RE: Authentication failures, UPDATE



Changed out debugging in my LDAP server and seeing some "fun stuff".
I can see the LDAP client hitting my server and starting to search.  It
hits the first record (my manager, above me in the tree) and goes from
there:

Aug 30 09:20:37 ghost slapd[10947]: conn=7 fd=11 connection from
ghost.lsv.raindance.com (127.0.0.1) accepted. 
Aug 30 09:20:37 ghost slapd[10974]: conn=7 op=0 BIND dn="" method=128 
Aug 30 09:20:37 ghost slapd[10974]: conn=7 op=0 RESULT err=0 tag=97
nentries=0 
Aug 30 09:20:37 ghost slapd[10975]: begin get_filter 
Aug 30 09:20:37 ghost slapd[10975]: EQUALITY 
Aug 30 09:20:37 ghost slapd[10975]: end get_filter 0 
Aug 30 09:20:37 ghost slapd[10975]: conn=7 op=1 SRCH
base="DC=RAINDANCE,DC=COM" scope=2 filter="(uid=RHARRIS)" 
Aug 30 09:20:37 ghost slapd[10975]: ^IOR 
Aug 30 09:20:37 ghost slapd[10975]: ^IEQUALITY 
Aug 30 09:20:37 ghost slapd[10975]: ^IEQUALITY 
Aug 30 09:20:37 ghost slapd[10975]: => test_filter 
Aug 30 09:20:37 ghost slapd[10975]:     EQUALITY 
Aug 30 09:20:37 ghost slapd[10975]:  => access_allowed: entry
(dc=raindance,dc=com) attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_get: entry (dc=raindance,dc=com)
attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]: <= acl_get: [2] backend acl
dc=raindance,dc=com attr: uid 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_access_allowed: search access to
entry "dc=raindance,dc=com" 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_access_allowed: search access to
value "RHARRIS" by "" 
Aug 30 09:20:37 ghost slapd[10975]: <= acl_access_allowed: granted by
default (no matching by) 
Aug 30 09:20:37 ghost slapd[10975]:  => access_allowed: exit
(dc=raindance,dc=com) attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]: <= test_filter -1 
Aug 30 09:20:37 ghost slapd[10975]: => test_filter 
Aug 30 09:20:37 ghost slapd[10975]:     EQUALITY 
Aug 30 09:20:37 ghost slapd[10975]:  => access_allowed: entry (cn=Steve A
Calderoni, dc=raindance,dc=com) attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_get: entry (cn=Steve A
Calderoni, dc=raindance,dc=com) attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]: <= acl_get: [2] backend acl cn=Steve A
Calderoni, dc=raindance,dc=com attr: uid 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_access_allowed: search access to
entry "cn=Steve A Calderoni, dc=raindance,dc=com" 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_access_allowed: search access to
value "RHARRIS" by "" 
Aug 30 09:20:37 ghost slapd[10975]: <= acl_access_allowed: granted by
default (no matching by) 
Aug 30 09:20:37 ghost slapd[10975]:  => access_allowed: exit (cn=Steve A
Calderoni, dc=raindance,dc=com) attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]: <= test_filter 1 
Aug 30 09:20:37 ghost slapd[10975]: => test_filter 
Aug 30 09:20:37 ghost slapd[10975]:     EQUALITY 
Aug 30 09:20:37 ghost slapd[10975]:  => access_allowed: entry (cn=Robert L
Harris, cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_get: entry (cn=Robert L Harris,
cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]: <= acl_get: [2] backend acl cn=Robert L
Harris, cn=Steve A Calderoni, dc=raindance,dc=com attr: uid 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_access_allowed: search access to
entry "cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com" 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_access_allowed: search access to
value "RHARRIS" by "" 
Aug 30 09:20:37 ghost slapd[10975]: <= acl_access_allowed: granted by
default (no matching by) 
Aug 30 09:20:37 ghost slapd[10975]:  => access_allowed: exit (cn=Robert L
Harris, cn=Steve A Calderoni, dc=raindance,dc=com) attr (uid) 
Aug 30 09:20:37 ghost slapd[10975]: <= test_filter 0 
.
.
.
At this point it goes through every attribute in my entry
.
.
.
Aug 30 09:20:37 ghost slapd[10975]:  => acl_get: entry (cn=Robert L Harris,
cn=Steve A Calderoni, dc=raindance,dc=com) attr (sn) 
Aug 30 09:20:37 ghost slapd[10975]: <= acl_get: [2] backend acl cn=Robert L
Harris, cn=Steve A Calderoni, dc=raindance,dc=com attr: sn 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_access_allowed: read access to
entry "cn=Robert L Harris, cn=Steve A Calderoni, dc=raindance,dc=com" 
Aug 30 09:20:37 ghost slapd[10975]:  => acl_access_allowed: read access to
value "any" by "" 
Aug 30 09:20:37 ghost slapd[10975]: <= acl_access_allowed: granted by
default (no matching by) 
Aug 30 09:20:37 ghost slapd[10975]: => test_filter 
Aug 30 09:20:37 ghost slapd[10975]:     EQUALITY 
Aug 30 09:20:37 ghost slapd[10975]: conn=7 op=1 RESULT err=0 tag=101
nentries=1 
Aug 30 09:20:37 ghost slapd[10976]: conn=7 op=2 UNBIND 
Aug 30 09:20:37 ghost slapd[10976]: conn=7 op=2 fd=11 closed errno=0 
Aug 30 09:20:39 ghost slapd[10947]: conn=4 op=-1 fd=7 closed errno=0 

My console gives me "Login incorrect" and goes back to the login prompt...


Help?


> 
> Trying to ssh to a box.  The box should be hitting my ldap server for
> authentication but I keep getting this in my logfile:
> 
> Aug 29 15:43:11 spirit sshd[4247]: Faking authloop for 
> illegal user rharris
> from 10.10.117.230 port 34120
> 
> I get this before I even enter a password.  I have this at 
> the end of my
> /etc/pam.d/login:
> 
> # 
> # Lets see if we can get pam working
> #
> auth    sufficient      /lib/security/pam_ldap.so             
> account sufficient      /lib/security/pam_ldap.so             
> password        sufficient      /lib/security/pam_ldap.so      
> 
> I've modified the /etc/nsswitch.conf to say:
> 
> passwd:         compat  LDAP
> group:          compat  LDAP
> shadow:         compat  LDAP
> 
> (also tried lowercase).
> 
> I've put my server and DN in /etc/libnss-ldap.conf and 
> /etc/pam_ldap.conf.  
> 
> Thoughts?
>
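Added example, not code from anyone in this thread: a small Python parser for the slapd log format quoted above. It rejoins lines that the mail client wrapped, groups operations by connection and reports the bind DN and the entry count of each search, which is enough to confirm from the log alone that the `(uid=RHARRIS)` lookup ran under an anonymous bind and returned one entry. The sample log is constructed from the lines in this message; the regexes assume the syslog-style prefix shown there.

```python
import re
from collections import defaultdict

# Constructed sample in the slapd format quoted above; lines without a
# timestamp are the mail-wrapped tails of the preceding log line.
SAMPLE_LOG = """\
Aug 30 09:20:37 ghost slapd[10974]: conn=7 op=0 BIND dn="" method=128
Aug 30 09:20:37 ghost slapd[10974]: conn=7 op=0 RESULT err=0 tag=97
nentries=0
Aug 30 09:20:37 ghost slapd[10975]: conn=7 op=1 SRCH
base="DC=RAINDANCE,DC=COM" scope=2 filter="(uid=RHARRIS)"
Aug 30 09:20:37 ghost slapd[10975]: conn=7 op=1 RESULT err=0 tag=101
nentries=1
Aug 30 09:20:37 ghost slapd[10976]: conn=7 op=2 UNBIND
"""
LINE_START = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]: ")
OP = re.compile(r"conn=(\d+) op=(-?\d+) (BIND|SRCH|RESULT|UNBIND)(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin log lines that a mail client wrapped onto a following line."""
    out = []
    for line in text.splitlines():
        if LINE_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def parse_ops(text):
    """Map conn number -> [(op, kind, {field: value}), ...]; ACL trace lines are skipped."""
    conns = defaultdict(list)
    for line in unwrap(text):
        if m := OP.search(line):
            conn, op, kind, rest = m.groups()
            fields = {k: v.strip('"') for k, v in KV.findall(rest)}
            conns[int(conn)].append((int(op), kind, fields))
    return dict(conns)

def summarize(conns):
    """Per connection: the bind DN and each search filter with its (nentries, err)."""
    report = {}
    for conn, ops in conns.items():
        bind_dn, pending, searches = None, {}, []
        for op, kind, f in ops:
            if kind == "BIND":
                bind_dn = f.get("dn", "")
            elif kind == "SRCH":
                pending[op] = f.get("filter")
            elif kind == "RESULT" and op in pending:  # RESULT of a search, not of the bind
                searches.append((pending.pop(op), int(f.get("nentries", 0)), int(f.get("err", 0))))
        report[conn] = {"bind_dn": bind_dn, "anonymous": bind_dn == "", "searches": searches}
    return report
```

Running `summarize(parse_ops(SAMPLE_LOG))` on the sample shows conn 7 bound anonymously and its search returned one entry with err=0, so the directory lookup itself is not where this login fails.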