RE: nslcd.conf - ldap_result() failed: No such object: cdcLdapSearch :System error (cdcRC=28)

Hello Arthur

Thank you very much for the update.

We have disabled the pam_authc_search by setting it to NONE.

Now we are trying to limit access to certain LDAP groups, by using 
pam_authz_search and filter on passwd.

But this does not work. Could you please help us with some examples of such 
implementations?

We are using the following settings to allow just one group.

------------------------------------------------------------------------------------------------------------------
pam_authz_search (&(objectClass=posixGroup)(cn=MYGROUP1)(member=$dn))

filter passwd (&(objectClass=posixAccount)(cn=MYGROUP1))
------------------------------------------------------------------------------------------------------------------

Our actual use case is to filter or authorize users that are part of multiple groups.

------------------------------------------------------------------------------------------------------------------
pam_authz_search (&(objectClass=posixGroup)(|(cn=MYGROUP1)(cn=MYGROUP2))(member=$dn))

filter passwd (&(objectClass=posixAccount)(|(cn=MYGROUP1)(cn=MYGROUP2)))
------------------------------------------------------------------------------------------------------------------


******************************************
Examples of the info used in the commands above

CN of Group - ULS_GBL_PRJ.ENV_USERS 
dn - cn=USERID,ou=Users,ou=OU1,ou=LOC1,dc=REG1,dc=novartis,dc=net
******************************************


Thanks & Regards
 
ANIRUDH CHOUDARY
Providing Services to Novartis Pharma AG
 
e-mail : anirudh.choudary@novartis.com

-----Original Message-----
From: Arthur de Jong <arthur@arthurdejong.org> 
Sent: Tuesday, September 17, 2019 3:19 PM
To: CHOUDARY, ANIRUDH (Ext) <anirudh.choudary@novartis.com>; 
nss-pam-ldapd-users@lists.arthurdejong.org
Cc: Shastry, Kedar (Ext) <kedar.shastry@novartis.com>; Madan Mohan, Amarnath 
<amarnath.madan_mohan@novartis.com>
Subject: Re: nslcd.conf - ldap_result() failed: No such object: cdcLdapSearch 
:System error (cdcRC=28)

On Thu, 2019-09-12 at 09:58 +0000, CHOUDARY, ANIRUDH (Ext) wrote:
> The process binds successfully with the LDAP, but returns a failure 
> upon search for the user, even after finding the user.
> This failure status causes authentication failure for our app that 
> relies on nslcd.

Thanks for your report. After authentication nslcd will perform a search for 
the user's DN to ensure that the authentication was actually successful (there 
have been cases where the LDAP server does not return an error during 
authentication but the authentication was not successful).

> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> ldap_simple_bind_s("BINDUSER","***") (uri="ldap://BIND-SERVER:389";)
> nslcd: [1b58ba] <authc="myuser"> DEBUG: ldap_result(): 
> cn=MYUSER,ou=Users,ou=PH,ou=INHY,dc=ap,dc=novartis,dc=net
> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> myldap_search(base="cn=MYUSER,ou=Users,ou=PH,ou=INHY,dc=ap,dc=novartis
> ,dc=net", filter="(objectClass=*)")
> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> ldap_initialize(ldap://BIND-SERVER:389)
> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> ldap_sasl_bind("cn=MYUSER,ou=Users,ou=PH,ou=INHY,dc=ap,dc=novartis,dc=
> net","***") (uri="ldap:// BIND-SERVER:389") (ppolicy=yes)
> nslcd: [1b58ba] <authc="myuser"> DEBUG: 
> myldap_search(base="cn=MYUSER,ou=Users,ou=PH,ou=INHY,dc=ap,dc=novartis
> ,dc=net", filter="(objectClass=*)")
> nslcd: [1b58ba] <authc="myuser"> ldap_result() failed: No such object: 
> cdcLdapSearch :System error (cdcRC=28), errSystem=Ldap, errCode=10, 
> errString=Referral

This behaviour can be tuned with the pam_authc_search option, see:
https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5#pam_authc_search

Hope this helps,

--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
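The filters quoted in this thread, evaluated against a constructed directory. This is an added example, not nslcd code: a small RFC 4515 filter evaluator in Python that reports which entries each filter returns and applies the pam_authz_search rule (grant only when the $dn-expanded filter returns at least one entry). The DNs, group names and attributes are made up, modelled on the dn example in the message, and assume the groups list their members in a `member` attribute.

```python
import re
# Constructed entries modelled on the thread's dn example (not real data).
USER_DN = "cn=USERID,ou=Users,ou=OU1,ou=LOC1,dc=REG1,dc=novartis,dc=net"
ENTRIES = {
    USER_DN: {"objectClass": {"posixAccount"}, "cn": {"USERID"}},
    "cn=MYGROUP1,ou=Groups,dc=REG1,dc=novartis,dc=net": {
        "objectClass": {"posixGroup"}, "cn": {"MYGROUP1"}, "member": {USER_DN}},
    "cn=MYGROUP2,ou=Groups,dc=REG1,dc=novartis,dc=net": {
        "objectClass": {"posixGroup"}, "cn": {"MYGROUP2"}, "member": set()},
}

def escape_filter_value(value):
    """RFC 4515 escaping, as nslcd applies when it expands $dn into a filter."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse(s, i=0):
    """Parse an RFC 4515 filter (&, | and attr=value) into nested tuples."""
    i += 1                                  # skip the opening '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1            # skip the closing ')'
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.lower(), val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive matching)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, val = node
    values = {v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs}
    if val == "*":                          # presence test, e.g. (objectClass=*)
        return bool(values)
    val = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), val, flags=re.I)
    return val.lower() in values

def search(filter_str, entries=ENTRIES):
    node, _ = parse(filter_str)             # DNs an LDAP search would return
    return sorted(dn for dn, e in entries.items() if matches(node, e))

def pam_authz_allowed(user_dn, template, entries=ENTRIES):
    """pam_authz_search semantics: grant only if the expanded filter returns an entry."""
    return bool(search(template.replace("$dn", escape_filter_value(user_dn)), entries))
```

Against these entries the `filter passwd` lines from the message test the account's own cn, so they return no user entries at all, while the group-membership test in pam_authz_search grants or denies the user on its own.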