Re: passwd with pam_ldap and open ldap
It is me again,
sorry, it was like this:
openldap has been compiled with --enable-crypt=no (default). PADL writes that
pam_password clear
is default, but apparently not.
pam_password clear
in /etc/ldap.conf helped a lot.
Thanx a lot for your attention,
Vadim Tarassov.
-----Original Message-----
From: Tarassov Vadim [mailto:Vadim.Tarassov@winterthur.ch]
Sent: Monday, 2 September 2002 18:29
To: openldap-software@OpenLDAP.org; 'nssldap@padl.com';
'pamldap@padl.com'
Subject: passwd with pam_ldap and open ldap
Hello everybody,
somehow I cannot manage to bring passwd to work with pam_ldap on Solaris 2.6.
I am not using TLS/SSL or whatsoever, just simple authentication at the moment.
Here is my ACL:
access to attr=userPassword by self write by anonymous auth by * none
access to * by * read
That's what passwd writes me:
passwd: Changing password for c248843
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Unknown error
Permission denied
c248843 /tmp $
Here is my /etc/pam.conf:
c248843 /tmp $ cat /etc/pam.conf
#ident "@(#)pam.conf 1.19 95/11/30 SMI"
#
# PAM configuration
#
# Authentication management
#
#login auth sufficient /usr/lib/security/pam_ldap.so debug
login auth required /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/security/pam_dial_auth.so.1
telnet auth sufficient /usr/lib/security/pam_ldap.so
#
# rlogin auth sufficient /usr/lib/security/pam_ldap.so.1 use_first_pass
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1
#
dtlogin auth required /usr/lib/security/pam_unix.so.1
#
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
other auth required /usr/lib/security/pam_unix.so.1
#
# Account management
#
# login account required /usr/lib/security/pam_ldap.so
login account required /usr/lib/security/pam_unix.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
#
other account required /usr/lib/security/pam_unix.so.1
#
# Session management
#
other session required /usr/lib/security/pam_unix.so.1
#
# Password management
#
# other password required /usr/lib/security/pam_unix.so.1
other password required /usr/lib/security/pam_ldap.so
Here is my /etc/ldap.conf:
#
# ldap.conf
# created by Vadim Tarassov (7322)
#
# Host we will look for LDAP server
# Must be resolved without LDAP!
host 127.0.0.1
port 389
uri ldap://127.0.0.1
base o=Winterthur,c=CH
pam_password exop
nss_base_passwd ou=People,o=Winterthur,c=CH?one
nss_base_shadow ou=People,o=Winterthur,c=CH?one
#binddn cn=Manager
#bindpw secret
And that's a part of the OpenLDAP log:
>>> dnPrettyNormal: <uid=c248843,ou=People,o=Winterthur,c=ch>
=> ldap_bv2dn(uid=c248843,ou=People,o=Winterthur,c=ch,0)
<= ldap_bv2dn(uid=c248843,ou=People,o=Winterthur,c=ch,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=c248843,ou=People,o=Winterthur,c=ch,272)=0
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=c248843,ou=people,o=winterthur,c=ch,16)=0
<<< dnPrettyNormal: <uid=c248843,ou=People,o=Winterthur,c=ch>, <uid=c248843,ou=people,o=winterthur,c=ch>
do_bind: version=3 dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
conn=6 op=2 BIND dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
==> bdb_bind: dn: uid=c248843,ou=People,o=Winterthur,c=ch
bdb_dn2entry_rw("uid=c248843,ou=people,o=winterthur,c=ch")
=> bdb_dn2id_matched( "uid=c248843,ou=people,o=winterthur,c=ch" )
====> bdb_cache_find_entry_dn2id("uid=c248843,ou=people,o=winterthur,c=ch"): 15633 (1 tries)
====> bdb_cache_find_entry_id( 15633 ) "uid=c248843,ou=People,o=Winterthur,c=ch" (found) (1 tries)
=> access_allowed: auth access to "uid=c248843,ou=People,o=Winterthur,c=ch" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=c248843,ou=People,o=Winterthur,c=ch attr: userPassword
=> acl_mask: access to entry "uid=c248843,ou=People,o=Winterthur,c=ch", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: cn=Manager
=> string_expand: pattern: cn=Manager
=> string_expand: expanded: cn=Manager
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=x) (stop)
<= acl_mask: [3] mask: auth(=x)
=> access_allowed: auth access granted by auth(=x)
====> bdb_cache_return_entry_r( 15633 ): returned (0)
do_bind: v3 bind: "uid=c248843,ou=People,o=Winterthur,c=ch" to "uid=c248843,ou=People,o=Winterthur,c=ch"
send_ldap_result: conn=6 op=2 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=3 tag=97 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 03 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 03 61 07 0a 01 00 04 00 04 00 0....a........
conn=6 op=2 RESULT tag=97 err=0 text=
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=6
connection_read(12): checking for input on id=6
ber_get_next
ldap_read: want=9, got=9
0000: 30 0c 02 01 04 60 07 02 01 0....`...
ldap_read: want=5, got=5
0000: 03 04 00 80 00 .....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x00275268 ptr=0x00275268 end=0x00275274 len=12
0000: 02 01 04 60 07 02 01 03 04 00 80 00 ...`........
ber_get_next
do_bind
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({imt) ber:
daemon: select: listen=7 active_threads=1 tvp=NULL
ber_dump: buf=0x00275268 ptr=0x0027526b end=0x00275274 len=9
0000: 60 07 02 01 03 04 00 80 00 `........
ber_scanf fmt (m}) ber:
ber_dump: buf=0x00275268 ptr=0x00275272 end=0x00275274 len=2
0000: 00 00 ..
daemon: select: listen=8 active_threads=1 tvp=NULL
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
conn=6 op=3 BIND dn="" method=128
send_ldap_result: conn=6 op=3 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=4 tag=97 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 04 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 04 61 07 0a 01 00 04 00 04 00 0....a........
conn=6 op=3 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=6
connection_read(12): checking for input on id=6
ber_get_next
ldap_read: want=9, got=9
0000: 30 3a 02 01 05 60 35 02 01 0:...`5..
ldap_read: want=51, got=51
0000: 03 04 27 75 69 64 3d 63 32 34 38 38 34 33 2c 6f ..'uid=c248843,o
0010: 75 3d 50 65 6f 70 6c 65 2c 6f 3d 57 69 6e 74 65 u=People,o=Winte
0020: 72 74 68 75 72 2c 63 3d 63 68 80 07 76 66 74 76 rthur,c=ch..vftv
0030: 66 74 31 ft1
ber_get_next: tag 0x30 len 58 contents:
ber_dump: buf=0x0023d250 ptr=0x0023d250 end=0x0023d28a len=58
0000: 02 01 05 60 35 02 01 03 04 27 75 69 64 3d 63 32 ...`5....'uid=c2
0010: 34 38 38 34 33 2c 6f 75 3d 50 65 6f 70 6c 65 2c 48843,ou=People,
0020: 6f 3d 57 69 6e 74 65 72 74 68 75 72 2c 63 3d 63 o=Winterthur,c=c
0030: 68 80 07 76 66 74 76 66 74 31 h..vftvft1
ber_get_next
do_bind
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x0023d250 ptr=0x0023d253 end=0x0023d28a len=55
0000: 60 35 02 01 03 04 27 75 69 64 3d 63 32 34 38 38 `5....'uid=c2488
0010: 34 33 2c 6f 75 3d 50 65 6f 70 6c 65 2c 6f 3d 57 43,ou=People,o=W
0020: 69 6e 74 65 72 74 68 75 72 2c 63 3d 63 68 80 07 interthur,c=ch..
0030: 76 66 74 76 66 74 31 vftvft1
ber_scanf fmt (m}) ber:
ber_dump: buf=0x0023d250 ptr=0x0023d281 end=0x0023d28a len=9
0000: 00 07 76 66 74 76 66 74 31 ..vftvft1
>>> dnPrettyNormal: <uid=c248843,ou=People,o=Winterthur,c=ch>
=> ldap_bv2dn(uid=c248843,ou=People,o=Winterthur,c=ch,0)
<= ldap_bv2dn(uid=c248843,ou=People,o=Winterthur,c=ch,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=c248843,ou=People,o=Winterthur,c=ch,272)=0
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=c248843,ou=people,o=winterthur,c=ch,16)=0
<<< dnPrettyNormal: <uid=c248843,ou=People,o=Winterthur,c=ch>, <uid=c248843,ou=people,o=winterthur,c=ch>
do_bind: version=3 dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
conn=6 op=4 BIND dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
==> bdb_bind: dn: uid=c248843,ou=People,o=Winterthur,c=ch
bdb_dn2entry_rw("uid=c248843,ou=people,o=winterthur,c=ch")
=> bdb_dn2id_matched( "uid=c248843,ou=people,o=winterthur,c=ch" )
====> bdb_cache_find_entry_dn2id("uid=c248843,ou=people,o=winterthur,c=ch"): 15633 (1 tries)
====> bdb_cache_find_entry_id( 15633 ) "uid=c248843,ou=People,o=Winterthur,c=ch" (found) (1 tries)
=> access_allowed: auth access to "uid=c248843,ou=People,o=Winterthur,c=ch" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=c248843,ou=People,o=Winterthur,c=ch attr: userPassword
=> acl_mask: access to entry "uid=c248843,ou=People,o=Winterthur,c=ch", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: cn=Manager
=> string_expand: pattern: cn=Manager
=> string_expand: expanded: cn=Manager
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=x) (stop)
<= acl_mask: [3] mask: auth(=x)
=> access_allowed: auth access granted by auth(=x)
====> bdb_cache_return_entry_r( 15633 ): returned (0)
do_bind: v3 bind: "uid=c248843,ou=People,o=Winterthur,c=ch" to "uid=c248843,ou=People,o=Winterthur,c=ch"
send_ldap_result: conn=6 op=4 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=5 tag=97 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 05 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 05 61 07 0a 01 00 04 00 04 00 0....a........
conn=6 op=4 RESULT tag=97 err=0 text=
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: select: listen=8 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 12r
daemon: read activity on 12
connection_get(12)
connection_get(12): got connid=6
connection_read(12): checking for input on id=6
ber_get_next
ldap_read: want=9, got=7
0000: 30 05 02 01 06 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x0023c458 ptr=0x0023c458 end=0x0023c45d len=5
0000: 02 01 06 42 00 ...B.
ber_get_next
do_unbind
ldap_read: want=9, got=0
ber_get_next on fd 12 failed errno=0 (Error 0)
connection_read(12): input error=-2 id=6, closing.
conn=6 op=5 UNBIND
connection_closing: readying conn=6 sd=12 for close
connection_close: deferring conn=6 sd=12
daemon: select: listen=7 active_threads=1 tvp=NULL
connection_resched: attempting closing conn=6 sd=12
daemon: select: listen=8 active_threads=1 tvp=NULL
connection_close: conn=6 sd=12
daemon: activity on 1 descriptors
daemon: removing 12
conn=6 fd=12 closed
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: select: listen=8 active_threads=1 tvp=NULL
What am I doing wrong?
Thanx a lot, Vadim Tarassov.
-------------------------------------------------------
Vadim Tarassov
e-Platform Solution Center
Telefon +41 52 261 73 22
Fax +41 52 261 46 40
mailto:vadim.tarassov@winterthur.ch
-------------------------------------------------------
Winterthur Versicherungen
General Guisan-Str. 40
8401 Winterthur
http://www.winterthur.com
-------------------------------------------------------
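As an added example (not part of the thread, not PADL's or OpenLDAP's code), a small Python parser over the `conn=N op=M ...` summary lines of a slapd log like the one quoted above: it lists the operations per connection and reports whether a password change ever reached the server (pam_password clear/crypt arrive as a MOD, exop as an EXT op), which in the quoted log is the case nowhere: three BINDs and an UNBIND, so the failure happened on the client before anything was sent. The sample log is constructed from the post's own summary lines; the verdict strings and the `diagnose` logic are my own.

```python
import re
# Constructed sample: the conn/op summary lines of the slapd log quoted in the post.
POST_LOG = """\
conn=6 op=2 BIND dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
conn=6 op=2 RESULT tag=97 err=0 text=
conn=6 op=3 BIND dn="" method=128
conn=6 op=3 RESULT tag=97 err=0 text=
conn=6 op=4 BIND dn="uid=c248843,ou=People,o=Winterthur,c=ch" method=128
conn=6 op=4 RESULT tag=97 err=0 text=
conn=6 op=5 UNBIND
"""

OP_RE = re.compile(r'^conn=(\d+) op=(\d+) (BIND|UNBIND|MOD|EXT|SRCH|ADD|DEL|MODRDN|CMP)(.*)$')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')
DN_RE = re.compile(r'dn="([^"]*)"')

def parse_ops(log):
    """Group ops by connection: kind, DN (bind or target) and the err code of its RESULT line."""
    conns = {}
    for line in log.splitlines():
        m = OP_RE.match(line)
        if m:
            conn, op, kind, rest = m.groups()
            dn = DN_RE.search(rest)
            conns.setdefault(int(conn), []).append(
                {"op": int(op), "kind": kind, "dn": dn.group(1) if dn else None, "err": None})
            continue
        m = RESULT_RE.match(line)
        if m:  # UNBIND never gets a RESULT line, so its err stays None
            conn, op, err = m.groups()
            for rec in conns.get(int(conn), []):
                if rec["op"] == int(op):
                    rec["err"] = int(err)
    return conns

def diagnose(log):
    """Per connection, report how far a passwd-via-pam_ldap attempt got."""
    verdicts = {}
    for conn, ops in parse_ops(log).items():
        if any(r["kind"] == "BIND" and r["err"] not in (None, 0) for r in ops):
            verdicts[conn] = "bind rejected: check credentials and 'auth' access to userPassword"
            continue
        changes = [r for r in ops if r["kind"] in ("MOD", "EXT")]  # clear/crypt send MOD, exop sends EXT
        if not changes:
            verdicts[conn] = "no MOD/EXT op: change never left the client; check pam_password"
        elif any(r["err"] for r in changes):
            verdicts[conn] = "slapd refused the change: check 'by self write' on userPassword"
        else:
            verdicts[conn] = "password change accepted"
    return verdicts
```

Note that at this debug level slapd also hex-dumps every simple BIND request, cleartext password included, so a log like the one above should be treated as a secret and trimmed to the summary lines before it is shared.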