I have a problem using my openldap 2.4 server for authentication on a Fedora 14 host: it sounds like the problem is in the client side configuration.
Here are some logs : your help to diag would be appreciated.
-> I have an ldap server that stores posixAccount entries and responds to ldap queries.
-> I have configured a client machine to use this ldap server for authentication at login:
***** LOGS ***
**** CLIENT side ****
login: olivier passe :
Login incorrect
**** SERVER when login on the client ***
Here is what I see on the server side (IP=10.1.92.24) when I try to log in as "olivier" on the client (10.1.86.93) using /bin/login (debug level 256) :
conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
*** CLIENT When using ldappasswd *****
I manage to change the "userPassword" attribute using the ldappasswd command; here are the logs on the client and server side:
Client side :
$ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
$ ldappasswd -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -s newpass
$ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
*** SERVER side When using ldappasswd *****
Server side, here are the logs related to ldappasswd:
conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new
conn=1000 op=1 RESULT oid= err=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed
Thanks for your help,
---- Olivier
On Tue, Jul 12, 2011 at 7:59 PM, Olivier Guillard olivier@guillard.nom.fr wrote:
Hello
Here is the result of an ldapsearch on a client host:
$ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
loginShell: /bin/tcsh
cn: Olivier
uidNumber: 1130
gidNumber: 18104
homeDirectory: /home/olivier
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
I get the same output with this:
$ ldapsearch -h ldap-master1.mydomain.fr -D "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -w pass-olivier "uid=olivier"
However, if I omit the -w, I get this:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
--->> the openldap server responds.
================
On the client side (Fedora 14), I have followed the documentation to set up ldap authentication at login:
/etc/nsswitch.conf /etc/ldap.conf /etc/nss_ldap.conf /etc/pam_ldap.conf /etc/openldap/ldap.conf and /etc/pam.d/
are configured for the system to query the ldap-master.mydomain.fr server for authentication:
in the ldap.conf files I have:
uri ldap://ldap-master1.mydomain.fr and "rootbinddn cn=Manager,dc=mydomain,dc=fr"
in nsswitch.conf:
passwd: ldap
shadow: ldap
and in pam.d/password-auth and pam.d/system-auth and pam.d/system-auth-ac I have the lines :
auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
I use no particular security mechanism at this stage (no TLS, simple auth, etc.).
====
WITH ALL THIS, here is what I get in the logs when I try to log in as "olivier" on the client machine:
Jul 12 19:32:20 fouine login: nss_ldap: failed to bind to LDAP server ldap://ldap-master1.mydomain.fr: Can't contact LDAP server
Jul 12 19:32:20 fouine login: nss_ldap: could not search LDAP server - Server is unavailable
Of course, I can't log in.
Any help??? I'm getting mad...
(Maybe you could suggest which debug level I should use on the server to track what's going on.)
Thanks,
Olivier
--On Wednesday, July 13, 2011 2:12 PM +0200 Olivier ldap@guillard.nom.fr wrote:
I have a problem using my openldap 2.4 server for authentication on a Fedora 14 host: it sounds like the problem is in the client side configuration.
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
You've clearly misconfigured the search base on the Linux client.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Wed, 13 Jul 2011, Olivier wrote:
I have a problem using my openldap 2.4 server for authentication on a Fedora 14 host: it sounds like the problem is in the client side configuration.
...
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
err=32 == LDAP_NO_SUCH_OBJECT
Does ou=People,ou=staff,dc=mydomain,dc=fr exist?
...
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
Ah: which comes first in the dn: Staff or People? The good results from ldapsearch show ou=Staff,ou=People,dc=mydomain,dc=fr while the failing search is of ou=People,ou=staff,dc=mydomain,dc=fr.
Philip Guenther
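To make the diagnosis above mechanical, here is an added example (not code from the thread or from OpenLDAP) that checks whether a client's configured search base is actually an ancestor of the entry DN that ldapsearch returns, and pairs slapd "SRCH base=" lines with their "SEARCH RESULT ... err=32" to report bases that do not exist. DN handling is a simplified RFC 4514 (split on unescaped commas, case-insensitive types and values); the sample values below are constructed to mirror the ones in the thread.

```python
import re

def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas, trimming whitespace."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip() for p in parts if p.strip()]

def normalize_rdn(rdn):
    """Lower-case attribute type and value so ou=Staff and ou=staff compare equal."""
    attr, _, value = rdn.partition('=')
    return (attr.strip().lower(), value.strip().lower())

def is_ancestor(base, entry_dn):
    """True if every RDN of base matches the tail of entry_dn (right to left),
    i.e. a scope=sub search under base can reach the entry."""
    b = [normalize_rdn(r) for r in split_dn(base)]
    e = [normalize_rdn(r) for r in split_dn(entry_dn)]
    return 0 < len(b) <= len(e) and e[-len(b):] == b

# Matches either the SRCH line carrying the base or the SEARCH RESULT line
# carrying the error code; conn/op tie the two together.
LOG_RE = re.compile(
    r'conn=(\d+) op=(\d+) (SRCH base="([^"]*)"|SEARCH RESULT tag=\d+ err=(\d+))')

def failed_bases(log_text):
    """Return (conn, op, base) for each search that ended with err=32 (noSuchObject)."""
    bases, failed = {}, []
    for m in LOG_RE.finditer(log_text):
        conn, op, kind = m.group(1), m.group(2), m.group(3)
        if kind.startswith('SRCH'):
            bases[(conn, op)] = m.group(4)
        elif m.group(5) == '32' and (conn, op) in bases:
            failed.append((conn, op, bases[(conn, op)]))
    return failed

# Constructed sample, mirroring the client base, entry DN and slapd log in the thread.
CLIENT_BASE = "ou=People,ou=staff,dc=mydomain,dc=fr"
ENTRY_DN = "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr"
SLAPD_LOG = (
    'conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)" '
    'conn=1220 op=1 SRCH attr=host authorizedService uidNumber '
    'conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=')

if __name__ == "__main__":
    print("configured base reaches the entry:", is_ancestor(CLIENT_BASE, ENTRY_DN))
    for conn, op, base in failed_bases(SLAPD_LOG):
        print(f"conn={conn} op={op}: search base {base!r} does not exist (err=32)")
```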
Phillip,
That's up to your design. I think you already answered your question though: which one works?
- chris
Chris Jacobs, Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs@apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: Olivier ldap@guillard.nom.fr
Cc: openldap-technical@openldap.org
Sent: Wed Jul 13 09:34:46 2011
Subject: Re: basic login fails : here are some logs ...