Re: LDAP referral, binding -> invalid credentials
- From: Valentin Mann <valentin.mann [at] googlemail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: LDAP referral, binding -> invalid credentials
- Date: Mon, 26 Jul 2010 11:24:58 +0200
The last emails were not sent to the list, so if interested please refer to the quotation below.

I tested again with PADL's pam_ldap, but it didn't work either. Most important lines in /etc/ldap.conf were the following:

    base dc=subdomain,dc=example,dc=com
    uri ldap://ldapserver1
    #debug 10
    referrals yes # did not change anything

From the debug output and with tcpdump, I could see that pam_ldap follows the referral to ldapserver2 anonymously, gets the respective user information of ldapuser, but tries to bind with that user to ldapserver1 then. I expected that it would bind to ldapserver2, where it found the user for accessing the password.

This bug of pam_ldap has been reported already:
http://bugzilla.padl.com/show_bug.cgi?id=357
http://bugs.gentoo.org/show_bug.cgi?id=199837

So unfortunately, the behavior of pam_ldap is similar to that of pam_ldapd, I think.

Thank you again for your time!

Valentin

2010/7/23 Arthur de Jong <arthur@arthurdejong.org>:
> Sorry to not respond earlier. I have been doing some work on this but
> without success so far.
>
> On Tue, 2010-07-13 at 00:09 +0200, Valentin Mann wrote:
>> > Perhaps it is enough to do a user lookup first (which should end up
>> > on the correct server) and rebind as the user after that.
>>
>> Yes, and then just use this server for the subsequent non-anonymous
>> bind. That might do the trick ...
>
> It does not do the trick I'm afraid, at least not in my test set-up
> (which is a bit limited). It also isn't easy to get the URL of a
> returned user (as far as I know), perhaps someone else has more insights
> in this?
>
> I've had a very brief look into how pam_ldap works but have not
> identified anything special for this so far. Does PADL's pam_ldap work
> with your set-up?
>
> Anyway, attached is a very rough patch of how far I got. I don't think I
> have much time for this the coming couple of weeks though so if someone
> is interested in this, please go ahead.
Attachment:
nss-pam-ldapd-pam-rebind-try.patch
Description: Text Data
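Added illustration, not from the thread and not nss-pam-ldapd or pam_ldap code: a constructed in-memory model of the two-server set-up described in the mail (placeholder hosts ldapserver1/ldapserver2, a constructed user uid=ldapuser). It reproduces the reported failure (the user is looked up via the referral on ldapserver2 but the bind is sent to the configured ldapserver1, so the password cannot be checked there) beside the lookup-then-rebind-where-found flow that Arthur and Valentin discuss. No real LDAP traffic is involved.

```python
from urllib.parse import urlparse

# Constructed directory model: ldapserver1 holds the base and a referral for
# ou=people; ldapserver2 holds the user entry and its password. Not real LDAP.
SERVERS = {
    "ldapserver1": {
        "entries": {"dc=subdomain,dc=example,dc=com": {}},
        "referrals": {"ou=people,dc=subdomain,dc=example,dc=com":
                      "ldap://ldapserver2/ou=people,dc=subdomain,dc=example,dc=com"},
    },
    "ldapserver2": {
        "entries": {"uid=ldapuser,ou=people,dc=subdomain,dc=example,dc=com":
                    {"uid": "ldapuser", "userPassword": "secret"}},
        "referrals": {},
    },
}

def find_user(host, base, uid, hops=0):
    """Anonymous search for uid under base, chasing referrals (max 3 hops).
    Returns (host_that_holds_the_entry, dn) or None."""
    if hops > 3:
        return None
    server = SERVERS[host]
    for dn, attrs in server["entries"].items():
        if dn.endswith(base) and attrs.get("uid") == uid:
            return host, dn
    for subtree, url in server["referrals"].items():
        if subtree.endswith(base):
            ref = urlparse(url)
            # LDAP URL: host in the authority part, base DN after the '/'
            return find_user(ref.hostname, ref.path.lstrip("/"), uid, hops + 1)
    return None

def simple_bind(host, dn, password):
    """Simple bind succeeds only on the server that actually holds the entry."""
    entry = SERVERS[host]["entries"].get(dn)
    return entry is not None and entry.get("userPassword") == password

def authenticate(uid, password, rebind_where_found):
    """Look the user up first, then bind as that DN.
    rebind_where_found=False mirrors the reported behaviour (bind against the
    configured uri); True binds against the server the referral led to."""
    base = "dc=subdomain,dc=example,dc=com"
    found = find_user("ldapserver1", base, uid)
    if found is None:
        return False
    host, dn = found
    return simple_bind(host if rebind_where_found else "ldapserver1", dn, password)
```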