Re: nslcd and pam_ldap.so: Anonymous access is not allowed
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: nslcd and pam_ldap.so: Anonymous access is not allowed
- From: Andrea Sighinolfi <andrea.sighinolfi [at] sitti.it>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: nslcd and pam_ldap.so: Anonymous access is not allowed
- Date: Fri, 17 Dec 2021 09:31:06 +0100
Hi Arthur,
thank you for your kind answer. When you say:
That means that you probably want to configure a binddn and bindpw (or
other authentication mechanism) for the normal LDAP connection.
It's not clear to me what should I provide in the bindpw parameter. I
think this shouldn't be the LDAP user's password, right? In fact, I have
many users in the ldap server, and I need to log on each of them. But I
can't think of other password here.
This is an example of how I perform a simple bind operation with
ldapsearch command on the ldap user "test":
ldapsearch -x -b "dc=labsecurity,dc=local" -H ldap://192.168.30.1 -D
"uid=test,cn=users,cn=accounts,dc=labsecurity,dc=local" -W "uid=test"
Thanks in advance,
best regards.
Andrea
Il 16/12/2021 18:26, Arthur de Jong ha scritto:
On Thu, 2021-12-16 at 16:42 +0100, Andrea Sighinolfi wrote:
When I try to authenticat the ldap user in my application using
pam_ldap.so module, the authentication always fails, and the
following message is registered to the syslog:
daemon.err nslcd[140]: [495cff] <authc="test"> ldap_result() failed:
Inappropriate authentication: Anonymous access is not allowed.
The first thing that nslcd does before actually authenticating the user
is to try to look up the user in the LDAP server. This is done using
the same search operation that is normally configured for the NSS (i.e.
getent passwd) lookups.
That means that you probably want to configure a binddn and bindpw (or
other authentication mechanism) for the normal LDAP connection.
After the initial lookup the authentication itself is done via a BIND
operation followed by default by a simple search to validate that the
user is actually properly connected (see the pam_authc_search option
for details).
Hope this clarifies things,
--