From: James
Date: Wed, 3 Nov 2010 12:25:49 -0400
Subject: [gentoo-user] ldap client authentication
To: gentoo-user@lists.gentoo.org

Folks,

I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.

Here's the rundown of how things are configured (fairly straightforward):

- OpenDS server has the following entry (gathered directly from ldapsearch output), below. Note that clearly the LDAP server is properly configured if it's responding to an ldapsearch on the client with no problems.

ldap ~ # ldapsearch -H ldap://auth.whatever.com "objectclass=posixAccount"
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: tb@whatever.com
gidNumber: 10001

- /etc/ldap.conf

base ou=it,dc=whatever,dc=com
uri ldaps://auth.whatever.com
ldap_version 3
tls_reqcert allow
pam_password exop
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
nss_base_passwd ou=it,dc=whatever,dc=com
nss_base_shadow ou=it,dc=whatever,dc=com
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data
timelimit 5
bind_timelimit 5

- Likewise, /etc/openldap/ldap.conf

BASE        ou=it,dc=whatever,dc=com
URI         ldaps://auth.whatever.com
TLS_REQCERT allow
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never

Simple problem: authentication fails. On the CLIENT I see the following in the log files:

==> auth.log <==
Nov  3 06:26:03 s_dgram@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com

On the SERVER I see the following:

[03/Nov/2010:06:27:05 -0400] CONNECT conn=314 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=314 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=314 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=1 msgID=2 result=0 nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=2 msgID=3 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=2 msgID=3 result=0 nentries=1 etime=1
[03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:27:05 -0400] SEARCH RES conn=315 op=1 msgID=2 result=0 nentries=1 etime=0
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0 authDN="" etime=0
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=314 reason="Client Disconnect"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=309 reason="Client Disconnect"

Looks fine, right? Well not really. If I run an ldapsearch *exactly* as it appears in the SERVER's log, it returns the user.

ldap ~ # ldapsearch -H ldap://auth.whatever.com -b "ou=it,dc=whatever,dc=com" "(&(objectclass=posixAccount)(uid=tb))"
# extended LDIF
#
# LDAPv3
# base <ou=it,dc=whatever,dc=com> with scope subtree
# filter: (&(objectclass=posixAccount)(uid=tb))
# requesting: ALL
#

# tb, it, whatever.com
dn: cn=tb,ou=it,dc=whatever,dc=com
uid: tb
initials: tb
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
givenName: Thomas
cn: tb
sn: Bellview
telephoneNumber: 333.555.3333
homeDirectory: /home/tb
uidNumber: 10001
mail: tb@whatever.com
gidNumber: 10001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This has me pulling my hair out. Clearly the manual ldapsearch works. The only thing I can think of is the "scope=wholeSubtree" or the "attrs=ALL" breaking the query; clearly the applied filters work without any issues.

Thoughts / ideas would be greatly appreciated.

-james
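Added example (editor's code, not from the thread): a Python checker for OpenDS access-log excerpts like the one quoted above. A login that actually verifies a password through pam_ldap normally shows a second BIND REQ with the user's own DN after the uid lookup, whereas the posted excerpt contains only anonymous binds (dn="") arriving on the plain port 389 although both client files ask for ldaps://; the checker flags connections that looked up a uid but never bound as any DN and records the port used. The conn=316 lines are constructed to show what a user bind looks like; the field names follow the log format quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the access-log excerpt in the post (anonymous binds only).
SAMPLE_LOG = """\
[03/Nov/2010:06:27:05 -0400] CONNECT conn=314 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=314 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword"
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
"""
# Constructed (not from the post): a lookup followed by a BIND as the user's own DN.
USER_BIND_LOG = """\
[03/Nov/2010:06:30:00 -0400] CONNECT conn=316 from=10.1.1.166:44901 to=10.1.1.115:636
[03/Nov/2010:06:30:00 -0400] BIND REQ conn=316 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:30:00 -0400] SEARCH REQ conn=316 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="dn"
[03/Nov/2010:06:30:00 -0400] BIND REQ conn=316 op=2 msgID=3 type=SIMPLE dn="cn=tb,ou=it,dc=whatever,dc=com"
"""

LINE_RE = re.compile(r'^\[[^\]]+\] (CONNECT|BIND REQ|BIND RES|SEARCH REQ|SEARCH RES|DISCONNECT) (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may themselves contain '='

def parse_access_log(text):
    """Group access-log events by connection id; each event is a dict of its key=value fields."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
            ev['kind'] = m.group(1)
            conns[int(ev['conn'])].append(ev)
    return dict(conns)

def audit_connection(events):
    """Summarise one connection: uid searched for, DNs bound as, and use of the plain port 389."""
    out = {'looked_up': None, 'bound_as': [], 'plaintext_port': False}
    for ev in events:
        if ev['kind'] == 'CONNECT' and ev.get('to', '').endswith(':389'):
            out['plaintext_port'] = True
        elif ev['kind'] == 'BIND REQ' and ev.get('dn'):  # dn="" is an anonymous bind
            out['bound_as'].append(ev['dn'])
        elif ev['kind'] == 'SEARCH REQ':
            uid = re.search(r'\(uid=([^)]+)\)', ev.get('filter', ''))
            if uid:
                out['looked_up'] = uid.group(1)
    return out

def lookups_without_user_bind(text):
    """Connection ids that searched for a uid but never bound as any DN, so no password was checked."""
    audits = {c: audit_connection(evs) for c, evs in parse_access_log(text).items()}
    return sorted(c for c, a in audits.items() if a['looked_up'] and not a['bound_as'])
```

Both client files also set tls_reqcert allow, which accepts any server certificate; once the bind behaviour is sorted out, tls_reqcert demand with a tls_cacertfile is the setting to keep.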