Date:      Sat, 18 Apr 2009 00:15:13 +0200
From:      Emiel van de Laar <emiel@vandelaar.name>
To:        Panos <panosx13@gmail.com>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: PAM-SSH-LDAP problem
Message-ID:  <A801857E-A18F-461C-95EB-6A6149AFE731@vandelaar.name>
In-Reply-To: <49E8EEF9.5090801@gmail.com>
References:  <49E8EEF9.5090801@gmail.com>


On Apr 17, 2009, at 11:04 PM, Panos wrote:

> hello I'm trying to set up an ldap for authenticating users.
> I think that the ldap server is ok
> but ssh gives me an error PAM authentication error illegal user XXX
> from XXX.XXX.XXX.XXX
> I think that something is wrong when pam-ldap is querying the ldap.
> First I thought that was an acl problem so I tried something like this
>
> access * by * write
> full access to all but nothing.
> When I'm using phpldapadmin to connect to ldap I have no problem,

[snip]

> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)

I suggest you have a look at the LDAP filter.

The log above shows:

(&(?objectClass=possixAccount)(uid=ldap_test))

While I expect something like:

(&(objectClass=possixAccount)(uid=ldap_test))

i.e. remove the '?'.

Regards,

  - Emiel
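A small check for the kind of problem diagnosed above, added here as an example and not part of the thread or of pam_ldap: it pulls the filter out of a slapd SRCH log line and validates each attribute description against the RFC 4512 keystring/OID grammar, so a stray character in front of objectClass (the '?' slapd prints, which goes with the "value does not conform to assertion syntax" result) is reported instead of read past. The log lines are constructed from the decoded thread; function names are my own.

```python
import re

# RFC 4512 attribute description: a keystring (letter, then letters, digits,
# hyphens) or a numeric OID, optionally followed by ";option" parts.
KEYSTRING = re.compile(r'^[A-Za-z][A-Za-z0-9-]*$')
NUMERIC_OID = re.compile(r'^[0-9]+(?:\.[0-9]+)+$')
# One simple RFC 4515 filter item: "(" attr ("=" | "~=" | ">=" | "<=") value ")".
# Nested "(&" / "(|" / "(!" wrappers do not match because '(' is excluded.
ITEM = re.compile(r'\(([^()=~<>]*)(~=|>=|<=|=)([^()]*)\)')
# The filter="..." field of a slapd "SRCH" log line (values may contain \" escapes).
LOG_FILTER = re.compile(r'filter="((?:[^"\\]|\\.)*)"')

def attribute_description_ok(desc: str) -> bool:
    """True if desc matches the RFC 4512 attributedescription grammar."""
    base, *options = desc.split(';')
    if not (KEYSTRING.match(base) or NUMERIC_OID.match(base)):
        return False
    return all(KEYSTRING.match(opt) for opt in options)

def filter_problems(ldap_filter: str) -> list:
    """Return (attribute, reason) pairs for every item whose attribute part is malformed."""
    problems = []
    for attr, _op, _value in ITEM.findall(ldap_filter):
        # Extensible match items read "attr:dn:rule:=value"; only the attr part is checked.
        attr_part = attr.split(':', 1)[0]
        if attr_part == '':
            continue  # ":rule:=value" names no attribute, so there is nothing to validate
        if not attribute_description_ok(attr_part):
            problems.append((attr_part, 'not a valid attribute description (RFC 4512 keystring/OID)'))
    return problems

def check_srch_log_line(line: str) -> list:
    """Extract the filter from a slapd SRCH log line and validate it; [] means nothing suspicious."""
    m = LOG_FILTER.search(line)
    if not m:
        return []
    return filter_problems(m.group(1))

# Constructed sample: the SRCH line from the thread (quoted-printable decoded) and a corrected one.
BAD_LINE = ('Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH '
            'base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 '
            'filter="(&(?objectClass=possixAccount)(uid=ldap_test))"')
GOOD_LINE = BAD_LINE.replace('(?objectClass', '(objectClass')

if __name__ == '__main__':
    for line in (BAD_LINE, GOOD_LINE):
        print(check_srch_log_line(line) or 'filter attribute descriptions look well-formed')
```

The check only covers attribute names; whether "possixAccount" is a real object class is a schema question that slapd answers separately.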



