Fwd: CentOS 7 : ldap authentication failed

[Frédéric Marchal <marchal.frederic [at] gmail.com>]

Hi,

The content of /etc/nlscd.conf :

# This is the configuration file for the LDAP nameservice

# switch library's nslcd daemon. It configures the mapping

# between NSS names (see /etc/nsswitch.conf) and LDAP

# information in the directory.

# See the manual page nslcd.conf(5) for more information.

# The uri pointing to the LDAP server to use for name lookups.

# Multiple entries may be specified. The address that is used

# here should be resolvable without using LDAP (obviously).

#uri ldap://127.0.0.1/

#uri ldaps://sxbsvldapma1p01.gestour.com/ ldaps://sxbsvldapma3p01.gestour.com

#uri ldapi://%2fvar%2frun%2fldapi_sock/

# Note: %2f encodes the '/' used as directory separator

# uri ldap://127.0.0.1/

uri ldaps://LDAPSERVER

# The LDAP version to use (defaults to 3

# if supported by client library)

#ldap_version 3

# The distinguished name of the search base.

base dc=company,dc=com

# The distinguished name to bind to the server with.

# Optional: default is to bind anonymously.

#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.

# Optional: default is no credentials.

# Note that if you set a bindpw you should check the permissions of this file.

#bindpw secret

# The distinguished name to perform password modifications by root by.

#rootpwmoddn cn=admin,dc=example,dc=com

# The default search scope.

#scope sub

scope one

#scope base

# Customize certain database lookups.

scope  group  onelevel

#scope  hosts  sub

# Bind/connect timelimit.

#bind_timelimit 30

# Search timelimit.

#timelimit 30

# Idle timelimit. nslcd will close connections if the

# server has not been contacted for the number of seconds.

#idle_timelimit 3600

# Use StartTLS without verifying the server certificate.

#ssl start_tls

ssl no

tls_reqcert never

# CA certificates for server certificate verification

#tls_cacertdir /etc/ssl/certs

#tls_cacertfile /etc/ssl/ca.cert

# Seed the PRNG if /dev/urandom is not provided

#tls_randfile /var/run/egd-pool

# SSL cipher suite

# See man ciphers for syntax

#tls_ciphers TLSv1

# Client certificate and key

# Use these, if your server requires client authentication.

#tls_cert

#tls_key

# NDS mappings

#map group uniqueMember member

# Mappings for Services for UNIX 3.5

#filter passwd (objectClass=User)

#map    passwd uid              msSFU30Name

#map    passwd userPassword     msSFU30Password

#map    passwd homeDirectory    msSFU30HomeDirectory

#map    passwd homeDirectory    msSFUHomeDirectory

#filter shadow (objectClass=User)

#map    shadow uid              msSFU30Name

#map    shadow userPassword     msSFU30Password

#filter group  (objectClass=Group)

#map    group  uniqueMember     msSFU30PosixMember

# Mappings for Services for UNIX 2.0

#filter passwd (objectClass=User)

#map    passwd uid              msSFUName

#map    passwd userPassword     msSFUPassword

#map    passwd homeDirectory    msSFUHomeDirectory

#map    passwd gecos            msSFUName

#filter shadow (objectClass=User)

#map    shadow uid              msSFUName

#map    shadow userPassword     msSFUPassword

#map    shadow shadowLastChange pwdLastSet

#filter group  (objectClass=Group)

#map    group  uniqueMember     posixMember

# Mappings for Active Directory

#pagesize 1000

#referrals off

#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHo

meDirectory=*))

#map    passwd uid              sAMAccountName

#map    passwd homeDirectory    unixHomeDirectory

#map    passwd gecos            displayName

#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHo

meDirectory=*))

#map    shadow uid              sAMAccountName

#map    shadow shadowLastChange pwdLastSet

#filter group  (objectClass=group)

#map    group  uniqueMember     member

# Mappings for AIX SecureWay

#filter passwd (objectClass=aixAccount)

#map    passwd uid              userName

#map    passwd userPassword     passwordChar

#map    passwd uidNumber        uid

#map    passwd gidNumber        gid

#filter group  (objectClass=aixAccessGroup)

#map    group  cn               groupName

#map    group  uniqueMember     member

#map    group  gidNumber        gid

uid nslcd

gid ldap

# This comment prevents repeated auto-migration of settings.

tls_cacertdir /etc/openldap/cacerts

2015-01-26 18:22 GMT+01:00 Otavio Campos Velho Gloria <og [at] e-trust.com.br>:

Hi,

   Cloud you send your configuration of nslcd.conf file?
   Perhaps something is missing.

On 26/01/2015 13:04, Berend De Schouwer wrote:

On Mon, 26 Jan, 2015 at 3:53 , Frédéric Marchal marchal.frederic [at] gmail.com wrote:

Hi,

We are building our first CentOS 7 server.

Your LDAP server, or your server that should use nslcd to authenticate?

We don't understand why after successfully binding to ldap, nslcd does a new request for the dn with a wrong base dn (uid=username has been added to the ldap base dn).

The first bind is to confirm the existence of the user, and to check that the user is valid (right objectClass, etc.)

The second bind is to test the password.

It's adding uid=username because that's your username.

nslcd: [7b23c6] <shadow="username"> DEBUG: myldap_search(base="ou=people,dc=companyname,dc=com", filter="(&(objectClass=shadowAccount)(uid=username))")

nslcd client does a search for users with 'uid=username'

nslcd: [7b23c6] <shadow="username"> DEBUG: ldap_result(): uid=username,ou=people,dc=companyname,dc=com

LDAP server responds with 'uid=username' can be found in 'uid=username,ou=people,dc=companyname,dc=com'

It sounds like you think the LDAP server would have responded with something else.

nslcd: [3c9869] <authc="username"> DEBUG: ldap_simple_bind_s("uid=username,ou=people,dc=companyname,dc=com","***") (uri="ldaps://LDAPSERVER1")

Let's try the password...

--

Otávio Campos Velho Gloria www.e-trust.com.br Porto Alegre: +55 (51) 2117-1000 São Paulo: +55 (11) 5521-2021 USA: +1-888-259-5801

Esta mensagem pode conter informações confidenciais ou privilegiadas. Se você recebeu esta mensagem por engano, você não deve usar, copiar, divulgar ou tomar qualquer atitude com base nestas informações. Solicitamos que você apague a mensagem imediatamente e avise a E-TRUST, enviando um e-mail para suporte [at] e-trust.com.br. Opiniões, conclusões ou informações contidas nesta mensagem não necessariamente refletem a posição oficial da E-TRUST. Caso assinada digitalmente, a autenticidade desta mensagem pode ser confirmada pela Autoridade Certificadora Privada E-TRUST, disponível em www.e-trust.com.br.

This message may contain privileged and confidential information for the use of the intended recipients only. If you are not an intended recipient then you should not disseminate, copy, or take any action based on its contents. If you have received this message in error then please notify E-TRUST by sending an e-mail message to suporte [at] e-trust.com.br immediately. Views and opinions expressed in this message do not necessarily reflect the position of E-TRUST. If this message is digitally signed, its authenticity can be confirmed by E-TRUST Private Certificate Authority, available at www.e-trust.com.br.

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/