Re: CentOS 7 : ldap authentication failed

[Berend De Schouwer <berend [at] deschouwer.co.za>]

On Mon, 26 Jan, 2015 at 3:53 , Frédéric Marchal 
<marchal.frederic@gmail.com> wrote:
> Hi,
>
> We are building our first CentOS 7 server.

Your LDAP server, or your server that should use nslcd to authenticate?


> We don't understand why after successfully binding to ldap, nslcd 
> does a new request for the dn with a wrong base dn (uid=username has 
> been added to the ldap base dn).

The first bind is to confirm the existence of the user, and to check 
that the user is valid (right objectClass, etc.)

The second bind is to test the password.

It's adding uid=username because that's your username.


> nslcd: [7b23c6] <shadow="username"> DEBUG: 
> myldap_search(base="ou=people,dc=companyname,dc=com", 
> filter="(&(objectClass=shadowAccount)(uid=username))")

nslcd client does a search for users with 'uid=username'


> nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_result(): 
> uid=username,ou=people,dc=companyname,dc=com

LDAP server responds with 'uid=username' can be found in 
'uid=username,ou=people,dc=companyname,dc=com'

It sounds like you think the LDAP server would have responded with 
something else.


> nslcd: [3c9869] <authc="username"> DEBUG: 
> ldap_simple_bind_s("uid=username,ou=people,dc=companyname,dc=com","***") 
> (uri="ldaps://LDAPSERVER1")

Let's try the password...



--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/