PAM-SSH-LDAP problem

Panos panosx13 at gmail.com
Sat Apr 18 05:51:55 UTC 2009


Benjamin Lee wrote:
> On 04/17/2009 02:04 PM, Panos wrote:
>   
>> Hello, I'm trying to set up an ldap server for authenticating users.
>> I think that the ldap server is ok,
>> but ssh gives me an error: PAM authentication error, illegal user XXX from
>> XXX.XXX.XXX.XXX
>> I think that something is wrong when pam-ldap is querying the ldap.
>> First I thought that it was an acl problem, so I tried something like this:
>> access * by * write
>> full access to all, but nothing.
>> When I'm using phpldapadmin to connect to ldap I have no problem.
>>     
> [...]
>
> Have you enabled ldap in /etc/nsswitch.conf?
>
> You may find it helpful to read through the FreeBSD LDAP Authentication
> article[1].
>
> [1] http://www.freebsd.org/doc/en/articles/ldap-auth/index.html
>
>
>   

Yes, I have done this.
My ldap.conf file:

BASE    dc=something,dc=something,dc=something
URI     ldap://127.0.0.1
ssl start_tls
tls_cacertt /etc/certs/cert.crt

My ldapsearch works fine without TLS. Using TLS (-Z):
ldap_start_tls: Connect error (-11)
But for now I think that this is not the problem; for pam I don't use an
ldaps:// search but ldap, so when I find out what is wrong with pam and
ldap I'll check the certificates.
Although
openssl s_client -port 636
gives this output:

CONNECTED(00000003)
depth=0 /C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx at xxxxxxxxxxxxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx at xxxxxxxxxxxxx
verify return:1
---
Certificate chain
 0 s:/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx at xxxxxxxxxxxxx
   i:/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx at xxxxxxxxxxxxx
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
....
-----END CERTIFICATE-----
subject=/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx at xxxxxxxxxxxxx
issuer=/C=xx/ST=xxxx/L=xxxx/O=xxxx/OU=xxxxe/CN=xxxxxxxxx/emailAddress=xxxxx at xxxxxxxxxxxxx
---
No client certificate CA names sent
---
SSL handshake has read 861 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1240044283
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


My nsswitch.conf file:

group: ldap files
group_compat: nis
hosts: files dns
networks: files
group: ldap files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I also tried:
group:  files ldap
passwd: files ldap


but still nothing.

I've started and restarted nscd many times, but still nothing.
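As an added example (not part of this thread or of FreeBSD), a POSIX sh/awk check that lints an nsswitch.conf for the two things visible in the file posted above: a database listed twice, and no "passwd:" line that consults ldap, which leaves the default (non-ldap) source in use so sshd never sees the LDAP users. The sample content is constructed to mirror the posted file.

```shell
#!/bin/sh
# Added example, not from the thread: lint nsswitch.conf content for
# duplicated databases and for passwd/group not consulting ldap.
# Requires only POSIX sh and awk.

# Constructed sample that mirrors the nsswitch.conf posted in the thread.
SAMPLE_NSSWITCH='group: ldap files
group_compat: nis
hosts: files dns
networks: files
group: ldap files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files'

# check_nsswitch CONTENT
#   Prints one OK/WARN/FAIL line per finding.
#   Returns 0 only if passwd and group each appear once and list ldap.
check_nsswitch() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        {
            db = $1; sub(/:$/, "", db)           # "group:" -> "group"
            seen[db]++
            for (i = 2; i <= NF; i++) src[db, $i] = 1
        }
        END {
            rc = 0
            for (db in seen) if (seen[db] > 1) {
                printf "WARN: database %s listed %d times; was one line meant for another database?\n", db, seen[db]
                rc = 1
            }
            n = split("passwd group", want, " ")
            for (i = 1; i <= n; i++) {
                db = want[i]
                if (!(db in seen))
                    { printf "FAIL: no \"%s:\" line, so the default source (not ldap) is used\n", db; rc = 1 }
                else if (!((db, "ldap") in src))
                    { printf "FAIL: %s does not consult ldap\n", db; rc = 1 }
                else
                    printf "OK: %s -> ldap\n", db
            }
            exit rc
        }'
}

check_nsswitch "$SAMPLE_NSSWITCH" || echo "nsswitch.conf needs attention before debugging pam_ldap"
```

Run against the real file with `check_nsswitch "$(cat /etc/nsswitch.conf)"`; a clean result means the remaining suspects are pam_ldap's own configuration and the TLS setup.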




More information about the freebsd-questions mailing list