
List:       pamldap
Subject:    [pamldap] Trouble talking SSL to  Netscape NDS 4.11
From:       "Mickey Everts" <mickey () yipes ! com>
Date:       2000-10-12 4:42:40


On a Debian Linux 2.2 system, I have pam_ldap-74 and nss_ldap-116 working
fine in non-SSL mode. The pam_ldap module has been compiled against the
Netscape LDAP C SDK v4.0 (btw, is version 4.1 ok also?). The certificate on
the Netscape LDAP server is a genuine Thawte-blessed certificate.  When I
enable the SSL options in ldap.conf, I can no longer log in to the system via
ssh, and unfortunately there is not a single entry in auth.log to give me a
clue what's going on.  There is also not a single access to the LDAP server,
and for some reason it doesn't continue on with the next PAM "auth" option.
Any suggestions on how to debug this?  Also, does anyone have a similar
system already working? A key thing would be using the Netscape Directory
Server, not OpenLDAP+stunnel.

One small detail...I am not absolutely sure I have a correct cert7.db file.
I couldn't get the Netscape "hack" (using your browser to connect to the SSL
port on the LDAP server) to work as described. When I tried, a window
popped up with the following message:

---
No User Certificate

The site 'ldapserver.yipes.com' has requested client authentication, but you
do not have a Personal Certificate to authenticate yourself. The site may
choose not to give you access without one.
---

Then I click ok, and a little requester says "The document contained no
data....". My solution was to copy the cert7.db file
(slapd-<SERVERID>-cert7.db) right off the Netscape Directory Server (v4.11)
that I am trying to connect to.  I also tried just using the cert7.db file
from a Netscape Browser install.  I looked at the db file with the certutil
out of the PKCS#11 tools, but I am not quite sure what to look for.

I am pretty sure SSL is working fine on the ldap server, because I used
e-mail clients configured in SSL mode to make LDAP queries and I was also
able to get an LDAP editor SSL-enabled.

Here are some key config file settings...

## These are the options I enable in ldap.conf to convert to SSL mode ##

port 636
ssl yes
sslpath /etc/cert7.db	# (have also tried just "/etc")

## pam config for ssh ##

auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so

Regards,

-MiC

Mickey Everts
Unix System Administrator
Yipes Communications, Inc.
http://www.yipes.com/
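The post leaves open whether sslpath should name the cert7.db file or the directory holding it, and there is nothing in auth.log to work from. The helper below is an added troubleshooting script, not code from the post or from pam_ldap; it assumes pam_ldap accepts either form of sslpath, uses certutil (NSS tools) to list what the database trusts, and openssl s_client to confirm the server chain on port 636 independently of PAM.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the original post or from pam_ldap).
# Assumption: sslpath names either the directory containing cert7.db or the
# cert7.db file itself. certutil and openssl are only used when installed.

# resolve_sslpath VALUE -> prints the directory that holds cert7.db, or fails.
resolve_sslpath() {
    p=$1
    if [ -d "$p" ]; then
        dir=$p
    elif [ -f "$p" ]; then
        dir=$(dirname "$p")
    else
        echo "sslpath '$p' does not exist" >&2
        return 1
    fi
    if [ ! -f "$dir/cert7.db" ]; then
        echo "no cert7.db under '$dir'" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# list_cas DIR -> show the certificates and trust flags in the database.
# The client side only needs the CA that signed the server certificate to
# carry a trusted-CA flag; the server's own entry is not required.
list_cas() {
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
    certutil -L -d "$1"
}

# probe_ldaps HOST [PORT] -> fetch the server chain and the verify result
# using the system CA store, so the server side can be ruled in or out.
probe_ldaps() {
    host=$1; port=${2:-636}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    printf 'Q\n' | openssl s_client -connect "$host:$port" -showcerts 2>&1 \
        | grep -E 'subject=|issuer=|Verify return code'
}

# Usage: ./check_pam_ldap_ssl.sh /etc/cert7.db ldapserver.example.com
# (hostname is a placeholder; pass your own server)
if [ -n "$1" ]; then
    dir=$(resolve_sslpath "$1") && { echo "cert db dir: $dir"; list_cas "$dir"; }
    [ -n "$2" ] && probe_ldaps "$2"
fi
```

Run it as root on the client with the exact sslpath value from ldap.conf; a failing resolve_sslpath or a non-zero "Verify return code" points at the client database or the server chain respectively, before touching the PAM stack.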
