"Access Denied" when trying to authenticate with SSHD.NLM

  • 7004446
  • 15-Sep-2009
  • 26-Apr-2012

Environment

Novell NetWare 6.5
OpenSSH

Situation

"Access Denied" when trying to authenticate with SSHD.NLM
"Access Denied" when trying to authenticate with OpenSSH Daemon for NetWare with PUTTY.EXE
"Access Denied" when trying to authenticate with OpenSSH Daemon for NetWare with PSFTP.EXE
"error: Search for user <username> in context <eDirectory context in LDAP format> failed with error Can't contact LDAP server, continuing search" in SSHD.LOG for each authentication attempt.

Resolution

SSHD.NLM authenticates users over a secure LDAP connection with the local LDAP service (NLDAP.NLM) by default. NLDAP.NLM sends the Public Key Certificate configured on the LDAP Server object to the LDAP client to set up the encrypted connection. The LDAP client accepts that certificate and continues the connection only if the Trusted Root Certificate that issued it matches the local RootCert.der file.

A valid RootCert.der existed in SYS:\PUBLIC\, but SYS:\SYSTEM\ contained an invalid copy of the file. SSHD.NLM (or the LDAP client) apparently prefers SYS:\SYSTEM\RootCert.der over SYS:\PUBLIC\RootCert.der when validating the Trusted Root Certificate. Because the copy in SYS:\SYSTEM\ did not match the LDAP server's Trusted Root Certificate, the LDAP client did not trust the LDAP server as authentic and dropped the LDAP connection.
 
Removing the invalid SYS:\SYSTEM\RootCert.der file resolved the problem.

SSHD.NLM recognizes the following LDAP configuration option in SSHD_CONFIG, which allows you to specify among other details the location of the RootCert.der file used for secure LDAP connections:

ldapauthhost [LDAP_SERVER] [PORT] [SECURE] [CERT_FILE]

For example:

ldapauthhost 127.0.0.1 636 secure sys:/public/rootcert.der
ldapauthhost 192.168.1.2 636 secure

Each parameter after [LDAP_SERVER] is optional, but a parameter can only be given together with the ones before it: you can specify [LDAP_SERVER] alone, while specifying [PORT] also requires [LDAP_SERVER]. For [SECURE], only the value "secure" selects a secure connection; any other value, for example "unsecure", makes SSHD.NLM authenticate eDirectory users over clear-text LDAP connections. To allow authentication over clear-text LDAP connections, you also need to disable 'Require TLS for all operations' on the LDAP Server object and disable 'Require TLS for Simple Binds with Password' on the LDAP Group object.
 
NOTE: Although SSHD recognizes the "ldapauthhost" parameter, it is not fully supported. For a systematic approach or for troubleshooting, Novell recommends getting SSH working properly with the local LDAP server before attempting to use this parameter. Only once SSH works with the local LDAP server should you experiment with pointing it to another LDAP server.

Additional Information

If you want to make sure you are using the right RootCert.der file with SSHD.NLM, follow these steps:

1) Go to the iManager HTML page, log in as administrator, open the 'LDAP' menu in the left panel and select 'LDAP Overview'.
2) Click the +-sign in front of the LDAP Group object of the server that you connect to with SSHD.NLM for LDAP authentication (by default the NetWare server that runs SSHD.NLM).
3) Click the LDAP Server object under that LDAP Group object.
4) Select the 'Connections' configuration page of the LDAP Server object. The 'Server Certificate' field shows which certificate the LDAP server uses for secure LDAP connections. The default is "SSL CertificateDNS".
5) Make sure you are logged in as administrator on your workstation and launch ConsoleOne.
6) Browse to the container where the Key Material Object of the Server Certificate identified in step 4 resides. By default this is the server's container.
7) Right-click the Key Material Object in question (by default "SSL CertificateDNS - <servername>") and select 'Properties...'.
8) On the 'Certificates' configuration page, select the 'Trusted Root Certificate' and click the 'Export' button.
9) Answer the question "Do you want to export the private key with the certificate?" with "No" (the default answer) and click the 'Next>' button.
10) Choose to export the certificate to a file in binary DER format (the default selection), specify a file name (RootCert.der) and click the 'Next>' button.
11) Click the 'Finish' button to perform the export.
12) Copy the resulting RootCert.der file to a volume of the NetWare server that runs SSHD.NLM, and specify its location with the "ldapauthhost" option in SSHD_CONFIG if it is not located in SYS:\SYSTEM\ or SYS:\PUBLIC\.
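
The following Python script is an added example, not part of this TID or of SSHD.NLM, that mirrors the check above: it parses an ldapauthhost line, resolves which RootCert.der the daemon would pick up (CERT_FILE if configured, otherwise SYS:\SYSTEM\ before SYS:\PUBLIC\, the precedence observed in the Resolution), and compares that file's SHA-256 fingerprint with the Trusted Root exported in step 12. The file contents, the paths, and the assumption that only those two default locations are searched are constructed for the example.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Lookup order observed in this TID when no CERT_FILE is configured (assumption: only these two).
DEFAULT_CERT_PATHS = ["SYS:\\SYSTEM\\RootCert.der", "SYS:\\PUBLIC\\RootCert.der"]

def parse_ldapauthhost(line: str) -> Dict[str, object]:
    """Parse 'ldapauthhost [LDAP_SERVER] [PORT] [SECURE] [CERT_FILE]'. Only the
    fields present are returned; anything but 'secure' means clear-text LDAP."""
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() != "ldapauthhost":
        raise ValueError("expected: ldapauthhost LDAP_SERVER [PORT] [SECURE] [CERT_FILE]")
    cfg: Dict[str, object] = {"server": parts[1]}
    if len(parts) > 2:
        cfg["port"] = int(parts[2])
    if len(parts) > 3:
        cfg["secure"] = parts[3].lower() == "secure"
    if len(parts) > 4:
        cfg["cert_file"] = parts[4]
    return cfg

def _norm(path: str) -> str:  # NetWare paths are case-insensitive and accept either slash
    return path.lower().replace("/", "\\")

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate: the hash of its raw bytes."""
    return hashlib.sha256(der).hexdigest()

def effective_rootcert(cfg: Dict[str, object], files: Dict[str, bytes]) -> Optional[str]:
    """RootCert.der the daemon would use: CERT_FILE if configured, else the
    first default location present on the server; None if nothing is found."""
    present = {_norm(p): p for p in files}
    wanted = [str(cfg["cert_file"])] if "cert_file" in cfg else DEFAULT_CERT_PATHS
    return next((present[_norm(p)] for p in wanted if _norm(p) in present), None)

def check_rootcert(cfg, files, exported_root: bytes) -> Tuple[bool, Optional[str]]:
    """Compare the copy SSHD.NLM would use with the Trusted Root exported from
    the LDAP server's Key Material Object. Returns (matches, path_used)."""
    path = effective_rootcert(cfg, files)
    if path is None:
        return False, None
    return fingerprint(files[path]) == fingerprint(exported_root), path

# Constructed sample data (not real certificates) reproducing the scenario in this TID.
TRUSTED_ROOT = b"constructed DER bytes of the exported Trusted Root Certificate"
SERVER_FILES = {
    "SYS:\\SYSTEM\\RootCert.der": b"constructed stale DER bytes",  # the invalid copy
    "SYS:\\PUBLIC\\RootCert.der": TRUSTED_ROOT,                    # the valid copy
}
```

With the sample data, the default lookup reports a mismatch on SYS:\SYSTEM\RootCert.der, while a line naming sys:/public/rootcert.der as CERT_FILE reports a match.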

 
Formerly known as TID# 10100793