OpenSSH public key problem with Solaris 10 and LDAP users?

Alexander Skwar listen at alexander.skwar.name
Tue Aug 14 23:43:04 EST 2007


Peter Stuge <stuge-openssh-unix-dev at cdy.org> wrote:

> On Tue, Aug 14, 2007 at 02:29:17PM +0200, Alexander Skwar wrote:
>> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 835736 auth.debug]
>> | __ns_ldap_getAcctMgmt() failed for testme with error 7
>> | 
>> | ==> ./remote/winds06/auth/warning <==
>> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 778364 auth.warning] libsldap:
>> | server 127.0.0.1 does not provide account information without password
> 
> Maybe this is a hint.

Yep. Public Key auth is certainly auth without a password :) But why
don't I get this message when I log in with a good user?

>> | ==> ./remote/winds06/local4/debug <==
>> | Aug 14 14:22:12 winds06 slapd[24115]: [ID 925615 local4.debug] <=
>> | bdb_equality_candidates: (memberUid) index_param failed (18)
>> | Aug 14 14:22:12 winds06 slapd[24115]: [ID 925615 local4.debug] <=
>> | bdb_equality_candidates: (uid) index_param failed (18)
> 
> Or this.

That's just about a missing index. Important if you're interested
in performance.

And I also get this for good users.

>> "error 7"? What's that?
> 
> $ qlist openldap|grep include|xargs grep ERR|grep 7
> 
> gave these candidates:
> 
> /usr/include/ldap.h:#define LDAP_FILTER_ERROR (-7)
> /usr/include/ldap.h:#define LDAP_URL_ERR_BADATTRS 0x07 /* bad (or missing) attributes */
> /usr/include/ldap_schema.h:#define LDAP_SCHERR_BADDESC 7

Thanks.

>> Anyway. Still looks like PAM / LDAP issue.
> 
> Yes, it is.

With a strange coincidence with SSH.

>> But what I don't get is, why I *am* able to login as some users
>> with a pubkey. Any ideas about why that might be?
> 
> Something is different in the LDAP data stored for the users,
> probably because of how they were created. I hope you can find what
> it is.

That's the thing - I cannot... :( I copied the new user, using the
data from a working user. I also tried to create a new user "from
scratch". Having a look at the LDIF exports, I cannot see any differences.

Anyway. Probably really an LDAP thing. Sadly we're using Solaris
and not Linux - in Solaris, everything is just soo much more
complicated...

Oh, well.

Alexander Skwar
