Hello,

I'm trying to set up authentication via an LDAP directory on a 6.2-p5 box.
id queries regarding an LDAP-defined user, run as root or as a locally defined
user, work fine:

[EMAIL PROTECTED]:~> id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)

[EMAIL PROTECTED]:~> id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)

testuser can't log on to the box (authentication failed). The following
message pops up on the console:
Jul  3 19:08:03 box login: pam_ldap: error trying to bind as user "cn=testuser,ou=people,dc=interne,dc=example,dc=org" (Invalid credentials)

OpenLDAP logs an error 49 (see attached file).

It seems that NSS works but PAM does not.

LDAP-related configuration follows:

</usr/local/etc/ldap.conf>
base dc=interne,dc=example,dc=org
uri ldap://127.0.0.1:389/

logdir /var/log/ldap
#debug 256

timeout 5
bind_timeout 5
bind_policy soft

rootbinddn cn=Manager,dc=interne,dc=example,dc=org

nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
nss_base_group ou=groups,dc=interne,dc=example,dc=org?one
</usr/local/etc/ldap.conf>

</usr/local/etc/openldap/slapd.conf>
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

access to dn.base=""
                by self write
                by * auth

access to attrs=userPassword
                by self write
                by * auth

access to attrs=shadowLastChange
                by self write
                by * auth

access to *
                by * read
                by anonymous auth

schemacheck     on
idletimeout     30
backend         bdb
database        bdb

suffix          "dc=interne, dc=example, dc=org"
rootdn          "cn=Manager, dc=interne, dc=example, dc=org"

rootpw          password

checkpoint      1024 5
cachesize       10000

directory       /var/db/openldap-data

# Indices to maintain
index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   uidNumber               eq
index   gidNumber               eq
index   memberUID               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
</usr/local/etc/openldap/slapd.conf>

</etc/pam.d/system>
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_ldap.so      no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
</etc/pam.d/system>

</etc/nsswitch.conf>
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
</etc/nsswitch.conf>

The directory has been initialized with the following LDIF file:

<init.ldif>
dn: dc=interne,dc=example,dc=org
dc: interne
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: interne.example.fr
structuralObjectClass: domain

dn: ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit

dn: ou=people,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit

dn: cn=testuser,ou=people,dc=interne,dc=example,dc=org
cn: testuser
sn: Dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
userPassword: testuser
uidNumber: 2000
gidNumber: 2000
gecos: Test User
loginShell: /bin/csh
homeDirectory: /home/test
structuralObjectClass: person

dn: cn=test,ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 2000
memberUid: test
structuralObjectClass: posixGroup
</init.ldif>

This is driving me nuts.

Does anyone have an idea?

TIA

Regards

-- 
 JMM> (no fonetix) unless I'm mistaken, we are not on IRC
 my fiancée wants me to avoid writing on the computer, so I do it
 on the sly or at least as quickly as possible
 -+- JC in www.le-gnu.net : Too much in bed to be on the net -+-

Jul  3 19:01:00 box slapd[1414]: slapd starting
Jul  3 19:01:05 box slapd[1414]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:50293 (IP=0.0.0.0:389)
Jul  3 19:01:05 box slapd[1414]: conn=0 op=0 BIND dn="" method=128
Jul  3 19:01:05 box slapd[1414]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul  3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul  3 19:01:05 box slapd[1414]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=0 op=2 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:05 box slapd[1414]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul  3 19:01:05 box slapd[1414]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=0 op=3 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:05 box slapd[1414]: conn=0 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul  3 19:01:05 box slapd[1414]: conn=0 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=1 fd=14 ACCEPT from IP=127.0.0.1:62723 (IP=0.0.0.0:389)
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul  3 19:01:05 box slapd[1414]: conn=1 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(uid=testuser)"
Jul  3 19:01:05 box slapd[1414]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=1 op=2 BIND anonymous mech=implicit ssf=0
Jul  3 19:01:05 box slapd[1414]: conn=1 op=2 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:05 box slapd[1414]: conn=1 op=2 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:05 box slapd[1414]: conn=1 op=2 RESULT tag=97 err=0 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 BIND anonymous mech=implicit ssf=0
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 BIND dn="cn=testuser,ou=people,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 RESULT tag=97 err=49 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 RESULT tag=97 err=0 text=
Jul  3 19:01:06 box slapd[1414]: conn=0 op=4 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:06 box slapd[1414]: conn=0 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul  3 19:01:06 box slapd[1414]: conn=0 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=5 UNBIND
Jul  3 19:01:06 box slapd[1414]: conn=1 fd=14 closed
Jul  3 19:01:44 box slapd[1414]: conn=0 fd=11 closed (idletimeout)
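As an added triage example (not part of the original post), a small Python script for this slapd log format: it re-joins records that a mail client wrapped across lines, pairs each simple BIND with its RESULT by conn/op, and reports the non-zero result codes, so the err=49 on the testuser bind stands out from the successful Manager binds on the same connection. The sample lines are constructed to mirror the attached log, wraps included.

```python
import re
# A slapd syslog record: timestamp, host, "slapd[pid]:", then the message.
RECORD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]: (?P<msg>.*)$")
# Simple bind request (method=128) and the RESULT that closes the same conn/op.
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=\d+')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=\d+ err=(?P<err>\d+)")
# Bind-relevant LDAP result codes (RFC 4511); 49 is the one seen in the post.
LDAP_ERR = {0: "success", 48: "inappropriateAuthentication",
            49: "invalidCredentials", 50: "insufficientAccessRights"}

def join_wrapped(lines):
    """Re-join records a mail client wrapped: a line without the timestamp prefix continues the previous record."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if RECORD_RE.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] = records[-1].rstrip() + " " + line.lstrip()
    return records

def failed_binds(lines):
    """Pair each simple BIND with its RESULT by (conn, op); return (conn, op, dn, err, name) per non-zero result."""
    pending, failures = {}, []
    for rec in join_wrapped(lines):
        msg = RECORD_RE.match(rec).group("msg")
        if (m := BIND_RE.search(msg)):
            pending[(int(m["conn"]), int(m["op"]))] = m["dn"]
        elif (m := RESULT_RE.search(msg)) and (key := (int(m["conn"]), int(m["op"]))) in pending:
            dn, err = pending.pop(key), int(m["err"])
            if err:
                failures.append((*key, dn, err, LDAP_ERR.get(err, "unknown")))
    return failures

# Constructed sample mirroring the attached log, line wraps included.
SAMPLE_LOG = """\
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 BIND
dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 BIND
dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 BIND anonymous mech=implicit ssf=0
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 BIND
dn="cn=testuser,ou=people,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 RESULT tag=97 err=49 text=
""".splitlines(keepends=True)

if __name__ == "__main__":
    for conn, op, dn, err, name in failed_binds(SAMPLE_LOG):
        print(f"conn={conn} op={op} bind as {dn} failed: err={err} ({name})")
```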
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"