From: Tim Dunphy
To: freebsd-questions
Date: Tue, 22 Feb 2011 17:47:06 -0500
Subject: openldap problems authenticating

Hello list,

I am running an openldap 2.4 server under FreeBSD that was working well until the config was tweaked by someone on the team without properly documenting their work.

# /usr/local/etc/ldap.con on ldap server (FreeBSD 8.1)

host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {SSHA}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com

# grep for ldap account shows ldap account on the ldap server itself succeeds

[root@LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
[root@LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
[root@LBSD2:/usr/local/etc/openldap] #

# /etc/ldap.conf on ldap client (centos 5.5)

host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {crypt}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com

# grep getent passwd for ldap account on the client nothing turns up after a long pause

[root@LCENT01:~] #getent passwd | grep walbs
[root@LCENT01:~] #

# nsswitch on the client

passwd: files ldap
shadow: files ldap
group: files ldap
sudoers: ldap
#hosts: db files nisplus nis dns
hosts: files dns

# this is what's going on in the logs on the ldap server during the getent from the client

Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed

#ldap search from the client as the pam services account is able to locate the ldap user info

[root@LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap ,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com' '(uid=walbs)'
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (uid=walbs)
# requesting: ALL
#

# walbs, People, summitnjhome.com
dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
uid: walbs
cn: Walkiria Soares
givenName: Walkiria
sn: Soares
mail: walbs@example.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 1003

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

#pam_ldap services account in the ldap directory

3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: {SSHA}secret

I have also tried doing anonymous binds on the client as well as using plain text passwords. I get the same tag=97 err=49 messages on the client either way. Some advice is sorely needed here.

Thank you very kindly in advance!

--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Attachment: slapd.txt (text/plain)
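An added example, not part of the original post: a small Python parser that pairs each slapd BIND request with its RESULT line by conn/op and lists the binds rejected with err=49 (LDAP invalidCredentials; tag=97 is the BindResponse, method=128 a simple bind). The sample input is the log excerpt quoted in the message; the function and field names are illustrative assumptions.

```python
import re
from collections import Counter

# Sample input: the slapd syslog lines quoted in the post (excerpt starts mid-connection).
SAMPLE_LOG = """\
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT = re.compile(r"fd=\d+ ACCEPT from IP=(?P<ip>\S+):\d+ \(")
BIND = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT = re.compile(r"op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")

def failed_binds(log_text):
    """Return one record per BindResponse (tag=97) that carries err=49."""
    peer = {}     # conn -> client IP taken from the ACCEPT line
    pending = {}  # (conn, op) -> (dn, method) taken from the BIND request line
    failures = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        if (a := ACCEPT.match(rest)):
            peer[conn] = a["ip"]
        elif (b := BIND.match(rest)):
            pending[(conn, b["op"])] = (b["dn"], int(b["method"]))
        elif (r := RESULT.match(rest)) and r["tag"] == "97":
            # Always consume the pending request; unknown if its lines were not captured.
            dn, method = pending.pop((conn, r["op"]), (None, None))
            if r["err"] == "49":
                failures.append({"time": m["ts"], "conn": int(conn),
                                 "ip": peer.get(conn), "dn": dn, "method": method})
        elif " closed" in rest:
            peer.pop(conn, None)
    return failures

def summarize(failures):
    """Count rejected binds per (client IP, bind DN) pair."""
    return dict(Counter((f["ip"], f["dn"]) for f in failures))

if __name__ == "__main__":
    for rec in failed_binds(SAMPLE_LOG):
        print(rec)
```

The first failure (conn=3411) is reported with an unknown DN and client IP because its ACCEPT and BIND lines fall outside the quoted excerpt.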