
[Fwd: Authentication to a LDAP-Server on a virtual hostname (via TLS)]



Hi,

I already posted this some days ago to the pam_ldap list, but no one seems to
be able to make any sense out of it :(
Perhaps some of you have an idea how to solve this or at least determine
a cause for the problems.

TIA

Greetz

James


-------- Original Message --------
Subject: Authentication to a LDAP-Server on a virtual hostname (via TLS)
From: "James Blast" <jamesblast@geb-team.de>
Date: Wed, July 17, 2002 3:51 pm
To: <pamldap@padl.com>

Hi,

I'm having a serious problem authenticating against an LDAP server with
a virtual hostname.
We plan to have the following setup:

Two LDAP servers, doing replication and updateref.
Both behind a virtual IP with some load-balancing in place.

Currently I only have one server with a second hostname:

-----------snip--------------
[root@moby certs]# dig ldap1.aaabbbccc.intranet

;; QUESTION SECTION:
;ldap1.aaabbbccc.intranet.	IN	A

;; ANSWER SECTION:
ldap1.aaabbbccc.intranet.   86400   IN  CNAME   server1.aaabbbccc.intranet.
server1.aaabbbccc.intranet. 86400   IN  A       10.170.116.11
-----------snip--------------

Generating a certificate for TLS using the server1 hostname works like a
charm. So the next step was to set up a certificate for ldap1 and do
authentication against this hostname.
When I do this, authentication works only when I type my password
_twice_. See logs below:

Starting slapd with the ldap1 hostname:
-----------snip--------------
slapd -h "ldap://ldap1.aaabbbccc.intranet/ ldaps://ldap1.aaabbbccc.intranet/"
-----------snip--------------

ldap.conf
-----------snip--------------
host ldap1.aaabbbccc.intranet
base dc=aaabbbcc,dc=intranet
ldap_version 3
port 389
pam_password exop
ssl start_tls
-----------snip--------------

pam.d/sshd
-----------snip--------------
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so
-----------snip--------------

pam.d/system-auth
-----------snip--------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     sufficient      /lib/security/pam_unix.so
account     required      /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
-----------snip--------------

slapd.conf
-----------snip--------------
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/redhat/kerberosobject.schema

password-hash   {MD5}

TLSCertificateFile /etc/openldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapd.pem

database        ldbm
suffix          "dc=aaabbbccc,dc=intranet"
rootdn          "cn=Manager,dc=aaabbbccc,dc=intranet"
rootpw          {SSHA}OLISjctoiJFJdz0vHzg76h/iYVvikYNK

directory       /var/lib/ldap

index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial

include /etc/openldap/slapd.access.conf
-----------snip--------------

syslog
-----------snip--------------
Jul 17 15:09:53 moby sshd(pam_unix)[8858]: check pass; user unknown
Jul 17 15:09:53 moby sshd(pam_unix)[8858]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=moby.aaabbbccc.intranet
Jul 17 15:09:53 moby sshd[8858]: pam_ldap: ldap_starttls_s: Connect error
Jul 17 15:09:56 moby sshd[8858]: Failed password for james from 127.0.0.1 port 34671 ssh2
Jul 17 15:09:58 moby sshd(pam_unix)[8858]: check pass; user unknown
Jul 17 15:09:58 moby sshd[8858]: Accepted password for james from 127.0.0.1 port 34671 ssh2
Jul 17 15:09:58 moby sshd(pam_unix)[8858]: session opened for user james by (uid=0)
-----------snip--------------

System info:
-----------snip--------------
System : RedHat 7.2
nss_ldap/pam_ldap : Version 189
ldap : 2.0.11-13
-----------snip--------------

As you can see in this log, authentication fails on the first attempt.
Also there is a TLS connect error. I don't understand this error. This
points to an invalid CN in the certificate. In that case authentication
should not work at all, not just on the second attempt. I have no idea
why authentication works with the same config for the real hostname and
only with two attempts for the virtual hostname.

Any help would be appreciated.
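The `ldap_starttls_s: Connect error` the post links to an invalid certificate CN comes down to one rule of TLS hostname verification: the client checks the name it was configured to connect to (`ldap1.aaabbbccc.intranet`), not the canonical name the CNAME resolves to. The following is an added example, not code from the original post or from pam_ldap, that implements that check in Python over constructed certificates; the actual certificate contents are an assumption, since the post does not show them, and the dict shape follows what `ssl.SSLSocket.getpeercert()` returns.

```python
"""Hostname verification as an LDAP client performs it after STARTTLS.
Added example; certificate contents are constructed, not taken from the post."""


def cert_names(cert):
    """Names a client may match, RFC 6125 style: if subjectAltName carries any
    dNSName entries only those count; the subject CN is a fallback otherwise."""
    san = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def dns_name_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard confined to the leftmost label
    (*.example.test matches a.example.test but not a.b.example.test)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_hostname(cert, hostname):
    """True if any acceptable name in the certificate matches the name the client
    connected to. The CNAME target (server1) plays no part in this decision."""
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))


# Constructed certificates (assumed contents, not from the post):
# the one the post describes as working for server1 ...
CERT_SERVER1_ONLY = {"subject": ((("commonName", "server1.aaabbbccc.intranet"),),)}
# ... and the shape that would satisfy clients using either hostname.
CERT_BOTH_NAMES = {
    "subject": ((("commonName", "server1.aaabbbccc.intranet"),),),
    "subjectAltName": (("DNS", "server1.aaabbbccc.intranet"),
                       ("DNS", "ldap1.aaabbbccc.intranet")),
}

if __name__ == "__main__":
    for cert, label in ((CERT_SERVER1_ONLY, "CN=server1 only"), (CERT_BOTH_NAMES, "SAN with both")):
        for host in ("server1.aaabbbccc.intranet", "ldap1.aaabbbccc.intranet"):
            print(f"{label:16} connecting to {host}: {cert_matches_hostname(cert, host)}")
```

A certificate whose SAN lists every name clients are configured with (here both `server1` and `ldap1`, or later the virtual hostname in front of both replicas) is what lets `ssl start_tls` succeed regardless of which name `host` in ldap.conf points at.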