I reported the bug to red hat.
What is the openldap technical URL where all of the submitted requests are listed on?
Thank you, Liz
From: Matus Honek <mhonek@redhat.commailto:mhonek@redhat.com> Date: Wednesday, May 11, 2016 at 4:13 AM To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.govmailto:Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.orgmailto:openldap-technical@openldap.org" <openldap-technical@openldap.orgmailto:openldap-technical@openldap.org> Subject: Re: ldap user login attempt kills slapd service
Hello,
as OpenLDAP distributed with RHEL uses NSS for crypto (which is deprecated by OpenLDAP upstream community) please contact Red Hat customer support with the issue. There, please supply full debug-level logs from all servers and client. I have noticed the suppressed log lines from journal in logs you have supplied bellow, which is not sufficient. Thank you for your understanding.
"Real, Elizabeth (392K)" <Elizabeth.Real@jpl.nasa.govmailto:Elizabeth.Real@jpl.nasa.gov> writes:
Openldap gurus:
Here is my setup,
LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40. Both servers are configured with multi-master replication. Ldaps is enabled and a ppolicy applied.
LDAPCLIENT: My ldap client is running RHEL7.2 as well, sssd 1.13.0, and openldap client 2.4.40.
I have been troubleshooting this problem for a while and can’t figure out why everytime I try to login to an ldap client with a test user account the slapd service on only one of my ldap servers gets killed.
Both getent and ldapsearch return the expected information when ran on the ldap client: ldapclient ~]# getent passwd realtest realtest:*:1004:312:Liz RealTest:/home/real:/bin/tcsh
ldapclient ~]# ldapsearch -x -s sub -b 'ou=People,dc=cluster,dc=sec312' '(uid=realtest)' # extended LDIF # # LDAPv3 # base <ou=People,dc=cluster,dc=sec312> with scope subtree # filter: (uid=realtest) # requesting: ALL #
# realtest, People, cluster.sec312 dn: uid=realtest,ou=People,dc=cluster,dc=sec312 gidNumber: 312 objectClass: account objectClass: top objectClass: posixAccount objectClass: shadowAccount uid: realtest loginShell: /bin/tcsh homeDirectory: /home/real cn: Liz RealTest uidNumber: 1004
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
LDAP SERVER /VAR/LOG/SECURE: serverA journal: Suppressed 19192 messages from /system.slice/slapd.service serverA journal: Suppressed 8449 messages from /system.slice/slapd.service serverA systemd: slapd.service: main process exited, code=killed, status=6/ABRT serverA systemd: Unit slapd.service entered failed state. serverA systemd: slapd.service failed.
LDAP CLIENT /VAR/LOG/SECURE: ldapclient sshd[122938]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=node12.cluster.sec312 user=realtest ldapclient sshd[122938]: pam_sss(sshd:auth): received for user realtest: 7 (Authentication failure) ldapclient sshd[122938]: pam_ldap(sshd:auth): Authentication failure; user=realtest ldapclient sshd[122936]: error: PAM: Authentication failure for realtest from node12.cluster.sec312
ATTEMPT TO SSH AS TEST USER TO LDAP CLIENT: % ssh -v realtest@ldapclient OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 60: Applying options for * debug1: Connecting to ldapclient [] port 22. debug1: Connection established. debug1: could not open key file '/etc/ssh/ssh_host_key': Permission denied debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission denied debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission denied debug1: identity file /home/real/.ssh/id_rsa type -1 debug1: identity file /home/real/.ssh/id_rsa-cert type -1 debug1: identity file /home/real/.ssh/id_dsa type -1 debug1: identity file /home/real/.ssh/id_dsa-cert type -1 debug1: identity file /home/real/.ssh/id_ecdsa type -1 debug1: identity file /home/real/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/real/.ssh/id_ed25519 type -1 debug1: identity file /home/real/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.commailto:hmac-md5-etm@openssh.com none debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.commailto:hmac-md5-etm@openssh.com none debug1: kex: curve25519-sha256@libssh.orgmailto:curve25519-sha256@libssh.org need=16 dh_need=16 debug1: kex: curve25519-sha256@libssh.orgmailto:curve25519-sha256@libssh.org need=16 dh_need=16 debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 14:c5:c2:60:29:ce:99:aa:67:41:a6:6a:11:2c:ca:86 debug1: Host 'ldapclient' is known and matches the ECDSA host key. debug1: Found key in /home/real/.ssh/known_hosts:22 debug1: ssh_ecdsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive,hostbased debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Next authentication method: hostbased debug1: No more client hostkeys for hostbased authentication. debug1: Next authentication method: publickey debug1: Trying private key: /home/real/.ssh/id_rsa debug1: Trying private key: /home/real/.ssh/id_dsa debug1: Trying private key: /home/real/.ssh/id_ecdsa debug1: Trying private key: /home/real/.ssh/id_ed25519 debug1: Next authentication method: keyboard-interactive Password: debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive,host based
Any help will be greatly appreciated!
Thank you, Liz
-- Matus Honek Associate Software Engineer @ Red Hat, Inc.