authentication puzzle

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Eneida Lima <limalax [at] gmail.com>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: authentication puzzle
Date: Thu, 06 Mar 2014 12:04:36 -0700

Hi,

I am told that we have 2 identical opends ldap servers. We set ourclients to connect to both of them. In case one is not available, itfails over to the other one. It works fine for all our machines runningredhat 5.X. I am setting up a new RHEL6.5 and I am using redhatdistribution of nss-pam-ldap (nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64).All worked well, including authentication and automount, when I setnslcd with the first server. I then tried the second server. It doeseverything, but authenticate through ssh. I ran nslcd in debug mode(nslcd -d) and the output is identical when connecting to both servers,but one authenticates and the other one does not. The server certificatefile, contains the certificate for both servers. I have switched themaround and it did not make any difference. I can 'su - username' usingthe second server, and it gets all atributes and automounts the correcthome directory from the file server. This is the only client that cannot authenticate with the second server.


Here is my nslcd.conf :

******
uri ldaps://opends2.example.com/ ldaps://opends1.example.com/

base dc=example,dc=com

uid nslcd
gid ldap

scope sub

ssl yes
tls_cacertfile /etc/openldap/certs/server_cert.pem
tls_reqcert allow
tls_cacertdir /etc/openldap/certs

filter passwd (objectClass=*)

base  group  ou=Groups,dc=example,dc=com
base  passwd ou=People,dc=example,dc=com
base  shadow ou=People,dc=example,dc=com
base hosts   ou=Hosts,dc=example,dc=com

map    passwd homeDirectory    "$exHomeDirectory"
map shadow userPassword userPassword

binddn cn=agent,ou=profile,dc=example,dc=com
bindpw Btwgfd87

bind_timelimit 30
******

On the server side, I see a difference on attrs. From the log file, thisis the search on the server that authenticates :

[06/Mar/2014:11:21:30 -0700] SEARCH REQ conn=123412728 op=1 msgID=2base="ou=People,dc=example,dc=com" scope=wholeSubtreefilter="(uid=jdoe)"attrs="host,authorizedService,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning,uidNumber"


and this is the one that does not authenticate :

[06/Mar/2014:11:28:38 -0700] SEARCH REQ conn=3932369 op=1 msgID=2base="ou=People,dc=example,dc=com" scope=wholeSubtreefilter="(&(objectClass=shadowAccount)(uid=jdoe))"attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"

They say the ldap servers are identical and all other clientsauthenticate correctly... so it should be on the client side. What doyou say ? Any idea what might be going on ?


Thank you,

Mary

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

authentication puzzle, Eneida Lima

Re: authentication puzzle, Arthur de Jong
Re: authentication puzzle, Eneida Lima
- Re: authentication puzzle, Arthur de Jong
  - Re: authentication puzzle, Nalin Dahyabhai

Prev by Date: FYI: unscd savings measurement
Next by Date: Object class mapping
Previous by thread: FYI: unscd savings measurement
Next by thread: Re: authentication puzzle