Re: authentication puzzle
- From: Eneida Lima <limalax [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: authentication puzzle
- Date: Tue, 11 Mar 2014 09:39:55 -0700
Arthur,
Here is the info:
1. /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files
2. /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so nullok use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
#account sufficient pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so crypt shadow nullok use_authtok use_first_pass
password required pam_deny.so
session optional pam_keyinit.so revoke
#session optional pam_ldap.so
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
3. Output from 'nslcd -d' for an unsuccessful login:
nslcd: DEBUG: add_uri(ldaps://opends2.example.com/)
nslcd: DEBUG: add_uri(ldaps://opends1.example.com/)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/openldap/certs/server_cert.pem")
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,3)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/certs")
nslcd: version 0.7.5 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=601 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_shadow_byname(jdoe)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=People,dc=example,dc=com", filter="(&(objectClass=shadowAccount)(uid=jdoe))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://opends2.example.com/)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("cn=agent,ou=profile,dc=example,dc=com","***") (uri="ldaps://opends2.example.com/")
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=601 uid=0 gid=0
nslcd: [7b23c6] DEBUG: nslcd_shadow_byname(jdoe)
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=People,dc=example,dc=com", filter="(&(objectClass=shadowAccount)(uid=jdoe))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://opends2.example.com/)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s("cn=agent,ou=profile,dc=example,dc=com","***") (uri="ldaps://opends2.example.com/")
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
4. output on the server side (opends2.example.com):
[11/Mar/2014:09:21:57 -0700] CONNECT conn=3974037 from=XXX.XXX.XXX.XXX:35097 to=YYY.YYY.YYY.YYY:636 protocol=LDAPS
[11/Mar/2014:09:21:57 -0700] BIND REQ conn=3974037 op=0 msgID=1 type=SIMPLE dn="cn=agent,ou=profile,dc=example,dc=com"
[11/Mar/2014:09:21:57 -0700] BIND RES conn=3974037 op=0 msgID=1 result=0 authDN="cn=agent,ou=profile,dc=example,dc=com" etime=0
[11/Mar/2014:09:21:57 -0700] SEARCH REQ conn=3974037 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"
[11/Mar/2014:09:21:57 -0700] SEARCH RES conn=3974037 op=1 msgID=2 result=0 nentries=1 etime=1
[11/Mar/2014:09:21:57 -0700] CONNECT conn=3974038 from=XXX.XXX.XXX.XXX:35102 to=YYY.YYY.YYY.YYY:636 protocol=LDAPS
[11/Mar/2014:09:21:57 -0700] BIND REQ conn=3974038 op=0 msgID=1 type=SIMPLE dn="cn=agent,ou=profile,dc=example,dc=com"
[11/Mar/2014:09:21:57 -0700] BIND RES conn=3974038 op=0 msgID=1 result=0 authDN="cn=agent,ou=profile,dc=example,dc=com" etime=1
[11/Mar/2014:09:21:57 -0700] SEARCH REQ conn=3974038 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"
[11/Mar/2014:09:21:57 -0700] SEARCH RES conn=3974038 op=1 msgID=2 result=0 nentries=1 etime=1
On the client side I have: Permission denied, please try again.
Thank you,
Eneida
On 3/6/14 12:04 PM, Eneida Lima wrote:
Hi,
I am told that we have 2 identical opends ldap servers. We set our
clients to connect to both of them. In case one is not available, it
fails over to the other one. It works fine for all our machines
running redhat 5.X. I am setting up a new RHEL6.5 and I am using
redhat distribution of nss-pam-ldap
(nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64). All worked well, including
authentication and automount, when I set nslcd with the first server.
I then tried the second server. It does everything, but authenticate
through ssh. I ran nslcd in debug mode (nslcd -d) and the output is
identical when connecting to both servers, but one authenticates and
the other one does not. The server certificate file, contains the
certificate for both servers. I have switched them around and it did
not make any difference. I can 'su - username' using the second
server, and it gets all attributes and automounts the correct home
directory from the file server. This is the only client that cannot
authenticate with the second server.
Here is my nslcd.conf:
******
uri ldaps://opends2.example.com/ ldaps://opends1.example.com/
base dc=example,dc=com
uid nslcd
gid ldap
scope sub
ssl yes
tls_cacertfile /etc/openldap/certs/server_cert.pem
tls_reqcert allow
tls_cacertdir /etc/openldap/certs
filter passwd (objectClass=*)
base group ou=Groups,dc=example,dc=com
base passwd ou=People,dc=example,dc=com
base shadow ou=People,dc=example,dc=com
base hosts ou=Hosts,dc=example,dc=com
map passwd homeDirectory "$exHomeDirectory"
map shadow userPassword userPassword
binddn cn=agent,ou=profile,dc=example,dc=com
bindpw Btwgfd87
bind_timelimit 30
******
On the server side, I see a difference on attrs. From the log file,
this is the search on the server that authenticates:
[06/Mar/2014:11:21:30 -0700] SEARCH REQ conn=123412728 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)" attrs="host,authorizedService,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning,uidNumber"
and this is the one that does not authenticate:
[06/Mar/2014:11:28:38 -0700] SEARCH REQ conn=3932369 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"
They say the ldap servers are identical and all other clients
authenticate correctly... so it should be on the client side. What do
you say? Any idea what might be going on?
Thank you,
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
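The two server-side searches quoted in this thread differ in one security-relevant way: the one on the "failing" server asks for userPassword through the cn=agent service account, which means the password hash is pulled to the client and compared there (pam_unix against the shadow map), while a directory that verifies the password itself would instead see a BIND as the user's own DN. The script below is an added example, not code from the thread or from the nss-pam-ldapd project. It parses OpenDS-style access-log lines and nslcd -d output and reports, per connection, which of those paths was taken. All log lines are constructed: connection 1 mirrors the shape of the failing server's log, connection 2 shows the user-BIND path (the thread's logs contain no such bind; it is included only so the classifier has both cases to tell apart), connection 3 is an ordinary NSS lookup, and the nslcd_passwd_byname request in the debug sample is likewise made up.

```python
"""Classify what an LDAP client did during a login attempt, from the
directory's access log (OpenDS format as quoted in the thread) and from
'nslcd -d' output.  Added example; all sample lines are constructed."""
import re
from collections import defaultdict

SERVICE_DN = "cn=agent,ou=profile,dc=example,dc=com"

# Constructed access-log lines.  conn=1: service account reads userPassword
# (hash leaves the server).  conn=2: lookup, then BIND as the user's own DN
# (server checks the password; not seen in the thread).  conn=3: NSS lookup.
SAMPLE_ACCESS_LOG = """\
[11/Mar/2014:09:21:57 -0700] CONNECT conn=1 from=10.0.0.5:35097 to=10.0.0.9:636 protocol=LDAPS
[11/Mar/2014:09:21:57 -0700] BIND REQ conn=1 op=0 msgID=1 type=SIMPLE dn="cn=agent,ou=profile,dc=example,dc=com"
[11/Mar/2014:09:21:57 -0700] BIND RES conn=1 op=0 msgID=1 result=0 authDN="cn=agent,ou=profile,dc=example,dc=com" etime=0
[11/Mar/2014:09:21:57 -0700] SEARCH REQ conn=1 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=shadowAccount)(uid=jdoe))" attrs="shadowMax,userPassword,uid,shadowLastChange"
[11/Mar/2014:09:21:57 -0700] SEARCH RES conn=1 op=1 msgID=2 result=0 nentries=1 etime=1
[11/Mar/2014:09:21:58 -0700] CONNECT conn=2 from=10.0.0.5:35102 to=10.0.0.8:636 protocol=LDAPS
[11/Mar/2014:09:21:58 -0700] BIND REQ conn=2 op=0 msgID=1 type=SIMPLE dn="cn=agent,ou=profile,dc=example,dc=com"
[11/Mar/2014:09:21:58 -0700] BIND RES conn=2 op=0 msgID=1 result=0 authDN="cn=agent,ou=profile,dc=example,dc=com" etime=0
[11/Mar/2014:09:21:58 -0700] SEARCH REQ conn=2 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)" attrs="host,authorizedService,shadowExpire,uidNumber"
[11/Mar/2014:09:21:58 -0700] SEARCH RES conn=2 op=1 msgID=2 result=0 nentries=1 etime=1
[11/Mar/2014:09:21:58 -0700] BIND REQ conn=2 op=2 msgID=3 type=SIMPLE dn="uid=jdoe,ou=People,dc=example,dc=com"
[11/Mar/2014:09:21:58 -0700] BIND RES conn=2 op=2 msgID=3 result=0 authDN="uid=jdoe,ou=People,dc=example,dc=com" etime=2
[11/Mar/2014:09:21:59 -0700] CONNECT conn=3 from=10.0.0.5:35110 to=10.0.0.9:636 protocol=LDAPS
[11/Mar/2014:09:21:59 -0700] BIND REQ conn=3 op=0 msgID=1 type=SIMPLE dn="cn=agent,ou=profile,dc=example,dc=com"
[11/Mar/2014:09:21:59 -0700] BIND RES conn=3 op=0 msgID=1 result=0 authDN="cn=agent,ou=profile,dc=example,dc=com" etime=0
[11/Mar/2014:09:21:59 -0700] SEARCH REQ conn=3 op=1 msgID=2 base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=jdoe))" attrs="uid,uidNumber,gidNumber,homeDirectory,loginShell"
[11/Mar/2014:09:21:59 -0700] SEARCH RES conn=3 op=1 msgID=2 result=0 nentries=1 etime=0
"""

# Constructed in the shape of the thread's 'nslcd -d' output.
SAMPLE_NSLCD_DEBUG = """\
nslcd: [8b4567] DEBUG: connection from pid=601 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_shadow_byname(jdoe)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=People,dc=example,dc=com", filter="(&(objectClass=shadowAccount)(uid=jdoe))")
nslcd: [7b23c6] DEBUG: nslcd_shadow_byname(jdoe)
nslcd: [5c3e1a] DEBUG: nslcd_passwd_byname(jdoe)
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<kind>CONNECT|DISCONNECT|BIND REQ|BIND RES|'
    r'SEARCH REQ|SEARCH RES) conn=(?P<conn>\d+)(?P<rest>.*)$')
# key=value pairs; quoted values may contain '=' and spaces (DNs, filters)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
NSLCD_REQ_RE = re.compile(r'DEBUG: (nslcd_\w+)\(')


def parse_fields(rest):
    """Turn ' op=1 dn="cn=a,dc=b" from=1.2.3.4:5' into a dict."""
    fields = {}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def parse_access_log(text):
    """Group BIND and SEARCH operations by connection number."""
    conns = defaultdict(lambda: {"binds": {}, "searches": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, conn, f = m.group("kind"), m.group("conn"), parse_fields(m.group("rest"))
        if kind == "BIND REQ":
            conns[conn]["binds"][f["op"]] = {"dn": f.get("dn", ""), "result": None}
        elif kind == "BIND RES" and f["op"] in conns[conn]["binds"]:
            conns[conn]["binds"][f["op"]]["result"] = int(f["result"])
        elif kind == "SEARCH REQ":
            conns[conn]["searches"].append({
                "filter": f.get("filter", ""),
                "attrs": [a for a in f.get("attrs", "").split(",") if a]})
    return dict(conns)


def classify(conn, service_dn):
    """'user-bind': a BIND as a DN other than the service account, so the
    directory verified the password.  'hash-retrieval': the service account
    read userPassword, so verification happens on the client, and any client
    holding the bindpw can read every hash.  'lookup-only': neither."""
    user_binds = [b for b in conn["binds"].values()
                  if b["dn"] and b["dn"].lower() != service_dn.lower()]
    if user_binds:
        return "user-bind"
    if any("userPassword" in s["attrs"] for s in conn["searches"]):
        return "hash-retrieval"
    return "lookup-only"


def nslcd_request_counts(debug_text):
    """Count request types nslcd served (nslcd_shadow_byname, ...)."""
    counts = defaultdict(int)
    for m in NSLCD_REQ_RE.finditer(debug_text):
        counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_ACCESS_LOG)
    for cid, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        print(f"conn={cid}: {classify(c, SERVICE_DN)}")
    print("nslcd requests:", nslcd_request_counts(SAMPLE_NSLCD_DEBUG))
```

Run against a real access log, a connection reported as "hash-retrieval" is worth a second look regardless of whether logins work: it means the service account in nslcd.conf (whose bindpw is stored in cleartext on every client) has read access to userPassword, and the ACI on the directory, not the client config, is what decides whether that is acceptable.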