Description of problem:
I'm testing the new ldap public key support. My /etc/ldap.conf contains the following setting:

tls_checkpeer yes

Which, according to nss_ldap(5), is either yes or no.

Running the ldap helper shows that this is not valid:

/usr/libexec/openssh/ssh-ldap-helper -v
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf line 17: Bad never/hard/demand/alow/try argument.

Version-Release number of selected component (if applicable):
openssh-ldap-5.5p1-6.fc14.x86_64
I think that /etc/openldap/ldap.conf should be used instead of /etc/ldap.conf. The /etc/ldap.conf belongs to nss_ldap (before the split of pam_ldap) and should not be used anymore.
The tls_checkpeer option has these values according to the ldap documentation: never, hard, demand, allow and try. I'll make aliases never = off and hard = on.
Hi Jan,

What documentation are you looking at? man ldap.conf(5) doesn't describe the tls_checkpeer setting.

Tomas is probably right, the config file should be /etc/openldap/ldap.conf. If I try that, I get the following output:

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
/etc/openldap/ldap.conf: line 6: Bad configuration option: TLS_CACERT
/etc/openldap/ldap.conf: line 8: Bad configuration option: TLS_REQCERT
debug1: LDAP do connect
debug1: LDAP process user
ldap_search_st(): Confidentiality required
debug1: LDAP do close
Ok, I made the configuration compatibility aliases TLS_CACERT (tls_cacertfile) and TLS_REQCERT (tls_checkpeer).
I've just upgraded to openssh-ldap-5.5p1-8.fc14.x86_64

Ok, so which file has the right settings?

/etc/ldap.conf works, but has a few warnings:

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -s test
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
/etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
/etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
/etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
/etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
/etc/ldap.conf: line 16: Bad configuration option: tls_cafile
/etc/ldap.conf: line 17: Bad configuration option: pam_password
/etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
/etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
/etc/ldap.conf: line 21: Bad configuration option: nss_base_group
debug1: LDAP do connect
debug1: LDAP process user
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv ruben@files
debug1: LDAP do close

If I use /etc/openldap/ldap.conf, the connection is not switched to TLS:

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
debug1: LDAP do connect
debug1: LDAP process user
ldap_search_st(): Confidentiality required
debug1: LDAP do close

Thanks
(In reply to comment #6)
> I've just upgraded to openssh-ldap-5.5p1-8.fc14.x86_64
>
> Ok, so which file has the right settings?
>
> /etc/ldap.conf works, but has a few warnings:
>
> [ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -s test
> debug1: Reading configuration data /etc/ldap.conf
> /etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
> /etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
> /etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
> /etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
> /etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
> /etc/ldap.conf: line 16: Bad configuration option: tls_cafile
> /etc/ldap.conf: line 17: Bad configuration option: pam_password
> /etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
> /etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
> /etc/ldap.conf: line 21: Bad configuration option: nss_base_group
> debug1: LDAP do connect
> debug1: LDAP process user
> ssh-rsa

this is OK

> AAAAB3NzaC1yc2EAAAADAQABAAACAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv
> ruben@files
> debug1: LDAP do close
>
>
> If I use /etc/openldap/ldap.conf, the connection is not switched to TLS:
> [ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -w -f
> /etc/openldap/ldap.conf -s test
> debug1: Reading configuration data /etc/openldap/ldap.conf
> debug1: LDAP do connect
> debug1: LDAP process user
> ldap_search_st(): Confidentiality required
> debug1: LDAP do close
>

do please

/usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/openldap/ldap.conf -s test

(add 2 more -v)

>
> Thanks
> /etc/ldap.conf: line 16: Bad configuration option: tls_cafile

What does tls_cafile mean? Is it a typo, or is it a new brand of configuration?
(In reply to comment #7)

Ok, here's the output:

ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/openldap/ldap.conf -s test
debug1: Reading configuration data /etc/openldap/ldap.conf
debug3: === Configuration ===
debug3: URI ldap://ldap.priv.tilaa.nl
debug3: Host ldap.priv.tilaa.nl
debug3: Port 389
debug3: SSL No
debug3: Ldap_Version 3
debug3: Timelimit 10
debug3: Bind_Timelimit 10
debug3: Base dc=tilaa,dc=nl
debug3: BindDN
debug3: BindPW
debug3: Scope Sub
debug3: Deref Never
debug3: Referrals Yes
debug3: Restart Yes
debug3: Bind_Policy Hard
debug3: SSLPath <UNDEFINED>
debug3: TLS_CheckPeer Hard
debug3: TLS_CaCertFile /etc/openldap/cacerts/ca.pem
debug3: TLS_CaCertDir /etc/openldap/cacerts
debug3: TLS_Ciphers <UNDEFINED>
debug3: TLS_Cert <UNDEFINED>
debug3: TLS_Key <UNDEFINED>
debug3: TLS_RandFile <UNDEFINED>
debug3: Logdir <UNDEFINED>
debug3: Debug 0
debug3: SSH_Filter
debug3: === *** ===
debug1: LDAP do connect
debug3: Set TLS CA cert file /etc/openldap/cacerts/ca.pem
debug3: Set TLS CA cert dir /etc/openldap/cacerts
debug3: Set TLS check peer to 1
debug3: LDAP initialize ldap://ldap.priv.tilaa.nl
debug3: LDAP set version to 3
debug3: LDAP set rebind proc
debug3: LDAP set deref to 0
debug3: LDAP set timelimit to 10
debug3: LDAP set opt network timeout to 10.0
debug3: LDAP set referrals to 1
debug3: LDAP set restart to 1
debug3: LDAP simple bind ()
debug3: LDAP result in time
debug3: LDAP parse result OK
debug2: LDAP do connect OK
debug1: LDAP process user
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=test))
ldap_search_st(): Confidentiality required
debug1: LDAP do close
debug2: LDAP do close OK

And for reference, the output of

[ruben@files ~]$ /usr/libexec/openssh/ssh-ldap-helper -v -v -v -w -f /etc/ldap.conf -s test
debug1: Reading configuration data /etc/ldap.conf
/etc/ldap.conf: line 8: Bad configuration option: pam_login_attribute
/etc/ldap.conf: line 9: Bad configuration option: pam_lookup_policy
/etc/ldap.conf: line 10: Bad configuration option: pam_min_uid
/etc/ldap.conf: line 11: Bad configuration option: pam_max_uid
/etc/ldap.conf: line 12: Bad configuration option: nss_initgroups_ignoreusers
/etc/ldap.conf: line 17: Bad configuration option: pam_password
/etc/ldap.conf: line 19: Bad configuration option: nss_base_passwd
/etc/ldap.conf: line 20: Bad configuration option: nss_base_shadow
/etc/ldap.conf: line 21: Bad configuration option: nss_base_group
debug3: === Configuration ===
debug3: URI ldap://ldap.priv.tilaa.nl
debug3: Host ldap.priv.tilaa.nl
debug3: Port 389
debug3: SSL Start_TLS
debug3: Ldap_Version 3
debug3: Timelimit 10
debug3: Bind_Timelimit 20
debug3: Base dc=tilaa,dc=nl
debug3: BindDN
debug3: BindPW
debug3: Scope Sub
debug3: Deref Never
debug3: Referrals Yes
debug3: Restart Yes
debug3: Bind_Policy Hard
debug3: SSLPath <UNDEFINED>
debug3: TLS_CheckPeer Hard
debug3: TLS_CaCertFile /etc/openldap/cacerts/ca.pem
debug3: TLS_CaCertDir /etc/openldap/cacerts
debug3: TLS_Ciphers <UNDEFINED>
debug3: TLS_Cert <UNDEFINED>
debug3: TLS_Key <UNDEFINED>
debug3: TLS_RandFile <UNDEFINED>
debug3: Logdir <UNDEFINED>
debug3: Debug 0
debug3: SSH_Filter
debug3: === *** ===
debug1: LDAP do connect
debug3: Set TLS CA cert file /etc/openldap/cacerts/ca.pem
debug3: Set TLS CA cert dir /etc/openldap/cacerts
debug3: Set TLS check peer to 1
debug3: LDAP initialize ldap://ldap.priv.tilaa.nl
debug3: LDAP set version to 3
debug3: LDAP set rebind proc
debug3: LDAP set deref to 0
debug3: LDAP set timelimit to 10
debug3: LDAP set opt network timeout to 20.0
debug3: LDAP set referrals to 1
debug3: LDAP set restart to 1
debug3: LDAP start TLS
debug3: LDAP simple bind ()
debug3: LDAP result in time
debug3: LDAP parse result OK
debug2: LDAP do connect OK
debug1: LDAP process user
debug3: LDAP search scope = 2 (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=test))
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5QJURbD721XSQQMV9NgRZ5gI1RPigf13nH647cyL0sRbOJAOrxoQN2L522UrWy5FU+E3s66panx7kNclFLxbP9+I9aZ+g5soWEa+EgHgDRYIWwW5MThMGng8H8l+dm7j5a3vmOJfnx2kzhPNiHX5sfTsSSSQnyYSV6PiWRdy6NenFykVyC8b+Z9Mvy6QJoiWz8xgQWVwK1Or2Rp93tAdO7iW4eN+HFBf+NbNJWg1q8gFvee4mma7WYc/QW2ZKHc6NqWFjGrGKdnv/tNjShjRzFbntUof5vKjzDdovqVMxmxFgovSZLq7cI+JtAH6QivGqy0GQuVNKWiqCT6yF7DMv ruben@files
debug2: LDAP process user finished
debug1: LDAP do close
debug2: LDAP do close OK

In this case, start_tls is used.

(In reply to comment #8)

You're right, it's a typo. We've been using this setting for 2 years now, but it's probably redundant because I also have tls_cacertdir.

Btw, the following
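The two debug dumps above differ in exactly one security-relevant way: the OpenLDAP-style file yields "SSL No" and the server answers "Confidentiality required", while the nss_ldap-style file yields "SSL Start_TLS" and the key is returned over a verified TLS session. The following Python checker is an added example, not code from this bug or from the openssh-ldap package. It applies the compatibility aliases Jan described (TLS_CACERT -> tls_cacertfile, TLS_REQCERT -> tls_checkpeer, never/hard aliased to off/on) to a config file and then reports the findings an administrator would want before trusting public keys fetched from LDAP: whether the search will be protected by start_tls (or an ldaps:// URI), whether the peer certificate is actually verified, and whether a CA is configured. The yes/no aliases, the list of recognised options and both sample configs are constructed assumptions for this example.

```python
"""Check an ssh-ldap-helper style ldap.conf for the TLS settings discussed in this bug.

Added example (not the helper's own parser). Option names, alias tables and the
sample configs are assumptions modelled on the debug output in the thread.
"""

# Compatibility aliases named in the thread: OpenLDAP ldap.conf(5) keys mapped to
# the helper's own option names. Matching is case-insensitive (assumption).
KEY_ALIASES = {
    "tls_cacert": "tls_cacertfile",
    "tls_reqcert": "tls_checkpeer",
}

# Values the helper's error message lists for tls_checkpeer, plus the off/on
# aliases from the thread. Treating yes/no like on/off is an assumption.
CHECKPEER_VALUES = {
    "never": "never", "off": "never", "no": "never",
    "allow": "allow",
    "try": "try",
    "demand": "demand",
    "hard": "hard", "on": "hard", "yes": "hard",
}

# Subset of options taken from the "=== Configuration ===" dump (assumption:
# anything else is reported the way the helper reports pam_*/nss_* keys).
KNOWN_OPTIONS = {
    "uri", "host", "port", "ssl", "ldap_version", "timelimit", "bind_timelimit",
    "base", "binddn", "bindpw", "scope", "deref", "referrals", "restart",
    "bind_policy", "tls_checkpeer", "tls_cacertfile", "tls_cacertdir",
}

# Constructed sample modelled on an /etc/openldap/ldap.conf (values are made up).
OPENLDAP_STYLE = """
URI ldap://ldap.example.internal
BASE dc=example,dc=internal
TLS_CACERT /etc/openldap/cacerts/ca.pem
TLS_REQCERT demand
"""

# Constructed sample modelled on the old nss_ldap /etc/ldap.conf (values are made up).
NSS_LDAP_STYLE = """
uri ldap://ldap.example.internal
base dc=example,dc=internal
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
pam_password md5
nss_base_passwd ou=People,dc=example,dc=internal
"""


def parse_ldap_conf(text):
    """Return (options, unknown): normalised key/value pairs and the
    (line number, key) pairs the helper would reject as unknown options."""
    options, unknown = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = KEY_ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key not in KNOWN_OPTIONS:
            unknown.append((lineno, key))
            continue
        if key == "tls_checkpeer":
            norm = CHECKPEER_VALUES.get(value.lower())
            if norm is None:  # mirrors the "Bad never/hard/demand/allow/try argument" error
                raise ValueError(f"line {lineno}: bad tls_checkpeer argument {value!r}")
            value = norm
        options[key] = value
    return options, unknown


def tls_findings(options):
    """List what a reviewer would flag before trusting keys fetched with this config."""
    findings = []
    ssl_mode = options.get("ssl", "no").lower()
    uri = options.get("uri", "").lower()
    if ssl_mode != "start_tls" and not uri.startswith("ldaps://"):
        findings.append("no TLS: the search goes in clear or fails with 'Confidentiality required'")
    if options.get("tls_checkpeer") not in ("hard", "demand"):
        findings.append("server certificate not verified: set tls_checkpeer to hard/demand")
    if "tls_cacertfile" not in options and "tls_cacertdir" not in options:
        findings.append("no CA certificate configured, so peer verification cannot succeed")
    return findings


def check(text):
    """Convenience wrapper returning (findings, unknown option names)."""
    options, unknown = parse_ldap_conf(text)
    return tls_findings(options), [key for _, key in unknown]


if __name__ == "__main__":
    for name, sample in (("openldap-style", OPENLDAP_STYLE), ("nss_ldap-style", NSS_LDAP_STYLE)):
        findings, unknown = check(sample)
        print(f"{name}: unknown options {unknown}")
        for f in findings:
            print(f"  - {f}")
```

Run against the two constructed samples, the OpenLDAP-style file parses cleanly once the aliases are applied but is flagged for having no TLS, which is the "Confidentiality required" failure seen above; the nss_ldap-style file produces the pam_*/nss_* warnings but passes all three TLS checks.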
I've got ldap public key lookups working now with openssh-ldap-5.5p1-9.fc14.x86_64, thanks!

File-based lookups (authorized_keys) stopped working though. Is it possible to fall back to file-based keys when there's no key in ldap?

3 further comments:
- man ssh-ldap-helper(8) refers to ssh_ldap.conf(5), but the manpage is ssh-ldap.conf(5) with a dash
- The PubkeyAgent section in sshd_config(5) is misformatted
- An example config file in /etc/ssh would be nice.

Thanks again!

Ruben
(In reply to comment #10)
>
> File-based lookups (authorized_keys) stopped working though. Is it possible to
> fall back to file-based keys when there's no key in ldap?

I will investigate it.

>
> 3 further comments:
> - man ssh-ldap-helper(8) refers to ssh_ldap.conf(5), but the manpage is
> ssh-ldap.conf(5) with a dash
> - The PubkeyAgent section in sshd_config(5) is misformatted
> - An example config file in /etc/ssh would be nice.

All solved in openssh-5.5p1-10
This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle. Changing version to '14'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping