Date:      Tue, 22 Feb 2011 17:47:06 -0500
From:      Tim Dunphy <bluethundr@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   openldap problems authenticating
Message-ID:  <AANLkTim4nD2ae_xVCCx5DwPv3xK0x8HsTsAD1NQNOFto@mail.gmail.com>

--bcaec51d21a07f3ac8049ce6c2aa
Content-Type: text/plain; charset=ISO-8859-1

Hello list,

I am running an openldap 2.4 server under FreeBSD that was working
well until the config was tweaked by someone on the team without
properly documenting their work.

# /usr/local/etc/ldap.conf on ldap server (FreeBSD 8.1)

host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {SSHA}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com


# grepping the getent output for the ldap account succeeds on the ldap server itself

[root@LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
[root@LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
[root@LBSD2:/usr/local/etc/openldap] #





# /etc/ldap.conf on ldap client (centos 5.5)

host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {crypt}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com

# grepping getent passwd for the ldap account on the client: nothing turns up,
# after a long pause


[root@LCENT01:~] #getent passwd | grep walbs
[root@LCENT01:~] #


# nsswitch on the client

passwd:     files ldap
shadow:     files ldap
group:      files ldap
sudoers:    ldap
#hosts:     db files nisplus nis dns
hosts:      files dns


# this is what's going on in the logs on the ldap server during the
# getent from the client

Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from
IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND
dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed

#ldap search from the client as the pam services account is able to
locate the ldap user info

[root@LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap
,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com'
 '(uid=walbs)'
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (uid=walbs)
# requesting: ALL
#



# walbs, People, summitnjhome.com
dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
uid: walbs
cn: Walkiria Soares
givenName: Walkiria
sn: Soares
mail: walbs@example.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 1003

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


#pam_ldap services account in the ldap directory

3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: {SSHA}secret


I have also tried doing anonymous binds on the client as well as using
plain text passwords. I get the same tag=97 err=49 messages (tag=97 is
the bind response; err=49 is the LDAP invalidCredentials result code)
on the client either way.

Some advice is sorely needed here. Thank you very kindly in advance!

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--bcaec51d21a07f3ac8049ce6c2aa
Content-Type: text/plain; charset=US-ASCII; name="slapd.txt"
Content-Disposition: attachment; filename="slapd.txt"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_gkhem4o70
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--bcaec51d21a07f3ac8049ce6c2aa--


