Net Warrior wrote:
> Well, this is the relevant part of the log, I could not post all the log cuz
> it's too large and I get bounce.
>
> Jan 13 17:51:48 netwarrior slapd[2307]: daemon: activity on 1 descriptor
> Jan 13 17:51:48 netwarrior slapd[2307]: daemon: activity on:
> Jan 13 17:51:48 netwarrior slapd[2307]:
> Jan 13 17:51:48 netwarrior slapd[2307]: daemon: listen=7, new connection on 13
> Jan 13 17:51:48 netwarrior slapd[2307]: daemon: added 13r
> Jan 13 17:51:48 netwarrior slapd[2307]: conn=1 fd=13 ACCEPT from IP=172.16.4.120:52794 (IP=0.0.0.0:389)
> ...
> Jan 13 17:51:55 netwarrior slapd[2307]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jan 13 17:51:55 netwarrior sshd[2326]: error: PAM: Authentication failure for hormiga from 172.16.4.100
>
> I'm authenticating from 172.16.4.100 and not from 120 ...
> Do not know why it says
> ACCEPT from IP=172.16.4.120:52796 (IP=0.0.0.0:389)
> Does this mean that it is accepting connections from that IP instead of .100?

Ok, now pam comes into play. You never mentioned you were connecting with ssh, so my crystal ball made me believe you were directly connecting to slapd with an LDAP client. Now my crystal ball is working much better, so I'll try to make it as simple as possible.

You connect with an ssh client from 172.16.4.100 to a sshd on 172.16.4.120. The sshd uses pam_ldap to auth on slapd, which is anywhere. So the LDAP connection is from the pam_ldap layer under the sshd, which is located on 172.16.4.120, and slapd sees the LDAP connection coming from 172.16.4.120.

Simple enough? Perhaps, since you trust so much ACLs by IP, you should at least know what path your connections follow.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
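
The connection path described in the reply can be read back out of the logs. This is an added example, not part of the original message: it pairs each sshd PAM failure with the peer addresses slapd accepted in the preceding seconds. The log lines are copied from the quoted excerpt; the 30-second window, the placeholder year and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three lines copied from the log quoted in the thread.
SAMPLE_LOG = """\
Jan 13 17:51:48 netwarrior slapd[2307]: conn=1 fd=13 ACCEPT from IP=172.16.4.120:52794 (IP=0.0.0.0:389)
Jan 13 17:51:55 netwarrior slapd[2307]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 13 17:51:55 netwarrior sshd[2326]: error: PAM: Authentication failure for hormiga from 172.16.4.100
"""

ACCEPT_RE = re.compile(
    r"slapd\[\d+\]: conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:\d+\)")
PAM_FAIL_RE = re.compile(
    r"sshd\[\d+\]: error: PAM: Authentication failure for (\S+) from ([\d.]+)")

def _stamp(line):
    # Syslog timestamps carry no year; a fixed placeholder year is assumed
    # so that two timestamps from the same log can be subtracted.
    return datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")

def parse(log):
    """Split the log into slapd ACCEPT events and sshd PAM failures."""
    accepts, failures = [], []
    for line in log.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accepts.append({"time": _stamp(line), "conn": int(m.group(1)),
                            "peer": m.group(2)})
            continue
        m = PAM_FAIL_RE.search(line)
        if m:
            failures.append({"time": _stamp(line), "user": m.group(1),
                             "ssh_client": m.group(2)})
    return accepts, failures

def correlate(log, window=timedelta(seconds=30)):
    """For each PAM failure, list the LDAP peers slapd accepted just before it."""
    accepts, failures = parse(log)
    report = []
    for f in failures:
        peers = sorted({a["peer"] for a in accepts
                        if timedelta(0) <= f["time"] - a["time"] <= window})
        report.append({"user": f["user"], "ssh_client": f["ssh_client"],
                       "ldap_peers": peers,
                       # False means slapd never saw the ssh client's address.
                       "ssh_client_reached_slapd": f["ssh_client"] in peers})
    return report

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

An IP-based ACL on slapd is evaluated against the addresses reported in `ldap_peers`, not against `ssh_client`.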
