RSS feed

authentication puzzle

[Date Prev][Date Next] [Thread Prev][Thread Next]

authentication puzzle


I am told that we have 2 identical opends ldap servers. We set our clients to connect to both of them. In case one is not available, it fails over to the other one. It works fine for all our machines running redhat 5.X. I am setting up a new RHEL6.5 and I am using redhat distribution of nss-pam-ldap (nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64). All worked well, including authentication and automount, when I set nslcd with the first server. I then tried the second server. It does everything, but authenticate through ssh. I ran nslcd in debug mode (nslcd -d) and the output is identical when connecting to both servers, but one authenticates and the other one does not. The server certificate file, contains the certificate for both servers. I have switched them around and it did not make any difference. I can 'su - username' using the second server, and it gets all atributes and automounts the correct home directory from the file server. This is the only client that can not authenticate with the second server.

Here is my nslcd.conf :

uri ldaps:// ldaps://

base dc=example,dc=com

uid nslcd
gid ldap

scope sub

ssl yes
tls_cacertfile /etc/openldap/certs/server_cert.pem
tls_reqcert allow
tls_cacertdir /etc/openldap/certs

filter passwd (objectClass=*)

base  group  ou=Groups,dc=example,dc=com
base  passwd ou=People,dc=example,dc=com
base  shadow ou=People,dc=example,dc=com
base hosts   ou=Hosts,dc=example,dc=com

map    passwd homeDirectory    "$exHomeDirectory"
map shadow userPassword userPassword

binddn cn=agent,ou=profile,dc=example,dc=com
bindpw Btwgfd87

bind_timelimit 30

On the server side, I see a difference on attrs. From the log file, this is the search on the server that authenticates :

[06/Mar/2014:11:21:30 -0700] SEARCH REQ conn=123412728 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)" attrs="host,authorizedService,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning,uidNumber"

and this is the one that does not authenticate :

[06/Mar/2014:11:28:38 -0700] SEARCH REQ conn=3932369 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"

They say the ldap servers are identical and all other clients authenticate correctly... so it should be on the client side. What do you say ? Any idea what might be going on ?

Thank you,


To unsubscribe send an email to or see