Emiel van de Laar wrote:
On Apr 17, 2009, at 11:04 PM, Panos wrote:
Hello, I'm trying to set up an ldap for authenticating users.
I think that the ldap server is ok
but ssh gives me an error PAM authentication error illegal user XXX
from XXX.XXX.XXX.XXX
I think that something is wrong when pam-ldap is querying ldap.
First I thought that it was an acl problem, so I tried something like this
access * by * write
full access to all, but nothing.
When I'm using phpldapadmin to connect to ldap I have no problem,
[snip]
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from
IP=127.0.0.1:51667 (IP=0.0.0.0:389)
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0
text=
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH
base="ou=users,dc=something,dc=something,dc=something" scope=2
deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT
tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection
lost)
I suggest you have a look at the LDAP filter.
The log above shows:
(&(?objectClass=possixAccount)(uid=ldap_test))
While I expect something like:
(&(objectClass=possixAccount)(uid=ldap_test))
i.e. remove the '?'.
Regards,
- Emiel
I know, I found this filter strange, but in my ldap.conf this is the
filter line.
pam_filter objectclass=possixAccount
So no ? should be in the filter
I tried without
pam_filter objectclass=possixAccount
and the only difference in the logs is instead of
(&(?objectClass=possixAccount)(uid=ldap_test))
I get (uid=ldap_test) but still I can't log in.
Then I tried with filter shadowAccount
and here is the output.
It says that it is not indexed, why?
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from
IP=127.0.0.1:49379 (IP=0.0.0.0:389)
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH
base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid)
not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous
mech=implicit ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND
dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)
Then I tried with this filter
pam_filter objectclass=*
Again the same error
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from
IP=127.0.0.1:58165 (IP=0.0.0.0:389)
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH
base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0
filter="(&(objectClass=*)(uid=ldap_test))"
Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid)
not indexed
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous
mech=implicit ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND
dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 closed (connection lost)
The strange thing is that the ldapsearch command gives me this:
ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something'
'(&(objectClass=*)(uid=ldap_test))'
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=something,dc=something,dc=something> with scope subtree
# filter: (&(objectClass=*)(uid=ldap_test))
# requesting: ALL
#
dn: cn=ldap_test,dc=something,dc=something,dc=something
cn: ldap_test
FTPDownloadBandwidth: 20
FTPDownloadRatio: 5
FTPQuotaFiles: 50
FTPQuotaMBytes: 20
FTPStatus: enable
FTPUploadBandwidth: 50
FTPUploadRatio: 1
gecos: ldap_test
homeDirectory: /home/ldap/ldap_test
loginShell: /bin/sh
mail: ldap_t...@something.something
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: PureFTPdUser
objectClass: radiusprofile
objectClass: shadowAccount
objectClass: top
ou: users
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 2
radiusTunnelType: VLAN
sn: ldap_test
uidNumber: 1003
uid: ldap_test
gidNumber: 1000
userPassword:: XXXXXX
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
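
Added example, not part of the original messages: a small Python triage of slapd log lines like those quoted in this thread. It pairs each request with its result by pid/conn/op and reports the conditions visible in the excerpts: a filter assertion logged with a leading `?` (slapd's marker for an assertion it treated as undefined), a search returning `nentries=0`, an unindexed attribute, and a bind answered with `err=49` (LDAP invalidCredentials). The sample log is constructed from the thread's excerpts, and the function and finding names are this example's own.

```python
import re

# Constructed sample: the thread's slapd excerpts, lines rejoined, DNs shortened.
SAMPLE_LOG = '''\
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
'''

OP = re.compile(r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) (.*)')
UNINDEXED = re.compile(r'slapd\[\d+\]: <= \w+: \(([^)]+)\) not indexed')

def triage(log):
    ops, findings = {}, []      # ops: (pid, conn, op) -> filter or bind DN
    for line in log.splitlines():
        m = UNINDEXED.search(line)
        if m:
            findings.append(("unindexed-attr", m.group(1)))
            continue
        m = OP.search(line)
        if not m:
            continue
        key, rest = m.groups()[:3], m.group(4)
        if rest.startswith("SRCH"):
            f = re.search(r'filter="([^"]*)"', rest)
            ops[key] = f.group(1) if f else ""
            if "(?" in ops[key]:   # '?' marks an assertion slapd treated as undefined
                findings.append(("undefined-assertion", ops[key]))
        elif rest.startswith("BIND"):
            d = re.search(r'dn="([^"]*)"', rest)
            if d:                  # "BIND anonymous" lines carry no dn
                ops[key] = d.group(1)
        elif rest.startswith(("RESULT", "SEARCH RESULT")):
            err = re.search(r'err=(\d+)', rest)
            n = re.search(r'nentries=(\d+)', rest)
            if n and n.group(1) == "0":
                findings.append(("no-entry-matched", ops.get(key, "")))
            if "tag=97" in rest and err and err.group(1) == "49":
                findings.append(("invalid-credentials", ops.get(key, "")))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Real syslog output has to be unwrapped to one event per line before it is passed to `triage`, since mail clients fold the long slapd lines as seen in the excerpts above.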