[Date Prev][Date Next] [Chronological] [Thread] [Top]

SSH and LDAP problem


I,ve installed openldap 2.1.25 on a Debian 3.0 in order to authenticate the users with PAM.
I configured all the services (proftpd, su, passwd ,etc) in order to use PAM to access the ldap server and they work properly. When I try using ssh:
- If the user is in /etc/passwd: ssh asks for password and then closes the connection:
#ssh -l admin
admin@'s password:
Connection closed by
- If the user is in the ldap: ssh closes the connection directly: #ssh -l testldap
Connection closed by
- When I stop the ldap then I con login via ssh as a /etc/passwd user without problems.

The debug mode of openLDAP reported thet TLS can't connect (I'm using SSL with slapd -h ldaps:///).

slapd starting
ldap_pvt_gethostbyname_a: host=ibox, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(11): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=11 for close
connection_close: conn=0 sd=11

I configured sshd_config to use PAM:
#Privilege Separation is turned on for security
#UsePrivilegeSeparation yes
UsePrivilegeSeparation no

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
PAMAuthenticationViaKbdInt yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

And also configured PAM (/etc/pam.d/ssh) to access ldap, as in /etc/pam.d/proftpd, /etc/pam.d/passwd, /etc/pam.d/su:
auth sufficient pam_ldap.so
auth required pam_unix.so

account    sufficient   pam_ldap.so
account    required     pam_unix.so

session    sufficient   pam_ldap.so
session    required     pam_unix.so

password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok use_authtok

Thank you very much.

David Morón Ruano.