Re: ldap authentication broken after switch to nss-pam-ldapd
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: ldap authentication broken after switch to nss-pam-ldapd
- From: Holger Foersterling <holger [at] uwm.edu>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: ldap authentication broken after switch to nss-pam-ldapd
- Date: Mon, 27 Jan 2014 14:06:34 -0600
On 01/25/2014 07:11 AM, Arthur de Jong wrote:
On Fri, 2014-01-24 at 22:47 -0600, Holger Foersterling wrote:
With pam_ldap I was using a combination of NIS and LDAP for user
authentication and authorization:
Interesting configuration but it is supposed to work.
I noticed then searching that most people use LDAP to replace NIS,
rather than to work with it. But my setup evolved from an all SGI
configuration.
And an all LDAP spolution would still require to define two separate
LDAP servers, one for user information and one for passwords.
And I am actually surprised that the subgroup as part of a larger
organization is not more common than it looks.
Attempting to log into an account with passwordd on the LDAP server
gives me the following output:
/var/log/messages
Jan 23 15:49:58 marvin nslcd[3893]: [16231b] <authc="username">
ldap_result() failed: Can't contact LDAP server
You can run nslcd in debug mode (with the -d option) to get more output
of what happens when an authentication attempt comes in.
Can't contact LDAP server usually means just that but it is a bit weird
that it happens after ldap_result(). nslcd will try to translate the
username to an LDAP DN first, then try authentication and then do
another search to double check that the authentication was successful.
/var/log/secure
Jan 23 15:57:04 marvin su: pam_unix(su:auth): authentication failure;
logname=hf uid=38123 euid=0 tty=pts/2 ruser=hf rhost= user=username
Jan 23 15:57:04 marvin su: pam_ldap(su:auth): nslcd authentication;
user=username
Jan 23 15:57:04 marvin su: pam_ldap(su:auth): username not handled by
nslcd
This seems to indicate that the first search failed. The debug output
could confirm that and point more specifically where the cause of the
problem is.
Running debug mode :
systemctl stop nscd
systemctl stop nslcd
nslcd -d
Output upon startup of nslcd: One error, but I think it is not significant
nslcd: DEBUG: add_uri(ldap://ldap.uwm.edu)
nslcd: DEBUG:
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.8.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No
such file or directory
nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
Output when doing a "su ldapuser (user defined on my NID master, but
with password to be obtaind from LDAP):
nslcd: [8b4567] DEBUG: connection from pid=18551 uid=0 gid=101
nslcd: [8b4567] <authc="holger"> DEBUG:
nslcd_pam_authc("holger","su","***")
nslcd: [8b4567] <authc="holger"> DEBUG:
myldap_search(base="ou=people,o=uwm.edu",
filter="(&(objectClass=posixAccount)(uid=holger))")
nslcd: [8b4567] <authc="holger"> DEBUG:
ldap_initialize(ldap://ldap.uwm.edu)
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="holger"> DEBUG:
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="holger"> DEBUG:
ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="holger"> DEBUG:
ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="holger"> DEBUG:
ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="holger"> DEBUG:
ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="holger"> DEBUG:
ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <authc="holger"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_simple_bind_s(NULL,NULL)
(uri="ldap://ldap.uwm.edu")
nslcd: [8b4567] <authc="holger"> DEBUG: ldap_result(): end of results (0
total)
nslcd: [8b4567] <authc="holger"> DEBUG: "holger": user not found: No
such object
It looks like it is connecting, but not finding the user. I know an
ldapsearch command with "(uid=ldapuser)" without giving an object Class
works fine.
I am not sure whether the objectClass posixAccount exists on the server,
so far it was not needed to specify anything as all I am trying is to
confirm existence of the user and verifying the password. Is that
something I set with the map or filter options ?
Configuration files:
/etc/openldap/ldap.conf:
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.uwm.edu
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON onURI ldap://ldap.uwm.edu
BASE ou=people,o=uwm.edu
/etc/nslcd.conf:
uid nslcd
gid ldap
uri ldap://ldap.uwm.edu
base ou=people,o=uwm.edu
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
You may need to use the sasl_canonicalize option (available since
nss-pam-ldpad 0.8.11).
With ldapsearch I need to use the -x option for simple authentication as
I never got it to work with sasl. But from above debug output it looks
that this is correctly done.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/