From: Juergen Dankoweit <Juergen.Dankoweit@T-Online.de>
To: FreeBSD-Net <freebsd-net@freebsd.org>
Date: Fri, 06 Oct 2006 21:30:58 +0200
Message-Id: <1160163059.4923.6.camel@primergy470.juergendankoweit.net>
X-Mailer: Evolution 2.4.2.1 FreeBSD GNOME Team Port
Subject: Passwd troubles with OpenLDAP on FreeBSD 5/6

Hello to the list.

For two weeks I have been trying to find out what's going on in my LDAP installation (I've looked/posted in forums and the whole internet, nobody knew anything).

Changing the password with passwd (I have modified passwd.c to work with LDAP, see attachment) throws out the following message:

"Enter login(LDAP) password:"

If I enter there the LDAP password which is set in slapd.conf, then the prompt is repeated. If I enter the password of the logged-in user, then I get an error: "permission denied".

When I change the password with

>>ldappasswd -W -S -D "cn=Manager,dc=juergendankoweit,dc=net" "uid=,ou=Users,dc=juergendankoweit,dc=net"<<

everything is OK. Logging in with that user data is no problem; that works very well.

As you can see in the attached files there are no restrictions set (access to * by * write); there is no TLS or SASL.

(+) Installed packages on the client (FreeBSD 6.1): nss_ldap-1.244, pam_ldap-1.8.0, openldap-client-2.2.30 (as a dependency of the first two)
(+) On the server (FreeBSD 5.4): openldap-server-2.2.30

Many thanks in advance for helping.

Best regards
Jürgen

PS: /usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf are the same, and ldap.secret contains the same password (here in clear text) as in slapd.conf on the server.

PPS: Sorry for the long posting, but I don't know where to do what...
-- 
This e-mail was scanned with a private, non-commercial version of AntiVir MailGate.
See http://www.antivir.de for details.


---- attachment: system (/etc/pam.d/system) ----

#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass config=/usr/local/etc/pam_ldap.conf
auth        required    pam_unix.so                 no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     sufficient  /usr/local/lib/pam_ldap.so  config=/usr/local/etc/pam_ldap.conf
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    /usr/local/lib/pam_mkhomedir.so
session     required    pam_lastlog.so              no_fail

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass config=/usr/local/etc/pam_ldap.conf
password    required    pam_unix.so                 no_warn try_first_pass


---- attachment: slapd.conf ----

# /usr/local/etc/openldap/slapd.conf
# created: 23.02.2006
#
# =====================================================================
include     /usr/local/etc/openldap/schema/core.schema
# include   /usr/local/etc/openldap/schema/misc.schema
include     /usr/local/etc/openldap/schema/cosine.schema
include     /usr/local/etc/openldap/schema/nis.schema
include     /usr/local/etc/openldap/schema/inetorgperson.schema

# for Evolution
# ---------------------------------------------------------------------
include     /usr/X11R6/share/gnome/evolution-data-server-1.4/evolutionperson.schema

# Access rights
# ---------------------------------------------------------------------
# access to attr=userPassword
#     by dn="cn=Manager,dc=juergendankoweit,dc=net" write
#     by self write
#     by * none
access to *
    by * write

allow bind_v2

# PID and args file
# ---------------------------------------------------------------------
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Database permissions and configuration
# ---------------------------------------------------------------------
database    ldbm
directory   /database/openldap-data

# Base database
# ---------------------------------------------------------------------
suffix      "dc=juergendankoweit,dc=net"
rootdn      "cn=Manager,dc=juergendankoweit,dc=net"
# Password: #######
rootpw      {CRYPT}passwort

# Indexing rule for object classes
# ---------------------------------------------------------------------
index       objectClass     eq

TLSVerifyClient never

# Debugging
# ---------------------------------------------------------------------
# loglevel 128


---- attachment: passwd (/etc/pam.d/passwd) ----

#
# $FreeBSD: src/etc/pam.d/passwd,v 1.3 2003/04/24 12:22:42 des Exp $
#
# PAM configuration for the "passwd" service
#

# passwd(1) does not use the auth, account or session services.

# password
#password   requisite   pam_passwdqc.so             enforce=users
password    sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass config=/usr/local/etc/pam_ldap.conf
password    required    pam_unix.so                 no_warn try_first_pass nullok


---- attachment: pam_ldap.conf ----

uri ldap://192.168.1.1:389
base dc=juergendankoweit,dc=net
rootbinddn cn=Manager,dc=juergendankoweit,dc=net
ldap_version 3
ssl off
bind_timelimit 10
# bind_policy soft
pam_password crypt
pam_filter objectclass=posixAccount
pam_login_attribute uid
# pam_member_attribute memberUid
scope sub
# Debugging
# debug 256
# logdir /var/log


---- attachment: nss_ldap.conf ----

uri ldap://192.168.1.1:389
base dc=juergendankoweit,dc=net
rootbinddn cn=Manager,dc=juergendankoweit,dc=net
ldap_version 3
ssl off
bind_timelimit 10
# bind_policy soft
scope sub
nss_base_passwd ou=Users,dc=juergendankoweit,dc=net?one
# nss_base_shadow ou=Users,dc=juergendankoweit,dc=net?one
nss_base_group ou=Groups,dc=juergendankoweit,dc=net?one
# Debugging
# debug 256
# logdir /var/log


---- attachment: ldap.conf ----

uri ldap://192.168.1.1:389
base dc=juergendankoweit,dc=net
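The access-control section of the attached slapd.conf is the part of this post worth reading twice: the active directive `access to * by * write` grants write on every attribute, including userPassword, to every requester, anonymous binds included, while the commented-out directive above it would confine userPassword changes to the Manager DN and the entry's own owner. The following Python evaluator is an added example written for this page; it is not code from the post and not part of OpenLDAP. It implements only the subset of slapd.access(5) syntax that the attached file uses (`*`, `attr=NAME`, `self`, `anonymous`, `users`, `dn="..."`), models the rootdn bypass, and simplifies the global default for entries no directive matches to "none". The sample DNs `uid=alice` and `uid=bob` and the helper `anonymous_can_write_passwords` are constructed for the example.

```python
"""Minimal evaluator for slapd.conf-style access directives (added example).

Not code from the original post and not part of OpenLDAP.  Models the
ACL subset used in the attached slapd.conf:
    access to <what> by <who> <level> [by <who> <level> ...]
with <what> = "*" or attr=NAME and <who> = "*", self, anonymous, users or
dn="<exact DN>".  Evaluation follows slapd.access(5): the first matching
"access to" directive wins, within it the first matching "by" clause wins,
an exhausted "by" list means none, and the rootdn bypasses ACLs.  The
global default for entries no directive matches is simplified to "none"
(an assumption of this example).
"""
import re

# Access levels in ascending order; a level implies every lower one.
# (OpenLDAP 2.3+ also knows "disclose" and "manage"; omitted here.)
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

_WHO = r'(\*|self|anonymous|users|dn="[^"]*")'


def parse_acls(conf_text):
    """Return [(what, [(who, level), ...]), ...] for each access directive.
    Comments, blank lines and unrelated directives are ignored; a line that
    starts with whitespace continues the previous directive (slapd.conf rule).
    """
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    acls = []
    for line in logical:
        m = re.match(r"access\s+to\s+(\S+)\s+(.*)$", line)
        if m:
            clauses = re.findall(r"by\s+" + _WHO + r"\s+(\w+)", m.group(2))
            acls.append((m.group(1), clauses))
    return acls


def _what_matches(what, attr):
    if what == "*":
        return True
    m = re.match(r"attr=(\S+)$", what)
    return bool(m) and m.group(1).lower() == attr.lower()


def _who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    m = re.match(r'dn="([^"]*)"$', who)
    return bool(m) and requester_dn is not None and m.group(1).lower() == requester_dn.lower()


def effective_access(acls, requester_dn, target_dn, attr, rootdn=None):
    """Access level requester_dn (None = anonymous bind) gets on attr of target_dn."""
    if rootdn is not None and requester_dn is not None and requester_dn.lower() == rootdn.lower():
        return "write"  # the rootdn is never subject to ACLs
    for what, clauses in acls:
        if not _what_matches(what, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"  # simplified global default (assumption, see docstring)


def allows(level, needed):
    """True if level grants at least needed (e.g. write implies read)."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def anonymous_can_write_passwords(conf_text, sample_dn="uid=anyone,ou=Users,dc=example,dc=net"):
    """Audit helper (constructed): can an unauthenticated client change
    userPassword on an arbitrary entry?  sample_dn is a placeholder."""
    acls = parse_acls(conf_text)
    return allows(effective_access(acls, None, sample_dn, "userPassword"), "write")


# Constructed sample texts reproducing the two rule sets in the attached
# slapd.conf: the active one, and the commented-out one re-enabled ahead of it.
ACTIVE_RULES = """
access to *
    by * write
"""

RESTRICTED_RULES = """
access to attr=userPassword
    by dn="cn=Manager,dc=juergendankoweit,dc=net" write
    by self write
    by * none
access to *
    by * write
"""

if __name__ == "__main__":
    alice = "uid=alice,ou=Users,dc=juergendankoweit,dc=net"  # constructed DN
    bob = "uid=bob,ou=Users,dc=juergendankoweit,dc=net"      # constructed DN
    for name, text in (("active", ACTIVE_RULES), ("restricted", RESTRICTED_RULES)):
        acls = parse_acls(text)
        print(name, "anonymous on alice's userPassword:", effective_access(acls, None, alice, "userPassword"))
        print(name, "bob on alice's userPassword:", effective_access(acls, bob, alice, "userPassword"))
        print(name, "anonymous can write passwords:", anonymous_can_write_passwords(text))
```

Run stand-alone, the script shows the difference the commented-out directive makes: under the active rules an anonymous bind gets "write" on any userPassword, under the restricted rules only the Manager DN and the entry itself do, while other attributes stay writable through the trailing `access to *` directive. The first-match semantics is why the userPassword directive has to come before the catch-all; placed after it, it would never be consulted.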