Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP
- From: Thomas Keller <s2074135 [at] yahoo.com.au>
- To: Arthur de Jong <arthur [at] arthurdejong.org>, "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Reply-to: Thomas Keller <s2074135 [at] yahoo.com.au>
- Subject: Re: Authentication against LDAP is failing from Ubuntu dlients if there is no local user account with the same name as in LDAP
- Date: Wed, 1 Jun 2016 09:10:47 +0000 (UTC)
Fixing some problems with the maps in nslcd.conf, as indicated by Arthur, has done the trick.
My nslcd.conf now looks like below. It still needs some tweaking but login works perfectly.
Thanks everyone!
Thomas
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://10.0.10.11
# The search base that will be used for all queries.
base ou=2_ABCD,dc=abc,dc=example,dc=com
# The LDAP protocol version to use.
ldap_version 3
# The DN to bind with for normal lookups.
binddn cn=binddn,ou=Int_Service,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
bindpw blabla
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
ssl start_tls
tls_reqcert never
# The search scope.
scope sub
# Active Directory
pagesize 30000
referrals off
idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd uid sAMAccountName
map passwd uidNumber objectSid:S-1-5-12-3201345888-7430494871-1110111129
map passwd gidNumber objectSid:S-1-5-12-3201345888-7430494871-1110111129
map passwd homeDirectory "/home/$sAMAccountName"
map passwd gecos displayName
map passwd loginShell "/bin/bash"
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter shadow (&(objectClass=user)(!(objectClass=computer)))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
filter group (objectClass=group)
map group gidNumber objectSid:S-1-5-12-3201345888-7430494871-1110111129
map group cn sAMAccountName
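The map lines above derive uidNumber and gidNumber from objectSid, which is the part of the fix Arthur pointed to. To make that mapping concrete, here is an added Python example (not nslcd's code and not part of the thread) that decodes a binary objectSid, applies the documented objectSid:<domain-prefix> rule from nslcd.conf(5), where the RID (the last sub-authority) becomes the numeric id only when the SID starts with the configured domain prefix, and assembles the passwd-style record the rest of the map lines would produce. The SID blobs, the domain prefix and the entry dictionaries are constructed, and the function names are the example's own.

```python
import struct
from typing import Optional

# Constructed sample: the binary form of S-1-5-21-1000-2000-3000-1105, laid out the
# way AD stores objectSid (revision byte, sub-authority count byte, 48-bit
# big-endian identifier authority, then 32-bit little-endian sub-authorities).
SAMPLE_SID_BLOB = (bytes([1, 5]) + (5).to_bytes(6, "big")
                   + struct.pack("<5I", 21, 1000, 2000, 3000, 1105))

# Constructed SID with the same RID but from a different domain.
FOREIGN_SID_BLOB = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 9, 9, 9, 1105))

# Constructed stand-in for the prefix given after "objectSid:" in nslcd.conf.
DOMAIN_SID_PREFIX = "S-1-5-21-1000-2000-3000"

# Constructed entries shaped like the attributes the filters above return.
IN_DOMAIN_USER = {"sAMAccountName": "testaduser", "displayName": "Test AD User",
                  "objectSid": SAMPLE_SID_BLOB}
FOREIGN_USER = {"sAMAccountName": "otheruser", "displayName": "Other Domain User",
                "objectSid": FOREIGN_SID_BLOB}


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary objectSid into its S-<rev>-<authority>-<sub>... text form."""
    if len(blob) < 8:
        raise ValueError("objectSid too short")
    revision, sub_count = blob[0], blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def derive_uid(sid: str, domain_prefix: str) -> Optional[int]:
    """Emulate 'map passwd uidNumber objectSid:<prefix>': the RID becomes the
    numeric id only when the SID carries the configured domain prefix. A SID
    from another domain yields None, so a foreign account with the same RID
    cannot land on the same Unix uid."""
    if not sid.startswith(domain_prefix + "-"):
        return None
    rid = sid[len(domain_prefix) + 1:]
    if not rid.isdigit():
        return None
    return int(rid)


def passwd_entry(ad_entry: dict, domain_prefix: str) -> Optional[dict]:
    """Build the passwd-style record the map lines above would yield, or None
    when no numeric id can be derived (the entry is then not a usable Unix
    account)."""
    sid = sid_bytes_to_string(ad_entry["objectSid"])
    uid = derive_uid(sid, domain_prefix)
    if uid is None:
        return None
    name = ad_entry["sAMAccountName"]
    return {
        "name": name,                     # map passwd uid sAMAccountName
        "uid": uid,                       # map passwd uidNumber objectSid:<prefix>
        "gid": uid,                       # gidNumber is mapped to the same objectSid
        "gecos": ad_entry.get("displayName", ""),
        "home": "/home/%s" % name,        # map passwd homeDirectory "/home/$sAMAccountName"
        "shell": "/bin/bash",             # map passwd loginShell "/bin/bash"
    }


if __name__ == "__main__":
    print(sid_bytes_to_string(SAMPLE_SID_BLOB))
    print(passwd_entry(IN_DOMAIN_USER, DOMAIN_SID_PREFIX))
    print(passwd_entry(FOREIGN_USER, DOMAIN_SID_PREFIX))
```

Because gidNumber is mapped to the user's own objectSid, every user ends up with a primary gid equal to its uid; that is what the posted configuration does, and it only works as intended while no group in the domain shares a RID with a user.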
On Tuesday, 31 May 2016, 21:59, Arthur de Jong <arthur@arthurdejong.org> wrote:
On Mon, 2016-05-30 at 16:20 +0000, Thomas Keller wrote:
> So far our AD users are not able to login to the Ubuntu boxes, unless
> I create a local user account on the Ubuntu client with the same name
> as the LDAP/AD user. The local user account password and ldap account
> passwords are different.
>
> If there is no local user account, the nslcd debug log tells me that
> I am using invalid credentials. If I create a local account on the
> Ubuntu client (with no password or a different password) the nslcd
> debug log tells me that authentication is successful and login is
> successful also.
[...]
> nslcd: [b0dc51] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing
This at least indicates why the getent passwd lookup is not working.
There is no uidNumber attribute in your AD. Unix accounts need a
numeric user id. If you don't have a numeric uid in AD you can have
nslcd derive one from the objectSid. See the sample nslcd.conf:
https://arthurdejong.org/git/nss-pam-ldapd/tree/nslcd.conf
> nslcd: [5558ec] <authc="testaduser"> DEBUG: nslcd_pam_authc("testaduser","sshd","***")
> nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(&(&(objectClass=user)(!(objectClass=computer)))(sAMAccountName=testaduser))")
> nslcd: [5558ec] DEBUG: ldap_result(): CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com
> nslcd: [5558ec] <authc="testaduser"> DEBUG: myldap_search(base="CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com", filter="(objectClass=*)")
[...]
> nslcd: [5558ec] <authc="testaduser"> DEBUG: ldap_simple_bind_s("CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com","***") (uri="ldap://10.0.10.11")
> nslcd: [5558ec] <authc="testaduser"> DEBUG: failed to bind to LDAP server ldap://10.0.10.11: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772
The stuff after "Invalid credentials" is just a diagnostic message from
AD.
I think I tried to have a local account and use authentication from
that while the user is also in LDAP but I don't think I ever tried it
the other way around.
> May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): nslcd authentication; user=testaduser
> May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
This seems to indicate that nslcd is not running as the error seems to
indicate that /var/run/nslcd/socket does not exist.
Hope this helps,
--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org/
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
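Arthur reads three different symptoms out of the quoted logs: the missing uidNumber, the AD bind failure whose "data 52e" trailer is AD's own diagnostic, and the pam_ldap error that means the nslcd socket is absent. As an added example (not from the thread and not part of nss-pam-ldapd), the following Python classifies such nslcd and pam_ldap log lines so that a wrong password can be told apart from a locked or disabled account or from a daemon that is simply not running. The subcode table holds the values Microsoft documents for AcceptSecurityContext failures; the sample lines are the ones quoted above with the quote marks stripped, plus one constructed line using the lockout subcode, and the function names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Meaning of the "data NNN" trailer AD appends to an LDAP bind failure
# (AcceptSecurityContext error); the values are the ones Microsoft documents.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_AUTHC_USER_RE = re.compile(r'<authc="([^"]+)">')
_PASSWD_USER_RE = re.compile(r'<passwd="([^"]+)">')

# Sample log, taken from the lines quoted above (quote marks removed) plus one
# constructed line of the same shape carrying the lockout subcode.
SAMPLE_LOG = [
    'nslcd: [b0dc51] <passwd="testaduser"> CN=Test AD User,OU=Test,OU=Int_Standard,OU=Users,OU=2_ABCD,DC=abc,DC=example,DC=com: uidNumber: missing',
    'nslcd: [5558ec] <authc="testaduser"> DEBUG: nslcd_pam_authc("testaduser","sshd","***")',
    'nslcd: [5558ec] <authc="testaduser"> DEBUG: failed to bind to LDAP server ldap://10.0.10.11: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772',
    # constructed: what the same line looks like for a locked-out account
    'nslcd: [7a1b2c] <authc="lockeduser"> DEBUG: failed to bind to LDAP server ldap://10.0.10.11: Invalid credentials: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 775, v1772',
    'May 30 17:34:00 ubuntu14-lts sshd[2215]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory',
]


def ad_bind_subcode(line: str) -> Optional[str]:
    """Extract the hex subcode after 'data' from an AD bind-failure line."""
    m = _SUBCODE_RE.search(line)
    return m.group(1).lower() if m else None


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (category, diagnosis) for a line that indicates a login problem,
    or None for lines that need no action."""
    if "error opening connection to nslcd" in line:
        return ("nslcd-unreachable",
                "pam_ldap could not open the nslcd socket; nslcd is probably not running")
    if line.rstrip().endswith("uidNumber: missing"):
        return ("no-uidnumber",
                "entry has no numeric uid; derive one in nslcd.conf (e.g. from objectSid)")
    code = ad_bind_subcode(line)
    if code is not None:
        return ("bind-failed", AD_BIND_SUBCODES.get(code, "unknown AD subcode %s" % code))
    return None


def summarize(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Collapse a debug log into distinct (user, category, diagnosis) findings.
    Lines without a <authc=...> or <passwd=...> tag get user '?'."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        m = _AUTHC_USER_RE.search(line) or _PASSWD_USER_RE.search(line)
        user = m.group(1) if m else "?"
        item = (user, result[0], result[1])
        if item not in findings:
            findings.append(item)
    return findings


if __name__ == "__main__":
    for user, category, diagnosis in summarize(SAMPLE_LOG):
        print("%-12s %-18s %s" % (user, category, diagnosis))
```

A run of repeated 52e results for one user is what a password-guessing attempt looks like from the nslcd side, while 775 or 533 after such a run shows the lockout or disable policy taking effect; keeping the subcode in the triage output is what makes that distinction visible. The subcode only appears when the bind actually reached the domain controller, so the socket error above is reported separately.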