problems with LDAP TLS and nss_ldap on 5.2.1
I have upgraded our LDAP server to 5.2.1-Release running openldap-2.1.30 server/client + pam_ldap-1.6.9 + nss_ldap-1.204_5. The previous configuration (openldap20-2.0.25_4 + nss_ldap-1.204_1 + pam_ldap-1.6.1) was running OK on FreeBSD 5.1R. After the upgrade I have 2 major problems.

1) I'm not able to make the ldap server work with TLS. The previous installation worked fine, but I hadn't properly backed up the TLS certificates and I had to generate them again using the approach described at http://www.openldap.org/faq/data/cache/185.html. As soon as I add these TLS options to the slapd.conf:

    # TLS options for slapd
    TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
    TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/servercrt.pem
    ...

running /etc/rc.d/slapd start doesn't even start the server, but it doesn't complain either. So I have no clue what's going wrong, and right now I have to run the server without TLS.

2) The second problem is with nss_ldap. I installed the server first, loaded data into the directory, tried some searches etc. Everything worked OK (except for the TLS). Normally, the startup of the server takes about 1 second. As soon as I install nss_ldap (in the very moment I run make install on that port) the startup time of the ldap server slows down to 30+ seconds, and I have also experienced cases when it didn't start at all. If I deinstall nss_ldap the server startup is quick again.

Any ideas of what can be wrong in either case would be really welcome.

Thanks
Mira
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
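Added example, not from the thread or from OpenLDAP itself: a small Python check for the TLS directives of a slapd.conf fragment like the one above. It verifies that each referenced PEM file is readable and actually contains the kind of block the directive expects (a CERTIFICATE block for the CA and server certificate, a PRIVATE KEY block for the key file, which may legitimately be the same file as the certificate), and flags a cipher suite that enables SSLv2. The slapd.conf text and the PEM files are constructed here so it runs offline; the constructed server file holds a certificate but no key, which is the kind of mistake that keeps slapd from starting.

```python
import re
import tempfile
from pathlib import Path

# Constructed slapd.conf fragment with the TLS directives from the post;
# {dir} is filled in with a temporary directory so the example runs offline.
SLAPD_CONF = """\
# TLS options for slapd
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile {dir}/cacert.pem
TLSCertificateFile {dir}/servercrt.pem
TLSCertificateKeyFile {dir}/servercrt.pem
"""

def parse_tls_directives(text):
    """Return {directive: value} for TLS* lines (slapd.conf is whitespace-separated)."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            out[parts[0]] = parts[1]
    return out

def check_tls(directives):
    """Return a list of findings; an empty list means the directives look usable."""
    findings = []
    wanted = (("TLSCACertificateFile", "CERTIFICATE"),
              ("TLSCertificateFile", "CERTIFICATE"),
              ("TLSCertificateKeyFile", "PRIVATE KEY"))
    for key, block in wanted:
        path = directives.get(key)
        if not path:
            findings.append(f"{key} is not set")
            continue
        try:
            pem = Path(path).read_text()
        except OSError as exc:
            findings.append(f"{key}: cannot read {path} ({exc.strerror})")
            continue
        # One file may hold both cert and key; what matters is that the named block is in it.
        if not re.search(rf"-----BEGIN (RSA |EC )?{block}-----", pem):
            findings.append(f"{key}: {path} contains no {block} block")
    if "SSLv2" in directives.get("TLSCipherSuite", ""):
        findings.append("TLSCipherSuite: SSLv2 ciphers are enabled")
    return findings

def demo():
    """Constructed input: a CA cert and a server file that holds a cert but no private key."""
    tmp = tempfile.mkdtemp()
    fake = "-----BEGIN CERTIFICATE-----\nconstructed-not-a-real-certificate\n-----END CERTIFICATE-----\n"
    Path(tmp, "cacert.pem").write_text(fake)
    Path(tmp, "servercrt.pem").write_text(fake)
    return check_tls(parse_tls_directives(SLAPD_CONF.format(dir=tmp)))
```

Running demo() reports the missing private key and the SSLv2 setting; pointed at the real files with the real slapd.conf, the same two functions give a first answer to why slapd exits quietly before slapd's own debug output (slapd -d) is consulted.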
Re: problems with pam_ldap - ssh and file attributes
Since nobody responded I will do it myself :-). Further investigation showed that the problem with connecting via ssh was only with the Putty client. Normal command line ssh from another unix host worked fine. A Google search found one message targeting this problem. The solution is to use the ssh2 protocol instead of ssh1. I have experienced crashes of Putty v. 0.52 when using ssh2, but after upgrading to version 0.53b everything works fine. Nevertheless the problem with file attributes persists.

Mira

Original message follows:

Hi, I just succeeded in installing and configuring pam_ldap authentication on my 5.1Release box. Everything seems to work fine (ftp, telnet, samba, ...) except for ssh. Any attempt to login (as a user whose account is defined in the LDAP directory) from a remote host using ssh ends up with the error message: Access denied. For users registered in /etc/passwd ssh works fine. There is no problem when logging in via telnet, and ftp works fine as well, but ssh doesn't. The /etc/pam.d/sshd looks like:

    # auth
    auth     required   pam_nologin.so      no_warn
    auth     sufficient pam_opie.so         no_warn no_fake_prompts
    auth     requisite  pam_opieaccess.so   no_warn allow_local
    auth     sufficient pam_ldap.so         debug try_first_pass
    auth     required   pam_unix.so         no_warn try_first_pass
    # account
    account  required   pam_login_access.so
    account  sufficient pam_ldap.so         debug
    account  required   pam_unix.so
    # session
    session  required   pam_permit.so
    # password
    password sufficient pam_ldap.so         debug
    password required   pam_unix.so         no_warn try_first_pass

Another problem is that commands like ls display uid and gid as numbers for files owned by LDAP users. On the other hand ftp displays them correctly.

Any ideas how to fix that (especially in the case of ssh) would be really helpful.

Thanks
Mira
CVS pserver and pam_ldap
Hi, I have a problem making the cvs server (version 1.11.5 - the one which gets installed as a part of 5.1 R) authenticate users via pam_ldap. Is there anybody who successfully runs this combination or at least knows whether cvs supports PAM authentication? Any help would be really appreciated!

Mira