I think I found what the problem is, but I don't know how to fix it.
From the error messages, err=49 means that the password is wrong.
I'm sure that I type it correctly.
So I captured traffic using Wireshark.

When the manager tries to bind everything is normal and the bind is successful. In the "authentication simple" field of the packet the password was correct, but when ldap_test tries to bind, the password that it sends to the LDAP server is INCORRECT (0000 08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54 in the hex field), so the LDAP server returns invalid credentials.

I think that this is the problem, but I don't have a clue how to solve it.
I can't understand why it sends an incorrect password, and most importantly which of ssh, pam or pam_ldap has the problem.

Any ideas?


Panos wrote:
Emiel van de Laar wrote:

On Apr 17, 2009, at 11:04 PM, Panos wrote:

Hello, I'm trying to set up LDAP for authenticating users.
I think that the LDAP server is OK,
but ssh gives me an error: PAM authentication error, illegal user XXX from XXX.XXX.XXX.XXX
I think that something is wrong when pam-ldap is querying LDAP.
First I thought that it was an ACL problem, so I tried something like this: access * by * write
(full access to all), but nothing.
When I'm using phpldapadmin to connect to LDAP I have no problem.

[snip]

Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)

I suggest you have a look at the LDAP filter.

The log above shows:

(&(?objectClass=possixAccount)(uid=ldap_test))

While I expect something like:

(&(objectClass=possixAccount)(uid=ldap_test))

i.e. remove the '?'.

Regards,

 - Emiel

I know, I found this filter strange, but in my ldap.conf this is the filter line:
pam_filter objectclass=possixAccount
So no ? should be in the filter.
I tried without
pam_filter objectclass=possixAccount
and the only difference in the logs is that instead of
(&(?objectClass=possixAccount)(uid=ldap_test))
I get (uid=ldap_test), but still I can't log in.
Then I tried with the filter shadowAccount
and here is the output.
It says that it is not indexed. Why?

Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from IP=127.0.0.1:49379 (IP=0.0.0.0:389)
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)

then I tried with this filter

pam_filter objectclass=*
again the same error

Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from IP=127.0.0.1:58165 (IP=0.0.0.0:389)
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=*)(uid=ldap_test))"
Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 closed (connection lost)


The strange thing is that the ldapsearch command gives me this:

ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'


# extended LDIF
#
# LDAPv3
# base <ou=users,dc=something,dc=something,dc=something> with scope subtree
# filter: (&(objectClass=*)(uid=ldap_test))
# requesting: ALL
#

dn: cn=ldap_test,dc=something,dc=something,dc=something
cn: ldap_test
FTPDownloadBandwidth: 20
FTPDownloadRatio: 5
FTPQuotaFiles: 50
FTPQuotaMBytes: 20
FTPStatus: enable
FTPUploadBandwidth: 50
FTPUploadRatio: 1
gecos: ldap_test
homeDirectory: /home/ldap/ldap_test
loginShell: /bin/sh
mail: ldap_t...@something.something
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: PureFTPdUser
objectClass: radiusprofile
objectClass: shadowAccount
objectClass: top
ou: users
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 2
radiusTunnelType: VLAN
sn: ldap_test
uidNumber: 1003
uid: ldap_test
gidNumber: 1000
userPassword:: XXXXXX

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
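The slapd exchanges quoted in this thread follow one pattern per login attempt: the manager binds, searches for the uid, then binds as the user, and it is that last bind that returns err=49 (LDAP invalidCredentials). Below is an added example, not code from the thread, that parses such slapd lines per connection, reports the failed bind and checks the DN it tried against the DN the quoted ldapsearch output returned; the sample log is constructed from the entries above, and SEARCH_DN is this example's own name for that ldapsearch DN.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the slapd lines quoted in the thread (one entry per line).
SAMPLE_LOG = """\
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
"""
# DN of the entry the thread's ldapsearch output returned (it has no ou=users component).
SEARCH_DN = "cn=ldap_test,dc=something,dc=something,dc=something"
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|SRCH|SEARCH RESULT|RESULT)\b(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # key=value or key="quoted value"

def parse_ops(log_text):
    """Group slapd operations as {conn: {op: {type, dn or base+filter, err, nentries}}}."""
    conns = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT/closed/index-hint lines carry no op number
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        entry = conns[conn].setdefault(op, {})
        if kind == "BIND" and "dn" in fields:  # 'BIND anonymous mech=implicit' has no dn; skip it
            entry.update(type="BIND", dn=fields["dn"])
        elif kind == "SRCH":
            entry.update(type="SRCH", base=fields["base"], filter=fields["filter"])
        elif kind.endswith("RESULT"):  # RESULT (bind) or SEARCH RESULT
            entry["err"] = int(fields["err"])
            if "nentries" in fields:
                entry["nentries"] = int(fields["nentries"])
    return conns

def normalize_dn(dn):
    """Comparison key: DNs match case-insensitively and ignore space around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def diagnose(conns, known_dns=()):
    """Report err=49 binds (and whether the DN tried is a returned entry) and empty searches."""
    known = {normalize_dn(d) for d in known_dns}
    findings = []
    for conn, ops in sorted(conns.items()):
        for op, e in sorted(ops.items()):
            if e.get("type") == "BIND" and e.get("err") == 49:
                status = "known entry" if normalize_dn(e["dn"]) in known else "NOT a returned entry DN"
                findings.append(f"conn={conn} op={op}: invalid credentials for {e['dn']} ({status})")
            elif e.get("type") == "SRCH" and e.get("nentries") == 0:
                findings.append(f"conn={conn} op={op}: {e['filter']} matched nothing under {e['base']}")
    return findings
```

Run `diagnose(parse_ops(SAMPLE_LOG), [SEARCH_DN])` to get one finding for conn=7 op=2; feeding it the first log in the thread instead reports the search that returned nentries=0.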