[nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)
- From: Aaron Hicks <HicksA [at] landcareresearch.co.nz>
- To: "pamldap [at] padl.com" <pamldap [at] padl.com>, "nssldap [at] padl.com" <nssldap [at] padl.com>
- Subject: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)
- Date: Thu, 25 Jun 2009 16:35:22 +1200
Hello the list,
I've been trying to authenticate Linux logins with Ubuntu and CentOS using LDAP
against our Novell eDirectory or our Active Directory. CentOS is more important
to us as it's the distribution used in some of our pre-packaged server installs.
The packages openldap_clients and nss-ldap (for CentOS) are installed and up to
date (using yum).
The configuration on /etc/openldap/ldap.conf works and I can use ldapsearch to
bind and search our directories freely from the command line.
/etc/openldap/ldap.conf
URI ldap://ldap.our.long.domain.co.nz
BASE dc=our,dc=long,dc=domain,dc=co,dc=nz
TLS_REQCERT never
When you do:
ldapsearch -x ""
The LDAP server (A Windows Server 2003 Domain Controller) responds with:
# extended LDIF
#
# LDAPv3
# base <dc=our,dc=long,dc=domain,dc=co,dc=nz> (default) with scope subtree
# filter: (objectclass=*)
# requesting:
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
Binding ldapsearch with an appropriate username and password allows 'proper'
searches, and gives meaningful responses.
So, those were the bits that work.
What's not working is login authentication. I ignore the GUI interface on Gnome
and use the command line to edit the config files.
When I set up LDAP authentication and restart the server, non-local logins take
a very long time (while nss_ldap tries to connect to the server and fails)
before failing. There are no messages in /var/log/auth, but /var/log/messages
is full of:
Jun 25 15:24:46 vmcluster gdm[5986]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:30:28 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:33:29 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:33:29 vmcluster gdm[5969]: pam_unix(gdm:auth): check pass; user unknown
Jun 25 15:35:33 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:35:33 vmcluster gdm[5969]: pam_succeed_if(gdm:auth): error retrieving information about user ldapuser
Jun 25 15:37:39 vmcluster gdm[5969]: nss_ldap: could not search LDAP server - Server is unavailable
Jun 25 15:37:40 vmcluster gdm[5969]: Couldn't authenticate user
I've tweaked many of the settings, tried using SSL and TLS (which the
eDirectory requires, and the Active Directory doesn't do) and the bindings for
searching (different users, or anonymous binding), still the general trend of
ldapsearch just works, but login authentication with the pam modules (pam_ldap
and nss_ldap) fails to even connect to the server.
I've tried comparable setups on Ubuntu, and get similar results.
Hope someone here can help.
Regards.
Aaron Hicks
===========Config files from here on========
My /etc/ldap.conf looks like (omitting sections left as default):
<defaults omitted>
# The distinguished name of the search base.
base
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://ldap.our.long.domain.co.nz
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Note: We have users with spaces in their cn!
binddn "cn=User Name,ou=internal,ou=users,ou=accounts,cn=,dc=our,dc=long,dc=domain,dc=co,dc=nz"
# The credentials to bind with.
# Optional: default is no credential.
bindpw secret
<defaults omitted>
# Search timelimit
#timelimit 30
timelimit 10
# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 10
<more defaults omitted>
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
<no more changes>
Since they seem important here's my /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
And finally /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
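The post shows two separate client configurations: ldapsearch reads /etc/openldap/ldap.conf, while nss_ldap and pam_ldap read /etc/ldap.conf, so a working ldapsearch says nothing about the second file. The following checker is an added example (not code from the post or from the PADL nss_ldap/pam_ldap projects) that parses an /etc/ldap.conf in the style above and reports the kind of defects a reviewer would look for before enabling LDAP logins: an empty `base`, a bind DN with an empty RDN, a `bindpw` sent over plain `ldap://` with no `ssl` setting, and a `uri`/`base` mismatch between the two files. The function names and the sample configs (with `example.org` in place of the real domain) are constructed for this example.

```python
"""Sanity-check an nss_ldap/pam_ldap /etc/ldap.conf before enabling LDAP logins.

Added example, not part of the original post. The config parser is deliberately
minimal: one 'key value' directive per line, '#' comments, optional double quotes
around the value, keys compared case-insensitively.
"""
import re

# Constructed sample inputs modelled on the post. The second one reproduces the
# two suspicious details from the posted /etc/ldap.conf: an empty "base" line and
# an empty "cn=" RDN inside the bind DN.
CLIENT_CONF = """\
URI ldap://ldap.example.org
BASE dc=example,dc=org
TLS_REQCERT never
"""

NSS_CONF = """\
# The distinguished name of the search base.
base
uri ldap://ldap.example.org
binddn "cn=User Name,ou=internal,ou=users,ou=accounts,cn=,dc=example,dc=org"
bindpw secret
timelimit 10
bind_timelimit 10
nss_map_objectclass posixAccount user
nss_map_attribute uid sAMAccountName
pam_login_attribute sAMAccountName
"""


def parse_ldap_conf(text):
    """Return {lowercased key: [values...]}; repeated keys (nss_map_*) keep every value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf.setdefault(key, []).append(value)
    return conf


def split_dn(dn):
    """Split a DN into (attribute, value) pairs on commas that are not backslash-escaped."""
    return [tuple(p.strip() for p in rdn.partition('=')[::2])
            for rdn in re.split(r'(?<!\\),', dn)]


def last(conf, key, default=''):
    """Last value wins, matching how a single-valued directive is normally read."""
    return conf.get(key, [default])[-1]


def check_config(conf):
    """Return a list of (code, message) findings for the nss_ldap/pam_ldap config."""
    findings = []
    if not last(conf, 'base'):
        findings.append(('empty-base',
                         'base is empty: every NSS lookup searches with no search base'))
    binddn = last(conf, 'binddn')
    for attr, value in split_dn(binddn) if binddn else []:
        if not attr or not value:
            findings.append(('bad-binddn',
                             'binddn contains an empty RDN (%r): not a valid DN' % (attr + '=' + value)))
            break
    uri = last(conf, 'uri')
    if last(conf, 'bindpw') and uri.startswith('ldap://') and last(conf, 'ssl', 'off').lower() == 'off':
        findings.append(('cleartext-bindpw',
                         'bindpw is set but uri is plain ldap:// with no ssl directive: '
                         'the bind password crosses the network in cleartext'))
    for key in ('timelimit', 'bind_timelimit'):
        if key in conf and not last(conf, key).isdigit():
            findings.append(('bad-%s' % key, '%s is not a number: %r' % (key, last(conf, key))))
    return findings


def compare_with_client_conf(nss_conf, client_conf):
    """Report uri/base values that differ between /etc/ldap.conf and /etc/openldap/ldap.conf."""
    return [(key, last(client_conf, key), last(nss_conf, key))
            for key in ('uri', 'base')
            if last(client_conf, key) != last(nss_conf, key)]


if __name__ == '__main__':
    nss, client = parse_ldap_conf(NSS_CONF), parse_ldap_conf(CLIENT_CONF)
    for code, msg in check_config(nss):
        print('%-18s %s' % (code, msg))
    for key, want, got in compare_with_client_conf(nss, client):
        print('%-18s openldap has %r, nss_ldap has %r' % ('mismatch-' + key, want, got))
```

Run against the constructed sample it reports the empty `base`, the empty `cn=` RDN, the cleartext `bindpw`, and the `base` mismatch between the two files; point it at real files by reading them into the two strings. The cleartext check only treats an explicit `ssl` directive as protection because that is the only directive in this file format that turns on TLS for nss_ldap/pam_ldap; it does not know about `ldaps://` URIs, which the post does not use.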