Date: Thu, 23 Apr 2009 17:54:52 +0300
From: Panos <panosx13@gmail.com>
To: Emiel van de Laar <emiel@vandelaar.name>
Cc: Benjamin Lee <ben@b1c1l1.com>, freebsd-questions@FreeBSD.org
Subject: Re: PAM-SSH-LDAP problem
Message-ID: <49F0813C.1050301@gmail.com>
In-Reply-To: <49E9C4E1.6030908@gmail.com>
References: <49E8EEF9.5090801@gmail.com> <A801857E-A18F-461C-95EB-6A6149AFE731@vandelaar.name> <49E96265.7050808@gmail.com> <49E9C4E1.6030908@gmail.com>
Anyone?????

Panos wrote:
> I think I found what the problem is but I don't know how to fix it.
> From the error messages err=49 means that the password is wrong.
> I'm sure that I type it correctly.
> So I captured traffic using Wireshark.
>
> When the manager tries to bind everything is normal and the bind is
> successful. In the field "authentication simple" of the packet the
> password was the correct one,
> but when ldap_test tries to bind the password that it sends to the ldap
> server is INCORRECT (0000 08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54 in
> the hex field), so the ldap server returns invalid credentials.
>
> I think that this is the problem but I don't have a clue how to solve it.
> I can't understand why it sends an incorrect password, and most
> important which of ssh, pam, pam_ldap has the problem.
>
> Any ideas?
>
>
> Panos wrote:
>> Emiel van de Laar wrote:
>>>
>>> On Apr 17, 2009, at 11:04 PM, Panos wrote:
>>>
>>>> Hello, I'm trying to set up LDAP for authenticating users.
>>>> I think that the ldap server is ok
>>>> but ssh gives me an error "PAM authentication error illegal user XXX
>>>> from XXX.XXX.XXX.XXX".
>>>> I think that something is wrong when pam-ldap is querying ldap.
>>>> First I thought that it was an acl problem so I tried something like
>>>> this: access * by * write
>>>> (full access to all), but nothing.
>>>> When I'm using phpLDAPadmin to connect to ldap I have no problem.
>>>
>>> [snip]
>>>
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)
>>>
>>> I suggest you have a look at the LDAP filter.
>>>
>>> The log above shows:
>>>
>>> (&(?objectClass=possixAccount)(uid=ldap_test))
>>>
>>> While I expect something like:
>>>
>>> (&(objectClass=possixAccount)(uid=ldap_test))
>>>
>>> i.e. remove the '?'.
>>>
>>> Regards,
>>>
>>> - Emiel
>>
>> I know, I found this filter strange, but in my ldap.conf this is the
>> filter line:
>> pam_filter objectclass=possixAccount
>> So no ? should be in the filter.
>> I tried without
>> pam_filter objectclass=possixAccount
>> and the only difference in the logs is that instead of
>> (&(?objectClass=possixAccount)(uid=ldap_test))
>> I get (uid=ldap_test), but still I can't log in.
>> Then I tried with filter shadowAccount
>> and here is the output.
>> It says that it is not indexed, why?
>>
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from IP=127.0.0.1:49379 (IP=0.0.0.0:389)
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
>> Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)
>>
>> Then I tried with this filter
>>
>> pam_filter objectclass=*
>> again the same error
>>
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from IP=127.0.0.1:58165 (IP=0.0.0.0:389)
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 text=
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=*)(uid=ldap_test))"
>> Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous mech=implicit ssf=0
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 text=
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 text=
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 closed (connection lost)
>>
>>
>> The strange thing is that the ldapsearch command gives me this:
>>
>> ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'
>>
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=users,dc=something,dc=something,dc=something> with scope subtree
>> # filter: (&(objectClass=*)(uid=ldap_test))
>> # requesting: ALL
>> #
>>
>> dn: cn=ldap_test,dc=something,dc=something,dc=something
>> cn: ldap_test
>> FTPDownloadBandwidth: 20
>> FTPDownloadRatio: 5
>> FTPQuotaFiles: 50
>> FTPQuotaMBytes: 20
>> FTPStatus: enable
>> FTPUploadBandwidth: 50
>> FTPUploadRatio: 1
>> gecos: ldap_test
>> homeDirectory: /home/ldap/ldap_test
>> loginShell: /bin/sh
>> mail: ldap_test@something.something
>> objectClass: inetOrgPerson
>> objectClass: person
>> objectClass: posixAccount
>> objectClass: PureFTPdUser
>> objectClass: radiusprofile
>> objectClass: shadowAccount
>> objectClass: top
>> ou: users
>> radiusTunnelMediumType: IEEE-802
>> radiusTunnelPrivateGroupId: 2
>> radiusTunnelType: VLAN
>> sn: ldap_test
>> uidNumber: 1003
>> uid: ldap_test
>> gidNumber: 1000
>> userPassword:: XXXXXX
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>
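An added diagnostic example, not part of the thread: it decodes the hex field quoted above into the bytes actually sent in the simple bind, and pairs slapd BIND/RESULT lines by conn/op to report which DN received err=49 (invalidCredentials). The byte string it compares against is the fixed placeholder that OpenSSH's PAM authentication passes instead of the typed password when sshd cannot resolve the login name to an account (the same condition behind its "illegal user" message), so a match points the investigation at user lookup (NSS) rather than at the password itself; the slapd lines are constructed after the conn=7 excerpt.

```python
import re

# Constructed from the hex field the poster quoted from the Wireshark capture;
# the leading "0000" is the dump offset column, not payload.
CAPTURED_HEX = "0000 08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54"

# Fixed placeholder password that OpenSSH's PAM code substitutes for the typed
# one when the login name does not resolve to an account ("illegal user").
OPENSSH_DUMMY_PASSWORD = b"\b\n\r\x7fINCORRECT"

# Constructed slapd lines modelled on the conn=7 excerpt quoted in the thread.
SLAPD_LOG = """\
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]+)" method=')
# tag=97 is a bindResponse; err=49 is LDAP invalidCredentials.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

def decode_hex_dump(line: str) -> bytes:
    """Turn one 'offset xx xx ...' dump line into raw bytes, dropping the offset."""
    return bytes(int(tok, 16) for tok in line.split()[1:])

def is_openssh_dummy_password(payload: bytes) -> bool:
    """True if the captured bind password is sshd's placeholder, not user input."""
    return payload == OPENSSH_DUMMY_PASSWORD

def failed_binds(log_text: str) -> list:
    """Pair each simple BIND with the RESULT for the same conn/op; return DNs with err=49."""
    dn_by_op = {}
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            dn_by_op[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == "49":
            failures.append(dn_by_op.get((m.group(1), m.group(2)), "<unknown dn>"))
    return failures

if __name__ == "__main__":
    pw = decode_hex_dump(CAPTURED_HEX)
    print("bind password:", pw, "sshd placeholder:", is_openssh_dummy_password(pw))
    print("binds rejected with err=49:", failed_binds(SLAPD_LOG))
```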