Date: Sat, 18 Apr 2009 08:50:18 +0300
From: Panos <panosx13@gmail.com>
To: Benjamin Lee <ben@b1c1l1.com>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: PAM-SSH-LDAP problem
Message-ID: <49E96A1A.5060605@gmail.com>
In-Reply-To: <49E9035C.4000107@b1c1l1.com>
References: <49E8EEF9.5090801@gmail.com> <49E9035C.4000107@b1c1l1.com>
Benjamin Lee wrote:
> On 04/17/2009 02:04 PM, Panos wrote:
>
>> hello I'm trying to setup an ldap for authenticating users.
>> I think that the ldap server is ok
>> but ssh gives me an error PAM authentication error illegal user XXX from
>> XXX.XXX.XXX.XXX
>> I think that something is wrong when pam-ldap is querying to ldap.
>> First I thought that was an acl problem so I tried something like this
>> access * by * write
>> full access to all but nothing.
>> When I'm using phpldapadmin to connect to ldap I have no problem,
>>
> [...]
>
> Have you enabled ldap in /etc/nsswitch.conf?
>
> You may find it helpful to read through the FreeBSD LDAP Authentication
> article[1].
>
> [1] http://www.freebsd.org/doc/en/articles/ldap-auth/index.html
>
>

Yes, I have done this.

My ldap.conf file:

BASE dc=something,dc=something,dc=something
URI ldap://127.0.0.1
ssl start_tls
tls_cacertt /etc/certs/cert.crt

My ldapsearch works fine without TLS. Using TLS (-Z):

ldap_start_tls: Connect error (-11)

But for now I think that this is not the problem; for pam I don't use an ldaps:// search but ldap, so when I find out what is wrong with pam and ldap I'll check the certificates.

Although openssl s_client -port 636 gives this output:

CONNECTED(00000003)
depth=0 /C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
verify return:1
---
Certificate chain
 0 s:/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
   i:/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
....
-----END CERTIFICATE-----
subject=/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
issuer=/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 861 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1240044283
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

My nsswitch.conf file:

group: ldap files
group_compat: nis
hosts: files dns
networks: files
group: ldap files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I also tried

group: files ldap
passwd: files ldap

but still nothing.

I've started and restarted nscd many times but still nothing.
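An added diagnostic, not part of this thread or of FreeBSD: a small sh function that reads an nsswitch.conf given as its argument, checks that the passwd and group databases each appear exactly once and list ldap, and flags a database that is missing or duplicated. sshd resolves the login name through the passwd database before PAM runs, so a missing passwd line produces exactly the "illegal user" error quoted above; the nsswitch.conf pasted in this message has two group: lines and no passwd: line.

```shell
# nss_check FILE: report whether the passwd and group databases in an
# nsswitch.conf consult ldap, and flag a database listed more than once.
# Hypothetical helper written for this message, not from the thread.
# Returns 0 only when both databases are present once and include ldap.
nss_check() {
    file="$1"
    rc=0
    for db in passwd group; do
        # Strip comments, then collect the source list of every "db:" line.
        sources=$(sed -e 's/#.*//' "$file" |
                  awk -v db="$db" -F: '$1 == db { print $2 }')
        # Count non-empty source lists (awk always exits 0, unlike grep -c).
        count=$(printf '%s\n' "$sources" | awk 'NF { n++ } END { print n + 0 }')
        if [ "$count" -eq 0 ]; then
            # With no passwd line only the built-in default (files) is used,
            # so getpwnam() fails for an LDAP-only account and sshd logs
            # "illegal user" before PAM is ever consulted.
            echo "$db: no entry, lookups use the built-in default only"
            rc=1
        elif [ "$count" -gt 1 ]; then
            echo "$db: listed $count times, check for a mistyped database name"
            rc=1
        else
            case " $sources " in
                *" ldap "*) echo "$db: ok ($sources )" ;;
                *) echo "$db: ldap not listed ($sources )"; rc=1 ;;
            esac
        fi
    done
    return $rc
}
```

Run it against the live file with `nss_check /etc/nsswitch.conf`; a non-zero exit means at least one of the two databases needs attention.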