Re: Authentication problem with ldap_simple_bind_s

On Thu, 2014-07-31 at 12:05 +0200, Sergio Ramírez Gallego wrote:
> After some modifications, nslcd log output shows the following lines
> when I type 'getent passwd':
[...]
> nslcd: [200854] <group/member="sergio"> DEBUG: ldap_result(): 
> uid=sergio,ou=users,dc=ugr,dc=es
> nslcd: [200854] <group/member="sergio"> DEBUG: 
> myldap_search(base="dc=ugr,dc=es", 
> filter="(&(objectClass=posixGroup)(|(memberUid=sergio)(member=uid=sergio,ou=users,dc=ugr,dc=es)))")

The above is a bit weird. The lookup should be for `groups sergio`, not
for `getent passwd sergio`. Furthermore, the myldap_search line is
usually logged before the ldap_result one.

> All right! Nevertheless, when I try to authenticate with a user
> other than root, I get the following:
[...]
> nslcd: [ed7263] <authc="sergio"> DEBUG: nslcd_pam_authc("sergio","sshd","***")
[...]
> nslcd: [ed7263] <authc="sergio"> DEBUG: 
> myldap_search(base="uid=sergio,ou=users,dc=ugr,dc=es", 
> filter="(objectClass=*)")
> nslcd: [ed7263] <authc="sergio"> DEBUG: 
> ldap_simple_bind_s("uid=sergio,ou=users,dc=ugr,dc=es","***") 
> (uri="ldap://ldap")
> nslcd: [ed7263] <authc="sergio"> ldap_result() failed: No such object
> nslcd: [ed7263] <authc="sergio"> uid=sergio,ou=users,dc=ugr,dc=es: lookup 
> failed: No such object
[...]
> I do not understand why nslcd uses uid=non-nssproxy-user to call the
> ldap_simple_bind_s function. It is obvious that the server is not
> going to answer.
> If you need some configuration details, I can send them to you. My server
> uses LDAP version 2.4.

For authentication nslcd tries a bind operation with the user's DN and
provided password. To see if the bind is successful a search is
performed. Some LDAP servers have been shown to not return any errors on
bind in some circumstances but fail the search. This means that the user
needs to have permission to search its own entry (does not need to be
able to read any attributes though).

Hope this helps.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
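The check Arthur describes (bind as the user's DN, then a base-scope search of that same DN with filter `(objectClass=*)`) can be reproduced and fixed outside nslcd. The following is an added example, not part of the thread and not nss-pam-ldapd's own code: two OpenLDAP cn=config ACL fragments built from the DNs visible in the quoted log. The database DN `olcDatabase={1}mdb,cn=config`, the proxy account `cn=nssproxy,dc=ugr,dc=es` and the user subtree `ou=users,dc=ugr,dc=es` are assumptions. Under the first ACL the bind succeeds (anonymous `auth` access to userPassword) but the bound user has no search access to its own entry, and slapd answers the follow-up search with "No such object", which is exactly what the quoted nslcd log shows. The second ACL adds the minimum the check needs: `search` access for `self` to the `entry` pseudo-attribute and to `objectClass`, which the filter references, without granting read access to any attribute.

```ldif
# Constructed example, not from the original thread.
# Database, proxy account and subtree DNs are assumptions.

# --- ACL that breaks the nslcd authentication check -------------------------
# Users can bind (anonymous 'auth' on userPassword) and the proxy account can
# read the subtree, but a user bound as itself has no search access to its own
# entry, so nslcd's base-scope search of the user DN fails with No such object.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=nssproxy,dc=ugr,dc=es" auth
  by * none
olcAccess: {1}to dn.subtree="ou=users,dc=ugr,dc=es"
  by dn.exact="cn=nssproxy,dc=ugr,dc=es" read
  by * none

# --- Corrected ACL ----------------------------------------------------------
# Same as above, plus 'search' for the bound user on its own entry pseudo-
# attribute and on objectClass (the attribute named in the (objectClass=*)
# filter). No attribute becomes readable by the user; the proxy account is
# still the only identity that reads the data nslcd serves to NSS.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=nssproxy,dc=ugr,dc=es" auth
  by * none
olcAccess: {1}to dn.subtree="ou=users,dc=ugr,dc=es" attrs=entry,objectClass
  by self search
  by dn.exact="cn=nssproxy,dc=ugr,dc=es" read
  by * none
olcAccess: {2}to dn.subtree="ou=users,dc=ugr,dc=es"
  by dn.exact="cn=nssproxy,dc=ugr,dc=es" read
  by * none
```

Apply whichever fragment you want to test with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (the LDIF continuation lines, indented by a space, are joined into one `olcAccess` value). To reproduce the nslcd check by hand, bind as the user and search only its own entry, asking for no attributes (`1.1`): `ldapsearch -x -H ldap://ldap -D "uid=sergio,ou=users,dc=ugr,dc=es" -W -b "uid=sergio,ou=users,dc=ugr,dc=es" -s base '(objectClass=*)' 1.1`. With the first ACL the command exits with code 32 (No such object) even though the password was accepted; with the corrected ACL it exits 0 and returns the DN, and nslcd's `authc` lookup succeeds for the same reason.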