Date:      Sat, 18 Apr 2009 15:17:37 +0300
From:      Panos <panosx13@gmail.com>
To:        Emiel van de Laar <emiel@vandelaar.name>
Cc:        Benjamin Lee <ben@b1c1l1.com>, freebsd-questions@FreeBSD.org
Subject:   Re: PAM-SSH-LDAP problem
Message-ID:  <49E9C4E1.6030908@gmail.com>
In-Reply-To: <49E96265.7050808@gmail.com>
References:  <49E8EEF9.5090801@gmail.com> <A801857E-A18F-461C-95EB-6A6149AFE731@vandelaar.name> <49E96265.7050808@gmail.com>

I think I found what the problem is, but I don't know how to fix it.
From the error messages, err=49 means that the password is wrong.
I'm sure that I type it correctly.
So I captured traffic using Wireshark.

When the manager tries to bind, everything is normal and the bind is
successful. In the "authentication: simple" field of the packet the password
was the correct one,
but when ldap_test tries to bind, the password that it sends to the LDAP
server is INCORRECT (0000   08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54   in the
hex field), so the LDAP server returns invalid credentials.

I think that this is the problem, but I don't have a clue how to solve it.
I can't understand why it sends an incorrect password, and most importantly
which of ssh, pam, pam_ldap has the problem.

Any ideas?


Panos wrote:
> Emiel van de Laar wrote:
>>
>> On Apr 17, 2009, at 11:04 PM, Panos wrote:
>>
>>> Hello, I'm trying to set up LDAP for authenticating users.
>>> I think that the LDAP server is OK,
>>> but ssh gives me an error: PAM authentication error, illegal user XXX 
>>> from XXX.XXX.XXX.XXX
>>> I think that something is wrong when pam-ldap is querying the LDAP.
>>> First I thought that it was an ACL problem, so I tried something like this:
>>> access * by * write
>>> full access to all, but nothing.
>>> When I'm using phpLDAPadmin to connect to LDAP I have no problem.
>>
>> [snip]
>>
>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 ACCEPT from 
>>> IP=127.0.0.1:51667 (IP=0.0.0.0:389)
>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND 
>>> dn="cn=manager,dc=something,dc=something,dc=something" method=128
>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 BIND 
>>> dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE 
>>> ssf=0
>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=0 RESULT tag=97 err=0 
>>> text=
>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SRCH 
>>> base="ou=users,dc=something,dc=something,dc=something" scope=2 
>>> deref=0 filter="(&(?objectClass=possixAccount)(uid=ldap_test))"
>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 op=1 SEARCH RESULT 
>>> tag=101 err=0 nentries=0 text=value does not conform to assertion 
>>> syntax
>>> Apr 18 00:01:05 FreeBSD slapd[1336]: conn=0 fd=11 closed (connection 
>>> lost)
>>
>> I suggest you have a look at the LDAP filter.
>>
>> The log above shows:
>>
>> (&(?objectClass=possixAccount)(uid=ldap_test))
>>
>> While I expect something like:
>>
>> (&(objectClass=possixAccount)(uid=ldap_test))
>>
>> i.e. remove the '?'.
>>
>> Regards,
>>
>>  - Emiel
>
> I know, I found this filter strange, but in my ldap.conf this is the 
> filter line:
> pam_filter objectclass=possixAccount
> So no '?' should be in the filter.
> I tried without
> pam_filter objectclass=possixAccount
> and the only difference in the logs is that instead of
> (&(?objectClass=possixAccount)(uid=ldap_test))
> I get (uid=ldap_test), but still I can't log in.
> Then I tried with the filter shadowAccount,
> and here is the output.
> It says that it is not indexed. Why?
>
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from 
> IP=127.0.0.1:49379 (IP=0.0.0.0:389)
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND 
> dn="cn=manager,dc=something,dc=something,dc=something" method=128
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND 
> dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH 
> base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 
> filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
> Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) 
> not indexed
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND anonymous 
> mech=implicit ssf=0
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND 
> dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" 
> method=128
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 
> text=
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND 
> dn="cn=manager,dc=something,dc=something,dc=something" method=128
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 BIND 
> dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=3 RESULT tag=97 err=0 text=
> Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)
>
> Then I tried with this filter:
>
> pam_filter objectclass=*
> Again the same error:
>
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 ACCEPT from 
> IP=127.0.0.1:58165 (IP=0.0.0.0:389)
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND 
> dn="cn=manager,dc=something,dc=something,dc=something" method=128
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 BIND 
> dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=0 RESULT tag=97 err=0 
> text=
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SRCH 
> base="ou=users,dc=something,dc=something,dc=something" scope=2 deref=0 
> filter="(&(objectClass=*)(uid=ldap_test))"
> Apr 18 08:07:28 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) 
> not indexed
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=1 SEARCH RESULT tag=101 
> err=0 nentries=1 text=
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND anonymous 
> mech=implicit ssf=0
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 BIND 
> dn="cn=ldap_test,ou=users,dc=something,dc=something,dc=something" 
> method=128
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=2 RESULT tag=97 err=49 
> text=
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND 
> dn="cn=manager,dc=something,dc=something,dc=something" method=128
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 BIND 
> dn="cn=manager,dc=something,dc=something,dc=something" mech=SIMPLE ssf=0
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 op=3 RESULT tag=97 err=0 
> text=
> Apr 18 08:07:28 FreeBSD slapd[593]: conn=13 fd=11 closed (connection 
> lost)
>
>
> The strange thing is that the ldapsearch command gives me this:
>
> ldapsearch -x -b 'ou=users,dc=something,dc=something,dc=something' 
> '(&(objectClass=*)(uid=ldap_test))'
>
>
> # extended LDIF
> #
> # LDAPv3
> # base <ou=users,dc=something,dc=something,dc=something> with scope 
> subtree
> # filter: (&(objectClass=*)(uid=ldap_test))
> # requesting: ALL
> #
>
> dn: cn=ldap_test,dc=something,dc=something,dc=something
> cn: ldap_test
> FTPDownloadBandwidth: 20
> FTPDownloadRatio: 5
> FTPQuotaFiles: 50
> FTPQuotaMBytes: 20
> FTPStatus: enable
> FTPUploadBandwidth: 50
> FTPUploadRatio: 1
> gecos: ldap_test
> homeDirectory: /home/ldap/ldap_test
> loginShell: /bin/sh
> mail: ldap_test@something.something
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: posixAccount
> objectClass: PureFTPdUser
> objectClass: radiusprofile
> objectClass: shadowAccount
> objectClass: top
> ou: users
> radiusTunnelMediumType: IEEE-802
> radiusTunnelPrivateGroupId: 2
> radiusTunnelType: VLAN
> sn: ldap_test
> uidNumber: 1003
> uid: ldap_test
> gidNumber: 1000
> userPassword:: XXXXXX
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
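The slapd log excerpts in this thread show the pam_ldap pattern of a manager bind, a search for the uid, then a bind as the found user, with the user bind returning err=49. The script below is an added example (not from the thread or from pam_ldap) that pairs each BIND with its RESULT per connection and flags invalid-credentials binds and unindexed attributes; the log lines and DNs in it are constructed to match the shape quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the slapd log quoted in the thread
# (times and DNs are placeholders, not from a real directory).
SAMPLE_LOG = """\
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 ACCEPT from IP=127.0.0.1:49379 (IP=0.0.0.0:389)
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 BIND dn="cn=manager,dc=example,dc=org" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=0 RESULT tag=97 err=0 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SRCH base="ou=users,dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ldap_test))"
Apr 18 07:54:13 FreeBSD slapd[593]: <= bdb_equality_candidates: (uid) not indexed
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 BIND dn="cn=ldap_test,ou=users,dc=example,dc=org" method=128
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 op=2 RESULT tag=97 err=49 text=
Apr 18 07:54:13 FreeBSD slapd[593]: conn=7 fd=11 closed (connection lost)
"""

# The "method=" suffix selects the BIND line that carries the DN (not the mech=SIMPLE repeat).
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
# tag=97 is a BindResponse; SEARCH RESULT lines use tag=101 and are skipped.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
UNINDEXED_RE = re.compile(r'<= \w+_equality_candidates: \((\w+)\) not indexed')

def analyse(log_text):
    """Return ({conn: [(bind_dn, err), ...]}, {unindexed attribute names})."""
    binds = {}                    # (conn, op) -> DN that tried to bind
    conns = defaultdict(list)     # conn -> ordered (dn, err) results
    unindexed = set()
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in binds:
            conns[m.group(1)].append((binds[(m.group(1), m.group(2))], int(m.group(3))))
            continue
        m = UNINDEXED_RE.search(line)
        if m:
            unindexed.add(m.group(1))
    return dict(conns), unindexed

def failed_user_binds(conns):
    """DNs whose bind returned err=49 (LDAP invalidCredentials)."""
    return [dn for ops in conns.values() for dn, err in ops if err == 49]

if __name__ == "__main__":
    conns, unindexed = analyse(SAMPLE_LOG)
    for dn in failed_user_binds(conns):
        print("invalid credentials for", dn)
    for attr in sorted(unindexed):
        print("attribute searched without an equality index:", attr)
```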