OSEC

From: Vincent Danen (vdanen_at_mandrakesoft.com)
Date: Thu Oct 31 2002 - 12:34:22 CST

    On Thursday, October 31, 2002, at 01:50 AM, Martin Fahrendorf wrote:

    [...]
    > the pam_ldap is very strict in checking the listed ldap-hostname in the
    > config and in the certificate. If they are different you get no
    > connection. If I see it right, you try to connect to 127.0.0.1
    > (localhost) and the certificate of your ldap-server belongs to the
    > hostname taz.eijk.nu. So they differ and no connection is allowed.
    > Change 127.0.0.1 to taz.eijk.nu and it should work.

    Do you know if this is the case for nss_ldap as well? Because even a
    "getent passwd" fails for me when TLS is on. I made a new certificate
    and set the hostname on it to logan.danen.net (my test server), but I'm
    connecting to 10.1.5.10 (the server's ip). I'll give it a shot using
    the hostname (since that map is already in /etc/hosts).

    Another thing that irks me about LDAP... maybe someone has a solution
    for this as well.

    If I'm trying to use ssh on a LDAP client or host, it won't work if I'm
    using LDAP to store the host information. I think openssh might be
    reading /etc/hosts directly and then DNS to look up hostname info, as
    opposed to doing the "right thing" and using the values found in
    nsswitch (or a typical getent).

    For instance, with LDAP disabled and gandalf defined in my /etc/hosts,
    I can do "ssh gandalf" and connect, etc. With LDAP enabled and gandalf
    not in /etc/hosts (because it's being provided by the LDAP server), I
    have to use the IP as ssh returns an unknown host.

    Anyone seen this and/or know a way around it? One of the appeals of
    LDAP, to me, is the ability to serve host information across my LAN
    because I have far too many IPs around here (vmware installs, normal
    machines, etc.).

    --
    MandrakeSoft Security; http://www.mandrakesecure.net/
    "lynx - source http://linsec.ca/vdanen.asc | gpg --import"
    {FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (Darwin)

    iD8DBQE9wXevIEPQ5f5vKv0RAvLSAJ9UbaueAE+WJejDc8u5DCka3zN8GgCggCSZ
    3dzZBC8Y2GIRHTfvUFHobrM=
    =vLkV
    -----END PGP SIGNATURE-----
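The hostname check Martin describes, worked through as an added example that is not code from this thread or from pam_ldap/nss_ldap: it reads the `host` and `uri` lines of an ldap.conf, then applies the TLS name-matching rule (case-insensitive dNSName comparison, a wildcard only as the whole leftmost label, and an IP literal satisfied only by an iPAddress SAN) to each configured host. It uses only the Python standard library and takes the certificate's names as plain lists rather than parsing an X.509 file; the ldap.conf fragment and certificate names below are constructed to mirror the situation in the thread (client pointed at 127.0.0.1, certificate issued to taz.eijk.nu).

```python
import ipaddress
from urllib.parse import urlsplit


def configured_hosts(ldap_conf: str) -> list[str]:
    """Collect the hosts an ldap.conf points at, from 'host' and 'uri' lines.

    'host' takes a space-separated list of hostnames or IPs; 'uri' takes a
    space-separated list of ldap://, ldaps:// or ldapi:// URIs.
    """
    hosts: list[str] = []
    for raw in ldap_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            hosts.extend(value.split())
        elif key == "uri":
            for uri in value.split():
                name = urlsplit(uri).hostname  # None for ldapi:/// socket URIs
                if name:
                    hosts.append(name)
    return hosts


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match a presented dNSName (or subject CN) against a hostname, RFC 6125
    style: case-insensitive, with '*' allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label, must leave at least two
    # literal labels to its right, and matches exactly one label of the host.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_certificate(host: str, dns_names: list[str],
                             ip_names: list[str]) -> tuple[bool, str]:
    """Decide whether 'host', as written in the client config, is a name the
    certificate was issued for. dns_names are the SAN dNSName entries (plus the
    subject CN for older certificates); ip_names are the SAN iPAddress entries."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an iPAddress SAN; a dNSName that
        # merely spells the same digits does not count.
        for candidate in ip_names:
            try:
                if ipaddress.ip_address(candidate) == ip:
                    return True, f"{host} matches iPAddress SAN {candidate}"
            except ValueError:
                continue
        return False, f"{host} is an IP literal and the certificate has no matching iPAddress SAN"
    for name in dns_names:
        if _dns_name_matches(name, host):
            return True, f"{host} matches certificate name {name}"
    return False, f"{host} matches none of the certificate names {dns_names}"


def check_ldap_conf(ldap_conf: str, dns_names: list[str],
                    ip_names: list[str]) -> dict[str, tuple[bool, str]]:
    """Run the hostname check for every host the ldap.conf would contact."""
    return {h: host_matches_certificate(h, dns_names, ip_names)
            for h in configured_hosts(ldap_conf)}


if __name__ == "__main__":
    # Constructed sample: a client pointed at 127.0.0.1 while the server's
    # certificate was issued to taz.eijk.nu, as in the thread.
    SAMPLE_CONF = """\
# constructed /etc/ldap.conf fragment
host 127.0.0.1
uri ldaps://taz.eijk.nu:636/
base dc=eijk,dc=nu
ssl start_tls
"""
    CERT_DNS_NAMES = ["taz.eijk.nu"]   # constructed: subject CN / SAN dNSName of the server cert
    CERT_IP_NAMES: list[str] = []      # constructed: that cert carries no iPAddress SAN
    for host, (ok, why) in check_ldap_conf(SAMPLE_CONF, CERT_DNS_NAMES, CERT_IP_NAMES).items():
        print(f"{'OK  ' if ok else 'FAIL'} {why}")
```

Running it reports FAIL for 127.0.0.1 and OK for taz.eijk.nu, which is exactly the asymmetry in the thread: the client compares whatever string it was told to connect to against the certificate, so pointing the config at the certificate's hostname (or, for an IP, reissuing the certificate with a matching iPAddress SAN) is the fix, not loosening the check.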