Re: authentication puzzle
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: authentication puzzle
- Date: Sun, 09 Mar 2014 16:07:26 +0100
On Thu, 2014-03-06 at 12:04 -0700, Eneida Lima wrote:
> I then tried the second server. It does everything, but authenticate
> through ssh. I ran nslcd in debug mode (nslcd -d) and the output is
> identical when connecting to both servers, but one authenticates and
> the other one does not.
You have two LDAP servers: opends1 and opends2. It is not entirely clear
to me how your clients are organised; are these server 1 and server 2?
Is the problem related to authentication working on one LDAP server but
not on the other, or working for one client and not the other?
> [06/Mar/2014:11:21:30 -0700] SEARCH REQ conn=123412728 op=1 msgID=2
> base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)"
> attrs="host,authorizedService,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning,uidNumber"
This does not look like a search that nslcd would perform. It could be
that PADL's pam_ldap does such a search (judging from the
authorizedService attribute).
> and this is the one that does not authenticate :
>
> [06/Mar/2014:11:28:38 -0700] SEARCH REQ conn=3932369 op=1 msgID=2
> base="ou=People,dc=example,dc=com" scope=wholeSubtree
> filter="(&(objectClass=shadowAccount)(uid=jdoe))"
> attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"
This looks like a query for shadow information for the specified user.
On login, pam_unix lookups result in such a search operation.
There are basically two ways to do LDAP authentication:
- use an LDAP PAM module (nss-pam-ldapd provides such a module)
- expose password hashes through the shadow map
The first approach is recommended because it does not expose password
hashes to LDAP clients.
Some more information is available here:
http://arthurdejong.org/nss-pam-ldapd/setup
On systems where authentication fails, providing output from nslcd -d
(output from an authentication failure), information from nsswitch.conf
and your PAM configuration would be helpful.
Kind regards,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
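Added here as an illustration of the distinction drawn in the reply above, not code from this thread or from nss-pam-ldapd: a small Python audit that parses OpenDS-style access-log lines (the sample is constructed from the excerpts quoted in the mail, re-joined onto single lines) and flags search requests that ask for userPassword, i.e. the shadow-map approach that hands password hashes to LDAP clients. The authorizedService heuristic for spotting a PAM-module lookup is taken from the reply and is an assumption, not a rule.

```python
import re

# Constructed sample modelled on the OpenDS access-log excerpts in the mail,
# each request on one line as the server writes it. The BIND line is added
# only to show that non-search operations are skipped.
SAMPLE_LOG = """\
[06/Mar/2014:11:21:30 -0700] SEARCH REQ conn=123412728 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)" attrs="host,authorizedService,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning,uidNumber"
[06/Mar/2014:11:28:38 -0700] SEARCH REQ conn=3932369 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"
[06/Mar/2014:11:30:02 -0700] BIND REQ conn=3932370 op=0 msgID=1 type=SIMPLE dn="uid=jdoe,ou=People,dc=example,dc=com"
"""

# key=value pairs; values are either double-quoted (may contain spaces,
# commas and LDAP filter syntax) or a bare token.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one access-log line into timestamp, operation, REQ/RES and fields."""
    m = re.match(r'\[([^\]]+)\]\s+(\w+)\s+(\w+)\s+(.*)$', line)
    if not m:
        return None
    ts, optype, kind, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(rest)}
    return {"time": ts, "optype": optype, "kind": kind, **fields}


def classify(entry):
    """Label a SEARCH REQ by what it reveals about the client's auth path."""
    if entry is None or entry["optype"] != "SEARCH" or entry["kind"] != "REQ":
        return None
    attrs = set(entry.get("attrs", "").split(","))
    if "userPassword" in attrs:
        # Shadow-map read: the client expects the hash back (pam_unix path),
        # so the hash is being exposed to the client host.
        return "shadow-map-hash-exposure"
    if "authorizedService" in attrs:
        # Assumed marker of a PAM LDAP module lookup (see the reply above).
        return "pam-module-lookup"
    return "other"


def audit(log_text):
    """Return (conn, label) for every search request, in log order."""
    out = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        label = classify(entry)
        if label:
            out.append((entry["conn"], label))
    return out
```

Run audit() over a real access log to find which client hosts are pulling userPassword; each such connection is a host that should be moved from the shadow-map approach to the PAM module.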