PAM-SSH-LDAP problem

Panos panosx13 at gmail.com
Sat Apr 18 05:19:02 UTC 2009


Emiel van de Laar wrote:
>
> On Apr 17, 2009, at 11:04 PM, Panos wrote:
>
>> Hello, I'm trying to set up an LDAP server for authenticating users.
>> I think that the LDAP server is OK,
>> but ssh gives me an error: PAM authentication error, illegal user XXX 
>> from XXX.XXX.XXX.XXX
>> I think that something is wrong when pam-ldap is querying LDAP.
>> First I thought that it was an ACL problem, so I tried something like this 
>> access * by * write
>> full access to all, but nothing.
>> When I'm using phpldapadmin to connect to LDAP I have no problem.
>
> [snip]
>
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from 
>> IP=127.0.0.1:51667 (IP=0.0.0.0:389)
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND 
>> dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND 
>> dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 
>> text=
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH 
>> base="ou=users,dc=something,dc=something,dc=something" scope=2 
>> deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT 
>> tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection 
>> lost)
>
> I suggest you have a look at the LDAP filter.
>
> The log above shows:
>
> (&(?objectClass=possixAccount)(uid=ldap_test))
>
> While I expect something like:
>
> (&(objectClass=possixAccount)(uid=ldap_test))
>
> i.e. remove the '?'.
>
> Regards,
>
>  - Emiel

I know, I found this filter strange, but in my ldap.conf this is the 
filter line:
pam_filter objectclass=possixAccount
So no '?' should be in the filter.
I tried without
pam_filter objectclass=possixAccount
and the only difference in the logs is that instead of
(&(?objectClass=possixAccount)(uid=ldap_test))
I get (uid=ldap_test), but still I can't log in.
Then I tried with the filter shadowAccount,
and here is the output.
It says that it is not indexed, why?

Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from 
IP=127.0.0.1:49379 (IP=0.0.0.0:389)
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND 
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND 
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH 
base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 
filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) 
not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous 
mech=implicit ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND 
dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND 
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND 
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)

Then I tried with this filter:

pam_filter objectclass=*
Again the same error:

Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from 
IP=127.0.0.1:58165 (IP=0.0.0.0:389)
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND 
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND 
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH 
base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 
filter="(&(objectClass=*)(uid=ldap_test))"
Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) 
not indexed
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous 
mech=implicit ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND 
dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND 
dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND 
dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 text=
Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 closed (connection lost)


The strange thing is that the ldapsearch command gives me this:

ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' 
'(&(objectClass=*)(uid=ldap_test))'


# extended LDIF
#
# LDAPv3
# base <ou=users,dc=something,dc=something,dc=something> with scope subtree
# filter: (&(objectClass=*)(uid=ldap_test))
# requesting: ALL
#

dn: cn=ldap_test,dc=something,dc=something,dc=something
cn: ldap_test
FTPDownloadBandwidth: 20
FTPDownloadRatio: 5
FTPQuotaFiles: 50
FTPQuotaMBytes: 20
FTPStatus: enable
FTPUploadBandwidth: 50
FTPUploadRatio: 1
gecos: ldap_test
homeDirectory: /home/ldap/ldap_test
loginShell: /bin/sh
mail: ldap_test at something.something
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: PureFTPdUser
objectClass: radiusprofile
objectClass: shadowAccount
objectClass: top
ou: users
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 2
radiusTunnelType: VLAN
sn: ldap_test
uidNumber: 1003
uid: ldap_test
gidNumber: 1000
userPassword:: XXXXXX

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
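One way to read slapd logs like the ones above systematically, as an added example that is not part of this thread: a small Python script that pairs each SRCH and BIND op with its RESULT line and reports the three conditions visible in the logs (a filter rejected by the server, a search that matches nothing, and the user's own bind returning err=49, which is LDAP invalidCredentials). The sample log lines are constructed from the pattern quoted above, with placeholder DNs.

```python
import re

# Constructed sample, modelled on the slapd lines quoted in this thread
# (DNs replaced by example values); it is not the poster's actual log.
SAMPLE_LOG = """\
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=example,dc=org" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=example,dc=org" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
"""

OP_RE = re.compile(r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) (SEARCH RESULT|RESULT|BIND|SRCH) (.*)$')
NOIDX_RE = re.compile(r'<= \w+_equality_candidates: \((\w+)\) not indexed')
ERR_NAMES = {32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}

def diagnose(log_text):
    """Pair every (pid, conn, op) request with its RESULT line; return findings in log order."""
    requests, findings = {}, []
    for line in log_text.splitlines():
        m = NOIDX_RE.search(line)
        if m:  # slapd hint only: an unindexed attribute slows the lookup, it does not fail it
            findings.append(f"attribute '{m.group(1)}' not indexed; consider 'index {m.group(1)} eq' in slapd.conf")
            continue
        m = OP_RE.search(line)
        if not m:
            continue
        key, kind, rest = m.group(1, 2, 3), m.group(4), m.group(5)
        if kind in ("BIND", "SRCH"):
            # slapd logs the BIND dn twice per op (method= and mech= lines); both carry the same dn
            val = re.search(r'(?:dn|filter)="([^"]*)"', rest)
            if val:
                requests[key] = (kind, val.group(1))
            continue
        req_kind, what = requests.get(key, ("?", ""))
        err = int(re.search(r'err=(\d+)', rest).group(1))
        nentries = re.search(r'nentries=(\d+)', rest)
        text = rest.split("text=", 1)[1].strip() if "text=" in rest else ""
        if req_kind == "SRCH" and text:
            findings.append(f"search filter {what} rejected by slapd: {text}")
        elif req_kind == "SRCH" and nentries and nentries.group(1) == "0":
            findings.append(f"search filter {what} matched no entry under the configured base")
        elif req_kind == "BIND" and err != 0:
            findings.append(f"bind as {what} failed: err={err} ({ERR_NAMES.get(err, 'see RFC 4511')})")
    return findings
```

Run on the sample it reports the unindexed uid hint, the failed user bind with err=49, and the filter that slapd refused to parse, which separates a slow-but-working lookup from the step that actually denies the login.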


