LDAP SSL not working on Fedora 14 (in particular with ssh)

Posted on 2011-03-11
Medium Priority
Last Modified: 2012-08-13
I recently decided to install Fedora 14 to test it out for a bit and have run into a bit of a snag.  I cannot seem to get LDAP connecting properly.  I have configured /etc/openldap/ldap.conf, /etc/nss_ldap.conf, /etc/nsswitch and /etc/pam.d/system-auth as I have with other systems in the past that all work.  I can use getent to get passwd, netgroup, shadow, etc and all return what appear to be valid results.  I can su to different LDAP users who are not local but only from root as it does not require authentication.  It seems only things that require authentication are failing.  Also, when I do an authconfig --test i get a response that I can't seem to find any info about: Inconsistent attr: passwordAlgorithm.  Some relevent command output:

[root@host ~]# getent passwd ldapuser
ldapuser:x:12345:123:LDAP User:/home/ldapuser:/bin/bash

[root@host ~]# getent shadow ldapuser

The client can verify the user against the LDAP server but not authenticate for some reason.

Mar 11 17:13:36 host sshd[1930]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sshhost.domain  user=ldapuser
Mar 11 17:13:38 host sshd[1930]: Failed password for ldapuser from port 53157 ssh2

I am using the same SSL cert as I have used on many other systems that does work (mostly with RHEL5 systems).  
Question by:nibowl
  • 4

Expert Comment

ID: 35113986
Have a look at this post


Did You try checking the logs on the authentication server and fc14

Author Comment

ID: 35128682
This explains why, but did not offer much in terms of a solution in getting it to connect, though I now have another direction to look.

Author Comment

ID: 35131998
It looks like some of my issue was tied to the --passalgo=blah that was not assigned in my authconfig statement for the Inconsistent attr: passwordAlgorithm error.  Fixing that got rid of that issue.  Next was the fact that some of my directives I put in my ldap.conf file before are apparently now located in the pam_ldap.conf file.  Looks like they have split the original /etc/ldap.conf into the two files.  Once I am able to get back to working on the system I will verify and test this.

Accepted Solution

nibowl earned 0 total points
ID: 35133070
Yep, the pam_ldap.conf file was the secret sauce.  I was able to get everything connecting just fine and it is doing well.

Author Closing Comment

ID: 35171008
I was able to track it down over time and test it to be functional, none of which was referenced by any other posters.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question