----------snip--------------
pam.d/sshd
-----------snip--------------
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
-----------snip--------------
pam.d/system-auth
-----------snip--------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
-----------snip--------------
slapd.conf
-----------snip--------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
password-hash {MD5}
TLSCertificateFile /etc/openldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapd.pem
database ldbm
suffix "dc=aaabbbccc,dc=intranet"
rootdn "cn=Manager,dc=aaabbbccc,dc=intranet"
rootpw {SSHA}OLISjctoiJFJdz0vHzg76h/iYVvikYNK
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
include /etc/openldap/slapd.access.conf
-----------snip--------------
syslog
-----------snip--------------
Jul 17 15:09:53 moby sshd(pam_unix)[8858]: check pass; user unknown
Jul 17 15:09:53 moby sshd(pam_unix)[8858]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=moby.aaabbbccc.intranet
Jul 17 15:09:53 moby sshd[8858]: pam_ldap: ldap_starttls_s: Connect error
Jul 17 15:09:56 moby sshd[8858]: Failed password for james from 127.0.0.1 port 34671 ssh2
Jul 17 15:09:58 moby sshd(pam_unix)[8858]: check pass; user unknown
Jul 17 15:09:58 moby sshd[8858]: Accepted password for james from 127.0.0.1 port 34671 ssh2
Jul 17 15:09:58 moby sshd(pam_unix)[8858]: session opened for user james by (uid=0)
-----------snip--------------
System-Info:
-----------snip--------------
System : RedHat 7.2
nss_ldap/pam_ldap : Version 189
ldap : 2.0.11-13
-----------snip--------------
As you can see in this log, authentication fails on the first attempt.
Also there is a TLS connect error. I don't understand this error. This
points to an invalid CN in the certificate. In that case the
authentication should not work at all, rather than on the second attempt. I
have no idea why authentication works with the same config for the real
hostname and only with two attempts for the virtual hostname.
Any help would be appreciated.
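The post's hypothesis is that the certificate's name does not cover the virtual hostname. A TLS client verifies the server certificate against the name it was configured to connect to (here the `host` line in ldap.conf), not against the name the DNS CNAME resolves to, so a certificate issued for server1 does not satisfy a client that was told to talk to ldap1. The following added example (not part of the post, and not pam_ldap's or OpenLDAP's own verification code) implements that name-matching rule in plain Python, parses `host` entries out of an ldap.conf fragment constructed from the post, and reports which configured hosts a given list of certificate names would satisfy. The certificate name lists passed in are assumptions for illustration; the hostnames are those from the post.

```python
# Added example: RFC 6125-style hostname matching applied to the ldap.conf
# `host` entries. Not code from the post, pam_ldap or OpenLDAP.

# Constructed copy of the ldap.conf fragment shown in the post.
LDAP_CONF = """\
host ldap1.aaabbbccc.intranet
base dc=aaabbbccc,dc=intranet
ldap_version 3
port 389
pam_password exop
ssl start_tls
"""


def _norm(name):
    # DNS names compare case-insensitively; a trailing dot is the same name.
    return name.rstrip(".").lower()


def name_matches(pattern, hostname):
    """True if a certificate name (dNSName SAN entry or CN) covers hostname.

    Rules applied (conservative reading of RFC 6125 section 6.4.3):
      - exact, case-insensitive match when there is no wildcard;
      - a wildcard must be the whole leftmost label ("*.example.net"),
        matches exactly one label, and needs at least two labels after it,
        so "*.intranet" never matches.
    Partial-label wildcards such as "ser*.example.net" are rejected.
    """
    p, h = _norm(pattern), _norm(hostname)
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or "*" in ".".join(p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert_names, hostname):
    """cert_names: dNSName SAN entries, or [CN] for a certificate without SAN."""
    return any(name_matches(n, hostname) for n in cert_names)


def configured_hosts(conf_text):
    """Collect every hostname named on `host` lines of a pam_ldap ldap.conf.

    pam_ldap accepts several space-separated hosts on one line, so all
    tokens after the keyword are taken.
    """
    hosts = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "host":
            hosts.extend(parts[1:])
    return hosts


def check_tls_names(conf_text, cert_names):
    """Map each configured host to whether the certificate names cover it.

    The CNAME target (server1 in the post) is deliberately not consulted:
    verification is against the configured name, so a certificate that only
    names server1 leaves ldap1 uncovered.
    """
    return {h: cert_matches_host(cert_names, h) for h in configured_hosts(conf_text)}


if __name__ == "__main__":
    # Assumed certificate contents for the two scenarios in the post.
    cert_for_server1 = ["server1.aaabbbccc.intranet"]
    cert_for_both = ["server1.aaabbbccc.intranet", "ldap1.aaabbbccc.intranet"]
    print(check_tls_names(LDAP_CONF, cert_for_server1))
    print(check_tls_names(LDAP_CONF, cert_for_both))
```

The practical consequence for the setup described (two servers behind one virtual name) is that each server's certificate needs to carry the virtual name as well as its own, and the client side should be made to fail closed when the name does not match rather than retrying, so a name mismatch shows up as a clear verification error instead of an intermittent login.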
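The syslog excerpt in the post shows a pattern worth detecting on its own: within one sshd session the password is rejected, pam_ldap logs a TLS error, and the same password is accepted a couple of seconds later. The following added example (not from the post, and not pam_ldap's or sshd's own tooling) parses syslog-style lines into per-PID sessions and reports every session where a user's password failed and was then accepted within a short window, together with how many pam_ldap errors and "user unknown" messages from pam_unix that session produced. The sample log is the post's excerpt reassembled one event per line; the window length and the output field names are choices made for this example.

```python
# Added example: detect "failed, then accepted a few seconds later" logins
# in syslog-style sshd/PAM output. Not code from the post or from pam_ldap.
import re
from collections import defaultdict

# Constructed sample: the post's syslog excerpt, one event per line.
SAMPLE_LOG = """\
Jul 17 15:09:53 moby sshd(pam_unix)[8858]: check pass; user unknown
Jul 17 15:09:53 moby sshd(pam_unix)[8858]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=moby.aaabbbccc.intranet
Jul 17 15:09:53 moby sshd[8858]: pam_ldap: ldap_starttls_s: Connect error
Jul 17 15:09:56 moby sshd[8858]: Failed password for james from 127.0.0.1 port 34671 ssh2
Jul 17 15:09:58 moby sshd(pam_unix)[8858]: check pass; user unknown
Jul 17 15:09:58 moby sshd[8858]: Accepted password for james from 127.0.0.1 port 34671 ssh2
Jul 17 15:09:58 moby sshd(pam_unix)[8858]: session opened for user james by (uid=0)
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def _secs(hms):
    # Seconds since midnight; good enough for a window of a few seconds.
    # Midnight rollover is not handled in this example.
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse(log_text):
    """Return a list of dicts for every line that has the syslog shape."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line; ignore
        ev = m.groupdict()
        ev["t"] = _secs(ev["time"])
        events.append(ev)
    return events


def analyze(log_text, window=10):
    """Find sessions where a failed password was followed by an accepted one.

    Returns one finding per (pid, accepted login) that had a failure for the
    same user within `window` seconds before it. Each finding also carries
    the number of pam_ldap error messages and pam_unix "user unknown"
    messages seen for that pid, which is what the post's log shows.
    """
    sessions = defaultdict(
        lambda: {"ldap_errors": 0, "unknown_user": 0, "failed": [], "accepted": []}
    )
    for ev in parse(log_text):
        s = sessions[ev["pid"]]
        msg = ev["msg"]
        if msg.startswith("pam_ldap:") and "error" in msg.lower():
            s["ldap_errors"] += 1
        if "user unknown" in msg:
            s["unknown_user"] += 1
        m = FAILED_RE.search(msg)
        if m:
            s["failed"].append((ev["t"], m.group(1), m.group(2)))
        m = ACCEPTED_RE.search(msg)
        if m:
            s["accepted"].append((ev["t"], m.group(1), m.group(2)))

    findings = []
    for pid, s in sessions.items():
        for t_ok, user, src in s["accepted"]:
            prior = [t for t, u, _ in s["failed"] if u == user and 0 <= t_ok - t <= window]
            if prior:
                findings.append({
                    "pid": pid,
                    "user": user,
                    "src": src,
                    "retry_delay": t_ok - max(prior),
                    "ldap_errors": s["ldap_errors"],
                    "unknown_to_pam_unix": s["unknown_user"] > 0,
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against the sample, the detector reports PID 8858: user james accepted 2 seconds after a failure, one pam_ldap error, and pam_unix never recognising the account. On a host where pam_ldap is the only backend that knows a user, a burst of such findings is a cheap indicator that the LDAP/TLS path is flapping rather than that users are mistyping passwords.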