Re: Passwords on FreeBSD
Re: Passwords on FreeBSD
- From: Gerrit Kühn <gerrit.kuehn [at] aei.mpg.de>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Passwords on FreeBSD
- Date: Wed, 25 May 2016 12:33:25 +0200
On Wed, 25 May 2016 12:15:11 +0200 (CEST) Arthur de Jong
<arthur@arthurdejong.org> wrote about Re: Passwords on FreeBSD:
ADJ> This means that the LDAP authentication step failed. You can run
ADJ> nslcd in debug mode for more details but one relatively common thing
With debug it says
---
nslcd: DEBUG: add_uri(ldap://<ip>/)
nslcd: version 0.8.14 starting
nslcd: DEBUG: initgroups("nslcd",928) done
nslcd: DEBUG: setgid(928) done
nslcd: DEBUG: setuid(928) done
nslcd: accepting connections
nslcd: [00834d] DEBUG: connection from pid=-1 uid=0 gid=0
nslcd: [00834d] <passwd="gekueh"> DEBUG:
myldap_search(base="dc=aei,dc=mpg,dc=de",
filter="(&(objectClass=posixAccount)(uid=gekueh))")
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [00834d] <passwd="gekueh"> DEBUG: ldap_initialize(ldap://<ip>/)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [00834d] <passwd="gekueh"> DEBUG: ldap_set_rebind_proc()
nslcd: [00834d] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [00834d] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [00834d] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [00834d] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [00834d] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [00834d] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [00834d] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [00834d] <passwd="gekueh"> DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://<ip>/")
nslcd: [00834d] <passwd="gekueh"> DEBUG: ldap_result():
uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de
nslcd: [00834d] <passwd="gekueh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [ac75e1] DEBUG: connection from pid=-1 uid=0 gid=0
nslcd: [ac75e1] <passwd="gekueh"> DEBUG:
myldap_search(base="dc=aei,dc=mpg,dc=de",
filter="(&(objectClass=posixAccount)(uid=gekueh))")
nslcd: [ac75e1] <passwd="gekueh"> DEBUG: ldap_initialize(ldap://<ip>/)
nslcd: [ac75e1] <passwd="gekueh"> DEBUG: ldap_set_rebind_proc()
nslcd: [ac75e1] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [ac75e1] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [ac75e1] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [ac75e1] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [ac75e1] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [ac75e1] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [ac75e1] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [ac75e1] <passwd="gekueh"> DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://<ip>/")
nslcd: [ac75e1] <passwd="gekueh"> DEBUG: ldap_result():
uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de
nslcd: [ac75e1] <passwd="gekueh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [6f59b2] DEBUG: connection from pid=-1 uid=0 gid=0
nslcd: [6f59b2] <passwd="gekueh"> DEBUG:
myldap_search(base="dc=aei,dc=mpg,dc=de",
filter="(&(objectClass=posixAccount)(uid=gekueh))")
nslcd: [6f59b2] <passwd="gekueh"> DEBUG: ldap_initialize(ldap://<ip>/)
nslcd: [6f59b2] <passwd="gekueh"> DEBUG: ldap_set_rebind_proc()
nslcd: [6f59b2] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [6f59b2] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [6f59b2] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [6f59b2] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [6f59b2] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [6f59b2] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [6f59b2] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [6f59b2] <passwd="gekueh"> DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://<ip>/")
nslcd: [6f59b2] <passwd="gekueh"> DEBUG: ldap_result():
uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de
nslcd: [6f59b2] <passwd="gekueh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [6a1853] DEBUG: connection from pid=-1 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [6a1853] <authc="gekueh"> DEBUG: nslcd_pam_authc("gekueh","sshd","***")
nslcd: [6a1853] <authc="gekueh"> DEBUG:
myldap_search(base="dc=aei,dc=mpg,dc=de",
filter="(&(objectClass=posixAccount)(uid=gekueh))")
nslcd: [6a1853] <authc="gekueh"> DEBUG: ldap_result():
uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de
nslcd: [6a1853] <authc="gekueh"> DEBUG:
myldap_search(base="uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de",
filter="(objectClass=*)")
nslcd: [6a1853] <authc="gekueh"> DEBUG: ldap_initialize(ldap://<ip>/)
nslcd: [6a1853] <authc="gekueh"> DEBUG: ldap_set_rebind_proc()
nslcd: [6a1853] <authc="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [6a1853] <authc="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [6a1853] <authc="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [6a1853] <authc="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [6a1853] <authc="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [6a1853] <authc="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [6a1853] <authc="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [6a1853] <authc="gekueh"> DEBUG:
ldap_simple_bind_s("uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de","***")
(uri="ldap://<ip>/")
nslcd: [6a1853] <authc="gekueh"> DEBUG: failed to bind to LDAP server
ldap://<ip>/: Invalid credentials
nslcd: [6a1853] <authc="gekueh"> DEBUG: ldap_unbind()
nslcd: [6a1853] <authc="gekueh"> uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de:
lookup failed: Invalid credentials
nslcd: [6a1853] <authc="gekueh"> DEBUG:
myldap_search(base="dc=aei,dc=mpg,dc=de",
filter="(&(objectClass=shadowAccount)(uid=gekueh))")
nslcd: [6a1853] <authc="gekueh"> DEBUG: ldap_result():
uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [636f04] DEBUG: connection from pid=-1 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [636f04] <passwd="gekueh"> DEBUG:
myldap_search(base="dc=aei,dc=mpg,dc=de",
filter="(&(objectClass=posixAccount)(uid=gekueh))")
nslcd: [636f04] <passwd="gekueh"> DEBUG: ldap_initialize(ldap://<ip>/)
nslcd: [636f04] <passwd="gekueh"> DEBUG: ldap_set_rebind_proc()
nslcd: [636f04] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [636f04] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [636f04] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [636f04] <passwd="gekueh"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [636f04] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [636f04] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [636f04] <passwd="gekueh"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [636f04] <passwd="gekueh"> DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://<ip>/")
nslcd: [636f04] <passwd="gekueh"> DEBUG: ldap_result():
uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de
nslcd: [636f04] <passwd="gekueh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [0db58f] DEBUG: connection from pid=-1 uid=0 gid=0
nslcd: [0db58f] <passwd="gekueh"> DEBUG:
myldap_search(base="dc=aei,dc=mpg,dc=de",
filter="(&(objectClass=posixAccount)(uid=gekueh))")
nslcd: [0db58f] <passwd="gekueh"> DEBUG: ldap_result():
uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de
nslcd: [0db58f] <passwd="gekueh"> DEBUG: ldap_result(): end of results (1 total)
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [0b1daf] DEBUG: connection from pid=-1 uid=0 gid=0
nslcd: [0b1daf] <passwd="gekueh"> DEBUG:
myldap_search(base="dc=aei,dc=mpg,dc=de",
filter="(&(objectClass=posixAccount)(uid=gekueh))")
nslcd: [0b1daf] <passwd="gekueh"> DEBUG: ldap_result():
uid=gekueh,cn=users,dc=aei,dc=mpg,dc=de
nslcd: [0b1daf] <passwd="gekueh"> DEBUG: ldap_result(): end of results (1 total)
---
ADJ> is that after an LDAP BIND operation (where the password is checked)
ADJ> nslcd performs a search operation to check if the BIND operation
ADJ> actually succeeded. There are (were) some LDAP servers that in some
ADJ> cases don't give an error on BIND.
The server is Linux (SLES with OpenLDAP presumably; I'll have to check for the
exact version).
cu
Gerrit