From: Eric Masson
To: Mailing List FreeBSD Questions <freebsd-questions@FreeBSD.org>
Date: Tue, 03 Jul 2007 20:14:25 +0200
Subject: pam_ldap issues
Message-ID: <86sl85tkvy.fsf@srvbsdnanssv.interne.kisoft-services.com>
X-Operating-System: FreeBSD 6.2-RELEASE-p5 i386
Hello,

I'm trying to set up authentication via an LDAP directory on a 6.2-p5 box.

id queries regarding an LDAP-defined user, using root or a locally defined user, work fine:

admin@box:~> id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)

root@box:~> id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)

testuser can't log on to the box (authentication failed). The following message pops up on the console:

Jul 3 19:08:03 box login: pam_ldap: error trying to bind as user "cn=testuser,ou=people,dc=interne,dc=example,dc=org" (Invalid credentials)

OpenLDAP logs an error 49 (see attached file).

It seems that NSS works but not PAM.

LDAP-related configuration follows:

base dc=interne,dc=example,dc=org
uri ldap://127.0.0.1:389/
logdir /var/log/ldap
#debug 256
timeout 5
bind_timeout 5
bind_policy soft
rootbinddn cn=Manager,dc=interne,dc=example,dc=org
nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
nss_base_group ou=groups,dc=interne,dc=example,dc=org?one

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to dn.base="" by self write by * auth
access to attrs=userPassword by self write by * auth
access to attrs=shadowLastChange by self write by * auth
access to * by * read by anonymous auth
schemacheck on
idletimeout 30
backend bdb
database bdb
suffix "dc=interne, dc=example, dc=org"
rootdn "cn=Manager, dc=interne, dc=example, dc=org"
rootpw password
checkpoint 1024 5
cachesize 10000
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
#auth       sufficient  pam_krb5.so                 no_warn try_first_pass
#auth       sufficient  pam_ssh.so                  no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth        required    pam_unix.so                 no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    pam_lastlog.so              no_fail

# password
#password   sufficient  pam_krb5.so                 no_warn try_first_pass
password    required    pam_unix.so                 no_warn try_first_pass

group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files

The directory has been initialized with the following LDIF file:

dn: dc=interne,dc=example,dc=org
dc: interne
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: interne.example.fr
structuralObjectClass: domain

dn: ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit

dn: ou=people,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit

dn: cn=testuser,ou=people,dc=interne,dc=example,dc=org
cn: testuser
sn: Dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
userPassword: testuser
uidNumber: 2000
gidNumber: 2000
gecos: Test User
loginShell: /bin/csh
homeDirectory: /home/test
structuralObjectClass: person

dn: cn=test,ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 2000
memberUid: test
structuralObjectClass: posixGroup

This is driving me nuts. Does anyone have an idea?

TIA

Regards

-- 
JMM> (padfonetik) unless I'm mistaken, we're not on IRC
my fiancée wants me to avoid writing on the computer, so I do it on the sly,
or at least as quickly as possible
-+- JC in www.le-gnu.net: Too much in bed to be on the net -+-

[Attachment: ldap.log]

Jul 3 19:01:00 box slapd[1414]: slapd starting
Jul 3 19:01:05 box slapd[1414]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:50293 (IP=0.0.0.0:389)
Jul 3 19:01:05 box slapd[1414]: conn=0 op=0 BIND dn="" method=128
Jul 3 19:01:05 box slapd[1414]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul 3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul 3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul 3 19:01:05 box slapd[1414]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:05 box slapd[1414]: conn=0 op=2 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul 3 19:01:05 box slapd[1414]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul 3 19:01:05 box slapd[1414]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:05 box slapd[1414]: conn=0 op=3 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul 3 19:01:05 box slapd[1414]: conn=0 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul 3 19:01:05 box slapd[1414]: conn=0 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:05 box slapd[1414]: conn=1 fd=14 ACCEPT from IP=127.0.0.1:62723 (IP=0.0.0.0:389)
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul 3 19:01:05 box slapd[1414]: conn=1 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(uid=testuser)"
Jul 3 19:01:05 box slapd[1414]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:05 box slapd[1414]: conn=1 op=2 BIND anonymous mech=implicit ssf=0
Jul 3 19:01:05 box slapd[1414]: conn=1 op=2 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:05 box slapd[1414]: conn=1 op=2 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 3 19:01:05 box slapd[1414]: conn=1 op=2 RESULT tag=97 err=0 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 BIND anonymous mech=implicit ssf=0
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 BIND dn="cn=testuser,ou=people,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 RESULT tag=97 err=49 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 3 19:01:06 box slapd[1414]: conn=1 op=4 RESULT tag=97 err=0 text=
Jul 3 19:01:06 box slapd[1414]: conn=0 op=4 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul 3 19:01:06 box slapd[1414]: conn=0 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul 3 19:01:06 box slapd[1414]: conn=0 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=5 UNBIND
Jul 3 19:01:06 box slapd[1414]: conn=1 fd=14 closed
Jul 3 19:01:44 box slapd[1414]: conn=0 fd=11 closed (idletimeout)
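As an added example that is not part of the original post: a small Python parser for slapd's conn/op log format that pairs each simple BIND request with the RESULT line carrying the same conn and op, so the rejected user bind (err=49, invalidCredentials) can be picked out of a log like the attached one and told apart from the rootbinddn binds that succeed around it. The sample lines are copied from the attached ldap.log; the function names are this example's own.

```python
import re
from collections import namedtuple

# Lines taken from the ldap.log attached to the post (its second connection).
SAMPLE_LOG = """\
Jul 3 19:01:05 box slapd[1414]: conn=1 fd=14 ACCEPT from IP=127.0.0.1:62723 (IP=0.0.0.0:389)
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 BIND anonymous mech=implicit ssf=0
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 BIND dn="cn=testuser,ou=people,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 RESULT tag=97 err=49 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=5 UNBIND
"""

# Syslog prefix, then conn=; the rest of the line is parsed per operation.
LINE_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]: conn=(\d+) (.*)$')
# Simple-bind request (method=128 = simple auth); dn="" is an anonymous bind.
BIND_RE = re.compile(r'^op=(\d+) BIND dn="([^"]*)" method=128')
# Bind response (tag=97); "SEARCH RESULT tag=101" lines do not match.
RESULT_RE = re.compile(r'^op=(\d+) RESULT tag=97 err=(\d+)')
# LDAP result codes (RFC 4511) that a bind can return.
LDAP_ERR = {0: 'success', 49: 'invalidCredentials', 50: 'insufficientAccessRights'}
BindResult = namedtuple('BindResult', 'conn op dn err')

def bind_results(log_text):
    """Pair each simple BIND request with the RESULT carrying the same conn/op."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        b = BIND_RE.match(rest)
        if b:
            pending[(conn, int(b.group(1)))] = b.group(2) or '(anonymous)'
            continue
        r = RESULT_RE.match(rest)
        key = (conn, int(r.group(1))) if r else None
        if key in pending:
            results.append(BindResult(conn, key[1], pending.pop(key), int(r.group(2))))
    return results

def failed_binds(log_text):
    """Only the binds slapd rejected, such as the err=49 the post asks about."""
    return [b for b in bind_results(log_text) if b.err != 0]

def describe(b):
    """One-line summary, e.g. 'conn=1 op=3 bind as cn=testuser,...: invalidCredentials'."""
    return 'conn=%d op=%d bind as %s: %s' % (b.conn, b.op, b.dn, LDAP_ERR.get(b.err, 'err=%d' % b.err))
```

Run over the full attachment, the same pairing shows every Manager bind on conn=1 succeeding and only the bind as the user DN failing, which narrows the problem to the user-credential check rather than to the directory connection itself.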