Date:      Wed, 23 Feb 2011 21:59:23 +0200
From:      Valentin Bud <valentin.bud@gmail.com>
To:        Tim Dunphy <bluethundr@gmail.com>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: openldap problems authenticating
Message-ID:  <AANLkTikiN01TO1%2Ba4eAjbrpgYbR24XV7MOCrmi5y6sXO@mail.gmail.com>
In-Reply-To: <AANLkTim4nD2ae_xVCCx5DwPv3xK0x8HsTsAD1NQNOFto@mail.gmail.com>
References:  <AANLkTim4nD2ae_xVCCx5DwPv3xK0x8HsTsAD1NQNOFto@mail.gmail.com>

On Wed, Feb 23, 2011 at 12:47 AM, Tim Dunphy <bluethundr@gmail.com> wrote:

> Hello list,
>
> I am running an openldap 2.4 server under FreeBSD that was working
> well until the config was tweaked by someone on the team without
> properly documenting their work.
>
> # /usr/local/etc/ldap.con on ldap server (FreeBSD 8.1)
>
> host LBSD.summitnjhome.com
> base dc=summitnjhome,dc=com
> sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw {SSHA}secret
> scope sub
> pam_password exop
> nss_base_passwd ou=staff,dc=summitnjhome,dc=com
> nss_base_shadow ou=staff,dc=summitnjhome,dc=com
>
>
> # grep for ldap account shows ldap account on the ldap server itself
> succeeds
>
> [root@LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
> walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
> [root@LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
> [root@LBSD2:/usr/local/etc/openldap] #
>
> # /etc/ldap.conf on ldap client (centos 5.5)
>
> host LBSD2.summitnjhome.com
> base dc=summitnjhome,dc=com
> sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
> binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> bindpw {crypt}secret
> scope sub
> pam_password exop
> nss_base_passwd ou=staff,dc=summitnjhome,dc=com
> nss_base_shadow ou=staff,dc=summitnjhome,dc=com
>
> # grep getent passwd for ldap account on the client: nothing turns up
> after a long pause
>
>
> [root@LCENT01:~] #getent passwd | grep walbs
> [root@LCENT01:~] #
>
>
> # nsswitch on the client
>
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> sudoers:    ldap
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
>
> # this is what's going on in the logs on the ldap server during the
> getent from the client
>
> Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49
> text=
> Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
> Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from
> IP=192.168.1.42:53811 (IP=192.168.1.44:389)
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND
> dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49
> text=
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
> Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
>
> #ldap search from the client as the pam services account is able to
> locate the ldap user info
>
> [root@LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' \
>   -D 'cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com' -w 'secret' \
>   -b 'dc=summitnjhome,dc=com' '(uid=walbs)'
> # extended LDIF
> #
> # LDAPv3
> # base <dc=summitnjhome,dc=com> with scope subtree
> # filter: (uid=walbs)
> # requesting: ALL
> #
>
> # walbs, People, summitnjhome.com
> dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
> uid: walbs
> cn: Walkiria Soares
> givenName: Walkiria
> sn: Soares
> mail: walbs@example.com
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> uidNumber: 1002
> gidNumber: 1003
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> #pam_ldap services account in the ldap directory
>
> 3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
> cn: pam_ldap
> objectClass: top
> objectClass: inetOrgPerson
> sn: PAM
> userPassword: {SSHA}secret
>
>
> I have also tried doing anonymous binds on the client as well as using
> plain text passwords. I get the same tag=97 err=49 messages on the
> client either way.
>
> Some advice is sorely needed here. Thank you very kindly in advance!
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe@freebsd.org"
>

Hello Tim,

 First of all: an err=49 message in LDAP logs means some kind of invalid
credentials (user or password, or TLS, but this is not the case).

 After reading the mail a few times I have noticed something strange:

host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
*bindpw {SSHA}secret*

and on the client:

host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
*bindpw {crypt}secret*

I honestly have to say that I have never seen the password entry in
ldap.conf preceded by the algorithm used to encrypt it.

Anyway, logs are no liars, so you should double-check the user/password
combination in the config files. This is backed up by the fact that the direct
ldapsearch from the CLI works. For sure, on the CLI you enter the correct password.

my 7c,
v
-- 
network warrior
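A worked illustration of the bind check Valentin is pointing at, added here as an example; it is not code from the thread or from OpenLDAP. It re-implements the RFC 2307 {SSHA} scheme (base64 of sha1(password || salt) followed by the salt) so the server side of a simple bind can be run offline. The salt bytes and the password "secret" are constructed placeholders; the point is that slapd re-hashes whatever cleartext the client sends, so a `bindpw {SSHA}...` line, which makes pam_ldap/nss_ldap send the hash string itself, can only ever produce err=49.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Added example, not code from the thread or from OpenLDAP. The salt passed
# in below and the password "secret" are constructed placeholders.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} userPassword value, as slappasswd -h '{SSHA}' would."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Mirror the server side of a simple bind against a {SSHA} value.

    slapd never decrypts the stored value; it re-hashes the cleartext the
    client sent with the salt recovered from the stored value and compares
    digests. Anything that is not the original cleartext therefore fails.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def simulate_bindpw(stored: str, cleartext: str) -> Dict[str, int]:
    """Outcome of the two bindpw styles from the thread as LDAP result codes.

    0 = success, 49 = invalidCredentials (the err=49 in the slapd log).
    A 'bindpw {SSHA}...' line makes the client send the hash string itself
    as the password; that is what the second attempt models.
    """
    attempts = {
        "bindpw <cleartext>": cleartext,
        "bindpw {SSHA}<hash>": stored,
    }
    return {label: (0 if ssha_verify(stored, pw) else 49)
            for label, pw in attempts.items()}


if __name__ == "__main__":
    stored = ssha_hash("secret", salt=b"\x01\x02\x03\x04")  # constructed salt
    print(stored)
    print(simulate_bindpw(stored, "secret"))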



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTikiN01TO1%2Ba4eAjbrpgYbR24XV7MOCrmi5y6sXO>