
Issue with LDAP TLS for Unix Login



Hi Folks,

I have an OpenLDAP server (slapd 2.4.16) running on Solaris 10. I generated a self-signed CA certificate on the LDAP server to use TLS and configured slapd.conf with the certificate information. I am looking to get LDAP authentication over TLS working on the LDAP client side. I was able to set up a CentOS 6.3 Linux box as an LDAP client using the OpenLDAP client to authenticate over TLS, but I am having issues setting up a Solaris 10 host using the native LDAP client software. The Solaris 10 LDAP client is set up with 'ldapclient manual' and the certificate was added using the certutil command.

Here are the error messages I see in the slapd.log file on the OpenLDAP server side when trying to authenticate using LDAP over TLS:

Jan 14 14:51:53 ldapsrv slapd[543]: [ID 848112 local4.debug] conn=1270 fd=25 ACCEPT from IP=10.90.180.236:41051 (IP=0.0.0.0:636)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 609413 local4.debug] daemon: waked
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 802679 local4.debug] daemon: activity on:
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 522297 local4.debug]  25r
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 100000 local4.debug]
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 694296 local4.debug] daemon: read activity on 25
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 525477 local4.debug] connection_get(25)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 611214 local4.debug] connection_get(25): got connid=1270
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 138202 local4.debug] connection_read(25): checking for input on id=1270
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 609413 local4.debug] daemon: waked
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 802679 local4.debug] daemon: activity on:
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 522297 local4.debug]  25r
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 100000 local4.debug]
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 694296 local4.debug] daemon: read activity on 25
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 525477 local4.debug] connection_get(25)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 611214 local4.debug] connection_get(25): got connid=1270
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 138202 local4.debug] connection_read(25): checking for input on id=1270
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 688457 local4.debug] connection_read(25): TLS accept failure error=-1 id=1270, closing
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 734893 local4.debug] connection_closing: readying conn=1270 sd=25 for close
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 330685 local4.debug] connection_close: conn=1270 sd=25
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 609413 local4.debug] daemon: waked
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 423323 local4.debug] daemon: removing 25
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 485650 local4.debug] conn=1270 fd=25 closed (TLS negotiation failure)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 802679 local4.debug] daemon: activity on:
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 522297 local4.debug]  23r
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 100000 local4.debug]



On the LDAP client side I have enabled PAM debugging and I see the following error messages associated with it:

Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 492885 auth.debug] PAM[6459]: pam_setcred(80c9bd8, 2)
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 931871 auth.debug] PAM[6459]: load_modules(80c9bd8, pam_sm_setcred)=/usr/lib/security/pam_authtok_get.so.1
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 962116 auth.debug] PAM[6459]: pam_setcred(80c9bd8, 2): error Permission denied
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 509612 auth.debug] PAM[6459]: pam_set_item(80c9bd8:authtok)
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 725776 auth.debug] PAM[6459]: pam_end(80c9bd8): status = Permission denied
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 826707 auth.debug] PAM[6820]: pam_set_item(80c9bd8:authtok)
Jan 14 14:52:45 drac9ec2 last message repeated 1 time
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 887652 auth.debug] PAM[6820]: pam_authenticate(80c9bd8, 1): error Authentication failed
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd-kbdint ldapusr2), flags = 1
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 293258 auth.warning] libsldap: Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 887652 auth.debug] PAM[6820]: pam_authenticate(80c9bd8, 1): error Permission denied
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 826707 auth.debug] PAM[6820]: pam_set_item(80c9bd8:authtok)
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 800047 auth.notice] Failed keyboard-interactive for ldapusr2 from 10.90.176.38 port 44078 ssh2
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 826707 auth.debug] PAM[6820]: pam_set_item(80c9bd8:conv)
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 814791 auth.debug] PAM[6820]: pam_end(80c9bd8): status = Authentication failed
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 324150 auth.debug] PAM[6820]: pam_start(sshd-kbdint,ldapusr2,80a98a8:80c9bd8) - debug = 1



Here is the ldapclient command I ran to set up the LDAP client:

ldapclient -v manual -a defaultServerList=10.90.177.2 -a credentialLevel=anonymous -a domainName=dvsg-ldap.com -a defaultSearchBase=dc=dvsg-ldap,dc=com -a authenticationMethod=tls:simple -a serviceAuthenticationMethod=pam_ldap:tls:simple -a proxyDN=cn=readonly,dc=dvsg-ldap,dc=com -a proxyPassword=secret -a certificatePath=/var/ldap


Any guidance or help to resolve this issue would be most appreciated.

thank you,
Arvind.
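The two log excerpts in the post can be tied together mechanically: the server's ACCEPT line and its "closed (TLS negotiation failure)" line share a conn= id, and the client's libsldap line carries the LDAP result code (81 is LDAP_SERVER_DOWN, the code libsldap reports when no session could be opened at all; 49 would be LDAP_INVALID_CREDENTIALS). The correlator below is an added example, not part of Arvind's post nor of OpenLDAP or Solaris; the sample lines are constructed after the ones in the post, with a second client IP and a non-TLS connection added so the grouping is visible. It reports, per client IP, how many connections on the ldaps listener died during the TLS handshake, and decodes the client-side status.

```python
import re
from collections import defaultdict

# Constructed sample slapd debug output, patterned after the post (not real logs).
# Only the ACCEPT and "closed" lines matter for the correlation; the daemon:
# select/waked chatter in between has been left out.
SLAPD_LOG = """\
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 848112 local4.debug] conn=1270 fd=25 ACCEPT from IP=10.90.180.236:41051 (IP=0.0.0.0:636)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 688457 local4.debug] connection_read(25): TLS accept failure error=-1 id=1270, closing
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 485650 local4.debug] conn=1270 fd=25 closed (TLS negotiation failure)
Jan 14 14:53:10 ldapsrv slapd[543]: [ID 848112 local4.debug] conn=1271 fd=26 ACCEPT from IP=10.90.176.38:50022 (IP=0.0.0.0:636)
Jan 14 14:53:10 ldapsrv slapd[543]: [ID 485650 local4.debug] conn=1271 fd=26 closed
Jan 14 14:53:12 ldapsrv slapd[543]: [ID 848112 local4.debug] conn=1272 fd=27 ACCEPT from IP=10.90.176.38:50023 (IP=0.0.0.0:389)
Jan 14 14:53:12 ldapsrv slapd[543]: [ID 485650 local4.debug] conn=1272 fd=27 closed (connection lost)
"""

# Constructed client-side line, patterned after the libsldap warning in the post.
CLIENT_LINE = ("Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 293258 auth.warning] libsldap: "
               "Status: 81  Mesg: openConnection: simple bind failed - Can't contact LDAP server")

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
CLOSE_RE = re.compile(r"conn=(\d+) fd=\d+ closed(?: \((.*)\))?")
LIBSLDAP_RE = re.compile(r"libsldap: Status: (\d+)\s+Mesg: (.*)")

# LDAP result codes as reported by libsldap; only the ones relevant here.
LDAP_RESULT_NAMES = {
    0: "LDAP_SUCCESS",
    49: "LDAP_INVALID_CREDENTIALS",
    81: "LDAP_SERVER_DOWN",
}


def correlate_connections(log_text):
    """Pair every slapd ACCEPT with its 'closed' line by conn= id.

    Returns {conn_id: {"client": ip, "listener_port": int, "close_reason": str}}.
    A bare 'closed' with no parenthesised reason is recorded as "normal".
    """
    conns = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_id, client_ip, port = m.groups()
            conns[conn_id] = {"client": client_ip,
                              "listener_port": int(port),
                              "close_reason": None}
            continue
        m = CLOSE_RE.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)]["close_reason"] = m.group(2) or "normal"
    return conns


def tls_failures_by_client(log_text):
    """Count, per client IP, connections on any listener that died in the TLS handshake."""
    counts = defaultdict(int)
    for info in correlate_connections(log_text).values():
        if info["close_reason"] == "TLS negotiation failure":
            counts[info["client"]] += 1
    return dict(counts)


def libsldap_status(line):
    """Extract the numeric status from a libsldap syslog line and name it.

    Returns (code, name) or None if the line is not a libsldap status line.
    """
    m = LIBSLDAP_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    return code, LDAP_RESULT_NAMES.get(code, "UNKNOWN")


if __name__ == "__main__":
    for conn_id, info in correlate_connections(SLAPD_LOG).items():
        print(conn_id, info)
    print("TLS handshake failures by client:", tls_failures_by_client(SLAPD_LOG))
    print("client-side status:", libsldap_status(CLIENT_LINE))
```

Read together, a "TLS negotiation failure" on the 636 listener plus Status 81 on the client mean the session was torn down inside the TLS handshake, before any bind was attempted, so the proxy credentials play no part in this failure. The next thing I would check from the client host is the handshake itself, independent of libsldap: `openssl s_client -connect <server>:636 -CAfile <ca.pem>` against the same CA that was loaded with certutil, and whether the name in defaultServerList (an IP address in the posted command) is one the server certificate actually carries.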