Re: PAM-SSH-LDAP problem
I had some trouble because of corrupted indices with LDAP. Running slapindex fixed it. Can you try that?

Alwin

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: PAM-SSH-LDAP problem
You had said:

> Panos wrote:
> the strange thing is that the ldapsearch command gives me this:
>
>   ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'
>   # extended LDIF
>   #
>   # LDAPv3
>   # base with scope subtree
>   # filter: (&(objectClass=*)(uid=ldap_test))
>   # requesting: ALL
>
>   dn: cn=ldap_test,dc=something,dc=something,dc=something
>   cn: ldap_test
>   [...]
>   gecos: ldap_test
>   homeDirectory: /home/ldap/ldap_test
>   loginShell: /bin/sh
>   [...]
>   uidNumber: 1003
>   uid: ldap_test
>   gidNumber: 1000
>   userPassword:: XX

And then later:

> Panos wrote:
> I think I found what the problem is but I don't know how to fix it. From the error messages, err=49 means that the password is wrong. I'm sure that I type it correctly. So I captured traffic using Wireshark: when the manager tries to bind everything is normal and the bind is successful. In the "authentication simple" field of the packet the password was correct, but when ldap_test tries to bind, the password that it sends to the LDAP server is INCORRECT (08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54 in the hex field), so the LDAP server returns invalid credentials. I think that this is the problem but I don't have a clue how to solve it. I can't understand why it sends an incorrect password, and most important which of ssh, pam, pam_ldap has the problem. Any ideas?

> On 2009, Apr 23, at 09:54, Panos wrote:
> Anyone?

With the "later" message where you say you found a message that the bind attempt resulted in the password reported as "INCORRECT", I do not see you describe how you initiated the BIND attempt, only that you captured it with wireshark. When you login as "cn=manager,[...]" that you say works, is that via ssh, or your admin tool you mentioned in a previous message, or more directly using something like ldapsearch(1)?
I highly recommend you test things from the ground-up to try and find at which level the failure is occurring:

  network: already covered, you know you can talk to the LDAP server from the client you are testing
  LDAP:    try performing the LDAP searches "manually" using ldapsearch(1), more on that below
  Account: getent passwd ldap_test
  SSH:     if those work, try more logging in the PAM or SSH layers

For doing the direct LDAP test, you've already checked that the entry is in your database:

  ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'

Next, make sure you can actually bind as that user:

  % ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' -D 'cn=ldap_test,dc=something,dc=something,dc=something' -W '(&(objectClass=*)(uid=ldap_test))'
  Enter LDAP Password: x
  [...]

If that fails, bump up the logging on either the client and/or server side of the LDAP server and see what clues you get from those logs. If it works, move on to the next layer and see if it can properly access the information you could get manually.

-philip
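Philip's ground-up sequence, as an added example that is not part of his message: a small Python driver that runs the layers in that order and stops at the first one that fails, so the report names the component to look at next. The values LDAP_URI, USER_DN and the password file passed to ldapsearch -y are assumptions standing in for the thread's placeholders. Invoked directly it runs the real ldapsearch(1) and getent(1) binaries; it also accepts a substitute runner so the decision logic can be exercised without a directory.

```python
#!/usr/bin/env python3
"""Ground-up check of an LDAP login path: directory search, bind as the
user, NSS lookup.  Added example, not from the thread; LDAP_URI, USER_DN and
PASS_FILE are assumptions standing in for the thread's placeholders."""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple

LDAP_URI = "ldap://127.0.0.1/"                                  # assumption
BASE_DN = "ou=users,dc=something,dc=something,dc=something"
USER = "ldap_test"
USER_DN = f"cn={USER},{BASE_DN}"     # assumption: the DN slapd logged for the user bind
PASS_FILE = "/root/ldap_test.pw"     # assumption: ldapsearch -y reads the password here

# A runner takes an argv list and returns (exit status, stdout+stderr).
Runner = Callable[[List[str]], Tuple[int, str]]


def real_runner(argv: List[str]) -> Tuple[int, str]:
    """Execute argv for real and capture what it printed."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, f"command not found: {argv[0]}"
    return proc.returncode, proc.stdout + proc.stderr


@dataclass
class Layer:
    name: str
    argv: List[str]
    expect: str          # substring that must be in the output for a pass


def layers() -> List[Layer]:
    """The sequence from the message above: search, bind as user, NSS."""
    user_filter = f"(&(objectClass=*)(uid={USER}))"
    return [
        # 1. LDAP: is the entry visible to a plain (anonymous) search?
        Layer("ldap-search",
              ["ldapsearch", "-x", "-H", LDAP_URI, "-b", BASE_DN, user_filter],
              expect=f"uid: {USER}"),
        # 2. LDAP: does a simple bind *as that user* succeed (what pam_ldap does)?
        Layer("ldap-bind-as-user",
              ["ldapsearch", "-x", "-H", LDAP_URI, "-b", BASE_DN,
               "-D", USER_DN, "-y", PASS_FILE, user_filter],
              expect=f"uid: {USER}"),
        # 3. NSS: does the OS resolve the account?  sshd treats a name that
        #    getpwnam() cannot resolve as an "illegal user" before PAM runs.
        Layer("nss-getent", ["getent", "passwd", USER], expect=f"{USER}:"),
    ]


def diagnose(run: Runner = real_runner) -> Tuple[str, List[str]]:
    """Run the layers in order and return (verdict, report lines).

    verdict is "ok" when all layers pass, otherwise the name of the first
    failing layer.  A layer fails on a non-zero exit status or when its
    expected substring is absent from the output; later layers depend on
    earlier ones, so checking stops there.
    """
    report: List[str] = []
    for layer in layers():
        status, out = run(layer.argv)
        ok = status == 0 and layer.expect in out
        report.append(f"{layer.name}: {'PASS' if ok else 'FAIL'} (exit {status})")
        if not ok:
            report.append(f"  first failing layer: {layer.name}")
            report.append(f"  command: {' '.join(layer.argv)}")
            return layer.name, report
    return "ok", report


if __name__ == "__main__":
    verdict, lines = diagnose()
    print("\n".join(lines))
    print("result:", verdict)
```

The bind layer deliberately uses the same simple bind pam_ldap performs (a DN plus password, `-x`), so a failure there reproduces the err=49 from the slapd log without sshd or PAM in the picture; a pass there followed by a failing getent points at nss_ldap and nsswitch.conf instead.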
Re: PAM-SSH-LDAP problem
Anyone?

> Panos wrote:
> I think I found what the problem is but I don't know how to fix it. [...]
> Any ideas?
>
> > Panos wrote:
> > > Emiel van de Laar wrote:
> > > > On Apr 17, 2009, at 11:04 PM, Panos wrote:
> > > > > hello I'm trying to setup an ldap for authenticating users. [...]
> > > [...]
> > [...]
Re: PAM-SSH-LDAP problem
I think I found what the problem is but I don't know how to fix it. From the error messages, err=49 means that the password is wrong. I'm sure that I type it correctly. So I captured traffic using Wireshark: when the manager tries to bind everything is normal and the bind is successful. In the "authentication simple" field of the packet the password was correct, but when ldap_test tries to bind, the password that it sends to the LDAP server is INCORRECT (08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54 in the hex field), so the LDAP server returns invalid credentials. I think that this is the problem but I don't have a clue how to solve it. I can't understand why it sends an incorrect password, and most important which of ssh, pam, pam_ldap has the problem.

Any ideas?

> Panos wrote:
> > Emiel van de Laar wrote:
> > > On Apr 17, 2009, at 11:04 PM, Panos wrote:
> > > > hello I'm trying to setup an ldap for authenticating users. [...]
> > [...]
> [...]
Re: PAM-SSH-LDAP problem
> Benjamin Lee wrote:
> > On 04/17/2009 02:04 PM, Panos wrote:
> > > hello I'm trying to setup an ldap for authenticating users. I think that the ldap server is ok but ssh gives me an error: PAM authentication error illegal user XXX from XXX.XXX.XXX.XXX. I think that something is wrong when pam-ldap is querying ldap. First I thought that it was an acl problem so I tried something like this
> > >   access * by * write
> > > full access to all, but nothing. When I'm using phpLDAPadmin to connect to ldap I have no problem,
> > [...]
>
> Have you enabled ldap in /etc/nsswitch.conf? You may find it helpful to read through the FreeBSD LDAP Authentication article[1].
>
> [1] http://www.freebsd.org/doc/en/articles/ldap-auth/index.html

yes I have done this

my ldap.conf file

  BASE dc=something,dc=something,dc=something
  URI ldap://127.0.0.1
  ssl start_tls
  tls_cacertt /etc/certs/cert.crt

my ldapsearch works fine without TLS. Using TLS (-Z):

  ldap_start_tls: Connect error (-11)

but for now I think that this is not the problem; for pam I don't use ldaps:// but ldap, so when I find out what is wrong with pam and ldap I'll check the certificates.

although openssl s_client -port 636 gives this output:

  CONNECTED(0003)
  depth=0 /C=xx/ST=/L=/O=/OU=e/CN=x/emailaddress=xx...@x
  verify error:num=18:self signed certificate
  verify return:1
  depth=0 /C=xx/ST=/L=/O=/OU=e/CN=x/emailaddress=xx...@x
  verify return:1
  ---
  Certificate chain
   0 s:/C=xx/ST=/L=/O=/OU=e/CN=x/emailaddress=xx...@x
     i:/C=xx/ST=/L=/O=/OU=e/CN=x/emailaddress=xx...@x
  ---
  Server certificate
  -----BEGIN CERTIFICATE-----
  xx
  xx
  xx
  -----END CERTIFICATE-----
  subject=/C=xx/ST=/L=/O=/OU=e/CN=x/emailaddress=xx...@x
  issuer=/C=xx/ST=/L=/O=/OU=e/CN=x/emailaddress=xx...@x
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 861 bytes and written 334 bytes
  ---
  New, TLSv1/SSLv3, Cipher is AES256-SHA
  Server public key is 1024 bit
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : AES256-SHA
      Session-ID: x
      Session-ID-ctx:
      Master-Key: xxx
      Key-Arg   : None
      Start Time: 1240044283
      Timeout   : 300 (sec)
      Verify return code: 18 (self signed certificate)
  ---

my nsswitch.conf file

  group: ldap files
  group_compat: nis
  hosts: files dns
  networks: files
  group: ldap files
  passwd_compat: nis
  shells: files
  services: compat
  services_compat: nis
  protocols: files
  rpc: files

I also tried

  group: files ldap
  passwd: files ldap

but still nothing. I've started and restarted nscd many times but still nothing.
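Two checks worth doing with what is in Panos's last two messages, written here as an added example rather than anything from the thread. The bytes 08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54 in the capture are not a mistyped password: "\b\n\r\177INCORRECT" is the fixed placeholder that OpenSSH's PAM code (badpw in auth-pam.c) submits in place of the typed password when sshd has already decided the login name is not a valid account, which is the "illegal user" in the sshd error. The real password never reaches slapd, so the err=49 is a consequence of that decision, not the cause of the failure. Whether a name is a valid account is decided by getpwnam(), i.e. by nsswitch.conf and nss_ldap, and the nsswitch.conf pasted above lists "group: ldap files" twice and has no "passwd:" line at all (the second "group:" is probably a mistyped "passwd:"). Two further things to verify on that path, from the original post: nss_ldap.conf has no binddn, so NSS lookups run anonymously, while the slapd.conf ACL grants anonymous only "auth", which is less than the "read" a search needs; "getent passwd ldap_test" (Philip's account layer) shows directly whether the OS can see the user. The script decodes the captured bytes and checks an nsswitch.conf for the problems above; CAPTURED_HEX and NSSWITCH_AS_POSTED are constructed copies of the page's values.

```python
#!/usr/bin/env python3
"""Two checks for the "sshd sends the wrong password" symptom.  Added
example, not from the thread.

1. decode the bind password seen on the wire and recognise the fixed
   placeholder OpenSSH's PAM code uses for logins it already considers
   invalid ("\\b\\n\\r\\177INCORRECT", badpw[] in OpenSSH auth-pam.c);
2. check that nsswitch.conf routes passwd lookups to ldap, since that is
   what makes the account a valid user in sshd's eyes in the first place.
"""
from typing import Dict, List

# OpenSSH's placeholder password for invalid users (auth-pam.c, badpw[])
OPENSSH_BADPW = b"\x08\x0a\x0d\x7fINCORRECT"

# Bytes from the thread's Wireshark capture (constructed from the hex given)
CAPTURED_HEX = "08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54"

# nsswitch.conf as pasted in the message above (constructed copy)
NSSWITCH_AS_POSTED = """\
group: ldap files
group_compat: nis
hosts: files dns
networks: files
group: ldap files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
"""


def decode_bind_password(hex_field: str) -> bytes:
    """Turn the space-separated hex from the capture into raw bytes."""
    return bytes.fromhex(hex_field.replace(" ", ""))


def explain_bind_password(raw: bytes) -> str:
    """Classify the simple-bind password seen on the wire."""
    if raw == OPENSSH_BADPW:
        return ("sshd placeholder password: the user was already rejected as "
                "an invalid account before PAM ran; fix name resolution (NSS), "
                "not pam_ldap")
    if raw.startswith(b"\x08\x0a\x0d\x7f"):
        return "starts like the sshd placeholder; inspect the rest of the bytes"
    return "looks like a real password was sent; the failure is in the directory"


def parse_nsswitch(text: str) -> Dict[str, List[List[str]]]:
    """Map each database name to the list of source lists it was given.

    A database that appears twice is kept twice so it can be reported.
    """
    table: Dict[str, List[List[str]]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        table.setdefault(db.strip(), []).append(sources.split())
    return table


def check_nsswitch(text: str) -> List[str]:
    """Return problems that would stop sshd from resolving LDAP users."""
    table = parse_nsswitch(text)
    problems: List[str] = []
    if "passwd" not in table:
        problems.append("no 'passwd:' line: getpwnam() never consults ldap")
    elif not any("ldap" in srcs for srcs in table["passwd"]):
        problems.append("'passwd:' line does not list ldap")
    if "group" not in table or not any("ldap" in s for s in table["group"]):
        problems.append("'group:' line does not list ldap")
    for db, entries in table.items():
        if len(entries) > 1:
            problems.append(f"'{db}:' appears {len(entries)} times; "
                            f"duplicate database line, check for a mistyped name")
    return problems


if __name__ == "__main__":
    raw = decode_bind_password(CAPTURED_HEX)
    print(raw, "->", explain_bind_password(raw))
    for p in check_nsswitch(NSSWITCH_AS_POSTED):
        print("nsswitch.conf:", p)
```

The placeholder is worth recognising in any slapd or packet capture: a bind for a DN that sshd built from an unresolvable login name will always carry it, so a run of err=49 results with that exact password is name-resolution breakage (or an account that does not exist), not a credential problem.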
Re: PAM-SSH-LDAP problem
> Emiel van de Laar wrote:
> > On Apr 17, 2009, at 11:04 PM, Panos wrote:
> > > hello I'm trying to setup an ldap for authenticating users. I think that the ldap server is ok but ssh gives me an error: PAM authentication error illegal user XXX from XXX.XXX.XXX.XXX. I think that something is wrong when pam-ldap is querying ldap. First I thought that it was an acl problem so I tried something like this
> > >   access * by * write
> > > full access to all, but nothing. When I'm using phpLDAPadmin to connect to ldap I have no problem,
> > [snip]
> > >   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
> > >   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
> > >   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
> > >   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
> > >   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
> > >   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
> > >   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)
> >
> > I suggest you have a look at the LDAP filter. The log above shows:
> >
> >   (&(?objectClass=possixAccount)(uid=ldap_test))
> >
> > While I expect something like:
> >
> >   (&(objectClass=possixAccount)(uid=ldap_test))
> >
> > i.e. remove the '?'.
> >
> > Regards,
> > - Emiel

I know, I found this filter strange, but in my ldap.conf this is the filter line:

  pam_filter objectclass=possixAccount

So no ? should be in the filter. I tried without

  pam_filter objectclass=possixAccount

and the only difference in the logs is that instead of (&(?objectClass=possixAccount)(uid=ldap_test)) I get (uid=ldap_test), but still I can't log in.

Then I tried with filter shadowAccount and here is the output. It says that it is not indexed; why?

  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from IP=127.0.0.1:49379 (IP=0.0.0.0:389)
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
  Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
  Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)

Then I tried with this filter

  pam_filter objectclass=*

again the same error:

  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from IP=127.0.0.1:58165 (IP=0.0.0.0:389)
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 text=
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=*)(uid=ldap_test))"
  Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous mech=implicit ssf=0
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 text=
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
  Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 text=
  Apr 18 08:07:28 FreeBSD slapd[
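The slapd stats-level lines quoted in this message carry three separate signals that are easy to read past. A filter component printed with a leading "?", as in (?objectClass=possixAccount), is one slapd could not resolve against its loaded schema; the nis.schema included in the original post's slapd.conf defines posixAccount, not possixAccount, which is why that search ends with nentries=0 and "value does not conform to assertion syntax" instead of a match, and why the "?" is not something the client can remove. "<= bdb_equality_candidates: (uid) not indexed" says there is no usable uid equality index even though the original post's slapd.conf declares "index uid eq,pres"; the usual reason is that the directive was added after the data was loaded, and the index is only usable once slapindex(8) has generated it, which is the fix Alwin suggests at the top of the thread. Finally, op=2 BIND dn="cn=ldap_test,..." followed by RESULT err=49 is pam_ldap's bind as the user failing with invalidCredentials. The script below, added here and not part of the thread, parses such log lines, joins each RESULT to its BIND or SRCH by conn/op, and reports those three conditions; SAMPLE_LOG is a constructed copy of lines posted in this thread with the timestamp prefix shortened.

```python
#!/usr/bin/env python3
"""Triage of slapd stats-level log lines (the format quoted in this thread).
Added example, not from the thread.  It joins each RESULT line to the BIND
or SRCH it closes (by conn/op) and reports undefined filter components,
unindexed attributes and failed binds."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copy of lines posted in this thread (timestamp prefix shortened).
SAMPLE_LOG = """\
slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
slapd[593]: <= bdb_equality_candidates: (uid) not indexed
slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|SEARCH RESULT|RESULT)\b(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')              # key=value, value may be quoted
UNINDEXED_RE = re.compile(r'<= \w+_candidates: \((\w+)\) not indexed')
UNDEF_RE = re.compile(r'\(\?([^)]*)\)')                 # slapd prefixes undefined components with ?


@dataclass
class Op:
    conn: str
    op: str
    kind: str = ""                           # "BIND" or "SRCH"
    attrs: Dict[str, str] = field(default_factory=dict)
    err: Optional[int] = None                # set when the RESULT line arrives
    text: str = ""


def kv(fields: str) -> Dict[str, str]:
    """Parse key=value tokens; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(fields)}


def parse(log: str) -> Tuple[List[Op], List[str]]:
    """Return operations in first-seen order and the attributes reported unindexed."""
    ops: Dict[Tuple[str, str], Op] = {}
    order: List[Op] = []
    unindexed: List[str] = []
    for line in log.splitlines():
        m = UNINDEXED_RE.search(line)
        if m:
            unindexed.append(m.group(1))
            continue
        m = OP_RE.search(line)
        if not m:
            continue                          # ACCEPT, closed, and similar lines
        key = (m.group(1), m.group(2))
        op = ops.get(key)
        if op is None:
            op = ops[key] = Op(conn=key[0], op=key[1])
            order.append(op)
        if m.group(3) in ("BIND", "SRCH"):
            op.kind = m.group(3)
            op.attrs.update(kv(m.group(4)))
        else:
            # "text=" is the last field and may contain spaces, so split it off first
            body, _, text = m.group(4).partition(" text=")
            attrs = kv(body)
            op.err = int(attrs.get("err", "0"))
            op.text = text.strip()
            if "nentries" in attrs:
                op.attrs["nentries"] = attrs["nentries"]
    return order, unindexed


def findings(log: str) -> List[str]:
    """Human-readable problems found in the log, in log order."""
    ops, unindexed = parse(log)
    out: List[str] = []
    for o in ops:
        where = f"conn={o.conn} op={o.op}"
        if o.kind == "SRCH":
            for comp in UNDEF_RE.findall(o.attrs.get("filter", "")):
                out.append(f"{where}: filter component '{comp}' is undefined (slapd marks it "
                           f"with '?'); the attribute or value is unknown to the loaded schema")
            if o.attrs.get("nentries") == "0":
                out.append(f"{where}: search matched no entries ({o.text or 'no text'})")
        elif o.kind == "BIND" and o.err == 49:
            out.append(f"{where}: bind as {o.attrs.get('dn')} failed, err=49 invalidCredentials")
    for attr in sorted(set(unindexed)):
        out.append(f"attribute '{attr}' has no usable equality index: add 'index {attr} eq' to "
                   f"slapd.conf, or run slapindex(8) with slapd stopped if it is already declared")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run over a real log the same way (read the file and pass its contents to findings), it turns a sequence of manager-bind, search, user-bind lines into one line per problem; the conn/op join matters because the RESULT line that carries err=49 does not repeat the DN that was binding.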
Re: PAM-SSH-LDAP problem
On Apr 17, 2009, at 11:04 PM, Panos wrote:

> hello I'm trying to setup an ldap for authenticating users. I think that the ldap server is ok but ssh gives me an error: PAM authentication error illegal user XXX from XXX.XXX.XXX.XXX. I think that something is wrong when pam-ldap is querying ldap. First I thought that it was an acl problem so I tried something like this
>   access * by * write
> full access to all, but nothing. When I'm using phpLDAPadmin to connect to ldap I have no problem,
[snip]
>   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
>   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
>   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
>   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
>   Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)

I suggest you have a look at the LDAP filter. The log above shows:

  (&(?objectClass=possixAccount)(uid=ldap_test))

While I expect something like:

  (&(objectClass=possixAccount)(uid=ldap_test))

i.e. remove the '?'.

Regards,
- Emiel
Re: PAM-SSH-LDAP problem
On 04/17/2009 02:04 PM, Panos wrote:
> hello I'm trying to setup an ldap for authenticating users.
> I think that the ldap server is ok
> but ssh gives me an error: PAM authentication error illegal user XXX from
> XXX.XXX.XXX.XXX
> I think that something is wrong when pam-ldap is querying ldap.
> First I thought that it was an acl problem so I tried something like this
>   access * by * write
> full access to all, but nothing.
> When I'm using phpLDAPadmin to connect to ldap I have no problem,
[...]

Have you enabled ldap in /etc/nsswitch.conf? You may find it helpful to read through the FreeBSD LDAP Authentication article[1].

[1] http://www.freebsd.org/doc/en/articles/ldap-auth/index.html

-- 
Benjamin Lee
http://www.b1c1l1.com/
PAM-SSH-LDAP problem
hello, I'm trying to setup an ldap for authenticating users. I think that the ldap server is ok but ssh gives me an error:

  PAM authentication error illegal user XXX from XXX.XXX.XXX.XXX

I think that something is wrong when pam-ldap is querying ldap. First I thought that it was an acl problem so I tried something like this

  access * by * write

full access to all, but nothing. When I'm using phpLDAPadmin to connect to ldap I have no problem.

my ldap.conf

  base dc=something,dc=something,dc=something
  uri ldap://XXX.XXX.XXX.XXX/
  ldap_version 3
  binddn cn=manager,dc=something,dc=something,dc=something
  bindpw password(uncrypted)
  scope sub
  pam_filter objectclass=possixAccount
  pam_login_attribute uid
  pam_check_host_attr yes
  pam_check_service_attr no
  nss_base_passwd ou=users,dc=something,dc=something,dc=something?sub
  nss_base_shadow ou=users,dc=something,dc=something,dc=something?sub
  nss_base_group ou=groups,dc=something,dc=something,dc=something?sub

I have tried this too but still nothing

  base dc=something,dc=something,dc=something
  uri ldap://XXX.XXX.XXX.XXX/
  ldap_version 3
  binddn cn=manager,dc=something,dc=something,dc=something
  bindpw password(uncrypted)
  scope sub
  pam_filter objectclass=possixAccount
  pam_login_attribute uid
  nss_base_passwd ou=users,dc=something,dc=something,dc=something?sub
  nss_base_shadow ou=users,dc=something,dc=something,dc=something?sub
  nss_base_group ou=groups,dc=something,dc=something,dc=something?sub

my nss_ldap.conf

  base ou=users,dc=something,dc=something,dc=something
  uri ldap://XXX.XXX.XXX.XXX/
  ldap_version 3

my slapd.conf

  include /usr/local/etc/openldap/schema/core.schema
  include /usr/local/etc/openldap/schema/cosine.schema
  include /usr/local/etc/openldap/schema/nis.schema
  include /usr/local/etc/openldap/schema/inetorgperson.schema
  include /usr/local/etc/openldap/schema/sendmail.schema
  include /usr/local/etc/openldap/schema/pureftpd.schema
  include /usr/local/etc/openldap/schema/radius.schema
  pidfile /var/run/openldap/slapd.pid
  argsfile /var/run/openldap/slapd.args
  loglevel -256
  sizelimit 1000
  lastmod on
  modulepath /usr/local/libexec/openldap
  moduleload back_bdb

  access to *
      by self write
      by dn="cn=Manager,dc=something,dc=something,dc=something" write
      by users read
      by anonymous auth
  access to attr=userPassword
      by dn="cn=Manager,dc=something,dc=something,dc=something" write
      by anonymous auth
      by self write
      by * none

  database bdb
  suffix "dc=something,dc=something,dc=something"
  rootdn "cn=Manager,dc=something,dc=something,dc=something"
  rootpw {CRYPT}PASSWORD.
  directory /var/db/openldap-data
  TLSVerifyClient demand
  TLSCertificateFile /etc/certs/cert.crt
  TLSCertificateKeyFile /etc/certs/cert.key
  TLSCACertificateFile /etc/certs/cert.crt
  TLSCipherSuite HIGH:MEDIUM:+SSLv2
  index objectClass eq
  index uid eq,pres
  index cn eq,pres
  index mail eq,pres
  index ou eq,pres,sub
  index uidnumber eq,pres
  index gidnumber eq,pres

my pam.d/ssh

  auth      sufficient  pam_opie.so  no_warn no_fake_prompts
  auth      requisite   pam_opieaccess.so  no_warn allow_local
  auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn
  auth      required    pam_unix.so  no_warn try_first_pass

  # account
  account   required    pam_nologin.so  no_warn
  account   required    pam_login_access.so
  account   required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user

  # session
  session   required    pam_permit.so

  # password
  password  required    pam_unix.so  no_warn try_first_pass

and my ldap.log output

  Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
  Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
  Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
  Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
  Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
  Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
  Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)

If you could help me I would be grateful.