
LDAP referral, binding -> invalid credentials



Hello,

I have a problem with LDAP referrals and nss-pam-ldapd. I'm working
with Ubuntu lucid 10.04, but I don't think it's related to that
specific version or to Ubuntu.

I have two LDAP servers (ldapserver1 and ldapserver2) in a
decentralized LDAP configuration. Some users exist in the LDAP
database located on the first server, others in the database located
on the second. Therefore I configured a referral, pointing from the
first database to the second (LDAP V3, in the People subtree of the
first database on ldapserver1; hence no global referral in cn=config):

dn: ou=Test,ou=People,dc=subdomain,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
dc: subtree
ref: ldap://ldapserver2/dc=subdomain,dc=example,dc=com

Users found in either LDAP database shall be able to login to all the
computers that use nss-pam-ldapd. In /etc/ldap.conf, LDAP server
"ldapserver1" is configured. The idea is that with the referral, users
on ldapserver2 should be found.

To me, it seems that this configuration works, which I deduce from ldapsearch:

~~~~~~~~~~~

ldapuser@ldapserver1:~$ ldapsearch -x uid=ldapuser -LLL
# refldap://ldapserver2.example.com/dc=subdomain,dc=example,dc=com??sub

ldapuser@ldapserver1:~$ ldapsearch -Cx uid=ldapuser -LLL
# refldap://ldapserver2.example.com/dc=subdomain,dc=example,dc=com??sub

dn: uid=ldapuser,ou=Staff,ou=People,dc=subdomain,dc=example,dc=com
cn: The Realname
gecos: The Realname
gidNumber: 12300
homeDirectory: /home/ldapuser
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
shadowLastChange: xxxxx
sn: Realname
uid: ldapuser
uidNumber: 12345

~~~~~~~~~~~

getent seems to work fine, too:

~~~~~~~~~~~

ldapuser@ldapserver1:~$ getent passwd ldapuser
ldapuser:x:12345:12300:The Realname:/home/ldapuser:/bin/bash

~~~~~~~~~~~

But -- authentication as user "ldapuser" -- which exists on
ldapserver2 only -- fails:

~~~~~~~~~~~

ldapuser@ldapserver1:~$ su ldapuser
Password:
su: Authentication failure

~~~~~~~~~~~

The log of nslcd looks as follows:

~~~~~~~~~~~

ldapuser@ldapserver1:~$ sudo nslcd -d
nslcd: DEBUG: add_uri(ldap://ldapserver1.example.com)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,3)
nslcd: DEBUG: 
ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/ca-certificates.crt")
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No
such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(125) done
nslcd: DEBUG: setuid(119) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=32206 uid=0 gid=12300
nslcd: [8b4567] DEBUG: nslcd_shadow_byname(ldapuser)
nslcd: [8b4567] DEBUG:
myldap_search(base="dc=subdomain,dc=example,dc=com",
filter="(&(objectClass=shadowAccount)(uid=ldapuser))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldapserver1.example.com)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_start_tls_s()
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://ldapserver1.example.com")
nslcd: [8b4567] connected to LDAP server ldap://ldapserver1.example.com
nslcd: [8b4567] DEBUG: rebinding to
ldap://ldapserver2.example.com/dc=subdomain,dc=example,dc=com??sub
nslcd: [8b4567] DEBUG: ldap_start_tls_s()
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://ldapserver2.example.com/dc=subdomain,dc=example,dc=com??sub")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=32206 uid=0 gid=12300
nslcd: [7b23c6] DEBUG: nslcd_pam_authc("ldapuser","","su","***")
nslcd: [7b23c6] DEBUG:
myldap_search(base="dc=subdomain,dc=example,dc=com",
filter="(&(objectClass=posixAccount)(uid=ldapuser))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://ldapserver1.example.com)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_start_tls_s()
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://ldapserver1.example.com")
nslcd: [7b23c6] connected to LDAP server ldap://ldapserver1.example.com
nslcd: [7b23c6] DEBUG: rebinding to
ldap://ldapserver2.example.com/dc=subdomain,dc=example,dc=com??sub
nslcd: [7b23c6] DEBUG: ldap_start_tls_s()
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://ldapserver2.example.com/dc=subdomain,dc=example,dc=com??sub")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldap://ldapserver1.example.com)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_start_tls_s()
nslcd: [7b23c6] DEBUG:
ldap_simple_bind_s("uid=ldapuser,ou=Staff,ou=People,dc=subdomain,dc=example,dc=com","*****")
(uri="ldap://ldapserver1.example.com")
nslcd: [7b23c6] failed to bind to LDAP server
ldap://ldapserver1.example.com: Invalid credentials: Success

~~~~~~~~~~~

It seems to me that the binding fails because it binds to ldapserver1,
where "ldapuser" does not exist. It only exists on ldapserver2. It
might be that I misunderstand LDAP here.

Do you have some hints on that? What am I doing wrong? I would be glad
if I could provide you with further information ... but for the first
mail, I wanted to keep it as short as possible.

Any help would be greatly appreciated. Thanks a lot!

Regards,

Valentin
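The pattern in the log above (a referral followed during the search, then the user's DN bound against the configured server, which answers "Invalid credentials") can be picked out of nslcd debug output mechanically. This is an added example, not part of the post or of nss-pam-ldapd; the sample log is constructed from the lines quoted above, and the record format assumed is the one nslcd -d printed there.

```python
import re
# Constructed sample shaped like the post's nslcd -d log, mail-wrapped lines included.
SAMPLE_LOG = """\
nslcd: [7b23c6] DEBUG: nslcd_pam_authc("ldapuser","","su","***")
nslcd: [7b23c6] DEBUG: rebinding to
ldap://ldapserver2.example.com/dc=subdomain,dc=example,dc=com??sub
nslcd: [7b23c6] DEBUG:
ldap_simple_bind_s("uid=ldapuser,ou=Staff,ou=People,dc=subdomain,dc=example,dc=com","*****")
(uri="ldap://ldapserver1.example.com")
nslcd: [7b23c6] failed to bind to LDAP server
ldap://ldapserver1.example.com: Invalid credentials: Success
"""

LINE_RE = re.compile(r"^nslcd: \[(?P<sid>[0-9a-f]+)\] (?P<msg>.*)$")
REBIND_RE = re.compile(r"rebinding to (ldaps?://\S+)")
USER_BIND_RE = re.compile(r'ldap_simple_bind_s\("([^"]+)","[^"]*"\) \(uri="([^"]+)"\)')
FAIL_RE = re.compile(r"failed to bind to LDAP server (\S+): (.*)")

def host_of(uri):
    return uri.split("://", 1)[-1].split("/", 1)[0]   # ldap://host/base??sub -> host

def unwrap(text):
    # nslcd writes one record per line; glue mail-wrapped continuation lines back on.
    records = []
    for raw in text.splitlines():
        if raw.startswith("nslcd:") or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw.strip()
    return records

def find_referral_bind_mismatches(text):
    """(session_id, dn, bound_host, referred_hosts) for each session that followed a
    referral while searching, then bound the user's DN to a host the referral did
    not name and was told 'Invalid credentials' by that host."""
    referred, binds, failed = {}, {}, {}
    for rec in unwrap(text):
        if not (m := LINE_RE.match(rec)):
            continue
        sid, msg = m.group("sid"), m.group("msg")
        if r := REBIND_RE.search(msg):
            referred.setdefault(sid, set()).add(host_of(r.group(1)))
        elif b := USER_BIND_RE.search(msg):       # quoted DN: not the anonymous bind
            binds[sid] = (b.group(1), host_of(b.group(2)))
        elif f := FAIL_RE.search(msg):
            failed[sid] = (host_of(f.group(1)), f.group(2))
    return [(sid, dn, host, sorted(referred[sid]))
            for sid, (dn, host) in binds.items()
            if sid in referred and host not in referred[sid]
            and failed.get(sid, ("", ""))[0] == host and "Invalid credentials" in failed[sid][1]]
```

Run against a full `nslcd -d` capture it lists every PAM session whose authenticating bind went to a server other than the one the search was referred to, which is exactly the situation the post describes.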