Re: nslcd and pam_ldap.so: Anonymous access is not allowed

[Andrea Sighinolfi <andrea.sighinolfi [at] sitti.it>]

Hi Arthur,
thank you for your kind answer. When you say:

That means that you probably want to configure a binddn and bindpw (or
other authentication mechanism) for the normal LDAP connection.

It's not clear to me what should I provide in the bindpw parameter. I 
think this shouldn't be the LDAP user's password, right? In fact, I have 
many users in the ldap server, and I need to log on each of them. But I 
can't think of other password here.

This is an example of how I perform a simple bind operation with 
ldapsearch command on the ldap user "test":

ldapsearch -x -b "dc=labsecurity,dc=local"  -H ldap://192.168.30.1 -D 
"uid=test,cn=users,cn=accounts,dc=labsecurity,dc=local" -W "uid=test"

Thanks in advance,
best regards.

Andrea

Il 16/12/2021 18:26, Arthur de Jong ha scritto:
> On Thu, 2021-12-16 at 16:42 +0100, Andrea Sighinolfi wrote:
> > When I try to authenticat the ldap user in my application using
> > pam_ldap.so module, the authentication always fails, and the
> > following message is registered to the syslog:
> > daemon.err nslcd[140]: [495cff] <authc="test"> ldap_result() failed:
> > Inappropriate authentication: Anonymous access is not allowed.
> The first thing that nslcd does before actually authenticating the user
> is to try to look up the user in the LDAP server. This is done using
> the same search operation that is normally configured for the NSS (i.e.
> getent passwd) lookups.
>
> That means that you probably want to configure a binddn and bindpw (or
> other authentication mechanism) for the normal LDAP connection.
>
> After the initial lookup the authentication itself is done via a BIND
> operation followed by default by a simple search to validate that the
> user is actually properly connected (see the pam_authc_search option
> for details).
>
> Hope this clarifies things,
--