From: Benjamin J Doherty <bjd@pobox.com>
To: freebsd-questions@freebsd.org
Date: Thu, 12 May 2005 17:11:03 -0500
Subject: baffled by pam_ldap
Message-Id: <4641B75A-1B28-4319-89FB-F92BFFB57E9A@pobox.com>
List-Id: User questions (freebsd-questions)

Friends,

I've been struggling with pam_ldap for three days now and cannot see what I am doing wrong. I'm trying to use OpenLDAP for authentication, though I threw nss_ldap in for good measure. What's so baffling to me is that I can add a new user to the directory and verify its existence using "id", but SSH refuses to bind.
Here's an excerpt from my /var/log/auth.log:

    May 12 16:46:28 static-host sshd[53253]: Illegal user testuser from 192.168.1.150
    May 12 16:46:28 static-host sshd[53253]: Failed none for illegal user testuser from 192.168.1.150 port 53074 ssh2
    May 12 16:46:28 static-host sshd[53255]: pam_ldap: error trying to bind (Invalid credentials)

The debug log from pam_ldap says this:

    ldap_create
    ldap_url_parse_ext(ldapi://%2fvar%2frun%2fopenldap%2fldapi/)
    ldap_simple_bind
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection
    ldap_int_open_connection
    ldap_connect_to_path
    ldap_new_socket: 9
    ldap_connect_to_path: Trying /var/run/openldap/ldapi
    ldap_connect_timeout: fd: 9 tm: 30 async: 0
    ldap_ndelay_on: 9
    ldap_ndelay_off: 9
    ldap_open_defconn: successful
    ldap_send_server_request
    ber_flush: 59 bytes to sd 9
    ldap_result msgid 1
    ldap_chkResponseList for msgid=1, all=0
    ldap_chkResponseList returns NULL
    wait4msg (timeout 30 sec, 0 usec), msgid 1
    wait4msg continue, msgid 1, all 0
    ldap_chkResponseList for msgid=1, all=0
    ldap_chkResponseList returns NULL
    ldap_int_select
    read1msg: msgid 1, all 0
    ber_get_next
    ber_get_next: tag 0x30 len 12 contents:
    ldap_read: message type bind msgid 1, original id 1
    ber_scanf fmt ({iaa) ber:
    ldap_msgfree
    ldap_err2string

and the second log created at the same time says:

    (identical to the previous log up to ldap_msgfree)
    ber_scanf fmt ({iaa}) ber:
    ldap_chase_referrals
    read1msg: V2 referral chased, mark request completed, id = 1
    new result: res_errno: 49, res_error: <>, res_matched: <>
    read1msg: 0 new referrals
    read1msg: mark request completed, id = 1
    request 1 done
    res_errno: 49, res_error: <>, res_matched: <>
    ldap_free_request (origid 1, msgid 1)
    ldap_free_connection
    ldap_free_connection: refcnt 1
    ldap_parse_result
    ber_scanf fmt ({iaa) ber:
    ber_scanf fmt (}) ber:
    ldap_msgfree
    ldap_err2string

I'm guessing that this means that I can bind with my binddn but not with the uid=testuser.
Meanwhile, nss_ldap seems to be working correctly, because an id on the same user returns:

    uid=1003(testuser) gid=0(wheel) groups=0(wheel)

The nss_ldap.conf is symlinked to ldap.conf, which looks like this:

    host 127.0.0.1
    base dc=swyc,dc=org
    uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
    ldap_version 3
    binddn cn=proxyuser,dc=swyc,dc=org
    bindpw secret
    rootbinddn cn=Manager,dc=swyc,dc=org
    scope sub
    timelimit 30
    bind_timelimit 30
    bind_policy hard
    idle_timelimit 3600
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_member_attribute memberUid
    pam_password SSHA
    nss_base_passwd ou=People,dc=swyc,dc=org?one
    nss_base_group ou=Group,dc=swyc,dc=org?one

I can run ldapsearch and get the right data back:

    ldapsearch -H "ldapi://%2fvar%2frun%2fopenldap%2fldapi/" -x -W -D "cn=proxyuser,dc=swyc,dc=org" "(&(objectClass=posixAccount)(uid=testuser))"

    dn: uid=testuser,ou=People,dc=swyc,dc=org
    uid: testuser
    cn: test user
    homeDirectory: /home/testuser
    uidNumber: 1003
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    gidNumber: 0
    gecos: test user
    shadowLastChange: 12915
    sn: testuser
    userPassword:: e1NTSEF9clM2c0xnR3dtSW5ybzNNUFUra0N2WFoydFZJUVZ0ZFE=
    loginShell: /bin/sh

I'm a complete openldap neophyte, biting off more than I can chew for sure. However, I just know that if I don't get a directory operating now, I'll wish I had done it later, especially since my next project is to get open-xchange running.

I apologize for pasting a bunch of logs into this message, but I've been staring at them all day. If you can tell me what should have caught my attention, that would be very helpful!

Cheers,
benjamin doherty
chicago illinois
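The "error trying to bind (Invalid credentials)" line is LDAP result code 49, which the slapd side returns when the simple bind password does not verify against the entry's userPassword. The ldapsearch output above shows that value stored as an {SSHA} hash (the "::" in LDIF means the value is base64-encoded). A useful sanity check when chasing a result-49 bind failure is to verify, offline, that a password you believe is set actually matches the stored hash, which separates "wrong or stale password in the directory" from "pam_ldap is never binding as the user at all". The following is an added example, not code from the original post or from pam_ldap or OpenLDAP; it decodes the LDIF line exactly as printed above, splits the SSHA blob into digest and salt, and verifies a candidate password the way slapd does. (Note that the "pam_password SSHA" setting in ldap.conf governs how pam_ldap writes a new hash on password change, not how a login bind is checked; the server does that.)

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The userPassword line exactly as ldapsearch printed it in the post above.
LDIF_USERPASSWORD = "userPassword:: e1NTSEF9clM2c0xnR3dtSW5ybzNNUFUra0N2WFoydFZJUVZ0ZFE="

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def decode_ldif_value(line: str) -> bytes:
    """Return the raw attribute value from one LDIF line.

    'attr:: <base64>' carries a base64-encoded value (binary or non-safe
    characters); 'attr: <text>' carries the value literally.
    """
    _attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()


def split_ssha(stored: bytes) -> Tuple[bytes, bytes]:
    """Split '{SSHA}<base64(sha1(pw || salt) || salt)>' into (digest, salt)."""
    if not stored.startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value (scheme prefix is %r)" % stored[:8])
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("SSHA blob too short to contain a salt")
    # OpenLDAP appends the salt after the 20-byte SHA-1 digest; salt length varies.
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> bytes:
    """Produce an {SSHA} value in the same layout slapd/slappasswd use.

    A 4-byte random salt is generated when none is supplied (constructed
    here for the example; slappasswd picks its own salt length).
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def verify_ssha(password: str, stored: bytes) -> bool:
    """Check a candidate password against a stored {SSHA} value.

    Mirrors the server-side check that yields result code 49 on mismatch.
    """
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare, as a verifier should use for digests
    return hmac.compare_digest(candidate, digest)


def describe_stored_value(line: str) -> dict:
    """Summarise what the directory actually holds for a userPassword line."""
    raw = decode_ldif_value(line)
    digest, salt = split_ssha(raw)
    return {"scheme": "SSHA", "digest_len": len(digest), "salt_len": len(salt)}


if __name__ == "__main__":
    print(describe_stored_value(LDIF_USERPASSWORD))
    # Constructed check: hash a known password, then verify it round-trips.
    sample = make_ssha("example-password")
    print("match:", verify_ssha("example-password", sample))
    print("mismatch:", verify_ssha("something-else", sample))
```

Run it against the userPassword line copied from your own ldapsearch output and call verify_ssha() with the password you expect testuser to have; a False there means the directory's hash is the problem, while a True means the bind failure is happening before the password is ever compared (wrong DN, wrong attribute for pam_login_attribute, or the bind going out as a different identity).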