Re: ldap authentication broken after switch to nss-pam-ldapd

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Holger Foersterling <holger [at] uwm.edu>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: ldap authentication broken after switch to nss-pam-ldapd
Date: Mon, 27 Jan 2014 14:06:34 -0600

On 01/25/2014 07:11 AM, Arthur de Jong wrote:

On Fri, 2014-01-24 at 22:47 -0600, Holger Foersterling wrote:

With pam_ldap I was using a combination of NIS and LDAP for user
authentication and authorization:

Interesting configuration but it is supposed to work.

I noticed then searching that most people use LDAP to replace NIS,rather than to work with it. But my setup evolved from an all SGIconfiguration.And an all LDAP spolution would still require to define two separateLDAP servers, one for user information and one for passwords.And I am actually surprised that the subgroup as part of a largerorganization is not more common than it looks.

Attempting to log into an account with passwordd on the LDAP server
gives me the following output:
/var/log/messages
Jan 23 15:49:58 marvin nslcd[3893]: [16231b] <authc="username">ldap_result() failed: Can't contact LDAP server
You can run nslcd in debug mode (with the -d option) to get more output
of what happens when an authentication attempt comes in.

Can't contact LDAP server usually means just that but it is a bit weird
that it happens after ldap_result(). nslcd will try to translate the
username to an LDAP DN first, then try authentication and then do
another search to double check that the authentication was successful.
/var/log/secure
Jan 23 15:57:04 marvin su: pam_unix(su:auth): authentication failure;logname=hf uid=38123 euid=0 tty=pts/2 ruser=hf rhost= user=usernameJan 23 15:57:04 marvin su: pam_ldap(su:auth): nslcd authentication;user=usernameJan 23 15:57:04 marvin su: pam_ldap(su:auth): username not handled bynslcd
This seems to indicate that the first search failed. The debug output
could confirm that and point more specifically where the cause of the
problem is.

Running debug mode :
systemctl stop nscd
systemctl stop nslcd
nslcd -d

Output upon startup of nslcd:  One error, but I think it is not significant
nslcd: DEBUG: add_uri(ldap://ldap.uwm.edu)

nslcd: DEBUG:ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")

nslcd: version 0.8.13 starting

nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): Nosuch file or directory

nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections

Output when doing a "su ldapuser (user defined on my NID master, butwith password to be obtaind from LDAP):

nslcd: [8b4567] DEBUG: connection from pid=18551 uid=0 gid=101

nslcd: [8b4567] <authc="holger"> DEBUG:nslcd_pam_authc("holger","su","***")nslcd: [8b4567] <authc="holger"> DEBUG:myldap_search(base="ou=people,o=uwm.edu",filter="(&(objectClass=posixAccount)(uid=holger))")nslcd: [8b4567] <authc="holger"> DEBUG:ldap_initialize(ldap://ldap.uwm.edu)

nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_rebind_proc()

nslcd: [8b4567] <authc="holger"> DEBUG:ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)

nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)

nslcd: [8b4567] <authc="holger"> DEBUG:ldap_set_option(LDAP_OPT_TIMELIMIT,30)nslcd: [8b4567] <authc="holger"> DEBUG:ldap_set_option(LDAP_OPT_TIMEOUT,30)nslcd: [8b4567] <authc="holger"> DEBUG:ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)nslcd: [8b4567] <authc="holger"> DEBUG:ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)nslcd: [8b4567] <authc="holger"> DEBUG:ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)

nslcd: [8b4567] <authc="holger"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <authc="holger"> DEBUG: set_socket_timeout(30,500000)

nslcd: [8b4567] <authc="holger"> DEBUG: ldap_simple_bind_s(NULL,NULL)(uri="ldap://ldap.uwm.edu";)nslcd: [8b4567] <authc="holger"> DEBUG: ldap_result(): end of results (0total)nslcd: [8b4567] <authc="holger"> DEBUG: "holger": user not found: Nosuch object

It looks like it is connecting, but not finding the user. I know anldapsearch command with "(uid=ldapuser)" without giving an object Classworks fine.I am not sure whether the objectClass posixAccount exists on the server,so far it was not needed to specify anything as all I am trying is toconfirm existence of the user and verifying the password. Is thatsomething I set with the map or filter options ?

Configuration files:
/etc/openldap/ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.uwm.edu
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON onURI ldap://ldap.uwm.edu
BASE ou=people,o=uwm.edu


/etc/nslcd.conf:
uid nslcd
gid ldap
uri ldap://ldap.uwm.edu
base ou=people,o=uwm.edu
ssl start_tls
tls_cacertdir /etc/openldap/cacerts

You may need to use the sasl_canonicalize option (available since
nss-pam-ldpad 0.8.11).

With ldapsearch I need to use the -x option for simple authentication asI never got it to work with sasl. But from above debug output it looksthat this is correctly done.



--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

ldap authentication broken after switch to nss-pam-ldapd, Holger Foersterling
- Re: ldap authentication broken after switch to nss-pam-ldapd, Arthur de Jong
  - Re: ldap authentication broken after switch to nss-pam-ldapd, Holger Foersterling

Prev by Date: Re: both nscd and nslcd needed?
Next by Date: Re: ldap authentication broken after switch to nss-pam-ldapd
Previous by thread: Re: ldap authentication broken after switch to nss-pam-ldapd
Next by thread: Re: ldap authentication broken after switch to nss-pam-ldapd