Date:      Thu, 12 May 2005 17:11:03 -0500
From:      Benjamin J Doherty <bjd@pobox.com>
To:        freebsd-questions@freebsd.org
Subject:   baffled by pam_ldap
Message-ID:  <4641B75A-1B28-4319-89FB-F92BFFB57E9A@pobox.com>



Friends,

I've been struggling with pam_ldap for three days now and cannot see what I am doing wrong. I'm trying to use OpenLDAP for authentication, though I threw nss_ldap in for good measure. What's so baffling to me is that I can add a new user to the directory and verify its existence using "id" but SSH refuses to bind.

Here's an excerpt from my /var/log/auth.log:

May 12 16:46:28 static-host sshd[53253]: Illegal user testuser from 192.168.1.150
May 12 16:46:28 static-host sshd[53253]: Failed none for illegal user testuser from 192.168.1.150 port 53074 ssh2
May 12 16:46:28 static-host sshd[53255]: pam_ldap: error trying to bind (Invalid credentials)

The debug log from pam_ldap says this:

ldap_create
ldap_url_parse_ext(ldapi://%2fvar%2frun%2fopenldap%2fldapi/)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 9
ldap_connect_to_path: Trying /var/run/openldap/ldapi
ldap_connect_timeout: fd: 9 tm: 30 async: 0
ldap_ndelay_on: 9
ldap_ndelay_off: 9
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 59 bytes to sd 9
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ldap_msgfree
ldap_err2string

and the second log created at the same time says:

(identical to the previous log up to ldap_msgfree)
ber_scanf fmt ({iaa}) ber:
ldap_chase_referrals
read1msg:  V2 referral chased, mark request completed, id = 1
new result:  res_errno: 49, res_error: <>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string

I'm guessing that this means that I can bind with my binddn but not with the uid=testuser.

Meanwhile, nss_ldap seems to be working correctly, because an id on the same user returns:

uid=1003(testuser) gid=0(wheel) groups=0(wheel)

The nss_ldap.conf is symlinked to ldap.conf, which looks like this:

host 127.0.0.1
base dc=swyc,dc=org
uri ldapi://%2fvar%2frun%2fopenldap%2fldapi/
ldap_version 3
binddn cn=proxyuser,dc=swyc,dc=org
bindpw secret
rootbinddn cn=Manager,dc=swyc,dc=org
scope sub
timelimit 30
bind_timelimit 30
bind_policy hard
idle_timelimit 3600
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password SSHA
nss_base_passwd         ou=People,dc=swyc,dc=org?one
nss_base_group          ou=Group,dc=swyc,dc=org?one

I can run ldapsearch and get the right data back:

ldapsearch -H "ldapi://%2fvar%2frun%2fopenldap%2fldapi/" -x -W -D "cn=proxyuser,dc=swyc,dc=org" "(&(objectClass=posixAccount)(uid=testuser))"

dn: uid=testuser,ou=People,dc=swyc,dc=org
uid: testuser
cn: test user
homeDirectory: /home/testuser
uidNumber: 1003
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
gidNumber: 0
gecos: test user
shadowLastChange: 12915
sn: testuser
userPassword:: e1NTSEF9clM2c0xnR3dtSW5ybzNNUFUra0N2WFoydFZJUVZ0ZFE=
loginShell: /bin/sh

I'm a complete openldap neophyte, biting off more than I can chew for sure. However, I just know that if I don't get a directory operating now, I'll wish I had done it later, especially since my next project is to get open-xchange running. I apologize for pasting a bunch of logs into this message, but I've been staring at them all day. If you can tell me what should have caught my attention, that would be very helpful!

Cheers,

benjamin doherty
chicago illinois
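Added example, not part of the original message or of pam_ldap/OpenLDAP: the `userPassword::` line in the ldapsearch output above uses LDIF's double-colon form, meaning the value is base64-encoded, and the decoded value is an RFC 2307 `{SSHA}` hash (the scheme the poster's `pam_password SSHA` setting refers to). The script below parses an LDIF excerpt modelled on the posted entry (the LDIF text is constructed here from that entry), decodes the attribute, reports the password scheme and salt length without needing the password, flags entries stored in cleartext, and shows the salted-SHA-1 layout (20-byte SHA-1 digest of password+salt, followed by the salt) that a server checks on a simple bind. The SSHA layout and the `parse_ldif_entry`/`inspect_userpassword`/`ssha_verify` names are this example's own; the hash value is the one printed in the post.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed LDIF excerpt modelled on the entry in the post; the
# userPassword value is the one shown in the poster's ldapsearch output.
LDIF = """dn: uid=testuser,ou=People,dc=swyc,dc=org
uid: testuser
objectClass: posixAccount
userPassword:: e1NTSEF9clM2c0xnR3dtSW5ybzNNUFUra0N2WFoydFZJUVZ0ZFE=
loginShell: /bin/sh
"""

SSHA_DIGEST_LEN = 20  # SHA-1 output size


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [value bytes, ...]}.
    Per RFC 2849, 'attr:: value' means the value is base64-encoded."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        name, sep, raw = m.groups()
        value = base64.b64decode(raw) if sep == "::" else raw.encode()
        attrs.setdefault(name, []).append(value)
    return attrs


def inspect_userpassword(value):
    """Return (scheme, digest_len, salt_len) for an RFC 2307 userPassword.
    A scheme of None means the directory stores the password in cleartext,
    which an audit of a user base should flag."""
    m = re.match(rb"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return None, len(value), 0
    scheme = m.group(1).decode().upper()
    if scheme in ("SSHA", "SHA", "SMD5", "MD5"):
        blob = base64.b64decode(m.group(2))
        digest_len = SSHA_DIGEST_LEN if "SHA" in scheme else 16
        return scheme, digest_len, max(0, len(blob) - digest_len)
    # {CRYPT}, {CLEARTEXT} and others: report the raw payload length only
    return scheme, len(m.group(2)), 0


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def ssha_verify(password, stored):
    """Check a candidate password against a {SSHA} value, the way a
    directory server does for a simple bind. Constant-time compare."""
    scheme, _, _ = inspect_userpassword(stored)
    if scheme != "SSHA":
        return False
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = blob[:SSHA_DIGEST_LEN], blob[SSHA_DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_entry(attrs):
    """Summarise how each userPassword value of an entry is stored."""
    report = []
    for value in attrs.get("userPassword", []):
        scheme, digest_len, salt_len = inspect_userpassword(value)
        report.append({
            "scheme": scheme or "CLEARTEXT",
            "digest_len": digest_len,
            "salt_len": salt_len,
            "salted": salt_len > 0,
        })
    return report


if __name__ == "__main__":
    entry = parse_ldif_entry(LDIF)
    print(entry["dn"][0].decode(), audit_entry(entry))
    # Round-trip with a constructed password to show the layout end to end
    h = ssha_hash("example-password")
    print(h, ssha_verify("example-password", h), ssha_verify("other", h))
```

Running the script reports the posted entry as `{SSHA}` with a 20-byte digest and a 4-byte salt; the same `inspect_userpassword` check over a full `ldapsearch` dump is a quick way to spot accounts whose password attribute was loaded without a scheme prefix.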