
Re: ldap authentication broken after switch to nss-pam-ldapd


On Fri, 2014-01-24 at 22:47 -0600, Holger Foersterling wrote:
> With pam_ldap I was using a combination of NIS and LDAP for user
> authentication and authorization:

Interesting configuration but it is supposed to work.

> Attempting to log into an account with password on the LDAP server
> gives me the following output:
> /var/log/messages
> Jan 23 15:49:58 marvin nslcd[3893]: [16231b] <authc="username"> ldap_result() 
> failed: Can't contact LDAP server

You can run nslcd in debug mode (with the -d option) to get more output
of what happens when an authentication attempt comes in.

Can't contact LDAP server usually means just that but it is a bit weird
that it happens after ldap_result(). nslcd will try to translate the
username to an LDAP DN first, then try authentication and then do
another search to double check that the authentication was successful.

> /var/log/secure
> Jan 23 15:57:04 marvin su: pam_unix(su:auth): authentication failure; 
> logname=hf uid=38123 euid=0 tty=pts/2 ruser=hf rhost= user=username
> Jan 23 15:57:04 marvin su: pam_ldap(su:auth): nslcd authentication; 
> user=username
> Jan 23 15:57:04 marvin su: pam_ldap(su:auth): username not handled by nslcd

This seems to indicate that the first search failed. The debug output
could confirm that and point more specifically where the cause of the
problem is.

> Configuration files:
> /etc/openldap/ldap.conf:
> TLS_CACERTDIR /etc/openldap/cacerts
> URI ldap://ldap.uwm.edu
> # Turning this off breaks GSSAPI used with krb5 when rdns = false
> SASL_NOCANON on
> URI ldap://ldap.uwm.edu
> BASE ou=people,o=uwm.edu
> 
> 
> /etc/nslcd.conf:
> uid nslcd
> gid ldap
> uri ldap://ldap.uwm.edu
> base ou=people,o=uwm.edu
> ssl start_tls
> tls_cacertdir /etc/openldap/cacerts

You may need to use the sasl_canonicalize option (available since
nss-pam-ldapd 0.8.11).

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
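The three-step flow Arthur describes (look up the user's DN, bind as that DN, search again to confirm the bind) is what decides which of the two symptoms in the logs you see: a failure at step 1 is what pam_ldap reports as "username not handled by nslcd", while a server that drops the connection surfaces as "Can't contact LDAP server". The following Python model is an added example for this thread, not code from nslcd or from either poster; the in-memory directory, the ServerUnreachable exception, the sample entries and the outcome strings are all assumptions made for the illustration.

```python
"""Model of the three-step authentication flow nslcd performs:
(1) search the base for the user's DN, (2) bind as that DN with the
supplied password, (3) search again as the bound user to confirm the
bind really succeeded.

Added illustration, not nslcd's own code: FakeDirectory, ServerUnreachable
and the outcome strings are assumptions made for this example."""


class ServerUnreachable(Exception):
    """Stands in for ldap_result() failing with 'Can't contact LDAP server'."""


class FakeDirectory:
    """Minimal in-memory stand-in for an LDAP server (assumption)."""

    def __init__(self, entries, reachable=True):
        self.entries = entries        # dn -> {attribute: value}
        self.reachable = reachable    # False simulates a dropped connection

    def search(self, base, uid):
        """Return the DNs under `base` whose uid attribute equals `uid`."""
        if not self.reachable:
            raise ServerUnreachable("Can't contact LDAP server")
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower()) and attrs.get("uid") == uid]

    def bind(self, dn, password):
        """Simple bind: True only if the DN exists and the password matches."""
        if not self.reachable:
            raise ServerUnreachable("Can't contact LDAP server")
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password


def nslcd_authc(directory, base, username, password):
    """Return (outcome, detail).

    outcome mimics what the PAM side ends up reporting:
      'not-handled' - step 1 found no single DN, so pam_ldap falls through
                      to the next module (pam_unix/NIS in the thread above)
      'denied'      - step 2 bind failed, or step 3 re-check failed
      'error'       - the server could not be contacted at some step
      'ok'          - all three steps succeeded
    """
    # Step 1: translate the username to a DN.
    try:
        dns = directory.search(base, username)
    except ServerUnreachable as exc:
        return ("error", f"step 1 (DN lookup): {exc}")
    if len(dns) != 1:
        return ("not-handled",
                f"step 1 (DN lookup): {len(dns)} entries for uid={username} under {base}")
    dn = dns[0]

    # Step 2: bind as that DN; step 3: search again to double check.
    try:
        if not directory.bind(dn, password):
            return ("denied", f"step 2 (bind as {dn}): invalid credentials")
        if not directory.search(base, username):
            return ("denied", f"step 3 (re-search as {dn}): entry no longer visible")
    except ServerUnreachable as exc:
        return ("error", f"step 2/3 (bind or re-search as {dn}): {exc}")
    return ("ok", dn)


# Constructed sample directory and base; not real accounts or data.
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,o=example.org": {"uid": "alice", "userPassword": "s3cret"},
})
BASE = "ou=people,o=example.org"

if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"), ("bob", "x")]:
        print(user, nslcd_authc(DIRECTORY, BASE, user, pw))
    # Wrong base: the DN lookup fails, so the user is "not handled" by nslcd.
    print("alice/other base", nslcd_authc(DIRECTORY, "ou=staff,o=example.org", "alice", "s3cret"))
    # Unreachable server: the failure shows up at the first LDAP operation.
    print("unreachable", nslcd_authc(FakeDirectory({}, reachable=False), BASE, "alice", "s3cret"))
```

Running `nslcd -d` against a real server shows the same three phases with the actual LDAP filters and DNs, which is how you tell a misconfigured base (step 1 returns nothing, so NIS/pam_unix gets the request) apart from a STARTTLS or connectivity problem (the first operation already fails).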