RE: Authentication failures, UPDATE
Changed out debugging in my LDAP server and seeing some "fun stuff".
I can see the LDAP client hitting my server and starting to search. It
hits the first record (my manager, above me in the tree) and goes from
there:
Aug 30 09:20:37 ghost slapd[10947]: conn=7 fd=11 connection from ghost.lsv.raindance.com (127.0.0.1) accepted.
Aug 30 09:20:37 ghost slapd[10974]: conn=7 op=0 BIND dn="" method=128
Aug 30 09:20:37 ghost slapd[10974]: conn=7 op=0 RESULT err=0 tag=97 nentries=0
Aug 30 09:20:37 ghost slapd[10975]: begin get_filter
Aug 30 09:20:37 ghost slapd[10975]: EQUALITY
Aug 30 09:20:37 ghost slapd[10975]: end get_filter 0
Aug 30 09:20:37 ghost slapd[10975]: conn=7 op=1 SRCH base="DC=RAINDANCE,DC=COM" scope=2 filter="(uid=RHARRIS)"
Aug 30 09:20:37 ghost slapd[10975]: ^IOR
Aug 30 09:20:37 ghost slapd[10975]: ^IEQUALITY
Aug 30 09:20:37 ghost slapd[10975]: ^IEQUALITY
Aug 30 09:20:37 ghost slapd[10975]: => test_filter
Aug 30 09:20:37 ghost slapd[10975]: EQUALITY
Aug 30 09:20:37 ghost slapd[10975]: => access_allowed: entry (dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: => acl_get: entry (dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: <= acl_get: [2] backend acl dc=raindance,dc=com attr: uid
Aug 30 09:20:37 ghost slapd[10975]: => acl_access_allowed: search access to entry "dc=raindance,dc=com"
Aug 30 09:20:37 ghost slapd[10975]: => acl_access_allowed: search access to value "RHARRIS" by ""
Aug 30 09:20:37 ghost slapd[10975]: <= acl_access_allowed: granted by default (no matching by)
Aug 30 09:20:37 ghost slapd[10975]: => access_allowed: exit (dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: <= test_filter -1
Aug 30 09:20:37 ghost slapd[10975]: => test_filter
Aug 30 09:20:37 ghost slapd[10975]: EQUALITY
Aug 30 09:20:37 ghost slapd[10975]: => access_allowed: entry (cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: => acl_get: entry (cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: <= acl_get: [2] backend acl cn=Steve A Calderoni, dc=raindance,dc=com attr: uid
Aug 30 09:20:37 ghost slapd[10975]: => acl_access_allowed: search access to entry "cn=Steve A Calderoni, dc=raindance,dc=com"
Aug 30 09:20:37 ghost slapd[10975]: => acl_access_allowed: search access to value "RHARRIS" by ""
Aug 30 09:20:37 ghost slapd[10975]: <= acl_access_allowed: granted by default (no matching by)
Aug 30 09:20:37 ghost slapd[10975]: => access_allowed: exit (cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: <= test_filter 1
Aug 30 09:20:37 ghost slapd[10975]: => test_filter
Aug 30 09:20:37 ghost slapd[10975]: EQUALITY
Aug 30 09:20:37 ghost slapd[10975]: => access_allowed: entry (cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: => acl_get: entry (cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: <= acl_get: [2] backend acl cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com attr: uid
Aug 30 09:20:37 ghost slapd[10975]: => acl_access_allowed: search access to entry "cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com"
Aug 30 09:20:37 ghost slapd[10975]: => acl_access_allowed: search access to value "RHARRIS" by ""
Aug 30 09:20:37 ghost slapd[10975]: <= acl_access_allowed: granted by default (no matching by)
Aug 30 09:20:37 ghost slapd[10975]: => access_allowed: exit (cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid)
Aug 30 09:20:37 ghost slapd[10975]: <= test_filter 0
.
.
.
At this point it goes through every attribute in my entry
.
.
.
Aug 30 09:20:37 ghost slapd[10975]: => acl_get: entry (cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com) attr (sn)
Aug 30 09:20:37 ghost slapd[10975]: <= acl_get: [2] backend acl cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com attr: sn
Aug 30 09:20:37 ghost slapd[10975]: => acl_access_allowed: read access to entry "cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com"
Aug 30 09:20:37 ghost slapd[10975]: => acl_access_allowed: read access to value "any" by ""
Aug 30 09:20:37 ghost slapd[10975]: <= acl_access_allowed: granted by default (no matching by)
Aug 30 09:20:37 ghost slapd[10975]: => test_filter
Aug 30 09:20:37 ghost slapd[10975]: EQUALITY
Aug 30 09:20:37 ghost slapd[10975]: conn=7 op=1 RESULT err=0 tag=101 nentries=1
Aug 30 09:20:37 ghost slapd[10976]: conn=7 op=2 UNBIND
Aug 30 09:20:37 ghost slapd[10976]: conn=7 op=2 fd=11 closed errno=0
Aug 30 09:20:39 ghost slapd[10947]: conn=4 op=-1 fd=7 closed errno=0
My console gives me "Login incorrect" and goes back to the login prompt...
Help?
>
> Trying to ssh to a box. The box should be hitting my ldap server for
> authentication but I keep getting this in my logfile:
>
> Aug 29 15:43:11 spirit sshd[4247]: Faking authloop for illegal user rharris from 10.10.117.230 port 34120
>
> I get this before I even enter a password. I have this at the end of my
> /etc/pam.d/login:
>
> #
> # Lets see if we can get pam working
> #
> auth sufficient /lib/security/pam_ldap.so
> account sufficient /lib/security/pam_ldap.so
> password sufficient /lib/security/pam_ldap.so
>
> I've modified the /etc/nsswitch.conf to say:
>
> passwd: compat LDAP
> group: compat LDAP
> shadow: compat LDAP
>
> (also tried lowercase).
>
> I've put my server and DN in /etc/libnss-ldap.conf and
> /etc/pam_ldap.conf.
>
> Thoughts?
>
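An added example, not code from the thread or from OpenLDAP, nss_ldap or pam_ldap: two offline checks for chasing a login failure like the one above. summarize_slapd_log() turns slapd's stats-level lines (the conn=N op=M records, not the acl_get/test_filter chatter) into a per-connection timeline, and findings() reads it the way an LDAP admin would: who bound, what was searched, how many entries came back, and whether a bind as the user's own DN (the step pam_ldap uses to check a password) ever happened on that connection. missing_posix_attrs() checks an LDIF entry for the RFC 2307 posixAccount attributes nss_ldap needs before it can hand a passwd record to getpwnam(); sshd's "illegal user" message means that lookup failed, and a matching uid alone is not enough for it. The sample log lines are copied from the message; the LDIF entry is constructed for illustration (the thread never shows the real entry's attributes) and the whole script assumes only the Python standard library.

```python
import base64
import re
from collections import defaultdict

# conn=N op=M <rest>; the "Mon DD HH:MM:SS host slapd[pid]:" prefix is not needed.
STATS_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(-?\d+) (.*)$')
# key=value pairs; a value may be a double-quoted string containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Stats lines copied from the message above.
SAMPLE_LOG = """\
Aug 30 09:20:37 ghost slapd[10974]: conn=7 op=0 BIND dn="" method=128
Aug 30 09:20:37 ghost slapd[10974]: conn=7 op=0 RESULT err=0 tag=97 nentries=0
Aug 30 09:20:37 ghost slapd[10975]: conn=7 op=1 SRCH base="DC=RAINDANCE,DC=COM" scope=2 filter="(uid=RHARRIS)"
Aug 30 09:20:37 ghost slapd[10975]: conn=7 op=1 RESULT err=0 tag=101 nentries=1
Aug 30 09:20:37 ghost slapd[10976]: conn=7 op=2 UNBIND
Aug 30 09:20:37 ghost slapd[10976]: conn=7 op=2 fd=11 closed errno=0
"""


def summarize_slapd_log(text):
    """Return {conn: [{op, type, ...request fields..., err, nentries}, ...]}."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        m = STATS_RE.search(line)
        if not m:
            continue  # debug-level lines (acl_get, test_filter ...) carry no conn=/op=
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        info = conns[conn].setdefault(op, {})
        kind, _, args = rest.partition(' ')
        if kind == 'RESULT':
            fields = dict(KV_RE.findall(args))
            info['err'] = int(fields['err'])
            info['nentries'] = int(fields.get('nentries', 0))
        elif kind.startswith('fd='):
            info['closed'] = True  # "fd=N closed errno=E" is a connection event, not an op
        else:
            info['type'] = kind  # BIND, SRCH, UNBIND, ...
            for key, val in KV_RE.findall(args):
                info[key] = val.strip('"')
    return {c: [dict(op=n, **v) for n, v in sorted(ops.items())] for c, ops in conns.items()}


def findings(timeline):
    """Plain-English observations about one connection's timeline."""
    out = []
    binds = [o for o in timeline if o.get('type') == 'BIND']
    searches = [o for o in timeline if o.get('type') == 'SRCH']
    for b in binds:
        if b.get('dn', '') == '':
            out.append('anonymous bind (dn="")')
    for s in searches:
        out.append('search %s under %s returned %d entries'
                   % (s.get('filter'), s.get('base'), s.get('nentries', 0)))
    if searches and all(b.get('dn', '') == '' for b in binds):
        out.append('no bind as the user DN after the search: the password was '
                   'never checked on this connection (looks like an NSS lookup, '
                   'not a pam_ldap authentication)')
    return out


# RFC 2307 posixAccount MUST attributes; without them nss_ldap cannot build a
# passwd entry, getpwnam() fails, and sshd reports an "illegal user".
REQUIRED_POSIX = ('cn', 'uid', 'uidNumber', 'gidNumber', 'homeDirectory')

# Constructed for illustration: the DN is the one in the log above, the
# attributes are made up and are NOT known to match the poster's directory.
CONSTRUCTED_ENTRY = """\
dn: cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: Robert L Harris
sn: Harris
uid: rharris
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader: one entry, 'attr: value' and 'attr:: base64' lines."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        key, _, val = line.partition(':')
        val = val.strip()
        if val.startswith(':'):  # "attr:: <base64>" form
            val = base64.b64decode(val[1:].strip()).decode()
        entry[key.strip().lower()].append(val)
    return entry


def missing_posix_attrs(ldif_text):
    """List what the entry lacks for an nss_ldap passwd lookup to succeed."""
    entry = parse_ldif_entry(ldif_text)
    missing = [a for a in REQUIRED_POSIX if a.lower() not in entry]
    if 'posixaccount' not in {v.lower() for v in entry.get('objectclass', [])}:
        missing.insert(0, 'objectClass: posixAccount')
    return missing


if __name__ == '__main__':
    for conn, ops in summarize_slapd_log(SAMPLE_LOG).items():
        print('conn=%d' % conn)
        for f in findings(ops):
            print('  -', f)
    print('missing for nss_ldap:', missing_posix_attrs(CONSTRUCTED_ENTRY))
```

Run it against a real slapd log (loglevel 256, the stats level, is enough; the ACL tracing above is loglevel 128) and an ldapsearch -LLL dump of the user's entry instead of the embedded samples. The interesting part of the output is the last finding: if every connection sshd or login triggers looks like anonymous bind, search, unbind, the directory is only being consulted for the passwd map, and the password bind pam_ldap would perform never arrives.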