pam_ldap 连不上openldap？能否帮忙看看openldap的日志？

cznao

在做vsftpd + pam_ldap + openldap
我的pam配置/etc/ldap.conf: 本地帐号登陆成功vsftpd,但是用ldap里的数据不成功？

我手工导入了一个 dn（以下），登陆ftp的时候就用这个cc用户名登陆，用这个userpassword：123456
登陆，这样能登陆成功vsftpd吗？

2楼是我的openldap的日志？


ldapadd -x -D 'cn=root,dc=it,dc=com' -W
dn: uid=cc,dc=it,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: cc
cn: cc
sn: cc
userPassword:: 123456
telephoneNumber: 138888888
description: openldap test
telexNumber: tex-888888
street: my street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999

vsftpd 配置文件 /etc/vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
guest_enable=YES
guest_username=vsftpdguest
listen=YES
chroot_local_user=YES
pam_service_name=ftp


我的pam配置/etc/pam.d/ftp:
#%PAM-1.0
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
password   sufficient   /lib/security/pam_ldap.so

auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_shells.so
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so

pam_ldap 配置文件 /etc/ldap.conf

[# @(#)$Id: ldap.conf,v 1.27 2003/01/17 21:37:12 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

host 127.0.0.1

# The distinguished name of the search base.
base dc=it,dc=com
binddn cn=root,dc=it,dc=com
bindpw secret
scope sub
pam_password crypt
ssl no
pam_filter objectclass=*


openldap 创建参考 openldap的安装笔记，请大家多点关注ldap技术。
openldap配置文件 /usr/local/openldap/etc/openldap/slapd.conf：
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/corba.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/schema/misc.schema
include         /usr/local/openldap/etc/openldap/schema/openldap.schema
include         /usr/local/openldap/etc/openldap/schema/nis.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/openldap/var/run/slapd.pid
argsfile        /usr/local/openldap/var/run/slapd.args
loglevel 1

# Load dynamic backend modules:
# modulepath    /usr/local/openldap/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read"
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=it,dc=com"
rootdn          "cn=root,dc=it,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd( and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap/var/openldap-data
# Indices to maintain
index   objectClass     eq

[ 本帖最后由 cznao 于 2006-3-31 16:25 编辑 ]

