
Re: Newbie - user authentication failing.


On Thu, 2011-02-10 at 13:25 +0530, Vinay Kalkoti wrote:
> I also wanted a confirmation that I can set the home directory path
> to /home/$uid even if the home directory attribute is set to a
> different path (like /users/unix) on the directory server.

When using
  map passwd homeDirectory "/home/$uid"
nslcd should not request the homeDirectory attribute from LDAP at all
and only use the uid attribute.

> Another question I had was, should I still configure openldap client
> for nss-pam-ldapd? I am using SLES (10, sp2) and my openldap
> configuration file is /etc/openldap/ldap.conf

The configuration of nslcd is completely separate from other LDAP tools.
The main reason for this is that things can break quite subtly with
conflicting configuration options. In most cases it is a good idea to
keep the basic settings in sync though to avoid typing when doing
ldapsearch from the command line.

> I need to configure it against both LDAP servers and Active Directory
> servers.

You can configure multiple servers but they are expected to be copies
used for fail-over. If all servers serve the same information you should
be fine.

If you have different data on servers you may be able to do some tricks
with referrals but authentication does not work as expected then.

> I have started with LDAP server and I have set the configurations in
> /etc/nslcd.conf
> 
> - uri ldap://<ip>
> - base    dc=example,dc=comp,dc=com
> - binddn cn=Administrator,dc=example,dc=comp,dc=com
> - bindpw secret
> - scope sub

For normal operation nss-pam-ldapd does not need administrative access
to your LDAP server. It only needs to be able to read the needed
attributes. It only does write operations when changing passwords and
that should either use the logged-in user's credentials or the
rootpwmoddn credentials.

> If I try "su - test_user", it just throws me an error "su: user
> test_user does not exist", where test_user is from an ldap server and
> 'getent passwd' lists it.

It depends on how your PAM stack is set up how this works. For some
set-ups you need to also provide shadow information via NSS (otherwise
pam_unix blocks the user). Also, for this nscd can cause problems (as
pointed out by Ryan). When testing at least you should disable it.

For production, if you need caching you could have a look at unscd. It
is supposed to be a lot more stable and I've been using it a while now
without any issues (but I never had many issues with nscd).

> If I try ssh with the user account, I see that nslcd is trying the
> same user account for binding.
> 
> nslcd: [b127f8] DEBUG: 
> ldap_simple_bind_s("uid=test_user,dc=example,dc=comp,dc=com","***") 
> (uri="ldap://1<ip>")
> nslcd: [b127f8] DEBUG: failed to bind to LDAP server ldap://<ip>: Invalid 
> credentials
> nslcd: [b127f8] DEBUG: ldap_unbind()
> nslcd: [b127f8] lookup of user uid=test_user,dc=example,dc=comp,dc=com 
> failed: Invalid credentials

Your LDAP server should allow simple authentication and allow it to
search for its own entry. The following should work for authentication
to succeed:

ldapsearch -x -W -H ldap://<ip> \
  -D 'uid=test_user,dc=example,dc=comp,dc=com' \
  -b 'uid=test_user,dc=example,dc=comp,dc=com' \
  '(uid=test_user)' uid

(this is more or less what nslcd does to test authentication)

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
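The reply above makes three configuration points: the bind account only needs read access for lookups, `map passwd homeDirectory "/home/$uid"` means the homeDirectory attribute is never requested, and multiple `uri` lines are treated as fail-over replicas of the same data. The following lint script, an added example that is not part of this thread or of nss-pam-ldapd itself, parses the `key value` format of nslcd.conf and reports those points for a config constructed from the settings the poster quoted. The list of "administrative" RDNs it matches and the host names in the sample are assumptions, not taken from the thread.

```python
"""Lint an nslcd.conf for the points raised in the reply above.

Added example, not part of the original thread or of nss-pam-ldapd.
It parses nslcd.conf's simple `key value` syntax (plus `map` lines) and
reports:
  * a binddn that looks like a directory administrator (nslcd only needs
    read access for lookups; the admin RDN list is an assumption);
  * a bindpw stored in a file that is readable by group or others;
  * a homeDirectory mapping, i.e. the attributes the home path is built from
    (nslcd then never requests homeDirectory itself);
  * more than one uri, which nslcd uses as fail-over replicas.
"""
import re
import shlex

# Constructed sample mirroring the poster's settings; host names are made up.
SAMPLE_CONF = """\
uri ldap://ldap1.example.com
uri ldap://ldap2.example.com
base dc=example,dc=comp,dc=com
binddn cn=Administrator,dc=example,dc=comp,dc=com
bindpw secret
scope sub
map passwd homeDirectory "/home/$uid"
"""

# Assumed heuristic for "this DN is an administrator account".
ADMIN_RDN_RE = re.compile(r"^(cn|uid)=(administrator|admin|manager|root)\b", re.I)


def parse_nslcd_conf(text):
    """Return (options, maps).

    options: key -> list of values in file order (keys like uri may repeat)
    maps:    (database, attribute) -> expression, e.g. ("passwd", "homeDirectory")
    """
    options, maps = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # strips the quotes around "/home/$uid"
        except ValueError:
            parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "map" and len(parts) == 4:
            maps[(parts[1], parts[2])] = parts[3]
        else:
            options.setdefault(key, []).append(" ".join(parts[1:]))
    return options, maps


def lint_nslcd_conf(text, file_mode=0o600):
    """Return a list of (severity, message) findings.

    file_mode is the permission bits of the config file; pass
    os.stat(path).st_mode & 0o777 for a real file.
    """
    options, maps = parse_nslcd_conf(text)
    findings = []

    binddn = options.get("binddn", [""])[-1]
    if binddn and ADMIN_RDN_RE.match(binddn):
        findings.append(("warn", f"binddn {binddn!r} looks administrative; "
                                 "lookups only need read access"))

    if "bindpw" in options and file_mode & 0o077:
        findings.append(("warn", f"bindpw is stored in the file but the file is "
                                 f"readable by group/others (mode {file_mode:o})"))

    home_map = maps.get(("passwd", "homeDirectory"))
    if home_map:
        attrs = re.findall(r"\$(\w+)", home_map)
        findings.append(("info", f"homeDirectory is built from attribute(s) "
                                 f"{','.join(attrs)}; homeDirectory itself is not requested"))

    uris = options.get("uri", [])
    if len(uris) > 1:
        findings.append(("info", f"{len(uris)} uri entries configured; nslcd uses "
                                 "them as fail-over replicas of the same data"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_nslcd_conf(SAMPLE_CONF, file_mode=0o644):
        print(f"{severity}: {message}")
```

Run it against a real file with `lint_nslcd_conf(open(path).read(), os.stat(path).st_mode & 0o777)`; the bind-DN check is only a heuristic, so confirm with the `ldapsearch` commands above that the chosen account can read the needed attributes and nothing more.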