From owner-freebsd-questions@FreeBSD.ORG Wed Feb 23 20:22:30 2011
From: Valentin Bud
Date: Wed, 23 Feb 2011 21:59:23 +0200
To: Tim Dunphy
Cc: freebsd-questions
Subject: Re: openldap problems authenticating
On Wed, Feb 23, 2011 at 12:47 AM, Tim Dunphy wrote:
> Hello list,
>
> I am running an openldap 2.4 server under FreeBSD that was working
> well until the config was tweaked by someone on the team without
> properly documenting their work.
>
> # /usr/local/etc/ldap.conf on ldap server (FreeBSD 8.1)
>
> host LBSD.summitnjhome.com
> base dc=summitnjhome,dc=com
> sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw {SSHA}secret
> scope sub
> pam_password exop
> nss_base_passwd ou=staff,dc=summitnjhome,dc=com
> nss_base_shadow ou=staff,dc=summitnjhome,dc=com
>
> # grep for ldap account shows ldap account on the ldap server itself succeeds
>
> [root@LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
> walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
> [root@LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
> [root@LBSD2:/usr/local/etc/openldap] #
>
> # /etc/ldap.conf on ldap client (centos 5.5)
>
> host LBSD2.summitnjhome.com
> base dc=summitnjhome,dc=com
> sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw {crypt}secret
> scope sub
> pam_password exop
> nss_base_passwd ou=staff,dc=summitnjhome,dc=com
> nss_base_shadow ou=staff,dc=summitnjhome,dc=com
>
> # grep getent passwd for ldap account on the client: nothing turns up
> after a long pause
>
> [root@LCENT01:~] #getent passwd | grep walbs
> [root@LCENT01:~] #
>
> # nsswitch on the client
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> sudoers: ldap
> #hosts: db files nisplus nis dns
> hosts: files dns
>
> # this is what's going on in the logs on the ldap server during the
> getent from the client
>
> Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
> Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
> Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from IP=192.168.1.42:53811 (IP=192.168.1.44:389)
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
>
> # ldap search from the client as the pam services account is able to
> locate the ldap user info
>
> [root@LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com' '(uid=walbs)'
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (uid=walbs)
> # requesting: ALL
> #
>
> # walbs, People, summitnjhome.com
> dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
> uid: walbs
> cn: Walkiria Soares
> givenName: Walkiria
> sn: Soares
> mail: walbs@example.com
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> uidNumber: 1002
> gidNumber: 1003
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> # pam_ldap services account in the ldap directory
>
> 3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> cn: pam_ldap
> objectClass: top
> objectClass: inetOrgPerson
> sn: PAM
> userPassword: {SSHA}secret
>
> I have also tried doing anonymous binds on the client as well as using
> plain text passwords. I get the same tag=97 err=49 messages on the
> client either way.
>
> Some advice is sorely needed here. Thank you very kindly in advance!
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Hello Tim,

First of all: an err=49 message in LDAP logs means some kind of invalid credentials (user or password, or TLS, but this is not the case).

After reading the mail a few times I have noticed something strange:

host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
*bindpw {SSHA}secret*

and on the client:

host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
*bindpw {crypt}secret*

I honestly say that I have never seen the password entry preceded by the algo used to encrypt it in ldap.conf. Anyway, logs are no liars, so you should double check the user/password combination in the config files. This is backed up by the fact that the direct ldapsearch from the CLI works. For sure on the CLI you enter the correct password.

my 7c,
v

--
network warrior
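Valentin's diagnosis above comes from two places: the slapd log (err=49 on the BIND result) and the bindpw lines in both ldap.conf files. As an added example that is not part of the thread, the script below correlates slapd's ACCEPT/BIND/RESULT lines by connection id so each failed bind can be reported with its client address and bind DN, and flags a bindpw value that starts with a {SCHEME} hash prefix; the log lines are constructed in the same format as Tim's, and the function names are mine.

```python
import re

# Constructed sample in the same format as the slapd lines in the thread
# (conn=3411's ACCEPT/BIND lines are deliberately absent, as in Tim's excerpt).
SAMPLE_LOG = """\
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
Feb 22 21:32:01 LBSD2 slapd[51158]: conn=3413 fd=23 ACCEPT from IP=192.168.1.42:53820 (IP=192.168.1.44:389)
Feb 22 21:32:01 LBSD2 slapd[51158]: conn=3413 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:32:01 LBSD2 slapd[51158]: conn=3413 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97 = BindResponse

def failed_binds(log_text):
    """Return (conn, source_ip, bind_dn, err) for every bind that did not succeed.
    ACCEPT and BIND lines are remembered per connection so the RESULT line, which
    carries only conn/op/err, can be attributed to a client address and DN."""
    ip_by_conn, dn_by_conn_op, failures = {}, {}, []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            ip_by_conn[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            dn_by_conn_op[(m.group(1), m.group(2))] = m.group(3) or "<anonymous>"
        elif (m := RESULT_RE.search(line)) and int(m.group(3)) != 0:
            conn, op = m.group(1), m.group(2)
            failures.append((conn, ip_by_conn.get(conn, "?"),
                             dn_by_conn_op.get((conn, op), "?"), int(m.group(3))))
    return failures

BINDPW_RE = re.compile(r"^\s*bindpw\s+(\S+)", re.MULTILINE)

def bindpw_scheme_prefix(conf_text):
    """Return the {SCHEME} prefix of ldap.conf's bindpw if it has one, else None.
    bindpw is sent as-is in the simple bind, so a stored-hash prefix such as
    {SSHA} or {crypt} here almost certainly means the real password is not sent."""
    m = BINDPW_RE.search(conf_text)
    pm = re.match(r"\{[^}]+\}", m.group(1)) if m else None
    return pm.group(0) if pm else None

if __name__ == "__main__":
    for conn, ip, dn, err in failed_binds(SAMPLE_LOG):
        print(f"conn={conn} from {ip} bind as {dn} failed with err={err}")
```

A connection whose ACCEPT or BIND line is outside the captured excerpt (conn=3411 above) is still reported, with "?" where the address or DN is unknown.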