Re: LDAP referral, binding -> invalid credentials

On Mon, 2010-07-12 at 20:43 +0200, Valentin Mann wrote:
> getent seems to work fine, too:
> ldapuser@ldapserver1:~$ getent passwd ldapuser
> ldapuser:x:12345:12300:The Realname:/home/ldapuser:/bin/bash

I must say I have not tested the referrals functionality. Does
nss-pam-ldapd go back correctly to the first server if another NSS (e.g.
getent passwd) request is done and cannot be found on the second server?
Are referral objects needed on server2 to direct back to server1?

> But -- authentication as user "ldapuser" -- which exists on
> ldapserver2 only -- fails:
> ldapuser@ldapserver1:~$ su ldapuser
> Password:
> su: Authentication failure

The BIND check also starts at the first server but does not get referred
to the second server (or perhaps the referral is done but not picked up

> It seems to me that the binding fails because it binds to ldapserver1,
> where "ldapuser" does not exist. It only exists on ldapserver2. It
> might be that I misunderstand LDAP here.

I must say that I'm no expert on all LDAP things myself and have never
used referrals.

I will investigate this further and see if there is a fix available for
this. Perhaps it is enough to do a user lookup first (which should end
up on the correct server) and rebind as the user after that. Currently a
separate connection is used for the bind check to not interfere with the
next thread which may re-use the connection.

Any ideas are welcome on this and patches are even better ;).

Anyway, thanks for reporting this and the level of detail of your report
is very much appreciated.
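An added simulation (not code from nss-pam-ldapd or from this thread) of the two-server setup in the report: it shows why a bind that always goes to the first server is rejected for a user held only on the second, and how the "lookup first, then rebind where the entry was found" approach suggested above succeeds. Server names, DNs and passwords are constructed for the example.

```python
from dataclasses import dataclass, field
def user_dn(uid):  # constructed naming scheme for the simulation
    return f"uid={uid},ou=people,dc=example,dc=org"

@dataclass
class FakeServer:
    """Stand-in for one LDAP server: its own entries plus referral objects."""
    passwords: dict = field(default_factory=dict)  # dn -> userPassword (simulation only)
    referrals: dict = field(default_factory=dict)  # uid -> name of server holding the entry
    def search(self, uid):
        """Return ("entry", dn), ("referral", server) or ("none", None)."""
        dn = user_dn(uid)
        if dn in self.passwords:
            return "entry", dn
        if uid in self.referrals:
            return "referral", self.referrals[uid]
        return "none", None
    def bind(self, dn, password):
        """Simple bind: only a DN this server itself holds can authenticate."""
        return dn in self.passwords and self.passwords[dn] == password

# Constructed directory: "alice" lives on ldapserver1, "ldapuser" only on
# ldapserver2, and ldapserver1 carries a referral to ldapserver2 for "ldapuser".
SERVERS = {
    "ldapserver1": FakeServer({user_dn("alice"): "s3cret"}, {"ldapuser": "ldapserver2"}),
    "ldapserver2": FakeServer({user_dn("ldapuser"): "hunter2"}),
}

def lookup(uid, start="ldapserver1", max_hops=4):
    """Follow referrals from the first server, as getent does; max_hops stops loops."""
    server = start
    for _ in range(max_hops):
        kind, value = SERVERS[server].search(uid)
        if kind == "entry":
            return server, value
        if kind != "referral":
            return None
        server = value
    return None

def bind_on_first_server(uid, password):
    """Behaviour from the thread: DN from the lookup, but the separate bind
    connection always goes to the first server, so "ldapuser" gets rejected."""
    found = lookup(uid)
    return found is not None and SERVERS["ldapserver1"].bind(found[1], password)

def lookup_then_bind(uid, password):
    """Proposed fix: bind on the server where the lookup actually found the entry."""
    found = lookup(uid)
    return found is not None and SERVERS[found[0]].bind(found[1], password)
```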

