Message-ID: <49E96A1A.5060605@gmail.com>
Date: Sat, 18 Apr 2009 08:50:18 +0300
From: Panos
To: Benjamin Lee
Cc: freebsd-questions@FreeBSD.org
Subject: Re: PAM-SSH-LDAP problem
In-Reply-To: <49E9035C.4000107@b1c1l1.com>

Benjamin Lee wrote:
> On 04/17/2009 02:04 PM, Panos wrote:
>
>> Hello, I'm trying to set up an LDAP server for authenticating users.
>> I think that the LDAP server is OK,
>> but ssh gives me an error: PAM authentication error, illegal user XXX from
>> XXX.XXX.XXX.XXX
>> I think that something is wrong when pam-ldap is querying LDAP.
>> First I thought that it was an ACL problem, so I tried something like this:
>> access * by * write
>> full access to all, but nothing.
>> When I'm using phpldapadmin to connect to LDAP I have no problem.
>>
> [...]
>
> Have you enabled ldap in /etc/nsswitch.conf?
>
> You may find it helpful to read through the FreeBSD LDAP Authentication
> article[1].
>
> [1] http://www.freebsd.org/doc/en/articles/ldap-auth/index.html
>

Yes, I have done this.

My ldap.conf file:

BASE dc=something,dc=something,dc=something
URI ldap://127.0.0.1
ssl start_tls
tls_cacertt /etc/certs/cert.crt

My ldapsearch works fine without TLS. Using TLS (-Z):

ldap_start_tls: Connect error (-11)

But for now I think that this is not the problem: for PAM I don't use an ldaps:// search but ldap, so when I find out what is wrong with PAM and LDAP I'll check the certificates. Although openssl s_client -port 636 gives this output:

CONNECTED(00000003)
depth=0 /C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
verify return:1
---
Certificate chain
 0 s:/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
   i:/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
....
-----END CERTIFICATE-----
subject=/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
issuer=/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx@xxxxxxxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 861 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1240044283
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

My nsswitch.conf file:

group: ldap files
group_compat: nis
hosts: files dns
networks: files
group: ldap files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I also tried

group: files ldap
passwd: files ldap

but still nothing. I've started and restarted nscd many times, but still nothing.
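An added check, not from the thread, for the two client files this kind of setup depends on. sshd resolves the login name with getpwnam() before PAM runs, and that lookup follows the "passwd:" line of nsswitch.conf (not "passwd_compat:"), so an account that exists only in LDAP is reported as an illegal user unless that line lists ldap; and a CA file only counts if its keyword is one the library recognises (TLS_CACERT per OpenLDAP's ldap.conf(5), tls_cacertfile for pam_ldap/nss_ldap), which is a common reason start_tls fails against a self-signed server certificate that openssl s_client can still connect to. The sample files are constructed, modelled on the ones quoted in the post with the BASE replaced:

```shell
#!/bin/sh
# Added example (not from the thread): lint nsswitch.conf and ldap.conf for the
# two settings that decide whether an LDAP account is visible to sshd/PAM.

# nss_has_ldap DB   (reads an nsswitch.conf on stdin)
# Exit 0 if the "DB:" line lists the ldap source. "passwd_compat:" is a
# different database and deliberately does not match "passwd:".
nss_has_ldap() {
    awk -v db="$1" 'BEGIN { key = db ":" }
        $1 == key { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ldapconf_ca_keyword   (reads an ldap.conf on stdin)
# Prints the recognised CA-file keyword, or "none" when no line uses one; an
# unrecognised spelling configures no CA, so the client cannot verify the server.
ldapconf_ca_keyword() {
    awk 'tolower($1) == "tls_cacert"     { print "TLS_CACERT"; found = 1; exit }
         tolower($1) == "tls_cacertfile" { print "tls_cacertfile"; found = 1; exit }
         END { if (!found) print "none" }'
}

# Constructed samples: the "as posted" pair has group mapped to ldap but no
# "passwd:" line at all, and a CA keyword spelled tls_cacertt.
NSS_AS_POSTED='group: ldap files
group_compat: nis
hosts: files dns
passwd_compat: nis'
NSS_FIXED='passwd: files ldap
group: files ldap'
LDAP_AS_POSTED='BASE dc=example,dc=com
URI ldap://127.0.0.1
ssl start_tls
tls_cacertt /etc/certs/cert.crt'
LDAP_FIXED='BASE dc=example,dc=com
URI ldap://127.0.0.1
ssl start_tls
TLS_CACERT /etc/certs/cert.crt'

# report NSS_CONTENT LDAPCONF_CONTENT -> one line per check
report() {
    for db in passwd group; do
        if printf '%s\n' "$1" | nss_has_ldap "$db"; then
            echo "$db: ldap source present"
        else
            echo "$db: ldap source MISSING (getpwnam() never reaches LDAP)"
        fi
    done
    echo "CA keyword: $(printf '%s\n' "$2" | ldapconf_ca_keyword)"
}

report "$NSS_AS_POSTED" "$LDAP_AS_POSTED"
report "$NSS_FIXED" "$LDAP_FIXED"
```

Run it against the real files with `nss_has_ldap passwd < /etc/nsswitch.conf` and `ldapconf_ca_keyword < /usr/local/etc/ldap.conf` (the FreeBSD pam_ldap/nss_ldap path); restarting nscd does not help while "passwd:" itself never names ldap.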