RSS feed

Re: ldap authentication broken after switch to nss-pam-ldapd

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: ldap authentication broken after switch to nss-pam-ldapd

On 01/25/2014 07:11 AM, Arthur de Jong wrote:
On Fri, 2014-01-24 at 22:47 -0600, Holger Foersterling wrote:
With pam_ldap I was using a combination of NIS and LDAP for user
authentication and authorization:
Interesting configuration but it is supposed to work.
I noticed then searching that most people use LDAP to replace NIS, rather than to work with it. But my setup evolved from an all SGI configuration. And an all LDAP spolution would still require to define two separate LDAP servers, one for user information and one for passwords. And I am actually surprised that the subgroup as part of a larger organization is not more common than it looks.

Attempting to log into an account with passwordd on the LDAP server
gives me the following output:
Jan 23 15:49:58 marvin nslcd[3893]: [16231b] <authc="username"> ldap_result() failed: Can't contact LDAP server
You can run nslcd in debug mode (with the -d option) to get more output
of what happens when an authentication attempt comes in.

Can't contact LDAP server usually means just that but it is a bit weird
that it happens after ldap_result(). nslcd will try to translate the
username to an LDAP DN first, then try authentication and then do
another search to double check that the authentication was successful.

Jan 23 15:57:04 marvin su: pam_unix(su:auth): authentication failure; logname=hf uid=38123 euid=0 tty=pts/2 ruser=hf rhost= user=username Jan 23 15:57:04 marvin su: pam_ldap(su:auth): nslcd authentication; user=username Jan 23 15:57:04 marvin su: pam_ldap(su:auth): username not handled by nslcd
This seems to indicate that the first search failed. The debug output
could confirm that and point more specifically where the cause of the
problem is.
Running debug mode :
systemctl stop nscd
systemctl stop nslcd
nslcd -d

Output upon startup of nslcd:  One error, but I think it is not significant
nslcd: DEBUG: add_uri(ldap://
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.8.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections

Output when doing a "su ldapuser (user defined on my NID master, but with password to be obtaind from LDAP):
nslcd: [8b4567] DEBUG: connection from pid=18551 uid=0 gid=101
nslcd: [8b4567] <authc="holger"> DEBUG: nslcd_pam_authc("holger","su","***") nslcd: [8b4567] <authc="holger"> DEBUG: myldap_search(base="ou=people,", filter="(&(objectClass=posixAccount)(uid=holger))") nslcd: [8b4567] <authc="holger"> DEBUG: ldap_initialize(ldap://
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30) nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30) nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30) nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON) nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <authc="holger"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://";) nslcd: [8b4567] <authc="holger"> DEBUG: ldap_result(): end of results (0 total) nslcd: [8b4567] <authc="holger"> DEBUG: "holger": user not found: No such object

It looks like it is connecting, but not finding the user. I know an ldapsearch command with "(uid=ldapuser)" without giving an object Class works fine. I am not sure whether the objectClass posixAccount exists on the server, so far it was not needed to specify anything as all I am trying is to confirm existence of the user and verifying the password. Is that something I set with the map or filter options ?

Configuration files:
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://
# Turning this off breaks GSSAPI used with krb5 when rdns = false
BASE ou=people,

uid nslcd
gid ldap
uri ldap://
base ou=people,
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
You may need to use the sasl_canonicalize option (available since
nss-pam-ldpad 0.8.11).
With ldapsearch I need to use the -x option for simple authentication as I never got it to work with sasl. But from above debug output it looks that this is correctly done.

To unsubscribe send an email to or see