I have a problem using my openldap 2.4 server for authentication on a fedora 14:
it sounds like the problem is in the client-side configuration.
Here are some logs; your help to diagnose this would be appreciated.
-> I have an ldap server that stores posixAccount and responds to
ldap queries.
-> I have configured a client machine to use this ldap server for
authentication at login:
***** LOGS ***
**** CLIENT side ****
login: olivier
passe :
Login incorrect
**** SERVER when login on the client ***
Here is what I see on the server side (IP=10.1.92.24) when I try to log in as
"olivier" on the client (10.1.86.93) using /bin/login (debug level 256) :
conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr"
scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire
shadowFlag shadowInactive shadowLastChange shadowMax shadowMin
shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
*** CLIENT When using ldappasswd *****
I manage to change the "userPassword" attribute using the ldappasswd command; here
are the logs on the client and server side:
Client side :
$ ldapsearch -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
$ ldappasswd -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret
"uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -s newpass
$ ldapsearch -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
*** SERVER side When using ldappasswd *****
Server side, here are the logs related to ldappasswd:
conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new
conn=1000 op=1 RESULT oid= err=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed
Thanks for your help,
----
Olivier
On Tue, Jul 12, 2011 at 7:59 PM, Olivier Guillard
<olivier(a)guillard.nom.fr> wrote:
> Hello
>
> Here is the result of an ldapsearch on a client host :
>
> $ ldapsearch -h ldap-master1.mydomain.fr -D
> "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
>
> dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
> uid: olivier
> loginShell: /bin/tcsh
> cn: Olivier
> uidNumber: 1130
> gidNumber: 18104
> homeDirectory: /home/olivier
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
>
> I have the same output with this :
>
> $ ldapsearch -h ldap-master1.mydomain.fr -D
> "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -w pass-olivier
> "uid=olivier"
>
> Although if I omit the -w I get this :
>
> ldap_bind: Server is unwilling to perform (53)
> additional info: unauthenticated bind (DN with no password) disallowed
>
>
> --->> the openldap server responds.
>
> ================
>
> On the client side (fedora 14), I have followed the documentation to
> set up ldap authentication at login:
>
> /etc/nsswitch.conf /etc/ldap.conf /etc/nss_ldap.conf
> /etc/pam_ldap.conf /etc/openldap/ldap.conf and /etc/pam.d/
>
> are configured for the system to query the ldap-master.mydomain.fr
> server for authentication :
>
> in ldap.conf files I have :
>
> uri ldap://ldap-master1.mydomain.fr and
> "rootbinddn cn=Manager,dc=mydomain,dc=fr"
>
> in nsswitch.conf :
> passwd: ldap
> shadow: ldap
>
> and in pam.d/password-auth and pam.d/system-auth and pam.d/system-auth-ac
> I have the lines :
>
> auth sufficient pam_ldap.so use_first_pass
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> password sufficient pam_ldap.so use_authtok
> session optional pam_ldap.so
>
> I use no particular security mechanism at this stage (no
> TLS, simple auth, etc.).
>
> ====
>
> WITH ALL THIS, here is what I get in the logs when I try to login as
> "olivier" on the client machine:
>
> Jul 12 19:32:20 fouine login: nss_ldap: failed to bind to LDAP server
> ldap://ldap-master1.mydomain.fr: Can't contact LDAP server
> Jul 12 19:32:20 fouine login: nss_ldap: could not search LDAP server -
> Server is unavailable
>
> Of course, I can't log in.
>
> Any help ??? I'm getting mad...
>
> (maybe you could suggest which debug level I should use on the
> server to try to track what's going on).
>
> Thanks,
>
> ---
> Olivier
>
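The slapd stats lines in this thread (loglevel 256) already contain the answer if they are read per connection and operation: the client binds anonymously (dn=""), then searches under base "ou=People,ou=staff,dc=mydomain,dc=fr" and gets err=32 (noSuchObject), while the entry ldapsearch returns lives under "ou=Staff,ou=People,dc=mydomain,dc=fr". The script below is an added example, not code from the poster or from the OpenLDAP project: it groups stats lines by (conn, op), names the LDAP result code, checks whether each search base can actually contain the known entry DN, and flags anonymous binds and simple binds with ssf=0 (credentials sent without TLS). The log sample is constructed from the thread's output, re-joined onto one line per record as slapd writes them; the DN comparison assumes no escaped commas in the DNs, which holds for the DNs shown here.

```python
import re

# LDAP result codes seen in the thread plus a few common neighbours (RFC 4511).
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}
# First word of a stats line that opens (or refines) an operation record.
OP_WORDS = {"BIND", "SRCH", "EXT", "PASSMOD", "UNBIND", "MOD", "ADD", "DEL", "CMP"}

LINE_RE = re.compile(r"^conn=(?P<conn>\d+)\s+(?:op=(?P<op>\d+)\s+)?(?P<body>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
ERR_RE = re.compile(r"\berr=(\d+)")
NENTRIES_RE = re.compile(r"\bnentries=(\d+)")
SSF_RE = re.compile(r"\bssf=(\d+)")
QUOTED_RE = {name: re.compile(r'\b%s="([^"]*)"' % name)
             for name in ("dn", "base", "filter", "id")}

# Constructed sample: the thread's slapd lines, one record per line.
SAMPLE_LOG = """\
conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new
conn=1000 op=1 RESULT oid= err=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed
""".splitlines()

# The entry DN that ldapsearch returned in the thread.
ENTRY_DN = "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr"


def dn_rdns(dn):
    """Split a DN into lowercase RDNs (case-insensitive compare, as LDAP does
    for these attribute types). Assumes no escaped commas in the DN."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def dn_under_base(entry_dn, base):
    """True if base is the entry itself or one of its ancestors."""
    e, b = dn_rdns(entry_dn), dn_rdns(base)
    return len(b) <= len(e) and e[len(e) - len(b):] == b


def parse_stats_log(lines):
    """Group slapd stats lines into one record per (conn, op), in first-seen order."""
    clients, ops, order = {}, {}, []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, op, body = m.group("conn"), m.group("op"), m.group("body")
        if op is None:  # connection-level line: ACCEPT / closed
            am = ACCEPT_RE.search(body)
            if am:
                clients[conn] = am.group(1)
            continue
        key = (conn, op)
        if key not in ops:
            ops[key] = {"conn": conn, "op": op, "client": clients.get(conn),
                        "kind": None, "err": None, "nentries": None, "ssf": None}
            order.append(key)
        rec = ops[key]
        words = body.split()
        word = words[0] if words else ""
        # EXT is refined by the following PASSMOD line; RESULT lines never set kind.
        if word in OP_WORDS and rec["kind"] in (None, "EXT"):
            rec["kind"] = word
        for name, rx in QUOTED_RE.items():
            qm = rx.search(body)
            if qm and name not in rec:
                rec[name] = qm.group(1)
        for field, rx in (("err", ERR_RE), ("nentries", NENTRIES_RE), ("ssf", SSF_RE)):
            fm = rx.search(body)
            if fm:
                rec[field] = int(fm.group(1))
    return [ops[k] for k in order]


def diagnose(ops, entry_dn):
    """Return one human-readable finding per operation that deserves attention."""
    findings = []
    for rec in ops:
        where = "conn=%s op=%s from %s" % (rec["conn"], rec["op"], rec["client"])
        code = RESULT_CODES.get(rec["err"], "code %s" % rec["err"])
        if rec["kind"] == "BIND":
            if rec.get("dn") == "" and rec["err"] == 0:
                findings.append("%s: anonymous BIND accepted; the lookup that follows "
                                "runs unauthenticated, so anonymous ACLs apply" % where)
            elif rec["ssf"] == 0:
                findings.append("%s: simple BIND as %s with ssf=0: the password crossed "
                                "the network in the clear (no TLS)" % (where, rec.get("dn")))
            elif rec["err"] not in (None, 0):
                findings.append("%s: BIND failed with %s" % (where, code))
        elif rec["kind"] == "SRCH":
            base = rec.get("base", "")
            if not dn_under_base(entry_dn, base):
                findings.append("%s: base %r cannot contain %r (server said %s, nentries=%s); "
                                "the client's base DN is wrong"
                                % (where, base, entry_dn, code, rec["nentries"]))
            elif rec["err"] not in (None, 0):
                findings.append("%s: search under %r failed with %s" % (where, base, code))
            elif rec["nentries"] == 0:
                findings.append("%s: base is right but %r returned nothing; check the "
                                "filter and ACLs" % (where, rec.get("filter")))
        elif rec["err"] not in (None, 0):
            findings.append("%s: %s failed with %s" % (where, rec["kind"], code))
    return findings


def run_example():
    return diagnose(parse_stats_log(SAMPLE_LOG), ENTRY_DN)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run against the thread's lines it reports three things: the login lookup on conn=1220 binds anonymously, its search base reverses the ou order and so cannot contain the entry (which is exactly what err=32 says), and the Manager bind on conn=1000 goes out with ssf=0, consistent with the "no TLS" setup described in the quoted mail. The same function works on a live slapd log at loglevel 256 when fed one record per line.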