
Re: Password problem


Re: Password problem



Le 27/10/2013 13:14, Arthur de Jong a écrit :

> This looks like a valid shadow hash for /etc/shadow but the used 
> hash could be a problem for a value of userPassword that slapd 
> would be able to use for authentication. That would explain why 
> nslcd can't authenticate to slapd.

I understand that I have to change the way the passwords are stored on
the slapd server.
I have tried changing from crypt to SSHA; now when I run

getent shadow lena

I get

lena:{SSHA}renpwB8SX7LuxjLTgb+L8BWOfzhJTmEyZmNlR1JJTHJRNXlo:14855::99999::::0

but su also failed

slapd debug messages

conn=1003 op=5 SRCH base="ou=People,dc=kervao,dc=fr" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=lena))"
conn=1003 op=5 SRCH attr=loginShell cn gidNumber uidNumber objectClass
homeDirectory gecos uid
<= bdb_equality_candidates: (uid) not indexed
conn=1003 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1006 fd=19 ACCEPT from IP=192.168.0.27:58615 (IP=0.0.0.0:389)
conn=1006 op=0 BIND dn="cn=Manager,dc=kervao,dc=fr" method=128
conn=1006 op=0 BIND dn="cn=Manager,dc=kervao,dc=fr" mech=SIMPLE ssf=0
conn=1006 op=0 RESULT tag=97 err=0 text=
conn=1006 op=1 SRCH base="ou=People,dc=kervao,dc=fr" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=lena))"
conn=1006 op=1 SRCH attr=shadowExpire shadowInactive userPassword
shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax
<= bdb_equality_candidates: (uid) not indexed
conn=1006 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=4 SRCH base="ou=People,dc=kervao,dc=fr" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=lena))"
conn=1000 op=4 SRCH attr=uid uidNumber
<= bdb_equality_candidates: (uid) not indexed
conn=1000 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1007 fd=20 ACCEPT from IP=192.168.0.27:58616 (IP=0.0.0.0:389)
conn=1007 op=0 BIND dn="uid=lena,ou=People,dc=kervao,dc=fr" method=128
conn=1007 op=0 RESULT tag=97 err=49 text=
conn=1007 op=1 UNBIND
conn=1000 op=5 SRCH base="ou=People,dc=kervao,dc=fr" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=lena))"
conn=1000 op=5 SRCH attr=shadowExpire shadowInactive userPassword
shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax
conn=1007 fd=20 closed
<= bdb_equality_candidates: (uid) not indexed
conn=1000 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1000 op=6 ABANDON msg=6

