
Re: passwd with pam_ldap and open ldap



It is me again,

sorry, it was like this:

openldap has been compiled with --enable-crypt=no (default). PADL writes that 

pam_password clear

is the default, but apparently it is not.

pam_password clear 

in /etc/ldap.conf helped a lot.

Thanx a lot for your attention,

Vadim Tarassov.

-----Original Message-----
From: Tarassov Vadim [mailto:Vadim.Tarassov@winterthur.ch]
Sent: Monday, 2 September 2002 18:29
To: openldap-software@OpenLDAP.org; 'nssldap@padl.com';
'pamldap@padl.com'
Subject: passwd with pam_ldap and open ldap


Hello everybody,

somehow I cannot manage to get passwd to work with pam_ldap on Solaris 2.6.

I am not using TLS/SSL or anything of the sort, just simple authentication at the moment.

here is my acl:

access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to * by * read

that's what passwd tells me:

passwd:  Changing password for c248843
Enter login(LDAP) password: 
New password: 
Re-enter new password: 
LDAP password information update failed: Unknown error

Permission denied
c248843 /tmp $ 

Here is my /etc/pam.conf

c248843 /tmp $ cat /etc/pam.conf
#ident  "@(#)pam.conf 1.19     95/11/30 SMI"
#
# PAM configuration
#
# Authentication management
#
#login  auth sufficient /usr/lib/security/pam_ldap.so debug
login   auth required   /usr/lib/security/pam_unix.so.1 
login   auth required   /usr/lib/security/pam_dial_auth.so.1 

telnet  auth sufficient /usr/lib/security/pam_ldap.so 
#
# rlogin  auth sufficient /usr/lib/security/pam_ldap.so.1 use_first_pass
rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/pam_unix.so.1
#
dtlogin auth required   /usr/lib/security/pam_unix.so.1 
#
rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
other   auth required   /usr/lib/security/pam_unix.so.1
#
# Account management
#
# login   account required        /usr/lib/security/pam_ldap.so
login   account required        /usr/lib/security/pam_unix.so.1 
dtlogin account required        /usr/lib/security/pam_unix.so.1 
#
other   account required        /usr/lib/security/pam_unix.so.1 
#
# Session management
#
other   session required        /usr/lib/security/pam_unix.so.1 
#
# Password management
#
# other password required       /usr/lib/security/pam_unix.so.1
other   password required /usr/lib/security/pam_ldap.so 

here is my /etc/ldap.conf

#
# ldap.conf 
# created by Vadim Tarassov (7322)
#
# Host we will look for LDAP server
# Must be resolved without LDAP!

host 127.0.0.1
port 389
uri ldap://127.0.0.1

base o=Winterthur,c=CH

pam_password exop
nss_base_passwd ou=People,o=Winterthur,c=CH?one
nss_base_shadow ou=People,o=Winterthur,c=CH?one

#binddn cn=Manager
#bindpw secret


and this is part of the OpenLDAP log:


>>> dnPrettyNormal: <uid=c248843,ou=People,o=Winterthur,c=ch>
=> ldap_bv2dn(uid=c248843,ou=People,o=Winterthur,c=ch,0)
<= ldap_bv2dn(uid=c248843,ou=People,o=Winterthur,c=ch,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=c248843,ou=People,o=Winterthur,c=ch,272)=0
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=c248843,ou=people,o=winterthur,c=ch,16)=0
<<< dnPrettyNormal: <uid=c248843,ou=People,o=Winterthur,c=ch>, <uid=c248843,ou=people,o=winterthur,c=ch>
do_bind: version=3 dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
conn=6 op=2 BIND dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
==> bdb_bind: dn: uid=c248843,ou=People,o=Winterthur,c=ch
bdb_dn2entry_rw("uid=c248843,ou=people,o=winterthur,c=ch")
=> bdb_dn2id_matched( "uid=c248843,ou=people,o=winterthur,c=ch" )
====> bdb_cache_find_entry_dn2id("uid=c248843,ou=people,o=winterthur,c=ch"): 15633 (1 tries)
====> bdb_cache_find_entry_id( 15633 ) "uid=c248843,ou=People,o=Winterthur,c=ch" (found) (1 tries)
=> access_allowed: auth access to "uid=c248843,ou=People,o=Winterthur,c=ch" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=c248843,ou=People,o=Winterthur,c=ch attr: userPassword
=> acl_mask: access to entry "uid=c248843,ou=People,o=Winterthur,c=ch", attr "userPassword" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=Manager
=> string_expand: pattern:  cn=Manager
=> string_expand: expanded: cn=Manager
=> regex_matches: string:        
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=x) (stop)
<= acl_mask: [3] mask: auth(=x)
=> access_allowed: auth access granted by auth(=x)
====> bdb_cache_return_entry_r( 15633 ): returned (0)
do_bind: v3 bind: "uid=c248843,ou=People,o=Winterthur,c=ch" to "uid=c248843,ou=People,o=Winterthur,c=ch"
send_ldap_result: conn=6 op=2 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=3 tag=97 err=0
ber_flush: 14 bytes to sd 12
  0000:  30 0c 02 01 03 61 07 0a  01 00 04 00 04 00         0....a........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 03 61 07 0a  01 00 04 00 04 00         0....a........    
conn=6 op=2 RESULT tag=97 err=0 text=
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=6
connection_read(12): checking for input on id=6
ber_get_next
ldap_read: want=9, got=9
  0000:  30 0c 02 01 04 60 07 02  01                        0....`...         
ldap_read: want=5, got=5
  0000:  03 04 00 80 00                                     .....             
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x00275268 ptr=0x00275268 end=0x00275274 len=12
  0000:  02 01 04 60 07 02 01 03  04 00 80 00               ...`........      
ber_get_next
do_bind
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({imt) ber:
daemon: select: listen=7 active_threads=1 tvp=NULL
ber_dump: buf=0x00275268 ptr=0x0027526b end=0x00275274 len=9
  0000:  60 07 02 01 03 04 00 80  00                        `........         
ber_scanf fmt (m}) ber:
ber_dump: buf=0x00275268 ptr=0x00275272 end=0x00275274 len=2
  0000:  00 00                                              ..                
daemon: select: listen=8 active_threads=1 tvp=NULL
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
conn=6 op=3 BIND dn="" method=128
send_ldap_result: conn=6 op=3 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=4 tag=97 err=0
ber_flush: 14 bytes to sd 12
  0000:  30 0c 02 01 04 61 07 0a  01 00 04 00 04 00         0....a........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 04 61 07 0a  01 00 04 00 04 00         0....a........    
conn=6 op=3 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=6
connection_read(12): checking for input on id=6
ber_get_next
ldap_read: want=9, got=9
  0000:  30 3a 02 01 05 60 35 02  01                        0:...`5..         
ldap_read: want=51, got=51
  0000:  03 04 27 75 69 64 3d 63  32 34 38 38 34 33 2c 6f   ..'uid=c248843,o  
  0010:  75 3d 50 65 6f 70 6c 65  2c 6f 3d 57 69 6e 74 65   u=People,o=Winte  
  0020:  72 74 68 75 72 2c 63 3d  63 68 80 07 76 66 74 76   rthur,c=ch..vftv  
  0030:  66 74 31                                           ft1               
ber_get_next: tag 0x30 len 58 contents:
ber_dump: buf=0x0023d250 ptr=0x0023d250 end=0x0023d28a len=58
  0000:  02 01 05 60 35 02 01 03  04 27 75 69 64 3d 63 32   ...`5....'uid=c2  
  0010:  34 38 38 34 33 2c 6f 75  3d 50 65 6f 70 6c 65 2c   48843,ou=People,  
  0020:  6f 3d 57 69 6e 74 65 72  74 68 75 72 2c 63 3d 63   o=Winterthur,c=c  
  0030:  68 80 07 76 66 74 76 66  74 31                     h..vftvft1        
ber_get_next
do_bind
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x0023d250 ptr=0x0023d253 end=0x0023d28a len=55
  0000:  60 35 02 01 03 04 27 75  69 64 3d 63 32 34 38 38   `5....'uid=c2488  
  0010:  34 33 2c 6f 75 3d 50 65  6f 70 6c 65 2c 6f 3d 57   43,ou=People,o=W  
  0020:  69 6e 74 65 72 74 68 75  72 2c 63 3d 63 68 80 07   interthur,c=ch..  
  0030:  76 66 74 76 66 74 31                               vftvft1           
ber_scanf fmt (m}) ber:
ber_dump: buf=0x0023d250 ptr=0x0023d281 end=0x0023d28a len=9
  0000:  00 07 76 66 74 76 66 74  31                        ..vftvft1         
>>> dnPrettyNormal: <uid=c248843,ou=People,o=Winterthur,c=ch>
=> ldap_bv2dn(uid=c248843,ou=People,o=Winterthur,c=ch,0)
<= ldap_bv2dn(uid=c248843,ou=People,o=Winterthur,c=ch,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=c248843,ou=People,o=Winterthur,c=ch,272)=0
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=c248843,ou=people,o=winterthur,c=ch,16)=0
<<< dnPrettyNormal: <uid=c248843,ou=People,o=Winterthur,c=ch>, <uid=c248843,ou=people,o=winterthur,c=ch>
do_bind: version=3 dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
conn=6 op=4 BIND dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
==> bdb_bind: dn: uid=c248843,ou=People,o=Winterthur,c=ch
bdb_dn2entry_rw("uid=c248843,ou=people,o=winterthur,c=ch")
=> bdb_dn2id_matched( "uid=c248843,ou=people,o=winterthur,c=ch" )
====> bdb_cache_find_entry_dn2id("uid=c248843,ou=people,o=winterthur,c=ch"): 15633 (1 tries)
====> bdb_cache_find_entry_id( 15633 ) "uid=c248843,ou=People,o=Winterthur,c=ch" (found) (1 tries)
=> access_allowed: auth access to "uid=c248843,ou=People,o=Winterthur,c=ch" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=c248843,ou=People,o=Winterthur,c=ch attr: userPassword
=> acl_mask: access to entry "uid=c248843,ou=People,o=Winterthur,c=ch", attr "userPassword" requested
=> acl_mask: to all values by "", (=n) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=Manager
=> string_expand: pattern:  cn=Manager
=> string_expand: expanded: cn=Manager
=> regex_matches: string:        
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=x) (stop)
<= acl_mask: [3] mask: auth(=x)
=> access_allowed: auth access granted by auth(=x)
====> bdb_cache_return_entry_r( 15633 ): returned (0)
do_bind: v3 bind: "uid=c248843,ou=People,o=Winterthur,c=ch" to "uid=c248843,ou=People,o=Winterthur,c=ch"
send_ldap_result: conn=6 op=4 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=5 tag=97 err=0
ber_flush: 14 bytes to sd 12
  0000:  30 0c 02 01 05 61 07 0a  01 00 04 00 04 00         0....a........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 05 61 07 0a  01 00 04 00 04 00         0....a........    
conn=6 op=4 RESULT tag=97 err=0 text=
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: select: listen=8 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=6
connection_read(12): checking for input on id=6
ber_get_next
ldap_read: want=9, got=7
  0000:  30 05 02 01 06 42 00                               0....B.           
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x0023c458 ptr=0x0023c458 end=0x0023c45d len=5
  0000:  02 01 06 42 00                                     ...B.             
ber_get_next
do_unbind
ldap_read: want=9, got=0

ber_get_next on fd 12 failed errno=0 (Error 0)
connection_read(12): input error=-2 id=6, closing.
conn=6 op=5 UNBIND
connection_closing: readying conn=6 sd=12 for close
connection_close: deferring conn=6 sd=12
daemon: select: listen=7 active_threads=1 tvp=NULL
connection_resched: attempting closing conn=6 sd=12
daemon: select: listen=8 active_threads=1 tvp=NULL
connection_close: conn=6 sd=12
daemon: activity on 1 descriptors
daemon: removing 12
conn=6 fd=12 closed
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: select: listen=8 active_threads=1 tvp=NULL


What am I doing wrong?

Thanx a lot, Vadim Tarassov.

-------------------------------------------------------
Vadim Tarassov
e-Platform Solution Center
Telefon +41 52 261 73 22
Fax +41 52 261 46 40
mailto:vadim.tarassov@winterthur.ch
-------------------------------------------------------
Winterthur Versicherungen
General Guisan-Str. 40
8401 Winterthur
http://www.winterthur.com
-------------------------------------------------------
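The slapd trace in the quoted mail shows only binds (op=2, an anonymous op=3, op=4) and an unbind: no ModifyRequest and no Password Modify extended request ever reaches the server, which is what `pam_password exop` should have produced. The following decoder is an added example, not code from the thread, PADL or OpenLDAP; it rebuilds the messages from the `ldap_read`/`ber_dump` hex lines above and lists the operations, reporting the simple-bind credential only by its length because the debug dump carries it in the clear.

```python
# LDAPv3 protocolOp application tags (RFC 4511); the names are this example's own.
OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
       0x66: "ModifyRequest", 0x77: "ExtendedRequest", 0x78: "ExtendedResponse"}

def tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at pos (short and long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        nbytes, length = length & 0x7F, 0
        for _ in range(nbytes):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def decode(msg):
    """Decode the envelope of one LDAPMessage; a bind credential is never returned."""
    tag, body, _ = tlv(msg, 0)
    if tag != 0x30: raise ValueError("LDAPMessage must be a SEQUENCE")
    _, mid, pos = tlv(body, 0)
    op, opbody, _ = tlv(body, pos)
    out = {"msgid": int.from_bytes(mid, "big"), "op": OPS.get(op, hex(op))}
    if op == 0x60:                          # BindRequest ::= version, name, authentication
        _, ver, pos = tlv(opbody, 0)
        _, name, pos = tlv(opbody, pos)
        auth, cred, _ = tlv(opbody, pos)
        out.update(version=ver[0], name=name.decode(), simple=(auth == 0x80),
                   cred_len=len(cred))     # length only: never copy the secret out of the trace
    elif op == 0x61:                        # BindResponse: resultCode ENUMERATED comes first
        _, rc, _ = tlv(opbody, 0)
        out["resultCode"] = int.from_bytes(rc, "big")
    return out

def from_dump(text):
    """Rebuild bytes from ldap_read/ber_dump hex lines (offset column stripped off)."""
    return bytes.fromhex("".join(line.split(":", 1)[1] for line in text.strip().splitlines()))

def password_change_attempted(msgs):
    """True only if the client sent a ModifyRequest or an Extended (exop) request."""
    return any(decode(m)["op"] in ("ModifyRequest", "ExtendedRequest") for m in msgs)

# Copied from the trace: op=4 BindRequest (two ldap_read chunks), its response, the unbind.
BIND_REQ = from_dump("""
  0000:  30 3a 02 01 05 60 35 02  01
  0000:  03 04 27 75 69 64 3d 63  32 34 38 38 34 33 2c 6f
  0010:  75 3d 50 65 6f 70 6c 65  2c 6f 3d 57 69 6e 74 65
  0020:  72 74 68 75 72 2c 63 3d  63 68 80 07 76 66 74 76
  0030:  66 74 31""")
BIND_RESP = from_dump("  0000:  30 0c 02 01 05 61 07 0a  01 00 04 00 04 00")
UNBIND = from_dump("  0000:  30 05 02 01 06 42 00")
SESSION = [BIND_REQ, BIND_RESP, UNBIND]
```

Running `password_change_attempted(SESSION)` over the captured messages returns False, confirming that the client side gave up before issuing any password operation.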