Arjun Singh wrote: > I'm trying to set up an ldap server on FreeBSD 7.1-RELEASE. > > I installed all of the latest versions of openldap24-server, > openldap24-client, nss_ldap, and pam_ldap. > > When I do any sort of ldapsearch or 'getent passwd' or anything, everything > works perfectly. The only time I have trouble is when I'm logging in via > SSH..then it gets really weird. > > 1.) When I log in as a user in LDAP only and give the incorrect password > first and then supply the correct password, everything works fine. If the > user is in wheel, I can sudo. > 2.) When I log in as the same user and give only the correct password the > first time, it hangs for roughly 45 seconds and then lets me in. Even though > this user is in wheel, it says that the user is not in the sudoers file. > > Here are the log messages I get in auth.log that correspond to the events > above: > > sshd[54031]: pam_ldap: error trying to bind as user "uid=user..(cut)..." > (Invalid credentials) # This is the incorrect pw > sshd[54029]: error: PAM: authentication error for user from localhost > #Incorrect pw > sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable > # correct pw > sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port > 32935 ssh2 #correct pw > > When I enter just the right password, the first time, I get this in the log: > > sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port > 51972 ssh2 > sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server > > Again, when SSL/TLS are disabled, I get normal log output and none of the > weird stuff above.. > > I turned on debugging in nss_ldap.conf and found that each time I gave only > the correct password (corresponding with the 45 second hang) I found this in > the debug output: > > ...bunch of normal looking output... > ldap_chkResponseList ld 0x801b31480 msgid 5 all 0 > ldap_chkResponseList returns ld 0x801b31480 NULL > ldap_int_select > read1msg: ld 0x801b31480 msgid 5 all 0 > ber_get_next > TLS trace: SSL3 alert write:fatal:bad record mac <--- what is the cause of > this? > ldap_free_connection 1 0 > ldap_free_connection: actually freed > ldap_err2string > ldap_result ld 0x801b31480 msgid 5 > wait4msg ld 0x801b31480 msgid 5 (timeout 30000000 usec) > wait4msg continue ld 0x801b31480 msgid 5 all 0 > ** ld 0x801b31480 Connections: > ** ld 0x801b31480 Outstanding Requests: > Empty > ld 0x801b31480 request count 0 (abandoned 0) > ** ld 0x801b31480 Response Queue: > Empty > > I get the above regardless of whether I'm using start_tls or ssl. > > If you have any insight, it'd be really useful. I've spent tons of time > scouring lists for help and haven't found anything yet..
I don't have any more insight into the problem other than to say we've had some similar issues in our environment. Initial password-based logins do not have groups initialized, but SSH key logins and /bin/login logins have groups initialized successfully. We were piloting nscd on some of our 7.0 boxes. It turns out that enabling nscd was a successful workaround. We have since enabled it on the rest of our 7.0 installations. Anyone out there have ideas? -- Chris Cowart Network Technical Lead Network & Infrastructure Services, RSSP-IT UC Berkeley
pgp9oeSAgHp3M.pgp
Description: PGP signature
