
[nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)




Hello the list,

I've been trying to authenticate Linux logins with Ubuntu and CentOS using LDAP 
against our Novell eDirectory or our Active Directory. CentOS is more important 
to us as it's the distribution used in some of our pre-packaged server installs.

The packages openldap_clients and nss-ldap (for CentOS) are installed and up to 
date (using yum).

The configuration on /etc/openldap/ldap.conf works and I can use ldapsearch to 
bind and search our directories freely from the command line.

/etc/openldap/ldap.conf
URI ldap://ldap.our.long.domain.co.nz
BASE dc=our,dc=long,dc=domain,dc=co,dc=nz
TLS_REQCERT never

When you do:

ldapsearch -x ""

The LDAP server (A Windows Server 2003 Domain Controller) responds with:

# extended LDIF
#
# LDAPv3
# base <dc=our,dc=long,dc=domain,dc=co,dc=nz> (default) with scope subtree
# filter: (objectclass=*)
# requesting:
#

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
 ration a successful bind must be completed on the connection., data 0, vece

# numResponses: 1

Binding ldapsearch with an appropriate username and password allows 'proper' 
searches, and gives meaningful responses.

So, those are the bits that work.

What's not working is login authentication. I ignore the GUI interface on Gnome 
and use the command line to edit the config files.

When I set up LDAP authentication and restart the server, non-local logins take 
a very long time (while nss_ldap tries to connect to the server and fails) 
before failing. There are no messages in /var/log/auth, but /var/log/messages 
is full of:

Jun 25 15:24:46 vmcluster gdm[5986]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:30:28 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:33:29 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:33:29 vmcluster gdm[5969]: pam_unix(gdm:auth): check pass; user unknown
Jun 25 15:35:33 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:35:33 vmcluster gdm[5969]: pam_succeed_if(gdm:auth): error retrieving information about user ldapuser
Jun 25 15:37:39 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:37:40 vmcluster gdm[5969]: Couldn't authenticate user

I've tweaked many of the settings, tried using SSL and TLS (which the 
eDirectory requires, and the Active Directory doesn't do) and the bindings for 
searching (different users, or anonymous binding), still the general trend of 
ldapsearch just works, but login authentication with the pam modules (pam_ldap 
and nss_ldap) fails to even connect to the server.

I've tried comparable setups on Ubuntu, and get similar results.

Hope someone here can help.

Regards.

Aaron Hicks

===========Config files from here on========

My /etc/ldap.conf looks like (omitting sections left as default):

<defaults omitted>
# The distinguished name of the search base.
base

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://ldap.our.long.domain.co.nz

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Note: We have users with spaces in their cn!
binddn "cn=User Name,ou=internal,ou=users,ou=accounts,cn=,dc=our,dc=long,dc=domain,dc=co,dc=nz"

# The credentials to bind with.
# Optional: default is no credential.
bindpw secret

<defaults omitted>
# Search timelimit
#timelimit 30
timelimit 10

# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 10

<more defaults omitted>

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

<no more changes>

Since they seem important here's my /etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap

And finally /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so



The views expressed in this email may not be those of Landcare Research New 
Zealand Limited. http://www.landcareresearch.co.nz
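The post's ldapsearch tests read /etc/openldap/ldap.conf, while nss_ldap and pam_ldap read /etc/ldap.conf, so the two tools are not using the same base, bind DN or credentials. The script below is an added example (not the poster's code or part of nss_ldap): it parses a config in the /etc/ldap.conf format, flags the settings that most commonly make the NSS lookup diverge from a working ldapsearch (empty base, quoted or malformed binddn, cleartext bindpw), and prints the ldapsearch command equivalent to the search nss_ldap issues for getpwnam(). The embedded config is constructed from the values shown in the post, with the wrapped binddn joined onto one line; the lint heuristics and the attribute list are this example's own choices.

```python
#!/usr/bin/env python3
"""Lint an nss_ldap/pam_ldap /etc/ldap.conf and reproduce its passwd lookup
as an ldapsearch command.  Added example, not part of the original post."""
import re
import shlex

# Constructed from the post's /etc/ldap.conf (binddn joined onto one line).
SAMPLE_CONF = """\
# The distinguished name of the search base.
base

uri ldap://ldap.our.long.domain.co.nz

binddn "cn=User Name,ou=internal,ou=users,ou=accounts,cn=,dc=our,dc=long,dc=domain,dc=co,dc=nz"
bindpw secret

timelimit 10
bind_timelimit 10

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
"""

MAP_KEYS = ("nss_map_objectclass", "nss_map_attribute")


def parse_ldap_conf(text):
    """Parse 'key value' lines (keys case-insensitive, '#' comments).
    The two nss_map_* directives may repeat, so they are stored as dicts."""
    settings = {k: {} for k in MAP_KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in MAP_KEYS:
            src, _, dst = value.partition(" ")
            settings[key][src.strip()] = dst.strip()
        else:
            settings[key] = value
    return settings


def rdn_values(dn):
    """Yield (type, value) for each RDN component, honouring '\\,' and '\\+' escapes."""
    for rdn in re.split(r"(?<!\\),", dn):
        for ava in re.split(r"(?<!\\)\+", rdn):
            typ, _, val = ava.partition("=")
            yield typ.strip(), val.strip()


def lint(settings):
    """Heuristic checks (chosen for this example) for settings that make the
    NSS/PAM lookup behave differently from a hand-run ldapsearch."""
    problems = []
    if not settings.get("base"):
        problems.append("base is empty: nss_ldap searches from '' instead of the "
                        "BASE that ldapsearch takes from /etc/openldap/ldap.conf")
    dn = settings.get("binddn", "")
    if dn.startswith('"') or dn.endswith('"'):
        problems.append("binddn is wrapped in double quotes; confirm with "
                        "ldapsearch -D that the DN works exactly as written here")
    for typ, val in rdn_values(dn.strip('"')):
        if typ and val == "":
            problems.append("binddn has an empty RDN value '%s=': likely a typo" % typ)
    if settings.get("bindpw") and settings.get("uri", "").startswith("ldap://") \
            and settings.get("ssl", "").lower() != "start_tls":
        problems.append("bindpw is sent over cleartext ldap:// without ssl start_tls")
    if settings.get("bindpw"):
        problems.append("bindpw is readable by every local user (nss_ldap needs "
                        "/etc/ldap.conf world-readable); keep that account read-only")
    return problems


def nss_passwd_search(settings, username):
    """The search nss_ldap issues for getpwnam(username) after the
    nss_map_* directives are applied to its default
    (&(objectClass=posixAccount)(uid=<user>)) filter."""
    oc = settings["nss_map_objectclass"].get("posixAccount", "posixAccount")
    uid_attr = settings["nss_map_attribute"].get("uid", "uid")
    # RFC 4515 escaping so a hostile username cannot alter the filter.
    safe = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in username)
    return {
        "base": settings.get("base", ""),
        "filter": "(&(objectClass=%s)(%s=%s))" % (oc, uid_attr, safe),
        "attrs": [uid_attr, "uidNumber", "gidNumber",
                  settings["nss_map_attribute"].get("homeDirectory", "homeDirectory"),
                  "loginShell"],
    }


def ldapsearch_command(settings, username):
    """ldapsearch invocation equivalent to that NSS lookup (default timelimit 30)."""
    s = nss_passwd_search(settings, username)
    cmd = ["ldapsearch", "-x", "-H", settings.get("uri", ""),
           "-b", s["base"], "-l", settings.get("timelimit", "30")]
    if settings.get("binddn"):
        cmd += ["-D", settings["binddn"].strip('"'), "-w", settings.get("bindpw", "")]
    return " ".join(shlex.quote(c) for c in cmd + [s["filter"]] + s["attrs"])


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_CONF)
    for p in lint(conf):
        print("WARN:", p)
    print(ldapsearch_command(conf, "ldapuser"))
```

Run the printed ldapsearch command from the box that cannot log in: if it fails the same way the module does, the problem is in /etc/ldap.conf rather than in the PAM stack, and each warning can be fixed and re-tested without going through a login. Point the script at the real file with `parse_ldap_conf(open("/etc/ldap.conf").read())`.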