Re: nslcd.conf - ldap_result() failed: No such object: cdcLdapSearch :System error (cdcRC=28)

[Arthur de Jong <arthur [at] arthurdejong.org>]

On Thu, 2019-09-12 at 09:58 +0000, CHOUDARY, ANIRUDH (Ext) wrote:
> The process binds successfully with the LDAP, but returns a failure
> upon search for the user, even after finding the user.
> This failure status causes authentication failure for our app that
> relies on nslcd.

Thanks for your report. After authentication nslcd will perform a
search for the user's DN to ensure that the authentication was actually
successful (there have been cases where the LDAP server does not return
an error during authentication but the authentication was not
successful).

> nslcd: [1b58ba] <authc="myuser"> DEBUG: ldap_simple_bind_s("BINDUSER","***") 
> (uri="ldap://BIND-SERVER:389";)
> nslcd: [1b58ba] <authc="myuser"> DEBUG: ldap_result(): 
> cn=MYUSER,ou=Users,ou=PH,ou=INHY,dc=ap,dc=novartis,dc=net
> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> myldap_search(base="cn=MYUSER,ou=Users,ou=PH,ou=INHY,dc=ap,dc=novartis,dc=net",
>  filter="(objectClass=*)")
> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> ldap_initialize(ldap://BIND-SERVER:389)
> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> ldap_sasl_bind("cn=MYUSER,ou=Users,ou=PH,ou=INHY,dc=ap,dc=novartis,dc=net","***")
>  (uri="ldap:// BIND-SERVER:389") (ppolicy=yes)
> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> myldap_search(base="cn=MYUSER,ou=Users,ou=PH,ou=INHY,dc=ap,dc=novartis,dc=net",
>  filter="(objectClass=*)")
> nslcd: [1b58ba] <authc="myuser"> ldap_result() failed: No such object: 
> cdcLdapSearch :System error (cdcRC=28), errSystem=Ldap, errCode=10, 
> errString=Referral

This behaviour can be tuned with the pam_authc_search option, see:
https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authc_search

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --