Rich Megginson
2008-Mar-04 15:23 UTC
Re: [Fedora-directory-users] Prolem with pam_passthru
Giovanni Mancuso wrote:
> Hi to all,
> I have a problem with pam_passthru module.
> I use Fedora DS 1.04 and configure it with:
>
> pamIDMapMethod: RDN
> pamIDAttr: mail
> pamIDMapMethod: ENTRY
>
> If I try to authenticate I have:
> pam_passthru-plugin - Could not find BIND dn uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No such object)

It means the entry uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int does not exist.

> Any idea?
Giovanni Mancuso
2008-Mar-04 15:34 UTC
Re: [Fedora-directory-users] Prolem with pam_passthru
Rich Megginson
2008-Mar-04 15:44 UTC
Re: [Fedora-directory-users] Prolem with pam_passthru
Giovanni Mancuso wrote:
> But the entry really exists.

You have confirmed this with ldapsearch?

> How can I debug it??

The code is pretty clear on this point - it does an internal search for uid=usetest,ou=people,dc=castest.it,dc=babel,dc=int and it is not there. However, if you turn on the TRACE debug log level you might find some clues - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

One more thing - in your config you have both
pamIDMapMethod: RDN
and
pamIDMapMethod: ENTRY
I'm assuming you want to use the mail attribute value as the value to pass to PAM. So you should get rid of the pamIDMapMethod: RDN - I don't think that is causing the problem but you should fix it to eliminate that as a potential cause.

> Thanks
Giovanni Mancuso
2008-Mar-04 16:01 UTC
Re: [Fedora-directory-users] Prolem with pam_passthru
Rich Megginson wrote:
> However, if you turn on the TRACE debug log level you might find some clues - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> One more thing - in your config you have both

no, sorry, I meant:
the pam_passthru auth works if I set
pamIDMapMethod: RDN
but it maps the wrong user

then if I change the dse.ldif and put
pamIDMapMethod: ENTRY
pamIDAttr: mail
then the slapi_something_() won't find the entry even if it's there...
anyway yes, I want to use the email as the pam userid.

I wish it's clearer now..

Thx,
Giovanni
Rich Megginson
2008-Mar-04 16:52 UTC
Re: [Fedora-directory-users] Prolem with pam_passthru
Giovanni Mancuso wrote:
> Rich Megginson wrote:
>> However, if you turn on the TRACE debug log level you might find some clues - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>
>> One more thing - in your config you have both
> no, sorry, I meant:
> the pam_passthru auth works if I set
> pamIDMapMethod: RDN
> but it maps the wrong user

Ok. So this means you have a user uid=username whose pam login is not "username".

> then if I change the dse.ldif and put
> pamIDMapMethod: ENTRY
> pamIDAttr: mail
> then the slapi_something_() won't find the entry even if it's there...
> anyway yes, I want to use the email as the pam userid.
>
> I wish it's clearer now..

Yes. So I think the next step will be to turn on TRACE level debugging in the error log to see why it cannot find your entry.

> Thx,
> Giovanni
Giovanni Mancuso
2008-Mar-04 18:05 UTC
Re: [Fedora-directory-users] Prolem with pam_passthru
Rich Megginson
2008-Mar-05 15:21 UTC
Re: [Fedora-directory-users] Prolem with pam_passthru
Giovanni Mancuso wrote:
> The TRACE is:
>
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b948, handle=3
> [04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 0 (NOT FOUND)
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.8.5.1)
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b8a8, handle=3
> [04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 1 (FOUND)
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - <= get_ldapmessage_controls 1 controls
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b808, handle=3
> [04/Mar/2008:19:04:15 +0100] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.16)
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - <= slapi_control_present 0 (NOT FOUND)
> [04/Mar/2008:19:04:15 +0100] - do_bind: version 3 method 0x80 dn uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int
> [04/Mar/2008:19:04:15 +0100] - mapping tree selected backend : userRoot
> [04/Mar/2008:19:04:15 +0100] - Calling plugin 'Legacy replication preoperation plugin' #3 type 401
> [04/Mar/2008:19:04:15 +0100] - Calling plugin 'Multimaster replication preoperation plugin' #4 type 401
> [04/Mar/2008:19:04:15 +0100] - Calling plugin 'PAM Pass Through Auth' #5 type 401
> [04/Mar/2008:19:04:15 +0100] - allow_operation: component identity is NULL

Looks like the bug is here. The component identity is NULL when it should not be. Can you please file a bug about this issue?

> [04/Mar/2008:19:04:15 +0100] pam_passthru-plugin - Could not find BIND dn uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No such object)
> [04/Mar/2008:19:04:15 +0100] pam_passthru-plugin - Bind DN [uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int] is invalid or not found
> [04/Mar/2008:19:04:15 +0100] - => send_ldap_result 32::Bind DN [uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int] is invalid or not found
> [04/Mar/2008:19:04:15 +0100] - add_pb
> [04/Mar/2008:19:04:15 +0100] - <= send_ldap_result
> [04/Mar/2008:19:04:15 +0100] - get_pb
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b8a8, handle=3
> [04/Mar/2008:19:04:15 +0100] - do_unbind
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - => get_ldapmessage_controls
> [04/Mar/2008:19:04:15 +0100] - => slapi_reslimit_get_integer_limit() conn=0xb669b808, handle=3
> [04/Mar/2008:19:04:15 +0100] - <= get_ldapmessage_controls no controls
> [04/Mar/2008:19:04:15 +0100] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
> [04/Mar/2008:19:04:15 +0100] - defbackend_noop
> [04/Mar/2008:19:04:16 +0100] - ldbm backend flushing
> [04/Mar/2008:19:04:16 +0100] - ldbm backend done flushing
> [04/Mar/2008:19:04:16 +0100] - ldbm backend flushing
> [04/Mar/2008:19:04:16 +0100] - ldbm backend done flushing
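An added example, not part of the thread and not Fedora DS code: a small Python triage script that groups error-log trace lines per bind and flags the sequence discussed above (a NULL component identity followed by pam_passthru error 32). The first six sample lines are taken from the trace quoted in the thread; the last two are constructed, and the function names and the one-bind-at-a-time assumption are this example's own.

```python
import re
# First six lines: from the trace quoted in the thread (unwrapped). Last two: constructed.
SAMPLE_LOG = """\
[04/Mar/2008:19:04:15 +0100] - do_bind: version 3 method 0x80 dn uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int
[04/Mar/2008:19:04:15 +0100] - Calling plugin 'PAM Pass Through Auth' #5 type 401
[04/Mar/2008:19:04:15 +0100] - allow_operation: component identity is NULL
[04/Mar/2008:19:04:15 +0100] pam_passthru-plugin - Could not find BIND dn uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int (error 32 - No such object)
[04/Mar/2008:19:04:15 +0100] - => send_ldap_result 32::Bind DN [uid=usertest,ou=people,dc=castest.it,dc=babel,dc=int] is invalid or not found
[04/Mar/2008:19:04:15 +0100] - do_unbind
[04/Mar/2008:19:05:02 +0100] - do_bind: version 3 method 0x80 dn uid=constructed,ou=people,dc=example,dc=com
[04/Mar/2008:19:05:02 +0100] - => send_ldap_result 0::
"""

LINE = re.compile(r"^\[([^\]]+)\] (?:(\S+) )?- (.*)$")   # timestamp, optional subsystem, message
BIND = re.compile(r"do_bind: version \d+ method \S+ dn (.+)$")
PLUGIN = re.compile(r"Calling plugin '(.+)' #\d+ type \d+")
PAM_ERR = re.compile(r"Could not find BIND dn .+ \(error (\d+) ")
RESULT = re.compile(r"=> send_ldap_result (\d+):")

def triage(log_text):
    """Group trace lines per bind. Assumes binds are not interleaved across connections."""
    binds, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, src, msg = m.groups()
        if (b := BIND.match(msg)):
            cur = dict(time=ts, dn=b.group(1), plugins=[], null_identity=False, pam_error=None, result=None)
            binds.append(cur)
        elif cur is None:
            continue                      # line belongs to no bind we are tracking
        elif (p := PLUGIN.match(msg)):
            cur["plugins"].append(p.group(1))
        elif msg.startswith("allow_operation: component identity is NULL"):
            cur["null_identity"] = True
        elif src == "pam_passthru-plugin" and (e := PAM_ERR.search(msg)):
            cur["pam_error"] = int(e.group(1))
        elif (r := RESULT.match(msg)) and cur["result"] is None:
            cur["result"] = int(r.group(1))   # first LDAP result code sent for this bind
        elif msg.startswith("do_unbind"):
            cur = None
    return binds

def flagged(binds):
    """Binds showing the sequence from the thread: NULL component identity, then error 32."""
    return [b for b in binds if b["null_identity"] and b["pam_error"] == 32]

print([(b["time"], b["dn"], b["plugins"]) for b in flagged(triage(SAMPLE_LOG))])
```

On a busy server TRACE output from several connections is interleaved, so run this against a log captured while reproducing a single bind.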