Hello,
I am trying to configure OpenLDAP authentication on CentOS 7. I
have an LDAP server already configured, which is working and tested,
but I get an unexpected error when I try to log in.
Here are the configuration files:
nslcd.conf:
uid root
#gid nslcd
uri ldap://ldapserver.mapfa.com:389/
base dc=mapfa,dc=com
binddn cn=admin,dc=mapfa,dc=com
bindpw ******
rootpwmoddn cn=admin,dc=mapfa,dc=com
ssl no
base dc=mapfa,dc=com
------------------------
password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required /lib/security/pam_ldap.so use_first_pass debug
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so debug
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok debug
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional /lib/security/pam_ldap.so debug
---------------------------
sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
----------------------------------------
nslcd.log in debug mode
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: myldap_search(base="dc=mapfa,dc=com", filter="(&(objectClass=posixAccount)(uid=mgholizade))")
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_initialize(ldap://ldapserver.mapfa.com)
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://ldapserver.mapfa.com")
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_result(): uid=mgholizade,ou=infra,dc=mapfa,dc=com
nslcd: [b0dc51] <passwd="mgholizade"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [495cff] DEBUG: connection from pid=1382 uid=0 gid=0
nslcd: [495cff] <shadow="mgholizade"> DEBUG: myldap_search(base="dc=mapfa,dc=com", filter="(&(objectClass=shadowAccount)(uid=mgholizade))")
nslcd: [495cff] <shadow="mgholizade"> DEBUG: ldap_result(): uid=mgholizade,ou=infra,dc=mapfa,dc=com
nslcd: [495cff] <shadow="mgholizade"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e8944a] DEBUG: connection from pid=1382 uid=0 gid=0
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [e8944a] <passwd="mgholizade"> DEBUG: myldap_search(base="dc=mapfa,dc=com", filter="(&(objectClass=posixAccount)(uid=mgholizade))")
nslcd: [e8944a] <passwd="mgholizade"> DEBUG: ldap_result(): uid=mgholizade,ou=infra,dc=mapfa,dc=com
nslcd: [e8944a] <passwd="mgholizade"> DEBUG: ldap_result(): end of results (1 total)
---------------------------
In secure.log I get an unexpected error:
Nov 4 10:27:38 minio sshd[2011]: pam_ldap(sshd:auth): failed to get password: Authentication failure
getent passwd shows the users, I can use ldapsearch from the host,
and I can even change a password using passwd "ldap user".
I also dumped network packets on port 389 and didn't notice any
error or misconfiguration.
I would appreciate help finding the cause of this problem.
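To see how the auth section of the password-auth stack above evaluates for a directory user, here is a small simulator of the PAM control flags (an added example, not part of the original post and not code from PAM, nslcd or any project). The module results it replays are constructed: a user with uid >= 1000 who is absent from /etc/passwd, with sssd not running, and, in a second variant, the assumption that pam_sss still prompts and forwards the password. It shows two things about the posted stack: the default=1 on pam_localuser skips pam_unix for a non-local user, so unless pam_sss stores a password, pam_ldap with use_first_pass has nothing to reuse and fails; and because pam_ldap is required rather than sufficient, the required pam_deny line at the end still rejects a successful LDAP bind.

```python
import re

# Auth section of the poster's /etc/pam.d/password-auth, copied from the post above.
PASSWORD_AUTH = """\
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required /lib/security/pam_ldap.so use_first_pass debug
auth required pam_deny.so
"""
# Classic control keywords as their [value=action] equivalents, per pam.conf(5).
KEYWORDS = {"required": {"success": "ok", "default": "bad"}, "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}, "optional": {"success": "ok", "default": "ignore"}}

def parse_stack(text):
    """Return [(module, {result: action}, [args])] for each auth line."""
    rules = []
    for line in text.splitlines():
        ctrl, mod, args = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line).groups()
        acts = dict(kv.split("=", 1) for kv in ctrl[1:-1].split()) if ctrl[0] == "[" else KEYWORDS[ctrl]
        rules.append((mod.rsplit("/", 1)[-1], acts, args.split()))
    return rules

def run_auth(rules, behaviour):
    """behaviour maps module -> (result, stored_a_password). Returns (verdict, trace)."""
    trace, status, authtok, i = [], None, False, 0
    while i < len(rules):
        mod, acts, args = rules[i]
        res, stores = (("auth_err", False) if "use_first_pass" in args and not authtok  # nothing to reuse
                       else behaviour.get(mod, ("success", False)))
        authtok = authtok or stores
        act = acts.get(res, acts.get("default", "ignore"))
        trace.append((mod, res, act))
        if act.isdigit():                      # jump over the next N modules; this result is ignored
            i += int(act)
        elif act != "ignore":
            status = res if status in (None, "success") else status   # the first failure sticks
            if act == "die" or (act == "done" and status == "success"):
                break
        i += 1
    return status or "perm_denied", trace

# Constructed results for a directory-only user (uid >= 1000, not in /etc/passwd) with no sssd running.
NO_SSSD = {"pam_localuser.so": ("user_unknown", False), "pam_unix.so": ("auth_err", True),
           "pam_sss.so": ("authinfo_unavail", False), "pam_deny.so": ("auth_err", False)}
SSS_FORWARDS = dict(NO_SSSD, **{"pam_sss.so": ("auth_err", True)})  # assumed: pam_sss prompted and forwarded
FIXED = PASSWORD_AUTH.replace("required /lib/security/pam_ldap.so", "sufficient /lib/security/pam_ldap.so")
```

Each trace entry records the module, the result it returned and the action the control field applied to it; modules skipped by a jump do not appear at all.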