CentOS 7 : ldap authentication failed

Hi,

We are building our first CentOS 7 server.
We are encountering a problem concerning the ldap authentication. We can't connect to the server with an LDAP account through nslcd. It works successfully on our CentOS 6 servers.

Below you will find the log files (openldap and nslcd debug, relevant part in bold).
We don't understand why, after successfully binding to ldap, nslcd does a new request for the dn with a wrong base dn (uid=username has been added to the ldap base dn).

Package : nss-pam-ldapd 0.8.13(8.el7)

Any help will be appreciated,
Regards
Frederic

OpenLDAP Log

Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43312 fd=72 ACCEPT from IP=SRCIP:43264 (IP=0.0.0.0:636)
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43312 fd=72 TLS established tls_ssf=256 ssf=256
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43312 op=0 BIND dn="" method=128
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43312 op=0 RESULT tag=97 err=0 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43312 op=1 SRCH base="ou=people,dc=companyname,dc=com" scope=1 deref=0 filter="(&(objectClass=shadowAccount)(uid=username))"
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43312 op=1 SRCH attr=shadowExpire shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43312 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 fd=87 ACCEPT from IP=SRCIP:43265 (IP=0.0.0.0:636)
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 fd=87 TLS established tls_ssf=256 ssf=256
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=0 BIND dn="" method=128
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=0 RESULT tag=97 err=0 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=1 SRCH base="ou=people,dc=companyname,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=username))"
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=1 SRCH attr=uid uidNumber
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 fd=96 ACCEPT from IP=SRCIP:43266 (IP=0.0.0.0:636)
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 fd=96 TLS established tls_ssf=256 ssf=256
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=0 BIND dn="uid=username,ou=people,dc=companyname,dc=com" method=128
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=0 BIND dn="uid=username,ou=people,dc=companyname,dc=com" mech=SIMPLE ssf=0
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=0 RESULT tag=97 err=0 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=1 SRCH base="uid=username,ou=people,dc=companyname,dc=com" scope=0 deref=0 filter="(objectClass=*)"
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=1 SRCH attr=dn
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=2 ABANDON msg=2
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=2 SRCH base="ou=people,dc=companyname,dc=com" scope=1 deref=0 filter="(&(objectClass=shadowAccount)(uid=username))"
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=2 SRCH attr=shadowExpire shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=3 UNBIND
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 fd=96 closed
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=3 ABANDON msg=3

Nslcd Debug Log

nslcd: DEBUG: add_uri(ldaps://LDAPSERVER1)
nslcd: DEBUG: add_uri(ldaps://LDAPSERVER2)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
nslcd: version 0.8.13 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",55) done
nslcd: DEBUG: setgid(55) done
nslcd: DEBUG: setuid(65) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=601 uid=28 gid=28
nslcd: [8b4567] <group/member="nslcd"> DEBUG: myldap_search(base="ou=people,dc=companyname,dc=com", filter="(&(objectClass=posixAccount)(uid=nslcd))")
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_initialize(ldaps://LDAPSERVER1)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://LDAPSERVER1")
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [8b4567] <group/member="nslcd"> DEBUG: myldap_search(base="ou=groups,dc=companyname,dc=com", filter="(&(objectClass=posixGroup)(memberUid=nslcd))")
nslcd: [8b4567] <group/member="nslcd"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [7b23c6] DEBUG: connection from pid=3243 uid=0 gid=0
nslcd: [7b23c6] <shadow="username"> DEBUG: myldap_search(base="ou=people,dc=companyname,dc=com", filter="(&(objectClass=shadowAccount)(uid=username))")
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_initialize(ldaps://LDAPSERVER1)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://LDAPSERVER1")
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_result(): uid=username,ou=people,dc=companyname,dc=com
nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=3243 uid=0 gid=0
nslcd: [3c9869] <authc="username"> DEBUG: nslcd_pam_authc("username","sshd","***")
nslcd: [3c9869] <authc="username"> DEBUG: myldap_search(base="ou=people,dc=companyname,dc=com", filter="(&(objectClass=posixAccount)(uid=username))")
nslcd: [3c9869] <authc="username"> DEBUG: ldap_initialize(ldaps://LDAPSERVER1)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://LDAPSERVER1")
nslcd: [3c9869] <authc="username"> DEBUG: ldap_result(): uid=username,ou=people,dc=companyname,dc=com
nslcd: [3c9869] <authc="username"> DEBUG: myldap_search(base="uid=username,ou=people,dc=companyname,dc=com", filter="(objectClass=*)")
nslcd: [3c9869] <authc="username"> DEBUG: ldap_initialize(ldaps://LDAPSERVER1)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] <authc="username"> DEBUG: ldap_simple_bind_s("uid=username,ou=people,dc=companyname,dc=com","***") (uri="ldaps://LDAPSERVER1")
nslcd: [3c9869] <authc="username"> ldap_result() failed: No such object
nslcd: [3c9869] <authc="username"> uid=username,ou=people,dc=companyname,dc=com: lookup failed: No such object
nslcd: [3c9869] <authc="username"> DEBUG: ldap_unbind()
nslcd: [3c9869] <authc="username"> DEBUG: myldap_search(base="ou=people,dc=companyname,dc=com", filter="(&(objectClass=shadowAccount)(uid=username))")
nslcd: [3c9869] <authc="username"> DEBUG: ldap_result(): uid=username,ou=people,dc=companyname,dc=com
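As an added example (not from the post, nor from nss-pam-ldapd), the following Python script correlates slapd log lines per connection and operation and flags the contradiction the message above describes: a DN that binds successfully (err=0) and then gets err=32 (noSuchObject) for a base-scope search of that very DN. On OpenLDAP that pattern usually means the entry exists but is not readable by the identity that just bound, so the directory's access rules for self-reads are the first thing to check before changing nslcd. The sample log is constructed from the post's own placeholder values.

```python
import re

# Constructed sample in the slapd log format quoted in the post above; the
# placeholders (LDAPSERVER, username, companyname) are the post's own.
SAMPLE_LOG = """\
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=0 BIND dn="" method=128
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=0 RESULT tag=97 err=0 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=1 SRCH base="ou=people,dc=companyname,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=username))"
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43313 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=0 BIND dn="uid=username,ou=people,dc=companyname,dc=com" method=128
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=0 RESULT tag=97 err=0 text=
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=1 SRCH base="uid=username,ou=people,dc=companyname,dc=com" scope=0 deref=0 filter="(objectClass=*)"
Jan 26 12:32:34 LDAPSERVER slapd[24389]: conn=43314 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

CONN_RE = re.compile(r'conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
BIND_RESULT_RE = re.compile(r'op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')
SRCH_RE = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d)')
SRCH_RESULT_RE = re.compile(r'op=(?P<op>\d+) SEARCH RESULT tag=101 err=(?P<err>\d+)')


def find_invisible_bound_entries(log_text):
    """Return (conn, dn) for each connection where a DN bound with err=0 and a
    later base-scope search of that same DN on the same connection got err=32
    (noSuchObject): the entry authenticated but cannot read itself."""
    bind_dn = {}       # (conn, op) -> DN of a non-anonymous BIND request
    bound_ok = {}      # conn -> lower-cased DN whose BIND returned err=0
    base_search = {}   # (conn, op) -> lower-cased base of a scope=0 search
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue   # ACCEPT/TLS/UNBIND/closed lines carry no op we care about
        conn, rest = m.group('conn'), m.group('rest')
        if (b := BIND_RE.match(rest)) and b.group('dn'):
            bind_dn[(conn, b.group('op'))] = b.group('dn')
        elif (r := BIND_RESULT_RE.match(rest)) and r.group('err') == '0':
            if (conn, r.group('op')) in bind_dn:
                bound_ok[conn] = bind_dn[(conn, r.group('op'))].lower()
        elif (s := SRCH_RE.match(rest)) and s.group('scope') == '0':
            base_search[(conn, s.group('op'))] = s.group('base').lower()
        elif (sr := SRCH_RESULT_RE.match(rest)) and sr.group('err') == '32':
            base = base_search.get((conn, sr.group('op')))
            if base is not None and bound_ok.get(conn) == base:
                findings.append((conn, base))
    return findings
```

Run it against the full slapd log (e.g. `find_invisible_bound_entries(open('/var/log/slapd.log').read())`); an empty result means the failure is not the self-read pattern and the search for the cause should move elsewhere.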