cznao

有人看得懂openldap的日志吗，这是我的日志？
[root@localhost pam.d]#  tail -50 /var/log/ldap.log
Mar 31 15:10:25 localhost slapd[1876]: >>> dnPrettyNormal: <cn=root,dc=it,dc=com>
Mar 31 15:10:25 localhost slapd[1876]: <<< dnPrettyNormal: <cn=root,dc=it,dc=com>, <cn=root,dc=it,dc=com>
Mar 31 15:10:25 localhost slapd[1876]: do_bind: version=3 dn="cn=root,dc=it,dc=com" method=128
Mar 31 15:10:25 localhost slapd[1876]: do_bind: v3 bind: "cn=root,dc=it,dc=com" to "cn=root,dc=it,dc=com"
Mar 31 15:10:25 localhost slapd[1876]: send_ldap_result: conn=53 op=0 p=3
Mar 31 15:10:25 localhost slapd[1876]: send_ldap_response: msgid=1 tag=97 err=0
Mar 31 15:10:25 localhost slapd[1876]: connection_get(10): got connid=53
Mar 31 15:10:25 localhost slapd[1876]: connection_read(10): checking for input on id=53
Mar 31 15:10:25 localhost slapd[1876]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
Mar 31 15:10:25 localhost slapd[1876]: do_search
Mar 31 15:10:25 localhost slapd[1876]: >>> dnPrettyNormal: <dc=it,dc=com>
Mar 31 15:10:25 localhost slapd[1876]: <<< dnPrettyNormal: <dc=it,dc=com>, <dc=it,dc=com>
Mar 31 15:10:25 localhost slapd[1876]: => bdb_search
Mar 31 15:10:25 localhost slapd[1876]: bdb_dn2entry("dc=it,dc=com"
Mar 31 15:10:25 localhost slapd[1876]: search_candidates: base="dc=it,dc=com" (0x00000001) scope=2
Mar 31 15:10:25 localhost slapd[1876]: => bdb_dn2idl("dc=it,dc=com"
Mar 31 15:10:25 localhost slapd[1876]: => bdb_equality_candidates (objectClass)
Mar 31 15:10:25 localhost slapd[1876]: => key_read
Mar 31 15:10:25 localhost slapd[1876]: <= bdb_index_read: failed (-30989)
Mar 31 15:10:25 localhost slapd[1876]: <= bdb_equality_candidates: id=0, first=0, last=0
Mar 31 15:10:25 localhost slapd[1876]: => bdb_presence_candidates (objectClass)
Mar 31 15:10:25 localhost slapd[1876]: => bdb_presence_candidates (objectClass)
Mar 31 15:10:25 localhost slapd[1876]: => bdb_equality_candidates (uid)
Mar 31 15:10:25 localhost slapd[1876]: <= bdb_equality_candidates: (uid) index_param failed (1
Mar 31 15:10:25 localhost slapd[1876]: bdb_search_candidates: id=-1 first=1 last=5
Mar 31 15:10:25 localhost slapd[1876]: bdb_search: 1 does not match filter
Mar 31 15:10:25 localhost slapd[1876]: bdb_search: 2 does not match filter
Mar 31 15:10:25 localhost slapd[1876]: => send_search_entry: conn 53 dn="uid=cc,dc=it,dc=com"
Mar 31 15:10:25 localhost slapd[1876]: <= send_search_entry: conn 53 exit.
Mar 31 15:10:25 localhost slapd[1876]: send_ldap_result: conn=53 op=1 p=3
Mar 31 15:10:25 localhost slapd[1876]: send_ldap_response: msgid=2 tag=101 err=0
Mar 31 15:10:25 localhost slapd[1876]: connection_get(10): got connid=53
Mar 31 15:10:25 localhost slapd[1876]: connection_read(10): checking for input on id=53
Mar 31 15:10:25 localhost slapd[1876]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
Mar 31 15:10:25 localhost slapd[1876]: do_bind
Mar 31 15:10:25 localhost slapd[1876]: >>> dnPrettyNormal: <cn=root,dc=it,dc=com>
Mar 31 15:10:25 localhost slapd[1876]: <<< dnPrettyNormal: <cn=root,dc=it,dc=com>, <cn=root,dc=it,dc=com>
Mar 31 15:10:25 localhost slapd[1876]: do_bind: version=3 dn="cn=root,dc=it,dc=com" method=128
Mar 31 15:10:25 localhost slapd[1876]: do_bind: v3 bind: "cn=root,dc=it,dc=com" to "cn=root,dc=it,dc=com"
Mar 31 15:10:25 localhost slapd[1876]: send_ldap_result: conn=53 op=2 p=3
Mar 31 15:10:25 localhost slapd[1876]: send_ldap_response: msgid=3 tag=97 err=0
Mar 31 15:10:26 localhost slapd[1876]: connection_get(10): got connid=53
Mar 31 15:10:26 localhost slapd[1876]: connection_read(10): checking for input on id=53
Mar 31 15:10:26 localhost slapd[1876]: ber_get_next on fd 10 failed errno=0 (Success)
Mar 31 15:10:26 localhost slapd[1876]: connection_read(10): input error=-2 id=53, closing.
Mar 31 15:10:26 localhost slapd[1876]: connection_closing: readying conn=53 sd=10 for close
Mar 31 15:10:26 localhost slapd[1876]: connection_close: deferring conn=53 sd=10
Mar 31 15:10:26 localhost slapd[1876]: do_unbind
Mar 31 15:10:26 localhost slapd[1876]: connection_resched: attempting closing conn=53 sd=10
Mar 31 15:10:26 localhost slapd[1876]: connection_close: conn=53 sd=10

[ 本帖最后由 cznao 于 2006-3-31 16:18 编辑 ]