Date: Sat, 18 Apr 2009 08:17:25 +0300
From: Panos <panosx13@gmail.com>
To: Emiel van de Laar <emiel@vandelaar.name>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: PAM-SSH-LDAP problem
Message-ID: <49E96265.7050808@gmail.com>
In-Reply-To: <A801857E-A18F-461C-95EB-6A6149AFE731@vandelaar.name>
References: <49E8EEF9.5090801@gmail.com> <A801857E-A18F-461C-95EB-6A6149AFE731@vandelaar.name>
Emiel van de Laar wrote:
>
> On Apr 17, 2009, at 11:04 PM, Panos wrote:
>
>> Hello, I'm trying to set up LDAP for authenticating users.
>> I think that the LDAP server is OK,
>> but ssh gives me an error: PAM authentication error, illegal user XXX
>> from XXX.XXX.XXX.XXX
>> I think that something is wrong when pam_ldap is querying LDAP.
>> First I thought that it was an ACL problem, so I tried something like this:
>> access * by * write
>> full access to all, but nothing.
>> When I'm using phpldapadmin to connect to LDAP I have no problem.
>
> [snip]
>
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)
>
> I suggest you have a look at the LDAP filter.
>
> The log above shows:
>
> (&(?objectClass=possixAccount)(uid=ldap_test))
>
> While I expect something like:
>
> (&(objectClass=possixAccount)(uid=ldap_test))
>
> i.e. remove the '?'.
>
> Regards,
>
> - Emiel

I know, I found this filter strange, but in my ldap.conf this is the filter line:

pam_filter objectclass=possixAccount

So no '?' should be in the filter. I tried without "pam_filter objectclass=possixAccount", and the only difference in the logs is that instead of (&(?objectClass=possixAccount)(uid=ldap_test)) I get (uid=ldap_test), but still I can't log in.

Then I tried with the filter shadowAccount, and here is the output. It says that it is not indexed; why?

Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from IP=127.0.0.1:49379 (IP=0.0.0.0:389)
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)

Then I tried with this filter:

pam_filter objectclass=*

Again the same error:

Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from IP=127.0.0.1:58165 (IP=0.0.0.0:389)
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=*)(uid=ldap_test))"
Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 closed (connection lost)

The strange thing is that the ldapsearch command gives me this:

ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=something,dc=something,dc=something> with scope subtree
# filter: (&(objectClass=*)(uid=ldap_test))
# requesting: ALL
#

dn: cn=ldap_test,dc=something,dc=something,dc=something
cn: ldap_test
FTPDownloadBandwidth: 20
FTPDownloadRatio: 5
FTPQuotaFiles: 50
FTPQuotaMBytes: 20
FTPStatus: enable
FTPUploadBandwidth: 50
FTPUploadRatio: 1
gecos: ldap_test
homeDirectory: /home/ldap/ldap_test
loginShell: /bin/sh
mail: ldap_test@something.something
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: PureFTPdUser
objectClass: radiusprofile
objectClass: shadowAccount
objectClass: top
ou: users
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 2
radiusTunnelType: VLAN
sn: ldap_test
uidNumber: 1003
uid: ldap_test
gidNumber: 1000
userPassword:: XXXXXX

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
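The slapd stats lines quoted in the message above already separate the two steps pam_ldap performs: a privileged search for the user entry, then a bind as the entry's DN with the password the user typed. The following is an added example, not code from the thread or from pam_ldap/OpenLDAP: a small Python parser that groups the lines by conn and op and reports, per connection, what each search returned and which bind failed. It embeds the conn=7 log lines from the message as constructed sample input. The only facts it relies on are that LDAP resultCode 49 is invalidCredentials (RFC 4511), that "<= bdb_equality_candidates: (uid) not indexed" is slapd noting that the equality search on uid has no index to use (a performance hint, not a cause of failure), and that mech=SIMPLE with ssf=0 means the bind password crossed the connection with no TLS or SASL protection.

```python
import re
from collections import defaultdict

# Selected LDAP resultCode values (RFC 4511, Appendix A).
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Constructed sample: the conn=7 slapd stats-log lines quoted in the message
# above, kept in the syslog form slapd emits at loglevel 256.
SAMPLE_LOG = """\
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from IP=127.0.0.1:49379 (IP=0.0.0.0:389)
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # quoted values (dn, base, filter) may contain '='


def parse_slapd_log(text):
    """Group slapd stats-log lines by (conn, op).

    Returns (conns, index_warnings). conns maps conn -> op -> the merged
    key/value fields of every line logged for that op (BIND, SRCH, RESULT);
    index_warnings collects the "not indexed" lines, which slapd emits
    without conn/op context.
    """
    conns = defaultdict(dict)
    index_warnings = []
    for line in text.splitlines():
        if "not indexed" in line:
            index_warnings.append(line.split("]: ", 1)[-1])
            continue
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT / closed lines carry no op
        entry = conns[int(m["conn"])].setdefault(int(m["op"]), {})
        kind = m["rest"].split(" ", 1)[0]
        if kind in ("BIND", "SRCH"):
            entry.setdefault("kind", kind)
        for key, val in KV_RE.findall(m["rest"]):
            val = val.strip('"')
            if key in ("err", "nentries", "ssf", "tag"):
                val = int(val)
            entry[key] = val  # later lines for the same op add or refine fields
    return conns, index_warnings


def diagnose(text):
    """Summarise searches, failed binds, unprotected simple binds and unindexed lookups."""
    conns, index_warnings = parse_slapd_log(text)
    report = {"searches": [], "failed_binds": [], "cleartext_binds": [],
              "unindexed": index_warnings}
    for conn in sorted(conns):
        for op in sorted(conns[conn]):
            e = conns[conn][op]
            err = e.get("err")
            outcome = LDAP_RESULT_CODES.get(err, f"err={err}")
            if e.get("kind") == "SRCH":
                report["searches"].append(
                    (conn, op, e.get("base"), e.get("filter"), e.get("nentries"), outcome))
            elif e.get("kind") == "BIND":
                dn = e.get("dn", "anonymous")
                if err not in (None, 0):
                    report["failed_binds"].append((conn, op, dn, outcome))
                # mech=SIMPLE with ssf=0: the password crossed the wire with no TLS/SASL layer
                if e.get("mech") == "SIMPLE" and e.get("ssf") == 0:
                    report["cleartext_binds"].append((conn, op, dn))
    return report


if __name__ == "__main__":
    for section, items in diagnose(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run against the sample, the report shows that op=1 found exactly one entry (so the pam_filter and search base are not what stops the login), that op=2, the bind as cn=ldap_test,ou=users,..., is the step slapd rejected with invalidCredentials, and that the manager binds on op=0 and op=3 are simple binds with ssf=0, which is harmless on 127.0.0.1 as here but worth knowing before the same ldap.conf is pointed at a remote server. Feeding the conn=13 lines from the message gives the same shape of report.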
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49E96265.7050808>