Date:      Tue, 03 Jul 2007 20:14:25 +0200
From:      Eric Masson <emss@free.fr>
To:        Mailing List FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject:   pam_ldap issues
Message-ID:  <86sl85tkvy.fsf@srvbsdnanssv.interne.kisoft-services.com>

Hello,

I'm trying to set up authentication via an LDAP directory on a 6.2-p5 box.
id queries about an LDAP-defined user, run as root or as a locally defined
user, work fine:

admin@box:~> id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)

root@box:~> id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)

testuser can't log on to the box (authentication failed). The following
message pops up on the console:
Jul  3 19:08:03 box login: pam_ldap: error trying to bind as user "cn=testuser,ou=people,dc=interne,dc=example,dc=org" (Invalid credentials)

OpenLDAP logs an error 49 (see attached file).

It seems that NSS works but not PAM.

LDAP-related configuration follows:

</usr/local/etc/ldap.conf>
base dc=interne,dc=example,dc=org
uri ldap://127.0.0.1:389/

logdir /var/log/ldap
#debug 256

timeout 5
bind_timeout 5
bind_policy soft

rootbinddn cn=Manager,dc=interne,dc=example,dc=org

nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
nss_base_group ou=groups,dc=interne,dc=example,dc=org?one
</usr/local/etc/ldap.conf>

</usr/local/etc/openldap/slapd.conf>
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/nis.schema
include		/usr/local/etc/openldap/schema/samba.schema

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

modulepath	/usr/local/libexec/openldap
moduleload	back_bdb

access to dn.base=""
		by self write
		by * auth

access to attrs=userPassword
		by self write
		by * auth

access to attrs=shadowLastChange
		by self write
		by * auth

access to *
		by * read
		by anonymous auth

schemacheck	on
idletimeout	30
backend		bdb
database	bdb

suffix		"dc=interne, dc=example, dc=org"
rootdn		"cn=Manager, dc=interne, dc=example, dc=org"

rootpw		password

checkpoint	1024 5
cachesize	10000

directory	/var/db/openldap-data

# Indices to maintain
index	objectClass		eq
index	cn			pres,sub,eq
index	sn			pres,sub,eq
index	uid			pres,sub,eq
index	displayName		pres,sub,eq
index	uidNumber		eq
index	gidNumber		eq
index	memberUID		eq
index	sambaSID		eq
index	sambaPrimaryGroupSID	eq
index	sambaDomainName		eq
index	default			sub
</usr/local/etc/openldap/slapd.conf>

</etc/pam.d/system>
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
#account 	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session 	optional	pam_ssh.so
session		required	pam_lastlog.so		no_fail

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass
</etc/pam.d/system>

</etc/nsswitch.conf>
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
</etc/nsswitch.conf>

The directory has been initialized with the following LDIF file:

<init.ldif>
dn: dc=interne,dc=example,dc=org
dc: interne
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: interne.example.fr
structuralObjectClass: domain

dn: ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit

dn: ou=people,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit

dn: cn=testuser,ou=people,dc=interne,dc=example,dc=org
cn: testuser
sn: Dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
userPassword: testuser
uidNumber: 2000
gidNumber: 2000
gecos: Test User
loginShell: /bin/csh
homeDirectory: /home/test
structuralObjectClass: person

dn: cn=test,ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 2000
memberUid: test
structuralObjectClass: posixGroup
</init.ldif>

This is driving me nuts.

Does anyone have an idea?

TIA

Regards

-- 
 JMM> (padfonetik) unless I'm mistaken, we are not on IRC
 my fiancée wants me to avoid writing on the computer, so I do it
 secretly, or at least as quickly as possible
 -+- JC in www.le-gnu.net : Too much in bed to be on the net -+-

<ldap.log>

Jul  3 19:01:00 box slapd[1414]: slapd starting
Jul  3 19:01:05 box slapd[1414]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:50293 (IP=0.0.0.0:389)
Jul  3 19:01:05 box slapd[1414]: conn=0 op=0 BIND dn="" method=128
Jul  3 19:01:05 box slapd[1414]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul  3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul  3 19:01:05 box slapd[1414]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=0 op=2 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:05 box slapd[1414]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul  3 19:01:05 box slapd[1414]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=0 op=3 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:05 box slapd[1414]: conn=0 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul  3 19:01:05 box slapd[1414]: conn=0 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=1 fd=14 ACCEPT from IP=127.0.0.1:62723 (IP=0.0.0.0:389)
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul  3 19:01:05 box slapd[1414]: conn=1 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(uid=testuser)"
Jul  3 19:01:05 box slapd[1414]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=1 op=2 BIND anonymous mech=implicit ssf=0
Jul  3 19:01:05 box slapd[1414]: conn=1 op=2 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:05 box slapd[1414]: conn=1 op=2 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:05 box slapd[1414]: conn=1 op=2 RESULT tag=97 err=0 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 BIND anonymous mech=implicit ssf=0
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 BIND dn="cn=testuser,ou=people,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 RESULT tag=97 err=49 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 RESULT tag=97 err=0 text=
Jul  3 19:01:06 box slapd[1414]: conn=0 op=4 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:06 box slapd[1414]: conn=0 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul  3 19:01:06 box slapd[1414]: conn=0 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=5 UNBIND
Jul  3 19:01:06 box slapd[1414]: conn=1 fd=14 closed
Jul  3 19:01:44 box slapd[1414]: conn=0 fd=11 closed (idletimeout)

</ldap.log>

Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?86sl85tkvy.fsf>
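Added illustration, not part of the original post or of the pam_ldap or OpenLDAP projects: when reading a slapd log like the attached ldap.log, the useful step is to pair every BIND with the RESULT of the same conn/op and decode the err code, because that separates "the directory rejected this identity's password" (a non-zero err on the user's own bind) from ACL, search or connectivity problems (which show up on SRCH/SEARCH RESULT lines or as other codes). The sample lines below are copied from the attachment above; the result-code names are the standard LDAP ones (RFC 4511), and tag=97 is the BER tag of a BindResponse.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Abridged lines from the ldap.log attached to the message above.
SAMPLE_LOG = """\
Jul  3 19:01:05 box slapd[1414]: conn=0 op=0 BIND dn="" method=128
Jul  3 19:01:05 box slapd[1414]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul  3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul  3 19:01:05 box slapd[1414]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:05 box slapd[1414]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 BIND anonymous mech=implicit ssf=0
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 BIND dn="cn=testuser,ou=people,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:06 box slapd[1414]: conn=1 op=3 RESULT tag=97 err=49 text=
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul  3 19:01:06 box slapd[1414]: conn=1 op=4 RESULT tag=97 err=0 text=
"""

# Standard LDAP resultCode values (RFC 4511) that matter for bind triage.
LDAP_RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
BIND_DN_RE = re.compile(r'^BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"^RESULT tag=(\d+) err=(\d+)")


class BindResult(NamedTuple):
    conn: int
    op: int
    dn: str       # "" means an anonymous bind
    err: int
    meaning: str  # decoded resultCode name, or "unknown(<n>)"


def bind_results(lines: List[str]) -> List[BindResult]:
    """Pair each BIND dn= line with the RESULT of the same conn/op."""
    pending: Dict[Tuple[int, int], str] = {}
    results: List[BindResult] = []
    for line in lines:
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        b = BIND_DN_RE.match(rest)
        if b:
            # slapd logs a simple bind twice (method=128, then mech=SIMPLE) and
            # may precede it with "BIND anonymous mech=implicit", which has no
            # dn= and is skipped here; the last dn= seen for the op is the
            # identity actually being bound.
            pending[(conn, op)] = b.group(1)
            continue
        r = RESULT_RE.match(rest)
        # "SEARCH RESULT" lines do not match ^RESULT, so only bind results
        # reach this point; tag=97 confirms it is a BindResponse.
        if r and r.group(1) == "97" and (conn, op) in pending:
            err = int(r.group(2))
            meaning = LDAP_RESULT_CODES.get(err, f"unknown({err})")
            results.append(BindResult(conn, op, pending.pop((conn, op)), err, meaning))
    return results


def failed_binds(lines: List[str]) -> List[BindResult]:
    """Only the binds the directory rejected (non-zero resultCode)."""
    return [b for b in bind_results(lines) if b.err != 0]


def identities_per_connection(lines: List[str]) -> Dict[int, List[str]]:
    """Which DNs each connection bound as, in order; separates the NSS
    connection (anonymous) from the PAM connection (rootbinddn + user)."""
    out: Dict[int, List[str]] = {}
    for b in bind_results(lines):
        label = b.dn or "<anonymous>"
        if label not in out.setdefault(b.conn, []):
            out[b.conn].append(label)
    return out


if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG.splitlines()):
        print(f"conn={f.conn} op={f.op} bind as {f.dn!r} failed: err={f.err} ({f.meaning})")
    for conn, dns in identities_per_connection(SAMPLE_LOG.splitlines()).items():
        print(f"conn={conn} bound as: {', '.join(dns)}")
```

On the attached log this reports a single failure, conn=1 op=3, the bind as cn=testuser with err=49 (invalidCredentials), while every anonymous bind on conn=0 and every cn=Manager bind on conn=1 succeeds; that is the evidence behind the poster's observation that the NSS lookups work and only the PAM bind as the user is rejected.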