
User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for


O. Hartmann

2011-03-18 07:08:44

Hello.
I am trying to use a FreeBSD OpenLDAP server (FreeBSD 8.2-STABLE/amd64, most recent
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for
an Ubuntu 10.10 server (using openldap 2.4.23).

Most of the installation on the Ubuntu server has been done successfully
(I'm not familiar with Linux, but it seems that things like pam and ldap
are quite similar to FreeBSD's installation).

From the Linux/Ubuntu server I'm able to get all users and groups via
'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed
user is successful.

But when it comes to a login via sshd, the login fails with this error
(logged on Linux/Ubuntu in /var/log/auth.log):

Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as
user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality
required)
Mar 18 12:01:25 freyja sshd[26854]: Failed password for testuser from
192.168.0.128 port 54156 ssh2

I'm able to login from other systems (FreeBSD 9 and 8) via this specific
OpenLDAP server.

Does anyone have a clue?

Please CC me; I'm not subscribed to this list.

Thanks in advance and regards,
Oliver

_______________________________________________
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Dan Nelson

2011-03-18 12:02:57

In the last episode (Mar 18), O. Hartmann said:
> I am trying to use a FreeBSD OpenLDAP server (FreeBSD 8.2-STABLE/amd64, most recent
> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
> Ubuntu 10.10 server (using openldap 2.4.23).
>
> Most of the installation on the Ubuntu server has been done successfully
> (I'm not familiar with Linux, but it seems that things like pam and ldap
> are quite similar to FreeBSD's installation).
>
> From the Linux/Ubuntu server I'm able to get all users and groups via
> 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed
> user is successful.
>
> But when it comes to a login via sshd, the login fails with this error
> (logged on Linux/Ubuntu in /var/log/auth.log):
>
> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)

"Confidentiality required" means that the server is refusing to authenticate
over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
"ssl on") and see if that works.

--
Dan Nelson
dne...@allantgroup.com

O. Hartmann

2011-03-18 14:27:55

On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I am trying to use a FreeBSD OpenLDAP server (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> Ubuntu 10.10 server (using openldap 2.4.23).
>>
>> Most of the installation on the Ubuntu server has been done successfully
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>>
>> From the Linux/Ubuntu server I'm able to get all users and groups via
>> 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed
>> user is successful.
>>
>> But when it comes to a login via sshd, the login fails with this error
>> (logged on Linux/Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
>
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.

Well,

in /etc/ldap.conf there is "ssl start_tls", and this should do the trick.
I use nearly exactly the same configuration as I do on all the FreeBSD
boxes connecting to the same OpenLDAP server.

I tried issuing 'ldapsearch -xZZ -h hostIP' and I get

ldap_start_tls: Connect error (-11)
additional info: (unknown error code)

Looking deeper into the debug output of

'ldapsearch -xZZ -h hostIP' I receive at the end

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)


Obviously, my certificate (self-signed; 'openssl verify cacert.pem' gives
OK) isn't found, or there is something wrong with it. The certificate is
located in /usr/local/etc/cacerts/cacert.pem, and in Ubuntu's
/etc/ldap.conf this line:
tls_cacertfile usr/local/etc/cacerts/cacert.pem

refers to the certificate.
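Dan Nelson's reply points at the client-side TLS settings, and the post above shows a tls_cacertfile line whose path, as posted, has no leading slash; those are exactly the things a practitioner checks before touching the server. The script below is an added example, not code from the thread or from pam_ldap/nss_ldap: it parses a PADL-style /etc/ldap.conf, flags a missing or non-absolute CA file and an 'ssl on' with ldap:// mismatch, and prints the matching lines for libldap's own config file, because on Debian/Ubuntu ldapsearch reads /etc/ldap/ldap.conf (TLS_CACERT), not /etc/ldap.conf, so an 'ldapsearch -xZZ' test otherwise does not exercise the CA file pam_ldap will use. The sample config is constructed from the two lines quoted in the thread; the uri and base values are assumptions.

```python
"""Check the TLS settings of a PADL-style nss_ldap/pam_ldap /etc/ldap.conf.

Added example, not code from the thread or from pam_ldap.  The sample
config is constructed from the poster's 'ssl start_tls' and
'tls_cacertfile' lines; the uri and base values are assumptions.
"""
import os
from typing import Dict, List

# Constructed sample: the two lines quoted in the thread plus an assumed uri/base.
SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf read by nss_ldap and pam_ldap (host name is assumed)
uri ldap://ldap.geoinf.freyja.com/
base dc=geoinf,dc=freyja,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile usr/local/etc/cacerts/cacert.pem
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; keys are case-insensitive and the last one wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_tls_settings(conf: Dict[str, str], check_fs: bool = False) -> List[str]:
    """Return the problems that make StartTLS or the pam_ldap bind fail."""
    problems: List[str] = []
    uris = conf.get("uri", "").split()
    ssl_mode = conf.get("ssl", "no").lower()
    ldaps = any(u.startswith("ldaps://") for u in uris)

    # No encryption at all: a server with olcSecurity simple_bind=N (N > 0)
    # refuses the bind with "Confidentiality required".
    if ssl_mode not in ("on", "start_tls") and not ldaps:
        problems.append("no TLS configured: use 'ssl start_tls' on ldap:// or 'ssl on' with ldaps://")
    # 'ssl on' means LDAPS (port 636); with an ldap:// uri the client starts a
    # TLS handshake against the plain LDAP port and the connection fails.
    if ssl_mode == "on" and uris and not ldaps:
        problems.append("'ssl on' with an ldap:// uri: switch the uri to ldaps:// or use 'ssl start_tls'")

    # The CA file must be an absolute path; a relative one is resolved against
    # the calling process's cwd, so sshd/pam_ldap will not find it and the
    # server certificate shows up as "untrusted".
    ca = conf.get("tls_cacertfile") or conf.get("tls_cacertdir")
    if not ca:
        problems.append("no tls_cacertfile/tls_cacertdir: a self-signed server cert cannot be verified")
    elif not ca.startswith("/"):
        problems.append(f"tls_cacertfile '{ca}' is not absolute (missing leading '/')")
    elif check_fs and not os.path.exists(ca):
        problems.append(f"tls_cacertfile '{ca}' does not exist on this host")
    return problems


def libldap_equivalent(conf: Dict[str, str]) -> str:
    """libldap tools such as ldapsearch ignore /etc/ldap.conf; on Debian/Ubuntu
    they read /etc/ldap/ldap.conf with upper-case keys.  Emit those lines so
    that 'ldapsearch -xZZ' verifies the same CA file pam_ldap will use."""
    mapping = {"uri": "URI", "base": "BASE",
               "tls_cacertfile": "TLS_CACERT", "tls_cacertdir": "TLS_CACERTDIR"}
    return "\n".join(f"{new} {conf[old]}" for old, new in mapping.items() if old in conf)


if __name__ == "__main__":
    parsed = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for problem in check_tls_settings(parsed, check_fs=True) or ["no problems found"]:
        print("-", problem)
    print("\n# equivalent /etc/ldap/ldap.conf for ldapsearch:")
    print(libldap_equivalent(parsed))
```

Run against the constructed sample it reports only the non-absolute CA path; with the slash added it reports nothing, which is the state in which 'ldapsearch -xZZ' against the same CA file should stop printing "peer cert untrusted or revoked".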

O. Hartmann

2011-03-19 11:49:30

On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I am trying to use a FreeBSD OpenLDAP server (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> Ubuntu 10.10 server (using openldap 2.4.23).
>>
>> Most of the installation on the Ubuntu server has been done successfully
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>>
>> From the Linux/Ubuntu server I'm able to get all users and groups via
>> 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed
>> user is successful.
>>
>> But when it comes to a login via sshd, the login fails with this error
>> (logged on Linux/Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
>
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.


Well,
I have tried several things now and I do not understand this world anymore :-(

In short again: the conceptual setup I use is a working concept
on all the FreeBSD boxes around here authenticating users via our
OpenLDAP server, which also runs on FreeBSD (8.2-STABLE/amd64).

On the Linux/Ubuntu 10.10 server I tried the following:

ldapsearch:
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: TLS confidentiality required

ldapsearch -xZ:
...listing of the DIT of the LDAP server

Looking up a user ID that is definitely within the DIT: positive response from
the LDAP server.

I can also obtain passwd/group information via
getent passwd/group.

I also checked the connection to the LDAP server with the SSL credentials by

openssl s_client -connect LDAPserver:636 -showcerts

and receive a lot of information:
CONNECTED(00000003)
depth=1 /C [...]

verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=DE/ST [...]
-----BEGIN CERTIFICATE-----
MIIDljCCAv+gAwIBA [...]
-----END CERTIFICATE-----
1 s:/C [...]
i:/C=DE [...]
-----BEGIN CERTIFICATE-----
MIIDojCC[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C [...]
issuer=/C [...]
---
No client certificate CA names sent
---
SSL handshake has read 2175 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
2FCAD4AAFD18AD13013AE6A8BFF872036DAC94174F0DE626E8FF0C7F98FC7EE3
Session-ID-ctx:
Master-Key: XXXXX
Key-Arg : None
TLS session ticket:
0000 - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69
.H........u.O..i
0010 - 37 a5 4f c7 [...]
Start Time: 1300547707
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---


I guess this signals that everything is all right with the certificate
when connecting via SSL/TLS.

I'm not familiar with Linux/Ubuntu's PAM setup; the setup has been done
via apt-get installation of the appropriate tools and facilities (ldap,
pam_ldap, nss_ldap). I've no idea what's going wrong ...

There is also some kind of weirdness around here. While logging in via ssh
(or rather, trying to log in via ssh), I received this:

Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string
from 125.88.109.121
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from
XXX.XXX.XXX.XXX port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session
opened for user root by (uid=0)
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session
closed for user root

IP 125.88.109.121 is located in China (server location: Guangzhou,
Guangdong; ISP: ChinaNet Guangdong Province Network).

O. Hartmann

2011-03-19 16:16:01

On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I am trying to use a FreeBSD OpenLDAP server (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> Ubuntu 10.10 server (using openldap 2.4.23).
>>
>> Most of the installation on the Ubuntu server has been done successfully
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>>
>> From the Linux/Ubuntu server I'm able to get all users and groups via
>> 'getent passwd' and 'getent group'; even 'id' on an OpenLDAP-backed
>> user is successful.
>>
>> But when it comes to a login via sshd, the login fails with this error
>> (logged on Linux/Ubuntu in /var/log/auth.log):
>>
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
>
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection. Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.
>

I managed it!

My FreeBSD OpenLDAP server had the following entry in its config DIT
(cn=config), which seems to confuse Linux (but not the FreeBSD
clients, no matter why):

olcSecurity: simple_bind=256

After reducing this security strength value to

olcSecurity: simple_bind=128

everything works fine so far.

At the moment I have no explanation for this. Either the FreeBSD clients
are always binding with a higher security strength level, or they ignore this.

Thanks,

Oliver
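The fix the thread ends on (simple_bind=256 lowered to 128) has a straightforward explanation that the poster did not have. slapd derives the security strength factor (SSF) of a TLS session from the key length of the negotiated cipher suite, and olcSecurity simple_bind=N refuses a simple bind on any session whose SSF is below N with exactly the "Confidentiality required" result seen in auth.log; the unencrypted ldapsearch earlier in the thread got the different text "TLS confidentiality required", which is a separate tls= requirement on the same server. So a client that negotiates AES-256 (SSF 256) passes simple_bind=256, and a client that negotiates a 128-bit suite does not, even though both connections are encrypted. A plausible reason for the FreeBSD/Ubuntu difference, not established by the thread, is that Ubuntu's libldap is built against GnuTLS rather than OpenSSL and may prefer a 128-bit suite; the openssl s_client run above shows what OpenSSL negotiates with that server, not what libldap does. Lowering the floor to 128 is an acceptable fix (128-bit AES is still a strong cipher); the alternative is to make the client negotiate a 256-bit suite (TLS_CIPHER_SUITE in libldap's ldap.conf, tls_ciphers in pam_ldap's) and keep the server setting. The script below is an added example, not code from the thread or from OpenLDAP: it parses an olcSecurity line, applies the simple-bind check to a constructed table of cipher suites, and, if given host[:port] on the command line, performs a live TLS handshake on the LDAPS port (636 assumed) to read the suite the local TLS library actually picks.

```python
"""Why 'olcSecurity: simple_bind=256' rejects one client and accepts another.

OpenLDAP takes the TLS SSF of a session from the key length of the negotiated
cipher suite and compares it with the olcSecurity requirements before it
allows a simple bind.  A 256-bit suite satisfies simple_bind=256; a 128-bit
suite does not, and the bind fails with "Confidentiality required" although
the connection is encrypted.

Added example, not code from the thread or from OpenLDAP.  The suite table is
a constructed sample; pass 'host[:port]' on the command line to read the real
negotiated suite from a live handshake (LDAPS on port 636 is assumed).
"""
import socket
import ssl
import sys
from typing import Dict, Tuple

# Constructed sample: suite name and key length (the value OpenSSL reports as
# the cipher's bits, which OpenLDAP uses as the TLS SSF).
SAMPLE_SUITES: Dict[str, int] = {
    "AES256-SHA": 256,     # what the poster's 'openssl s_client' negotiated
    "AES128-SHA": 128,
    "DES-CBC3-SHA": 168,
    "RC4-MD5": 128,
}


def parse_olc_security(directive: str) -> Dict[str, int]:
    """'olcSecurity: simple_bind=256 ssf=128' -> {'simple_bind': 256, 'ssf': 128}."""
    reqs: Dict[str, int] = {}
    for token in directive.replace("olcSecurity:", "").split():
        key, _, value = token.partition("=")
        if not value.isdigit():
            raise ValueError(f"bad olcSecurity token: {token!r}")
        reqs[key.lower()] = int(value)
    return reqs


def simple_bind_allowed(reqs: Dict[str, int], session_ssf: int) -> Tuple[bool, str]:
    """Mirror slapd's check for a simple bind on a session with the given SSF.
    'ssf' applies to every operation, 'tls' to the TLS-derived strength, and
    'simple_bind' only to simple binds; here the session SSF is the TLS SSF,
    so all three are compared against the same number."""
    for key in ("ssf", "tls", "simple_bind"):
        need = reqs.get(key, 0)
        if session_ssf < need:
            return False, f"{key}={need} required, session SSF is {session_ssf}: Confidentiality required"
    return True, f"session SSF {session_ssf} satisfies {reqs}"


def negotiated_ssf(host: str, port: int = 636) -> Tuple[str, int]:
    """Live check: handshake with the LDAPS port and return (suite, key bits).
    Certificate verification is disabled on purpose: the point is to see which
    suite the local TLS library picks, since that decides the SSF."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return name, bits


if __name__ == "__main__":
    reqs = parse_olc_security("olcSecurity: simple_bind=256")
    if len(sys.argv) > 1:
        host, _, port = sys.argv[1].partition(":")
        suites = dict([negotiated_ssf(host, int(port or 636))])
    else:
        suites = SAMPLE_SUITES
    for suite, bits in suites.items():
        ok, why = simple_bind_allowed(reqs, bits)
        print(f"{suite:14} SSF={bits:3}  {'OK    ' if ok else 'REJECT'}  {why}")
```

Against the sample table only AES256-SHA passes simple_bind=256, and every suite in it passes simple_bind=128, which is the behaviour the thread observed. Run with a host argument from the Ubuntu box, the printed suite is what that machine's TLS library negotiates; if it is a 128-bit suite while the FreeBSD clients get AES256-SHA, that is the whole difference.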
