lists.arthurdejong.org

Re: User Authentication with nslcd 0.8.13

On Mon, 2013-08-05 at 16:59 -0500, Priya Seshaadri wrote:
> I am trying user authentication with LDAP with nss-pam-ldapd on an
> arm-based client. The LDAP server is all set up. I tried querying the
> server from the client using ldapsearch and it returns the entries
> correctly. However logging in to the client doesn't work. Has anybody
> faced this problem before? I'm using nss-pam-ldapd version 0.8.13.
> 
> 
> Here's what I got when I ran nslcd in debug mode:
> --------------------------------------------------------------------------------------
> $ arm-linux-nslcd -d
[...]
> nslcd: [8b4567] <protocol="ip"> DEBUG: ldap_result(): end of results (0 total)

While you could add ldap to protocols in /etc/nsswitch.conf (it is
supported) there is almost never a good reason for it. Also, you should
generally put ldap after files.

> nslcd: [3c9869] <host=192.168.11.3> DEBUG: ldap_result(): end of results (0 total)

Same is true for hosts (unless you have host name information in LDAP).
For LDAP authentication it is sufficient to add ldap to passwd, shadow
and group lines in /etc/nsswitch.conf.

> nslcd: [334873] <passwd="priyas"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [b0dc51] <shadow="priyas"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [495cff] <shadow="priyas"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [e8944a] <shadow="priyas"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [5558ec] <shadow="priyas"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [8e1f29] <shadow="priyas"> DEBUG: ldap_result(): end of results (1 total)
> nslcd: [e87ccd] <shadow="priyas"> DEBUG: ldap_result(): end of results (1 total)

The above shows username and shadow information lookups. If you have
configured nslcd and the LDAP server to expose password hashes (not
really recommended) this could be sufficient.

If you want this, the output of
  getent shadow priyas
should be something like:
  arthur:{crypt}dfjsdjkfnsdkf:15413:::7:2::0

On the other hand, you probably want to use a PAM module that uses LDAP
for authentication. nss-pam-ldapd also includes a PAM module. You can
use the PAM module by editing files under /etc/pam.d. Details on this
depend on how you installed the PAM module and your distribution.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
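
The nsswitch.conf and `getent shadow` checks described in the reply above, as an added example that is not part of the original message or of nss-pam-ldapd itself. The function names and the sample file are constructed here, and treating an empty, `*`, `x` or `!`-prefixed password field as "no hash exposed" is an assumption.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf text (read from stdin) against the advice
# in the reply: ldap is only needed on passwd, shadow and group for
# authentication, and it should come after files.
audit_nsswitch() {
  awk '
    { sub(/#.*/, "") }                 # drop comments, including inline ones
    NF == 0 { next }                   # skip blank lines
    {
      db = $1; sub(/:$/, "", db)
      ldap_pos = 0; files_pos = 0
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^\[/) continue       # skip actions such as [NOTFOUND=return]
        if ($i == "ldap"  && !ldap_pos)  ldap_pos  = i
        if ($i == "files" && !files_pos) files_pos = i
      }
      if (!ldap_pos) next
      if (db != "passwd" && db != "shadow" && db != "group")
        print "WARN " db ": ldap not needed for authentication unless this data is in LDAP"
      if (files_pos && ldap_pos < files_pos)
        print "WARN " db ": ldap is listed before files"
    }'
}

# Returns 0 (true) when a "getent shadow" line carries a usable password hash,
# i.e. nslcd and the LDAP server are exposing hashes to the client.
shadow_exposes_hash() {
  pw=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$pw" in
    ''|'*'|x|'!'*) return 1 ;;         # assumed placeholder or locked values
    *) return 0 ;;
  esac
}

# Constructed sample resembling the lookups seen in the debug log
# (this is not the poster's actual file).
SAMPLE_NSSWITCH='passwd:    ldap files
shadow:    files ldap
group:     files ldap
hosts:     files dns ldap
protocols: files ldap   # inline comment'

printf '%s\n' "$SAMPLE_NSSWITCH" | audit_nsswitch
```

On a real client, feed it `/etc/nsswitch.conf` on stdin and pass the output of `getent shadow <user>` (run as root) to `shadow_exposes_hash`.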