Hi Folks,
I have an OpenLDAP server, version slapd 2.4.16, running on Solaris 10. I have generated a self-signed CA certificate on the LDAP server to use TLS and configured slapd.conf with the certificate information. I am looking to get LDAP authentication using TLS on the LDAP client side. I was able to set up CentOS 6.3 Linux as an LDAP client, using the OpenLDAP client, for LDAP authentication using TLS, but I am having issues setting up Solaris 10 using the native LDAP client software. The Solaris 10 LDAP client is set up using 'ldapclient manual', and the certificate was added using the certutil command.
Here are the error messages I see when trying to authenticate using LDAP over TLS, from the slapd.log file on the OpenLDAP server side:
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 848112 local4.debug] conn=1270 fd=25 ACCEPT from IP=10.90.180.236:41051 (IP=0.0.0.0:636)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 609413 local4.debug] daemon: waked
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 802679 local4.debug] daemon: activity on:
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 522297 local4.debug] 25r
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 100000 local4.debug]
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 694296 local4.debug] daemon: read activity on 25
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 525477 local4.debug] connection_get(25)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 611214 local4.debug] connection_get(25): got connid=1270
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 138202 local4.debug] connection_read(25): checking for input on id=1270
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 609413 local4.debug] daemon: waked
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 802679 local4.debug] daemon: activity on:
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 522297 local4.debug] 25r
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 100000 local4.debug]
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 694296 local4.debug] daemon: read activity on 25
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 525477 local4.debug] connection_get(25)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 611214 local4.debug] connection_get(25): got connid=1270
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 138202 local4.debug] connection_read(25): checking for input on id=1270
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 688457 local4.debug] connection_read(25): TLS accept failure error=-1 id=1270, closing
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 734893 local4.debug] connection_closing: readying conn=1270 sd=25 for close
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 330685 local4.debug] connection_close: conn=1270 sd=25
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 609413 local4.debug] daemon: waked
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 423323 local4.debug] daemon: removing 25
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 485650 local4.debug] conn=1270 fd=25 closed (TLS negotiation failure)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=7 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=8 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=9 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 601841 local4.debug] daemon: activity on 1 descriptor
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 802679 local4.debug] daemon: activity on:
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 522297 local4.debug] 23r
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 100000 local4.debug]
On the LDAP client side I have enabled PAM debugging and I see the following error messages associated with it:
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 492885 auth.debug] PAM[6459]: pam_setcred(80c9bd8, 2)
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 931871 auth.debug] PAM[6459]: load_modules(80c9bd8, pam_sm_setcred)=/usr/lib/security/pam_authtok_get.so.1
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 962116 auth.debug] PAM[6459]: pam_setcred(80c9bd8, 2): error Permission denied
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 509612 auth.debug] PAM[6459]: pam_set_item(80c9bd8:authtok)
Jan 14 14:52:34 drac9ec2 sshd[6459]: [ID 725776 auth.debug] PAM[6459]: pam_end(80c9bd8): status = Permission denied
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 826707 auth.debug] PAM[6820]: pam_set_item(80c9bd8:authtok)
Jan 14 14:52:45 drac9ec2 last message repeated 1 time
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 887652 auth.debug] PAM[6820]: pam_authenticate(80c9bd8, 1): error Authentication failed
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd-kbdint ldapusr2), flags = 1
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 293258 auth.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 887652 auth.debug] PAM[6820]: pam_authenticate(80c9bd8, 1): error Permission denied
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 826707 auth.debug] PAM[6820]: pam_set_item(80c9bd8:authtok)
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 800047 auth.notice] Failed keyboard-interactive for ldapusr2 from 10.90.176.38 port 44078 ssh2
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 826707 auth.debug] PAM[6820]: pam_set_item(80c9bd8:conv)
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 814791 auth.debug] PAM[6820]: pam_end(80c9bd8): status = Authentication failed
Jan 14 14:52:45 drac9ec2 sshd[6820]: [ID 324150 auth.debug] PAM[6820]: pam_start(sshd-kbdint,ldapusr2,80a98a8:80c9bd8) - debug = 1
Here is the ldapclient command I ran to set up the LDAP client:
ldapclient -v manual -a defaultServerList=10.90.177.2 -a credentialLevel=anonymous -a domainName=dvsg-ldap.com -a defaultSearchBase=dc=dvsg-ldap,dc=com -a authenticationMethod=tls:simple -a serviceAuthenticationMethod=pam_ldap:tls:simple -a proxyDN=cn=readonly,dc=dvsg-ldap,dc=com -a proxyPassword=secret -a certificatePath=/var/ldap
Any guidance or help to resolve this issue would be most appreciated.
Thank you, Arvind.
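An added example, not part of the original post: a small parser for the slapd log format shown above that pairs each `conn=N ... ACCEPT from IP=...` line with its matching `conn=N ... closed (...)` line and counts, per client IP, the connections that ended in "TLS negotiation failure". This is the check a server admin can run to see which clients are failing the handshake on the ldaps listener (where no bind DN is ever seen, so the client IP is the only identity available). The log lines below are constructed to match the post's format, not copied from a real server.

```python
import re
from collections import OrderedDict

# Constructed sample in the syslog/slapd format shown in the post (not a real log).
SAMPLE_LOG = """\
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 848112 local4.debug] conn=1270 fd=25 ACCEPT from IP=10.90.180.236:41051 (IP=0.0.0.0:636)
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 538834 local4.debug] daemon: select: listen=10 active_threads=1 tvp=zero
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 688457 local4.debug] connection_read(25): TLS accept failure error=-1 id=1270, closing
Jan 14 14:51:53 ldapsrv slapd[543]: [ID 485650 local4.debug] conn=1270 fd=25 closed (TLS negotiation failure)
Jan 14 14:52:10 ldapsrv slapd[543]: [ID 848112 local4.debug] conn=1271 fd=26 ACCEPT from IP=10.90.176.38:50012 (IP=0.0.0.0:636)
Jan 14 14:52:10 ldapsrv slapd[543]: [ID 485650 local4.debug] conn=1271 fd=26 closed
Jan 14 14:52:20 ldapsrv slapd[543]: [ID 848112 local4.debug] conn=1272 fd=27 ACCEPT from IP=10.90.180.236:41060 (IP=0.0.0.0:636)
Jan 14 14:52:20 ldapsrv slapd[543]: [ID 485650 local4.debug] conn=1272 fd=27 closed (TLS negotiation failure)
"""

# conn id, client IP, client port, listener IP, listener port
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):(\d+) \(IP=([\d.]+):(\d+)\)")
# conn id and optional close reason in parentheses
CLOSED_RE = re.compile(r"conn=(\d+) fd=\d+ closed(?: \((.*)\))?$")

def parse_connections(log_text):
    """Map each conn id to its client IP, listener port and close reason (None if clean)."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            cid, client_ip, _cport, _lip, lport = m.groups()
            conns[cid] = {"client": client_ip, "listener_port": int(lport), "close_reason": None}
            continue
        m = CLOSED_RE.search(line)
        if m:
            cid, reason = m.groups()
            if cid in conns:          # ignore close lines whose ACCEPT we never saw
                conns[cid]["close_reason"] = reason
    return conns

def tls_failures_by_client(log_text):
    """Count connections per client IP that slapd closed with 'TLS negotiation failure'."""
    counts = {}
    for c in parse_connections(log_text).values():
        if c["close_reason"] == "TLS negotiation failure":
            counts[c["client"]] = counts.get(c["client"], 0) + 1
    return counts

if __name__ == "__main__":
    for ip, n in tls_failures_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {n} TLS handshake failure(s) on ldaps")
```

Run against a real slapd.log, a client that shows up here repeatedly is one whose trust store (on Solaris 10, the NSS database under the certificatePath directory) does not contain the CA that signed the server certificate, or whose TLS settings do not match the server's.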