[Fedora-directory-users] ssh login fail

Steven Jones Steven.Jones at vuw.ac.nz
Mon Sep 10 22:08:41 UTC 2007


8><----

I would start with the Fedora DS access log.  See if ssh is making a 
connection to Fedora DS, if so, see what types of operations are being 
sent, and the responses to those operations.  For searches, see what the
base DN, filter, and attributes being requested are.

This helped.....the ldapsearch was being logged but the pam search was
not so....

I blew away /etc/ldap.conf and symlinked it to /etc/openldap/ldap.conf,
then blindly added these lines to its somewhat short form,

=======
scope sub
suffix          "dc=vuw,dc=ac,dc=nz"
#TLS_CACERTDIR /etc/openldap/cacerts
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=cognifide,dc=pl
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_shadow ou=People,dc=cognifide,dc=pl
nss_base_group  ou=Group,dc=cognifide,dc=pl
nss_base_hosts  ou=Hosts,dc=cognifide,dc=pl
===========

The log now shows,

8><-----
PosixAccount)(uid=root))" attrs=ALL
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101
nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=2 RESULT err=32 tag=101
nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH
base="ou=Group,dc=cognifide,dc=pl" scope=2
filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101
nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101
nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=-1 fd=67 closed error 104
(Connection reset by peer) - TCP connection reset by peer.

So pam is now actually querying the LDAP server it seems, it is not
getting it right but it's a small step.

I would seem to need to do some config around this area,

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
HOST 130.195.87.249
BASE dc=vuw,dc=ac,dc=nz
ssl no
scope sub
suffix          "dc=vuw,dc=ac,dc=nz"
#TLS_CACERTDIR /etc/openldap/cacerts
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=Computers,dc=cognifide,dc=pl
nss_base_passwd ou=People,dc=cognifide,dc=pl
nss_base_shadow ou=People,dc=cognifide,dc=pl
nss_base_group  ou=Group,dc=cognifide,dc=pl
nss_base_hosts  ou=Hosts,dc=cognifide,dc=pl

As I still get no reply/successful login.

Regards

Steven
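A defender-side check for the symptom in the post, added here as an example and not part of the original message or of Fedora DS: it pairs each SRCH in the access log with its RESULT (keyed on conn/op) and flags lookups that returned err=32 (LDAP noSuchObject) or whose base DN lies outside the server's suffix. The sample log lines are constructed after the excerpt above; the suffix value is the one from the pasted ldap.conf.

```python
import re

# Constructed sample, modelled on the Fedora DS access-log excerpt in the post: a group
# lookup under the wrong base (err=32) and a user lookup under the real suffix that succeeds.
SAMPLE_LOG = """\
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 SRCH base="ou=Group,dc=cognifide,dc=pl" scope=2 filter="(&(objectClass=posixGroup)(memberUid=root))" attrs="gidNumber"
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:01 +1200] conn=200 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[11/Sep/2007:10:01:02 +1200] conn=201 op=1 SRCH base="ou=People,dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(objectClass=posixAccount)(uid=steven))" attrs=ALL
[11/Sep/2007:10:01:02 +1200] conn=201 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)')

def dn_under_suffix(base, suffix):
    """True if the base DN equals the suffix or sits beneath it (case/space-insensitive)."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    b, s = norm(base), norm(suffix)
    return b == s or b.endswith("," + s)

def find_failed_lookups(log_text, suffix):
    """Pair SRCH/RESULT by (conn, op); report err=32 results and bases outside the suffix."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, filt = m.groups()
            pending[(conn, op)] = (base, filt)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, nentries = m.groups()
        # pop, so the duplicated RESULT lines seen in the post are reported only once
        hit = pending.pop((conn, op), None)
        if hit is None:
            continue
        base, filt = hit
        outside = not dn_under_suffix(base, suffix)
        if int(err) == 32 or outside:
            findings.append({"conn": conn, "op": op, "base": base, "filter": filt,
                             "err": int(err), "nentries": int(nentries),
                             "outside_suffix": outside})
    return findings

if __name__ == "__main__":
    for f in find_failed_lookups(SAMPLE_LOG, "dc=vuw,dc=ac,dc=nz"):
        print(f)
```

Run against a real access log, a hit with outside_suffix=True points at an nss_base_* or pam base that does not belong to this server's suffix rather than at a missing entry.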



