Re: Why simple bind to LDAP(AD) without anonymous bind requires binddn and bindpw?

On Tue, 2018-08-07 at 17:52 -0700, Andre Piwoni wrote:
> Without binddn and bindpw simple bind message indicates anonymous
> bind attempt ldap_simple_bind_s(NULL,NULL)

Before authentication is done a search is done to turn the username
into a DN that can be used, together with the user-supplied password,
to perform a simple BIND. This first search uses the same configuration
as is used for NSS lookups.

> Aug  8 00:30:49 ip-172-31-10-200 nslcd: nslcd: [8b4567] <authc="apiwoni"> 
> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://***")
> Aug  8 00:30:49 ip-172-31-10-200 nslcd: nslcd: [8b4567] <authc="apiwoni"> 
> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090A22, 
> comment: In order to perform this operation a successful bind must be 
> completed on the connection., data 0, v3839 

This means that you need to configure an account in nslcd.conf (binddn
and bindpw or some other authentication mechanism) that can be used to
perform the username lookup queries.

> Is non-anonymous bind using entered but not configured username and
> password supported as I only need authentication not group
> memberships etc.?

If the server does not provide any other authorisation controls they
will be ignored. If you do not specify mapping of shadow attributes the
authorisation checks of those will also not be performed.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
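The two-step flow described above (a lookup search under the NSS settings in nslcd.conf to turn the username into a DN, then a simple BIND as that DN with the user's password) means the lookup connection needs its own credentials on an AD server that refuses anonymous searches. The following Python script is an added example for this thread, not part of nss-pam-ldapd: it reads an nslcd.conf fragment and reports whether the lookup connection would be anonymous, credentialed with binddn/bindpw, or authenticated through sasl_mech. The directive names uri, base, binddn, bindpw and sasl_mech are nslcd.conf's own; the sample configurations, hostnames, DNs and password placeholder are constructed, and the "last occurrence wins" handling of repeated single-valued directives is an assumption of this script, not documented nslcd behaviour.

```python
"""Report how nslcd will authenticate its username-to-DN lookup search.

Added example; not part of nss-pam-ldapd. Sample configs below are constructed.
"""

# Constructed sample 1: what the failing setup in the thread looks like.
# No binddn/bindpw and no sasl_mech, so the lookup search is anonymous and
# AD answers "a successful bind must be completed on the connection".
ANONYMOUS_CONF = """\
uri ldap://dc.example.test/
base dc=example,dc=test
"""

# Constructed sample 2: a dedicated, low-privilege service account for lookups.
# The password is a placeholder, not a real secret.
SERVICE_ACCOUNT_CONF = """\
uri ldap://dc.example.test/
base dc=example,dc=test
binddn cn=nslcd-lookup,ou=Service Accounts,dc=example,dc=test
bindpw EXAMPLE-PASSWORD-PLACEHOLDER
"""

# Constructed sample 3: "some other authentication mechanism" (SASL/GSSAPI).
GSSAPI_CONF = """\
uri ldap://dc.example.test/
base dc=example,dc=test
sasl_mech GSSAPI
"""


def parse_nslcd_conf(text):
    """Parse nslcd.conf text into (directive, value) pairs.

    Lines are 'directive value'; '#' starts a comment; blank lines are
    skipped. Directive names are compared case-insensitively.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((directive, value))
    return entries


def lookup_bind_mode(text):
    """Classify the credentials nslcd will use for the lookup connection.

    Returns one of:
      'sasl'       sasl_mech is set; binddn/bindpw are not required
      'simple'     binddn and bindpw are both set
      'incomplete' only one of binddn/bindpw is set
      'anonymous'  none set: ldap_simple_bind_s(NULL,NULL), which AD
                   refuses for the username lookup search
    """
    conf = {}
    for directive, value in parse_nslcd_conf(text):
        conf[directive] = value  # assumption: last occurrence wins
    if conf.get("sasl_mech"):
        return "sasl"
    has_dn = bool(conf.get("binddn"))
    has_pw = bool(conf.get("bindpw"))
    if has_dn and has_pw:
        return "simple"
    if has_dn or has_pw:
        return "incomplete"
    return "anonymous"


def check_config(text, file_mode=None):
    """Return (mode, findings) for a config; findings is a list of strings.

    file_mode, if given, is the permission bits of nslcd.conf: when bindpw
    is present the file holds a secret and must not be readable by others.
    """
    mode = lookup_bind_mode(text)
    findings = []
    if mode == "anonymous":
        findings.append("lookup search would be anonymous; AD rejects it "
                        "with 'Operations error' (000004DC)")
    elif mode == "incomplete":
        findings.append("binddn and bindpw must be configured together")
    elif mode == "simple" and file_mode is not None and file_mode & 0o077:
        findings.append("bindpw present but nslcd.conf is readable by "
                        "group/others; restrict it to root")
    return mode, findings


if __name__ == "__main__":
    for name, conf in (("anonymous", ANONYMOUS_CONF),
                       ("service account", SERVICE_ACCOUNT_CONF),
                       ("gssapi", GSSAPI_CONF)):
        mode, findings = check_config(conf, file_mode=0o600)
        print(f"{name}: mode={mode} findings={findings}")
```

Run it against a real nslcd.conf by reading the file into `check_config` together with `os.stat(path).st_mode & 0o777`; the "anonymous" result is the configuration that produces the log lines quoted in the thread, and the "simple" or "sasl" results are the two fixes Arthur describes.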

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/