SSH and LDAP problem



Hi,

I've installed openldap 2.1.25 on Debian 3.0 in order to authenticate the users with PAM.
I configured all the services (proftpd, su, passwd, etc.) in order to use PAM to access the ldap server and they work properly. When I try using ssh:
- If the user is in /etc/passwd: ssh asks for password and then closes the connection:
#ssh -l admin 10.0.0.80
admin@10.0.0.80's password:
Connection closed by 10.0.0.80
- If the user is in the ldap: ssh closes the connection directly:
#ssh -l testldap 10.0.0.80
Connection closed by 10.0.0.80
- When I stop the ldap then I can log in via ssh as a /etc/passwd user without problems.


The debug mode of openLDAP reported that TLS can't connect (I'm using SSL with slapd -h ldaps:///).

slapd starting
ldap_pvt_gethostbyname_a: host=ibox, r=0
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(11): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=11 for close
connection_close: conn=0 sd=11

I configured sshd_config to use PAM:
#Privilege Separation is turned on for security
#UsePrivilegeSeparation yes
UsePrivilegeSeparation no

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
PAMAuthenticationViaKbdInt yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

And also configured PAM (/etc/pam.d/ssh) to access ldap, as in /etc/pam.d/proftpd, /etc/pam.d/passwd, /etc/pam.d/su:
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so

account    sufficient   pam_ldap.so
account    required     pam_unix.so

session    sufficient   pam_ldap.so
session    required     pam_unix.so

password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok use_authtok

Thank you very much.

David Morón Ruano.
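As an added example (not part of the original post), a small Python triage script that parses the slapd debug output quoted above and reports which connections died in SSL_accept, i.e. before any LDAP bind was attempted; the embedded log is a constructed copy of the lines in the message, and reading a real log from a file is left to the caller.

```python
"""Triage a slapd debug log for TLS handshake failures on the ldaps listener."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the relevant lines of the slapd debug output quoted in the post.
SAMPLE_LOG = """\
slapd starting
ldap_pvt_gethostbyname_a: host=ibox, r=0
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(11): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=11 for close
connection_close: conn=0 sd=11
"""

GOT_CONN = re.compile(r"connection_get\((\d+)\): got connid=(\d+)")
TLS_ERR = re.compile(r"TLS accept error error=(-?\d+) id=(\d+)")
CLOSED = re.compile(r"connection_close: conn=(\d+) sd=(\d+)")


@dataclass
class Conn:
    fd: int                          # socket descriptor slapd reported for the connection
    tls_error: Optional[int] = None  # SSL_accept error code, None if no TLS accept error was logged
    closed: bool = False


def parse_connections(log: str) -> Dict[int, Conn]:
    """Correlate slapd connection ids with TLS accept errors and connection closes."""
    conns: Dict[int, Conn] = {}
    for line in log.splitlines():
        if m := GOT_CONN.search(line):
            conns[int(m.group(2))] = Conn(fd=int(m.group(1)))
        elif m := TLS_ERR.search(line):
            conns.setdefault(int(m.group(2)), Conn(fd=-1)).tls_error = int(m.group(1))
        elif m := CLOSED.search(line):
            conns.setdefault(int(m.group(1)), Conn(fd=int(m.group(2)))).closed = True
    return conns


def tls_failures(log: str) -> Dict[int, Conn]:
    """Connections that failed in SSL_accept: the client never reached an LDAP bind."""
    return {cid: c for cid, c in parse_connections(log).items() if c.tls_error is not None}


if __name__ == "__main__":
    for cid, c in tls_failures(SAMPLE_LOG).items():
        # A failure here is a TLS mismatch between the client and slapd (for example
        # certificate trust), so the PAM stack ordering is not what is failing.
        print(f"conn={cid} sd={c.fd} failed at SSL_accept (rc={c.tls_error}), closed={c.closed}")
```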