and nslcd debug messages

nslcd: [68079a] DEBUG: connection from pid=7745 uid=0 gid=5000
nslcd: [68079a] <passwd="lena"> DEBUG:
myldap_search(base="ou=People,dc=kervao,dc=fr",
filter="(&(objectClass=posixAccount)(uid=lena))")
nslcd: [68079a] <passwd="lena"> DEBUG: ldap_result():
uid=lena,ou=People,dc=kervao,dc=fr
nslcd: [68079a] <passwd="lena"> DEBUG: ldap_result(): end of results
(1 total)
nslcd: [6afb66] DEBUG: connection from pid=7745 uid=0 gid=5000
nslcd: [6afb66] <passwd="lena"> DEBUG:
myldap_search(base="ou=People,dc=kervao,dc=fr",
filter="(&(objectClass=posixAccount)(uid=lena))")
nslcd: [6afb66] <passwd="lena"> DEBUG: ldap_result():
uid=lena,ou=People,dc=kervao,dc=fr
nslcd: [6afb66] <passwd="lena"> DEBUG: ldap_result(): end of results
(1 total)
nslcd: [e45d32] DEBUG: connection from pid=7745 uid=0 gid=5000
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [e45d32] <shadow="lena"> DEBUG:
myldap_search(base="ou=People,dc=kervao,dc=fr",
filter="(&(objectClass=shadowAccount)(uid=lena))")
nslcd: [e45d32] <shadow="lena"> DEBUG: ldap_result():
uid=lena,ou=People,dc=kervao,dc=fr
nslcd: [e45d32] <shadow="lena"> DEBUG: ldap_result(): end of results
(1 total)
nslcd: [9b500d] DEBUG: connection from pid=7745 uid=0 gid=5000
nslcd: [9b500d] <passwd="lena"> DEBUG:
myldap_search(base="ou=People,dc=kervao,dc=fr",
filter="(&(objectClass=posixAccount)(uid=lena))")
nslcd: [9b500d] <passwd="lena"> DEBUG: ldap_result():
uid=lena,ou=People,dc=kervao,dc=fr
nslcd: [9b500d] <passwd="lena"> DEBUG: ldap_result(): end of results
(1 total)
nslcd: [1bd7b7] DEBUG: connection from pid=7745 uid=0 gid=5000
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [1bd7b7] <shadow="lena"> DEBUG:
myldap_search(base="ou=People,dc=kervao,dc=fr",
filter="(&(objectClass=shadowAccount)(uid=lena))")
nslcd: [1bd7b7] <shadow="lena"> ldap_result() failed: Can't contact
LDAP server
nslcd: [1bd7b7] <shadow="lena"> DEBUG: ldap_abandon()
nslcd: [1bd7b7] <shadow="lena"> DEBUG: ldap_unbind()
nslcd: [1bd7b7] <shadow="lena"> DEBUG: myldap_get_entry(): retry search
nslcd: [1bd7b7] <shadow="lena"> DEBUG:
ldap_initialize(ldap://192.168.0.9/)
nslcd: [1bd7b7] <shadow="lena"> DEBUG: ldap_set_rebind_proc()
nslcd: [1bd7b7] <shadow="lena"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [1bd7b7] <shadow="lena"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [1bd7b7] <shadow="lena"> DEBUG:
ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [1bd7b7] <shadow="lena"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [1bd7b7] <shadow="lena"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [1bd7b7] <shadow="lena"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [1bd7b7] <shadow="lena"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [1bd7b7] <shadow="lena"> DEBUG:
ldap_simple_bind_s("cn=Manager,dc=kervao,dc=fr","***")
(uri="ldap://192.168.0.9/")
nslcd: [1bd7b7] <shadow="lena"> DEBUG: ldap_result():
uid=lena,ou=People,dc=kervao,dc=fr
nslcd: [1bd7b7] <shadow="lena"> DEBUG: ldap_result(): end of results
(1 total)
nslcd: [2dba31] DEBUG: connection from pid=7745 uid=0 gid=5000
nslcd: [2dba31] <authc="lena"> DEBUG: nslcd_pam_authc("lena","su","***")
nslcd: [2dba31] <authc="lena"> DEBUG:
myldap_search(base="ou=People,dc=kervao,dc=fr",
filter="(&(objectClass=posixAccount)(uid=lena))")
nslcd: [2dba31] <authc="lena"> DEBUG: ldap_result():
uid=lena,ou=People,dc=kervao,dc=fr
nslcd: [2dba31] <authc="lena"> DEBUG:
myldap_search(base="uid=lena,ou=People,dc=kervao,dc=fr",
filter="(objectClass=*)")
nslcd: [2dba31] <authc="lena"> DEBUG: ldap_initialize(ldap://192.168.0.9/)
nslcd: [2dba31] <authc="lena"> DEBUG: ldap_set_rebind_proc()
nslcd: [2dba31] <authc="lena"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [2dba31] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [2dba31] <authc="lena"> DEBUG:
ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [2dba31] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [2dba31] <authc="lena"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [2dba31] <authc="lena"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [2dba31] <authc="lena"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [2dba31] <authc="lena"> DEBUG:
ldap_simple_bind_s("uid=lena,ou=People,dc=kervao,dc=fr","***")
(uri="ldap://192.168.0.9/")
nslcd: [2dba31] <authc="lena"> DEBUG: failed to bind to LDAP server
ldap://192.168.0.9/: Invalid credentials
nslcd: [2dba31] <authc="lena"> DEBUG: ldap_unbind()
nslcd: [2dba31] <authc="lena"> uid=lena,ou=People,dc=kervao,dc=fr:
lookup failed: Invalid credentials
nslcd: [2dba31] <authc="lena"> DEBUG:
myldap_search(base="ou=People,dc=kervao,dc=fr",
filter="(&(objectClass=shadowAccount)(uid=lena))")
nslcd: [2dba31] <authc="lena"> DEBUG: ldap_result():
uid=lena,ou=People,dc=kervao,dc=fr

/etc/nslcd.conf

uid nslcd
gid nslcd
uri ldap://192.168.0.9/
base dc=kervao,dc=fr
binddn cn=Manager,dc=kervao,dc=fr
bindpw mot-de-passe
base  group  ou=Group,dc=kervao,dc=fr
base  passwd ou=People,dc=kervao,dc=fr
base  shadow ou=People,dc=kervao,dc=fr
map shadow userPassword userPassword

and I made no changes to the slapd config file

Olivier
-- 
_______________________________
FUNIX - http://www.funix.org
Mettez un manchot dans votre PC
Page perso - http://olivier.hoarau.org