LDAP/SSL authentication in FC2

Hi All,

I've done this before under Red Hat but am having the damnedest time with FC2.

My LDAP server is a FC1 box with OpenLDAP/TLS (stock standard from the distro).
I believe I have everything set up properly. I can use "getent passwd" from the client machine and see all of the passwd entries on the LDAP server.


In addition I can properly bind (using ldapsearch) as the user I'm attempting to ssh into the client as.

When I try to ssh in I get the following log errors:
Sep 26 23:16:17 mason sshd[21438]: Illegal user user from ::ffff:192.168.4.65
Sep 26 23:16:20 mason sshd[21438]: Failed password for illegal user user from ::ffff:192.168.4.65 port 33553 ssh2


Any help would be greatly appreciated.

Thanks,
Harry



The typical user entry looks something like this:

dn: uid=user,ou=People,dc=domain,dc=tld
uid: user
cn: User
sn: User
mail: user@domain
mailRoutingAddress: user@domain
mailHost: smtp.fqdn
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: hostObject
userPassword:: XXX
shadowLastChange: 12523
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/user
mailLocalAddress: user@xxxxxxx
host: ldap.client.fqdn

The server certificate is from a self-created CA, with the proper certs on both server and client.

The client's ldap.conf looks like:
uri ldaps://ldap.domain.tld/
scope sub
timelimit 30
bind_timelimit 30
idle_timelimit 3600
pam_login_attribute uid
pam_check_host_attr yes
nss_base_passwd ou=People,dc=domain,dc=tld?one
nss_base_shadow ou=People,dc=domain,dc=tld?one
nss_base_group          ou=Group,dc=domain,dc=tld?one
ssl on
tls_checkpeer yes
tls_cacertfile /usr/share/ssl/certs/ip-solutions.crt
pam_password md5

/etc/pam.d/sshd looks like this:
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       sufficient    /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so

/etc/nsswitch.conf looks like this:
passwd:     ldap [NOTFOUND=return] files
shadow:     ldap [NOTFOUND=return] files
group:       ldap [NOTFOUND=return]  files

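Added example (not part of Harry's post or of nss_ldap/pam_ldap): a small model of the order in which the client evaluates a login under the nsswitch.conf and the auth section of /etc/pam.d/sshd quoted above. sshd resolves the user through NSS first and logs "Illegal user" when that lookup fails, before any password reaches PAM; only a user NSS can see gets the auth stack run. The model applies glibc's [STATUS=action] rules to the "ldap [NOTFOUND=return] files" lines and the classic required/sufficient control flags to the PAM stack. The directory and /etc/passwd contents, the passwords, and the "LDAP reachable or not" switch are constructed stand-ins; nothing here talks to a real server.

```python
"""Model of the client-side login path implied by the posted nsswitch.conf and
/etc/pam.d/sshd. Constructed example: backends are dictionaries, not live lookups."""
import re

# glibc nsswitch status values and the default action for each when no
# [STATUS=action] block overrides it
SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"
DEFAULT_ACTION = {SUCCESS: "return", NOTFOUND: "continue",
                  UNAVAIL: "continue", TRYAGAIN: "continue"}

# the lines from the posted nsswitch.conf
NSSWITCH = """
passwd:     ldap [NOTFOUND=return] files
shadow:     ldap [NOTFOUND=return] files
group:       ldap [NOTFOUND=return]  files
"""

# the auth facility of the posted /etc/pam.d/sshd
PAM_SSHD = """
auth       required     /lib/security/pam_nologin.so
auth       sufficient    /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
"""

def parse_nsswitch(text):
    """Return {db: [(source, {status: action}), ...]}; an action block applies
    to the source immediately before it."""
    conf = {}
    for line in text.strip().splitlines():
        db, rest = line.split(":", 1)
        sources = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                for pair in tok.strip("[]").split():
                    status, action = pair.lower().split("=")
                    sources[-1][1][status] = action
            else:
                sources.append((tok, {}))
        conf[db.strip()] = sources
    return conf

def nss_lookup(conf, db, name, backends):
    """Consult each source in order and apply the configured (or default)
    action for the status it returned, as glibc does."""
    status = NOTFOUND
    for source, actions in conf[db]:
        status = backends[source](name)
        if actions.get(status, DEFAULT_ACTION[status]) == "return":
            return status, source
    return status, None

def parse_pam(text, facility="auth"):
    """Return [(control, module_name, args)] for one facility of a pam.d file."""
    stack = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] != facility:
            continue
        name = parts[2].rsplit("/", 1)[-1]
        name = name[:-3] if name.endswith(".so") else name
        stack.append((parts[1], name, parts[3:]))
    return stack

def pam_run(stack, verdicts):
    """Classic control-flag semantics. verdicts maps module name -> True/False."""
    required_failed = False
    for control, module, _args in stack:
        ok = verdicts[module]
        if control == "requisite" and not ok:
            return False                  # stops the stack at once
        if control == "required" and not ok:
            required_failed = True        # remembered; the stack keeps going
        if control == "sufficient" and ok and not required_failed:
            return True                   # short-circuit success
    return not required_failed

# constructed accounts: the posixAccount shown above, and a local /etc/passwd
LDAP_ACCOUNTS = {"user": "ldap-secret"}
LOCAL_ACCOUNTS = {"root": "local-secret", "harry": "local-secret"}

def make_backends(ldap_reachable):
    def ldap(name):
        if not ldap_reachable:
            return UNAVAIL                # e.g. the TLS session cannot be set up
        return SUCCESS if name in LDAP_ACCOUNTS else NOTFOUND
    def files(name):
        return SUCCESS if name in LOCAL_ACCOUNTS else NOTFOUND
    return {"ldap": ldap, "files": files}

def ssh_login(user, password, ldap_reachable=True, nologin_present=False):
    """NSS resolution first ('Illegal user' if it fails), then the PAM auth stack."""
    status, _ = nss_lookup(parse_nsswitch(NSSWITCH), "passwd", user,
                           make_backends(ldap_reachable))
    if status != SUCCESS:
        return "Illegal user %s" % user
    verdicts = {
        "pam_nologin": not nologin_present,
        "pam_ldap": ldap_reachable and LDAP_ACCOUNTS.get(user) == password,
        "pam_unix_auth": LOCAL_ACCOUNTS.get(user) == password,
    }
    return "Accepted" if pam_run(parse_pam(PAM_SSHD), verdicts) else "Failed password"

if __name__ == "__main__":
    for args in [("user", "ldap-secret"), ("user", "ldap-secret", False),
                 ("root", "local-secret"), ("root", "local-secret", False)]:
        print(args, "->", ssh_login(*args))
```

Two things the run makes visible. A user who exists only in LDAP is "Illegal user" whenever the ldap source returns UNAVAIL to the process doing the lookup, even though the same line works for a shell that can reach the server, so the question is what the lookup returns inside sshd rather than what getent prints. And with ldap placed before files and [NOTFOUND=return] after it, an account that exists only locally (root included) is not resolvable while the LDAP server answers, because NOTFOUND from ldap ends the search before files is consulted; it becomes visible again only when ldap is unreachable.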
