Принуждение подключений OpenLDAP к использованию STARTTLS, не позволяющих пользователю войти в систему
у меня есть основной Сервер OpenLDAP, работающий на Ubuntu 16.04LTS который отлично аутентифицирует пользователей, но я действительно хотел сделать его более безопасным, поэтому решил использовать STARTTLS и Как зашифровать соединения OpenLDAP с помощью STARTTLS учебник чтобы все это произошло. До этого момента все шло отлично, как показано на изображении ниже:
После того, как я сделал все, что он сказал мне сделать на изображении выше, я запустил ssh {user-on-openldap-server@localhost} это дало мне сообщение об ошибке:
Permission denied, please try again.
Permission denied (publickey,password).
Примечание: localhost в данном случае был клиентской машиной, на которой я использовал этот Как аутентифицировать клиентские компьютеры с помощью LDAP на Ubuntu 12.04 VPS tutorial настроить его.
P.S Был комментарий к Как зашифровать соединения OpenLDAP с помощью STARTTLS учебник который я использовал для настройки STARTTLS на OpenLDAP, где у пользователя, похоже, была та же проблема, что и у меня, но на его комментарий нет ответа, поэтому я надеюсь уделить его комментарию больше внимания, а также помочь мне. 
Когда я бежал ldapsearch -H ldap://my-ip -x -b "dc=example,dc=com" -LLL -Z -d1 dn
Вот результат этой команды:
ldap_url_parse_ext(ldap://my-ip)
ldap_create
ldap_url_parse_ext(ldap://my-ip:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP my-ip:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 108.75.66.244:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 4
ldap_result ld 0x55f5ab064a60 msgid 1
wait4msg ld 0x55f5ab064a60 msgid 1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid 1 all 1
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid 1 all 1
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x55f5ab064a60 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55f5ab064a60 0 new referrals
read1msg: mark request completed, ld 0x55f5ab064a60 msgid 1
request done: ld 0x55f5ab064a60 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 4
ldap_result ld 0x55f5ab064a60 msgid 2
wait4msg ld 0x55f5ab064a60 msgid 2 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid 2 all 1
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid 2 all 1
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x55f5ab064a60 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55f5ab064a60 0 new referrals
read1msg: mark request completed, ld 0x55f5ab064a60 msgid 2
request done: ld 0x55f5ab064a60 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 60 bytes to sd 4
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 26 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 35 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=admin,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: ou=groups,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 35 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: ou=users,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 45 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=admin,ou=groups,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 43 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=irc,ou=groups,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 44 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=user,ou=groups,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 47 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=ftp-alex,ou=users,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=ftp-spencer,ou=users,dc=example,dc=com
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x55f5ab064a60 msgid -1
wait4msg ld 0x55f5ab064a60 msgid -1 (infinite timeout)
wait4msg continue ld 0x55f5ab064a60 msgid -1 all 0
** ld 0x55f5ab064a60 Connections:
* host: my-ip port: 389 (default)
refcnt: 2 status: Connected
last used: Wed May 18 23:57:55 2016
** ld 0x55f5ab064a60 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x55f5ab064a60 request count 1 (abandoned 0)
** ld 0x55f5ab064a60 Response Queue:
Empty
ld 0x55f5ab064a60 response count 0
ldap_chkResponseList ld 0x55f5ab064a60 msgid -1 all 0
ldap_chkResponseList returns ld 0x55f5ab064a60 NULL
ldap_int_select
read1msg: ld 0x55f5ab064a60 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x55f5ab064a60 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55f5ab064a60 0 new referrals
read1msg: mark request completed, ld 0x55f5ab064a60 msgid 3
request done: ld 0x55f5ab064a60 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed
Заранее спасибо, Алекс
Это было очень простое исправление, и мне просто нужно было установить libpam-ldapd на стороне клиента вместо установки libpam-ldap на стороне клиента. Как только я запустил это, у меня появилась возможность использовать starttls.