Dealing with disabled/expired user account authentication
- From: Vinay Kalkoti <kalkoti.vinay [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Dealing with disabled/expired user account authentication
- Date: Wed, 16 Feb 2011 11:33:34 +0530
Hi,
I configured nss-pam-ldapd to authenticate with my Active Directory server.
If the user account is disabled/expired on the Active Directory
server, I see that user authentication fails.
nslcd: [272110] DEBUG: ldap_simple_bind_s("CN=xx,DC=xx,DC=COM","***") (uri="ldaps://xx.xx.xx.xx:636")
nslcd: [272110] DEBUG: failed to bind to LDAP server ldaps://xx.xx.xx.xx:636: Invalid credentials
nslcd: [272110] DEBUG: ldap_unbind()
nslcd: [272110] lookup of user CN=xx,DC=xx,DC=COM failed: Invalid credentials
nslcd: [04a8af] DEBUG: connection from pid=5746 uid=0 gid=0
nslcd: [04a8af] DEBUG: nslcd_shadow_byname(xx)
nslcd: [04a8af] DEBUG: myldap_search(base="dc=xx,dc=COM", filter="(&(&(objectClass=user)(uidNumber=*))(sAMAccountName=xx))")
From the logs I see that nss-pam-ldapd is doing a bind with the user
account and it fails.
If I enable the user account, the user authentication succeeds.
Is this behavior configured by the server configuration? When I used
OpenLDAP, I had to set the filters explicitly for the mapped
principal. I am not sure if OpenLDAP does a bind with the user account
that is used for authentication.
It would be good if someone throws light on how this works.
Thanks,
Vinay
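
Added example (not part of the original post and not nss-pam-ldapd code): the log above shows only the generic "Invalid credentials" result for the user bind, so this sketch shows two ways an administrator can tell a disabled or expired Active Directory account from a wrong password. It assumes the server's diagnostic message for the failed bind is available to the caller, and that the entry's userAccountControl and accountExpires attributes can be read; the function names and sample messages are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Sub-codes Active Directory places in the diagnostic message of a rejected
# bind (LDAP result 49, invalidCredentials), in hex after "data".
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def classify_bind_failure(diagnostic_message):
    """Return the reason AD gave for rejecting a simple bind, or None."""
    m = _DATA_RE.search(diagnostic_message or "")
    if not m:
        return None  # only the generic result text was available
    return AD_BIND_SUBCODES.get(int(m.group(1), 16), "unknown sub-code")

ACCOUNTDISABLE = 0x0002          # userAccountControl flag
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def account_state(user_account_control, account_expires, now):
    """Classify an entry from its userAccountControl / accountExpires values."""
    if user_account_control & ACCOUNTDISABLE:
        return "disabled"
    if account_expires not in NEVER:
        # accountExpires counts 100-nanosecond intervals since 1601-01-01 UTC
        expiry = EPOCH_1601 + timedelta(microseconds=account_expires // 10)
        if expiry <= now:
            return "expired"
    return "active"

# Constructed sample diagnostic messages (not taken from the original post).
SAMPLES = [
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 701, v1db1",
    "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_bind_failure(sample))
```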