From owner-freebsd-questions@FreeBSD.ORG Thu Apr 23 14:55:01 2009
From: Panos
Date: Thu, 23 Apr 2009 17:54:52 +0300
To: Emiel van de Laar
Cc: Benjamin Lee, freebsd-questions@FreeBSD.org
Subject: Re: PAM-SSH-LDAP problem
Message-ID: <49F0813C.1050301@gmail.com>
In-Reply-To: <49E9C4E1.6030908@gmail.com>
References: <49E8EEF9.5090801@gmail.com> <49E96265.7050808@gmail.com> <49E9C4E1.6030908@gmail.com>

Anyone?????

Panos wrote:
> I think I found what the problem is but I don't know how to fix it.
> From the error messages, err=49 means that the password is wrong.
> I'm sure that I type it correctly.
> So I captured traffic using Wireshark.
>
> When the manager tries to bind everything is normal and the bind is
> successful. In the "authentication simple" field of the packet the
> password was the correct one,
> but when ldap_test tries to bind, the password that it sends to the ldap
> server is INCORRECT (0000 08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54
> in the hex field), so the ldap server returns invalid credentials.
>
> I think that this is the problem but I don't have a clue how to solve it.
> I can't understand why it sends an incorrect password, and most
> important, which of ssh, pam, pam_ldap has the problem.
>
> Any ideas?
>
>
> Panos wrote:
>> Emiel van de Laar wrote:
>>>
>>> On Apr 17, 2009, at 11:04 PM, Panos wrote:
>>>
>>>> hello I'm trying to setup an ldap for authenticating users.
>>>> I think that the ldap server is ok
>>>> but ssh gives me an error PAM authentication error illegal user XXX
>>>> from XXX.XXX.XXX.XXX
>>>> I think that something is wrong when pam-ldap is querying the ldap.
>>>> First I thought that it was an acl problem so I tried something like
>>>> this access * by * write
>>>> full access to all but nothing.
>>>> When I'm using phpldapadmin to connect to ldap I have no problem,
>>>
>>> [snip]
>>>
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:51667 (IP=0.0.0.0:389)
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
>>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection lost)
>>>
>>> I suggest you have a look at the LDAP filter.
>>>
>>> The log above shows:
>>>
>>> (&(?objectClass=possixAccount)(uid=ldap_test))
>>>
>>> While I expect something like:
>>>
>>> (&(objectClass=possixAccount)(uid=ldap_test))
>>>
>>> i.e. remove the '?'.
>>>
>>> Regards,
>>>
>>> - Emiel
>>
>> I know, I found this filter strange, but in my ldap.conf this is the
>> filter line.
>> pam_filter objectclass=possixAccount
>> So no ? should be in the filter.
>> I tried without
>> pam_filter objectclass=possixAccount
>> and the only difference in the logs is that instead of
>> (&(?objectClass=possixAccount)(uid=ldap_test))
>> I get (uid=ldap_test), but still I can't log in.
>> Then I tried with the filter shadowAccount
>> and here is the output.
>> It says that it is not indexed, why?
>>
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from IP=127.0.0.1:49379 (IP=0.0.0.0:389)
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
>> Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous mech=implicit ssf=0
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
>> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)
>>
>> Then I tried with this filter
>>
>> pam_filter objectclass=*
>> again the same error
>>
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from IP=127.0.0.1:58165 (IP=0.0.0.0:389)
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 text=
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=*)(uid=ldap_test))"
>> Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous mech=implicit ssf=0
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 text=
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 text=
>> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 closed (connection lost)
>>
>>
>> The strange thing is that the ldapsearch command gives me this:
>>
>> ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' '(&(objectClass=*)(uid=ldap_test))'
>>
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (&(objectClass=*)(uid=ldap_test))
>> # requesting: ALL
>> #
>>
>> dn: cn=ldap_test,dc=something,dc=something,dc=something
>> cn: ldap_test
>> FTPDownloadBandwidth: 20
>> FTPDownloadRatio: 5
>> FTPQuotaFiles: 50
>> FTPQuotaMBytes: 20
>> FTPStatus: enable
>> FTPUploadBandwidth: 50
>> FTPUploadRatio: 1
>> gecos: ldap_test
>> homeDirectory: /home/ldap/ldap_test
>> loginShell: /bin/sh
>> mail: ldap_test@something.something
>> objectClass: inetOrgPerson
>> objectClass: person
>> objectClass: posixAccount
>> objectClass: PureFTPdUser
>> objectClass: radiusprofile
>> objectClass: shadowAccount
>> objectClass: top
>> ou: users
>> radiusTunnelMediumType: IEEE-802
>> radiusTunnelPrivateGroupId: 2
>> radiusTunnelType: VLAN
>> sn: ldap_test
>> uidNumber: 1003
>> uid: ldap_test
>> gidNumber: 1000
>> userPassword:: XXXXXX
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>
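The thread above is a typical pam_ldap debugging session: the slapd log shows a manager bind, a search for the user, then a bind as the user that fails with err=49, plus a "not indexed" warning, and the ldapsearch output shows which objectClass values the entry actually carries (posixAccount, not the possixAccount asserted by the first filter). The following is an added example, not code from the thread, from FreeBSD or from OpenLDAP: a small triage script that groups the quoted slapd log lines by connection, names each failed bind by its RFC 4511 result code, flags searches that returned nothing, turns the equality-candidates warning into the corresponding slapd.conf `index` directive, and checks whether the objectClass values a pam_filter asserts exist on the LDIF entry. The sample log is copied from the quoted messages and the LDIF excerpt is shortened from the ldapsearch output; both are embedded so it runs offline.

```python
"""Triage helpers for slapd log lines and pam_filter/objectClass mismatches.

Added example for this thread, not code from the list or from OpenLDAP.
SAMPLE_LOG is copied from the quoted slapd logs; SAMPLE_LDIF is shortened
from the quoted ldapsearch output.
"""
import re
from collections import defaultdict

# LDAP result codes (RFC 4511) that show up in slapd RESULT lines.
LDAP_RESULT_CODES = {0: "success", 49: "invalidCredentials", 50: "insufficientAccessRights"}

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.*)$")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=\d+')
SRCH_RE = re.compile(r'SRCH base="[^"]*" scope=\d+ deref=\d+ filter="(?P<filter>[^"]*)"')
SEARCH_RESULT_RE = re.compile(r"SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+)(?: text=(?P<text>.*))?")
RESULT_RE = re.compile(r"RESULT tag=\d+ err=(?P<err>\d+)")
NOT_INDEXED_RE = re.compile(r"bdb_equality_candidates: \((?P<attr>\w+)\) not indexed")

SAMPLE_LOG = """\
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 text=
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=value does not conform to assertion syntax
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
"""

SAMPLE_LDIF = """\
dn: cn=ldap_test,dc=something,dc=something,dc=something
cn: ldap_test
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: ldap_test
"""


def parse_slapd_log(lines):
    """Group operations by connection; each op records its DN or filter and its result."""
    conns, warnings, pending = defaultdict(list), [], {}
    for line in lines:
        w = NOT_INDEXED_RE.search(line)
        if w:  # this line carries no conn= / op=, so it is tracked separately
            warnings.append(w.group("attr"))
            continue
        m = CONN_RE.search(line)
        if not m:
            continue  # ACCEPT / closed / mech= lines carry nothing we track
        conn, op, body = int(m.group("conn")), int(m.group("op")), m.group("body")
        b, s = BIND_RE.search(body), SRCH_RE.search(body)
        sr, r = SEARCH_RESULT_RE.search(body), RESULT_RE.search(body)
        if b:
            ev = {"kind": "bind", "op": op, "dn": b.group("dn"), "err": None}
        elif s:
            ev = {"kind": "search", "op": op, "filter": s.group("filter"), "err": None, "nentries": None, "text": ""}
        elif sr:  # must be tested before the generic RESULT line
            ev = pending.pop((conn, op), None)
            if ev:
                ev.update(err=int(sr.group("err")), nentries=int(sr.group("n")), text=sr.group("text") or "")
            continue
        elif r:
            ev = pending.pop((conn, op), None)
            if ev:
                ev["err"] = int(r.group("err"))
            continue
        else:
            continue
        pending[(conn, op)] = ev
        conns[conn].append(ev)
    return dict(conns), warnings


def triage(lines):
    """Return human-readable findings: failed binds, empty searches, index warnings."""
    conns, warnings = parse_slapd_log(lines)
    findings = []
    for conn, events in sorted(conns.items()):
        for ev in events:
            if ev["kind"] == "bind" and ev["err"] not in (None, 0):
                name = LDAP_RESULT_CODES.get(ev["err"], "unknown")
                findings.append(f"conn={conn} op={ev['op']}: BIND as {ev['dn']} failed err={ev['err']} ({name})")
            elif ev["kind"] == "search" and ev["nentries"] == 0:
                why = f" ({ev['text']})" if ev["text"] else ""
                findings.append(f"conn={conn} op={ev['op']}: filter {ev['filter']} matched no entries{why}")
    for attr in sorted(set(warnings)):
        findings.append(f"attribute {attr} is searched by equality but not indexed; add 'index {attr} eq' to slapd.conf")
    return findings


def missing_objectclasses(ldap_filter, ldif_text):
    """objectClass values the filter asserts by equality that the LDIF entry does not carry."""
    wanted = re.findall(r"\(\??objectClass=([^)*]+)\)", ldap_filter, flags=re.IGNORECASE)
    present = {v.strip().lower() for v in re.findall(r"^objectClass:\s*(.+)$", ldif_text, flags=re.MULTILINE)}
    return sorted(oc for oc in wanted if oc.lower() not in present)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
    print(missing_objectclasses("(&(?objectClass=possixAccount)(uid=ldap_test))", SAMPLE_LDIF))
```

Run against the quoted log it reports the empty possixAccount search on conn=0, the err=49 (invalidCredentials) bind as cn=ldap_test on conn=7, and the missing equality index on uid; the objectClass check shows that possixAccount is not among the entry's classes while shadowAccount is, which is consistent with the first search returning nentries=0 and the later ones nentries=1. The parser only understands the log fields that appear in this thread (BIND/SRCH/RESULT with the default slapd loglevel), which is an assumption about the log format rather than a complete grammar of slapd output.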