Troubleshooting this requires more info:
1. What's the OS/Linux-flavour? CentOS/RHEL have a pretty
painless way to enable LDAP auth, AFAIK.
2. I may be reading the ACLs wrong, but you grant anonymous only the "auth"
privilege on the "userPassword" attribute, and for all other attributes anonymous
has no rights at all. How will the auth session read user info from LDAP?
- Siddhartha
-----Original Message-----
From: openldap-technical-bounces+sjain=silverspringnet.com@openldap.org
[mailto:openldap-technical-bounces+sjain=silverspringnet.com@openldap.org] On
Behalf Of Indexer
Sent: Monday, May 03, 2010 12:52 AM
To: openldap-technical@openldap.org
Subject: Ldap authentication issue with PAM
I am currently trying to set up an LDAP server which I can
use to authenticate users. Sadly a large number of how-tos are incomplete and
don't work, so after reading a lot of how-tos and manuals I have got 99.9% of
the way. On attempting to authenticate a user it denies the user access with an
error in auth.log:
May 4 02:21:08 nemo sshd[1271]: error: PAM:
authentication error for william from 172.20.0.1
I can successfully search the directory when binding to LDAP as this user:
ldapsearch -x -D
"uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=chocolate,dc=lan> (default) with scope
subtree
# filter: (uid=william)
# requesting: ALL
#
# william, Admin, chocolate.lan
dn: uid=william,ou=Admin,dc=chocolate,dc=lan
uid: william
cn: william
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/william
userPassword::
e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
gecos: William Brown,,,,
description: William Brown
shadowLastChange: 1
shadowMax: 0
shadowExpire: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
When I try to authenticate, slapd shows this:
/usr/local/libexec/slapd -4 -d 256
slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629
(IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH
base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixGroup))"
conn=0 op=1 SRCH attr=cn userPassword memberUid
uniqueMember gidNumber
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH
base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixGroup))"
conn=0 op=2 SRCH attr=cn userPassword memberUid
uniqueMember gidNumber
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=10 closed (connection lost)
conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475
(IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH
base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=1 SRCH attr=uid userPassword uidNumber
gidNumber cn homeDirectory loginShell gecos description objectClass
shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318
(IP=0.0.0.0:389)
conn=2 op=0 BIND dn="" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH
base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber
gidNumber cn homeDirectory loginShell gecos description objectClass
shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH
base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=2 SRCH attr=uid userPassword uidNumber
gidNumber cn homeDirectory loginShell gecos description objectClass
shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 closed (connection lost)
conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485
(IP=0.0.0.0:389)
conn=3 op=0 BIND dn="" method=128
conn=3 op=0 RESULT tag=97 err=0 text=
connection_input: conn=3 deferring operation: binding
conn=3 op=1 SRCH
base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=1 SRCH attr=uid userPassword uidNumber
gidNumber cn homeDirectory loginShell gecos description objectClass
shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 op=2 SRCH
base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=2 SRCH attr=uid userPassword uidNumber
gidNumber cn homeDirectory loginShell gecos description objectClass
shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 fd=12 closed (connection lost)
conn=1 fd=10 closed (connection lost)
Here is my /etc/ldap.conf
base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.srv.chocolate.lan
ldap_version 3
rootbinddn cn=Manager,dc=chocolate,dc=lan
scope one
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberuid
pam_password exop
nss_reconnect_tries 4            # number of times to double the sleep time
nss_reconnect_sleeptime 1        # initial sleep value
nss_reconnect_maxsleeptime 16    # max sleep value to cap at
nss_reconnect_maxconntries 2     # how many tries before sleeping
nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
nss_base_passwd ou=People,dc=chocolate,dc=lan?one
nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
nss_base_shadow ou=People,dc=chocolate,dc=lan?one
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
ssl off
Here is /etc/openldap/slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by users read
database bdb
suffix
"dc=chocolate,dc=lan"
rootdn
"cn=Manager,dc=chocolate,dc=lan"
rootpw
{SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
directory
/var/db/openldap-data
index objectClass eq
index uid eq
password-hash {SSHA}
Here is the /etc/openldap/ldap.conf, which is identical on both the client
and the server:
BASE dc=chocolate,dc=lan
URI ldap://ldap.srv.chocolate.lan
Any help with this would be greatly appreciated.
William