Date: Sat, 18 Apr 2009 00:04:57 +0300 From: Panos <panosx13@gmail.com> To: freebsd-questions@FreeBSD.org Subject: PAM-SSH-LDAP problem Message-ID: <49E8EEF9.5090801@gmail.com>
Hello, I'm trying to set up an LDAP for authenticating users. I think that the LDAP server is OK, but ssh gives me an error:

    PAM authentication error
    illegal user XXX from XXX.XXX.XXX.XXX

I think that something is wrong when pam_ldap is querying the LDAP. First I thought that it was an ACL problem, so I tried something like this: access * by * write (full access to all), but nothing. When I'm using phpLDAPadmin to connect to LDAP I have no problem.

My ldap.conf:

    base dc=something,dc=something,dc=something
    uri ldap://XXX.XXX.XXX.XXX/
    ldap_version 3
    binddn cn=manager,dc=something,dc=something,dc=something
    bindpw password(uncrypted)
    scope sub
    pam_filter objectclass=possixAccount
    pam_login_attribute uid
    pam_check_host_attr yes
    pam_check_service_attr no
    nss_base_passwd ou=users,dc=something,dc=something,dc=something?sub
    nss_base_shadow ou=users,dc=something,dc=something,dc=something?sub
    nss_base_group ou=groups,dc=something,dc=something,dc=something?sub

I have tried this too, but still nothing:

    base dc=something,dc=something,dc=something
    uri ldap://XXX.XXX.XXX.XXX/
    ldap_version 3
    binddn cn=manager,dc=something,dc=something,dc=something
    bindpw password(uncrypted)
    scope sub
    pam_filter objectclass=possixAccount
    pam_login_attribute uid
    nss_base_passwd ou=users,dc=something,dc=something,dc=something?sub
    nss_base_shadow ou=users,dc=something,dc=something,dc=something?sub
    nss_base_group ou=groups,dc=something,dc=something,dc=something?sub

My nss_ldap.conf:

    base ou=users,dc=something,dc=something,dc=something
    uri ldap://XXX.XXX.XXX.XXX/
    ldap_version 3

My slapd.conf:

    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/nis.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema
    include /usr/local/etc/openldap/schema/sendmail.schema
    include /usr/local/etc/openldap/schema/pureftpd.schema
    include /usr/local/etc/openldap/schema/radius.schema

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    loglevel -256
    sizelimit 1000
    lastmod on

    modulepath /usr/local/libexec/openldap
    moduleload back_bdb

    access to *
        by self write
        by dn="cn=Manager,dc=something,dc=something,dc=something" write
        by users read
        by anonymous auth

    access to attr=userPassword
        by dn="cn=Manager,dc=something,dc=something,dc=something" write
        by anonymous auth
        by self write
        by * none

    database bdb
    suffix "dc=something,dc=something,dc=something"
    rootdn "cn=Manager,dc=something,dc=something,dc=something"
    rootpw {CRYPT}PASSWORD.
    directory /var/db/openldap-data

    TLSVerifyClient demand
    TLSCertificateFile /etc/certs/cert.crt
    TLSCertificateKeyFile /etc/certs/cert.key
    TLSCACertificateFile /etc/certs/cert.crt
    TLSCipherSuite HIGH:MEDIUM:+SSLv2

    index objectClass eq
    index uid eq,pres
    index cn eq,pres
    index mail eq,pres
    index ou eq,pres,sub
    index uidnumber eq,pres
    index gidnumber eq,pres

My pam.d/ssh:

    auth      sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth      requisite   pam_opieaccess.so           no_warn allow_local
    auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn
    auth      required    pam_unix.so                 no_warn try_first_pass

    # account
    account   required    pam_nologin.so              no_warn
    account   required    pam_login_access.so
    account   required    /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user

    # session
    session   required    pam_permit.so

    # password
    password  required    pam_unix.so                 no_warn try_first_pass

And my ldap.log output:

    Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
    Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
    Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
    Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
    Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
    Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
    Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)

If you could help me I would be grateful.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49E8EEF9.5090801>
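As an added diagnostic (not from the post, pam_ldap or OpenLDAP), the script below correlates slapd SRCH and SEARCH RESULT lines by conn/op, pulls out filter items that slapd logged with a leading "?" (the form seen in the log above, where the server could not resolve the item against its schema), and suggests the nearest objectClass name from a partial nis.schema list. The sample log and the objectClass list are constructed assumptions for the example.

```python
import difflib
import re

# Constructed sample modelled on the slapd log lines quoted in the post (DNs are
# placeholders); conn=1 is an added, correctly spelled search for contrast.
SAMPLE_LOG = """\
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
Apr 18 00:01:07 FreeBSD slapd[1336]: conn=1 op=1 SRCH base="ou=users,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ldap_test))"
Apr 18 00:01:07 FreeBSD slapd[1336]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# Partial list of objectClasses defined by OpenLDAP's nis.schema (assumption for the example).
NIS_SCHEMA_OBJECTCLASSES = ["posixAccount", "shadowAccount", "posixGroup",
                            "ipHost", "ipNetwork", "nisNetgroup", "nisMap", "nisObject"]

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*?nentries=(\d+) text=(.*)$')
# slapd logs a filter item it could not resolve against its schema as "(?attr=value)".
UNDEFINED_RE = re.compile(r'\(\?([^=()]+)=([^()]*)\)')

def find_bad_filters(log_text):
    """Correlate SRCH and SEARCH RESULT lines by (conn, op) and return a record for
    every search whose filter contained an undefined item."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        flt = pending.pop((m.group(1), m.group(2)), None)
        if flt is None:
            continue
        undefined = UNDEFINED_RE.findall(flt)
        if undefined:
            findings.append({"conn": m.group(1), "op": m.group(2), "filter": flt,
                             "undefined": undefined, "nentries": int(m.group(3)),
                             "text": m.group(4).strip()})
    return findings

def suggest_objectclass(value):
    """Closest known objectClass name for a misspelt value (case-insensitive), or None."""
    by_lower = {name.lower(): name for name in NIS_SCHEMA_OBJECTCLASSES}
    hits = difflib.get_close_matches(value.lower(), list(by_lower), n=1, cutoff=0.8)
    return by_lower[hits[0]] if hits else None
```

Run find_bad_filters over the slapd log and pass each undefined objectClass value to suggest_objectclass; on the quoted lines it isolates conn=0 op=1 and offers posixAccount for possixAccount.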