pam_ldap issues
Eric Masson
emss at free.fr
Tue Jul 3 18:44:39 UTC 2007
Hello,
I'm trying to set up authentication via an LDAP directory on a 6.2-p5 box.
id queries for an LDAP-defined user, run as root or as a locally defined
user, work fine:
admin at box:~> id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)
root at box:~> id testuser
uid=2000(testuser) gid=2000(test) groups=2000(test)
testuser can't log on to the box (authentication failed). The following
message pops up on the console:
Jul 3 19:08:03 box login: pam_ldap: error trying to bind as user "cn=testuser,ou=people,dc=interne,dc=example,dc=org" (Invalid credentials)
OpenLDAP logs an error 49 (see attached file).
It seems that NSS works but not PAM.
LDAP-related configuration follows:
</usr/local/etc/ldap.conf>
base dc=interne,dc=example,dc=org
uri ldap://127.0.0.1:389/
logdir /var/log/ldap
#debug 256
timeout 5
bind_timeout 5
bind_policy soft
rootbinddn cn=Manager,dc=interne,dc=example,dc=org
nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
nss_base_group ou=groups,dc=interne,dc=example,dc=org?one
</usr/local/etc/ldap.conf>
</usr/local/etc/openldap/slapd.conf>
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to dn.base=""
        by self write
        by * auth
access to attrs=userPassword
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * auth
access to *
        by * read
        by anonymous auth
schemacheck on
idletimeout 30
backend bdb
database bdb
suffix "dc=interne, dc=example, dc=org"
rootdn "cn=Manager, dc=interne, dc=example, dc=org"
rootpw password
checkpoint 1024 5
cachesize 10000
directory /var/db/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
</usr/local/etc/openldap/slapd.conf>
</etc/pam.d/system>
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
</etc/pam.d/system>
</etc/nsswitch.conf>
group: files ldap
group_compat: nis
hosts: files dns
networks: files
passwd: files ldap
passwd_compat: nis
shells: files
</etc/nsswitch.conf>
The directory has been initialized with the following LDIF file:
<init.ldif>
dn: dc=interne,dc=example,dc=org
dc: interne
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: interne.example.fr
structuralObjectClass: domain

dn: ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit

dn: ou=people,dc=interne,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit

dn: cn=testuser,ou=people,dc=interne,dc=example,dc=org
cn: testuser
sn: Dummy
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
userPassword: testuser
uidNumber: 2000
gidNumber: 2000
gecos: Test User
loginShell: /bin/csh
homeDirectory: /home/test
structuralObjectClass: person

dn: cn=test,ou=groups,dc=interne,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: test
gidNumber: 2000
memberUid: test
structuralObjectClass: posixGroup
<init.ldif>
This is driving me nuts.
Does anyone have an idea?
TIA
Regards
--
JMM> (padfonetik) unless I'm mistaken, we are not on IRC
my fiancée wants me to avoid writing on the computer, so I do it
on the sly, or at any rate as quickly as possible
-+- JC in www.le-gnu.net : Too much in bed to be on the net -+-
-------------- next part --------------
Jul 3 19:01:00 box slapd[1414]: slapd starting
Jul 3 19:01:05 box slapd[1414]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:50293 (IP=0.0.0.0:389)
Jul 3 19:01:05 box slapd[1414]: conn=0 op=0 BIND dn="" method=128
Jul 3 19:01:05 box slapd[1414]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul 3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul 3 19:01:05 box slapd[1414]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul 3 19:01:05 box slapd[1414]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:05 box slapd[1414]: conn=0 op=2 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul 3 19:01:05 box slapd[1414]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul 3 19:01:05 box slapd[1414]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:05 box slapd[1414]: conn=0 op=3 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul 3 19:01:05 box slapd[1414]: conn=0 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul 3 19:01:05 box slapd[1414]: conn=0 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:05 box slapd[1414]: conn=1 fd=14 ACCEPT from IP=127.0.0.1:62723 (IP=0.0.0.0:389)
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul 3 19:01:05 box slapd[1414]: conn=1 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(uid=testuser)"
Jul 3 19:01:05 box slapd[1414]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:05 box slapd[1414]: conn=1 op=2 BIND anonymous mech=implicit ssf=0
Jul 3 19:01:05 box slapd[1414]: conn=1 op=2 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:05 box slapd[1414]: conn=1 op=2 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 3 19:01:05 box slapd[1414]: conn=1 op=2 RESULT tag=97 err=0 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 BIND anonymous mech=implicit ssf=0
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 BIND dn="cn=testuser,ou=people,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 RESULT tag=97 err=49 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:06 box slapd[1414]: conn=1 op=4 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 3 19:01:06 box slapd[1414]: conn=1 op=4 RESULT tag=97 err=0 text=
Jul 3 19:01:06 box slapd[1414]: conn=0 op=4 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Jul 3 19:01:06 box slapd[1414]: conn=0 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Jul 3 19:01:06 box slapd[1414]: conn=0 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=5 UNBIND
Jul 3 19:01:06 box slapd[1414]: conn=1 fd=14 closed
Jul 3 19:01:44 box slapd[1414]: conn=0 fd=11 closed (idletimeout)
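An added illustration, not part of Eric's message or of the OpenLDAP project: a small parser for the slapd "stats" log format shown in the attachment. It pairs each simple-bind request (`BIND dn=... method=128`) with its bindResponse (`RESULT tag=97 err=N`) per connection and operation number, so you can see at a glance which bind on which connection failed and with which LDAP result code. In the attached log that makes the picture clear: the bind as the rootbinddn and the search succeed, and it is the simple bind as testuser that returns err=49 (invalidCredentials). The sample lines embedded below are constructed in the same format as the attachment; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd "stats" log attached to the message
# above (not the original lines): one anonymous simple bind, one successful bind
# as the rootbinddn, and one failed simple bind as the user pam_ldap is checking.
SAMPLE_LOG = """\
Jul 3 19:01:05 box slapd[1414]: conn=0 fd=11 ACCEPT from IP=127.0.0.1:50293 (IP=0.0.0.0:389)
Jul 3 19:01:05 box slapd[1414]: conn=0 op=0 BIND dn="" method=128
Jul 3 19:01:05 box slapd[1414]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul 3 19:01:05 box slapd[1414]: conn=1 fd=14 ACCEPT from IP=127.0.0.1:62723 (IP=0.0.0.0:389)
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 BIND dn="cn=Manager,dc=interne,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 3 19:01:05 box slapd[1414]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul 3 19:01:05 box slapd[1414]: conn=1 op=1 SRCH base="ou=People,dc=interne,dc=example,dc=org" scope=1 deref=0 filter="(uid=testuser)"
Jul 3 19:01:05 box slapd[1414]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 BIND anonymous mech=implicit ssf=0
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 BIND dn="cn=testuser,ou=people,dc=interne,dc=example,dc=org" method=128
Jul 3 19:01:06 box slapd[1414]: conn=1 op=3 RESULT tag=97 err=49 text=
Jul 3 19:01:06 box slapd[1414]: conn=1 op=5 UNBIND
Jul 3 19:01:06 box slapd[1414]: conn=1 fd=14 closed
"""

# Standard LDAP resultCode values (RFC 4511) that commonly show up in bind responses.
RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# "BIND dn=... method=128" is the simple-bind request line; "RESULT tag=97" is
# the matching bindResponse (97 = 0x61, the BindResponse application tag).
# The "BIND anonymous mech=implicit" and "mech=SIMPLE ssf=0" lines carry no
# request DN of their own and are deliberately not matched.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def parse_binds(log_text):
    """Pair every simple-bind request with its response, in log order.

    Returns a list of dicts with keys conn, op, dn, anonymous, err, name.
    """
    pending = {}   # (conn, op) -> DN of a bind whose response has not been seen yet
    binds = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = int(m.group(1)), int(m.group(2)), m.group(3)
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key not in pending:
                continue   # bindResponse for a request outside this log window
            err = int(m.group(3))
            dn = pending.pop(key)
            binds.append({
                "conn": key[0], "op": key[1], "dn": dn,
                "anonymous": dn == "",   # dn="" with method=128 is an anonymous simple bind
                "err": err,
                "name": RESULT_NAMES.get(err, "unknown(%d)" % err),
            })
    return binds


def failed_binds(binds):
    """Binds whose resultCode was anything other than success."""
    return [b for b in binds if b["err"] != 0]


def failures_by_dn(binds):
    """Count failed binds per DN: handy for debugging one account, and for
    noticing a run of invalidCredentials responses against many accounts."""
    counts = defaultdict(int)
    for b in failed_binds(binds):
        counts[b["dn"] or "(anonymous)"] += 1
    return dict(counts)


if __name__ == "__main__":
    binds = parse_binds(SAMPLE_LOG)
    for b in binds:
        who = "(anonymous)" if b["anonymous"] else b["dn"]
        print("conn=%d op=%d bind as %s -> err=%d (%s)"
              % (b["conn"], b["op"], who, b["err"], b["name"]))
    print("failures per DN:", failures_by_dn(binds))
```

Run it against a real slapd log (loglevel 256) by reading the file into `parse_binds` instead of `SAMPLE_LOG`. Because it pairs requests with responses per connection, it works even when several connections interleave, as conn=0 (the nss_ldap searches) and conn=1 (the pam_ldap bind sequence) do in the attachment.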