From owner-freebsd-questions@FreeBSD.ORG Sat Apr 18 05:19:01 2009
From: Panos
Date: Sat, 18 Apr 2009 08:17:25 +0300
To: Emiel van de Laar
Cc: freebsd-questions@FreeBSD.org
Subject: Re: PAM-SSH-LDAP problem
Message-ID: <49E96265.7050808@gmail.com>
References: <49E8EEF9.5090801@gmail.com>

Emiel van de Laar wrote:
>
> On Apr 17, 2009, at 11:04 PM, Panos wrote:
>
>> Hello, I'm trying to set up an LDAP for authenticating users.
>> I think that the LDAP server is OK,
>> but ssh gives me an error: PAM authentication error, illegal user XXX
>> from XXX.XXX.XXX.XXX
>> I think that something is wrong when pam-ldap is querying the LDAP.
>> First I thought that it was an ACL problem, so I tried something like this:
>> access * by * write
>> full access to all, but nothing.
>> When I'm using phpldapadmin to connect to LDAP I have no problem,
>
> [snip]
>
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)
>
> I suggest you have a look at the LDAP filter.
>
> The log above shows:
>
> (&(?objectClass=possixAccount)(uid=ldap_test))
>
> While I expect something like:
>
> (&(objectClass=possixAccount)(uid=ldap_test))
>
> i.e. remove the '?'.
>
> Regards,
>
> - Emiel

I know, I found this filter strange, but in my ldap.conf this is the filter line:

pam_filter objectclass=possixAccount

So no '?' should be in the filter. I tried without pam_filter objectclass=possixAccount, and the only difference in the logs is that instead of

(&(?objectClass=possixAccount)(uid=ldap_test))

I get

(uid=ldap_test)

but still I can't log in.

Then I tried with the filter shadowAccount, and here is the output. It says that it is not indexed; why?

Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from IP=127.0.0.1:49379 (IP=0.0.0.0:389)
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)

Then I tried with this filter:

pam_filter objectclass=*

Again the same error:

Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from IP=127.0.0.1:58165 (IP=0.0.0.0:389)
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=*)(uid=ldap_test))"
Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 closed (connection lost)

The strange thing is that the ldapsearch command gives me this:

ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (&(objectClass=*)(uid=ldap_test))
# requesting: ALL
#

dn: cn=ldap_test,dc=something,dc=something,dc=something
cn: ldap_test
FTPDownloadBandwidth: 20
FTPDownloadRatio: 5
FTPQuotaFiles: 50
FTPQuotaMBytes: 20
FTPStatus: enable
FTPUploadBandwidth: 50
FTPUploadRatio: 1
gecos: ldap_test
homeDirectory: /home/ldap/ldap_test
loginShell: /bin/sh
mail: ldap_test@something.something
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: PureFTPdUser
objectClass: radiusprofile
objectClass: shadowAccount
objectClass: top
ou: users
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 2
radiusTunnelType: VLAN
sn: ldap_test
uidNumber: 1003
uid: ldap_test
gidNumber: 1000
userPassword:: XXXXXX

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
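As an added example (not part of the thread), a small Python script that regroups slapd log lines like the ones quoted above by connection and operation and explains what each pam_ldap login attempt did: a malformed filter, a filter that matched no entry, and a bind that failed with err=49 (LDAP invalidCredentials, i.e. the entry was found but the password bind as its DN was rejected). It also picks up the "(uid) not indexed" line, which is slapd's warning that the attribute has no equality index (the search falls back to a full scan), not an error. The log lines are copied from the thread (abridged); the result-code names come from RFC 4511.

```python
import re
from collections import defaultdict
# slapd log lines quoted from the thread above (abridged; the poster redacted the DNs).
SLAPD_LOG = """\
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
"""

LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}  # RFC 4511
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
NOT_INDEXED_RE = re.compile(r"\((\w+)\) not indexed")  # slapd: no equality index, full scan; a warning, not an error

def parse_ops(log):
    """Group request/result lines by (conn, op); return ({conn: [ops in order]}, unindexed attrs)."""
    conns, unindexed = defaultdict(dict), set()
    for line in log.splitlines():
        u = NOT_INDEXED_RE.search(line)
        if u:
            unindexed.add(u.group(1))
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        entry = conns[conn].setdefault(op, {"op": op})
        if rest.startswith("BIND") and 'dn="' in rest:  # skips "BIND anonymous mech=implicit"
            entry["kind"], entry["dn"] = "BIND", re.search(r'dn="([^"]*)"', rest).group(1)
        elif rest.startswith("SRCH"):
            entry["kind"], entry["filter"] = "SRCH", re.search(r'filter="([^"]*)"', rest).group(1)
        elif "RESULT" in rest:  # plain RESULT (bind) and SEARCH RESULT both carry err=
            entry["err"] = int(re.search(r"err=(\d+)", rest).group(1))
            n = re.search(r"nentries=(\d+)", rest)
            entry["nentries"] = int(n.group(1)) if n else None
    return {c: [ops[k] for k in sorted(ops)] for c, ops in conns.items()}, sorted(unindexed)

def diagnose(ops):
    """Explain one pam_ldap login attempt: search for the uid, then bind as the entry's own DN."""
    findings = []
    for o in ops:
        if o.get("kind") == "SRCH" and "?" in o["filter"]:
            findings.append(f"op={o['op']}: malformed filter {o['filter']!r} (stray '?')")
        if o.get("kind") == "SRCH" and o.get("nentries") == 0:
            findings.append(f"op={o['op']}: filter {o['filter']!r} matched no entry")
        if o.get("kind") == "BIND" and o.get("err"):
            findings.append(f"op={o['op']}: BIND as {o['dn']} failed: {LDAP_ERR.get(o['err'], o['err'])}")
    return findings
```

Run `parse_ops` on the full log rather than this abridged copy to see every connection; an `index uid eq` line in slapd.conf is what makes the "not indexed" warning go away.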