"Invalid credentials" after nss-pam-ldapd upgrade
- From: Tomek <cea2me [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: "Invalid credentials" after nss-pam-ldapd upgrade
- Date: Mon, 2 Jul 2018 16:14:56 +0200
Hi,
After upgrading the nslcd package from 0.9.4-3 to 0.9.7-2 (Debian Jessie to Stretch),
I cannot pass user authentication (I get "Invalid credentials").
On machines with the older nslcd version (0.9.4-3) configured against the same LDAP server, everything works fine.
I use the same nslcd.conf file for both versions.
The OpenLDAP server supports anonymous search and simple bind (no SASL or TLS/SSL).
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://10.5.2.1/
# The search base that will be used for all queries.
base dc=company
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
nslcd: [8b4567] DEBUG: connection from pid=96074 uid=0 gid=0
nslcd: [8b4567] <authc="test"> DEBUG: nslcd_pam_authc("test","sshd","***")
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="dc=company", filter="(&(objectClass=posixAccount)(uid=test))")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_initialize(ldap://10.5.2.1/)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.5.2.1/")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_result(): uid=test,ou=Users,dc=company
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="uid=test,ou=Users,dc=company", filter="(objectClass=*)")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_initialize(ldap://10.5.2.1/)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_sasl_bind("uid=test,ou=Users,dc=company","***") (uri="ldap://10.5.2.1/") (ppolicy=yes)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: failed to bind to LDAP server ldap://10.5.2.1/: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="test"> uid=test,ou=Users,dc=company: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="dc=company", filter="(&(objectClass=shadowAccount)(uid=test))")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_result(): uid=test,ou=Users,dc=company
^Cnslcd: caught signal SIGINT (2), shutting down
nslcd: DEBUG: ldap_unbind()
nslcd: version 0.9.7 bailing out
Regards.
Tom.