I have a problem using my openldap 2.4 server for authentication on a fedora 14 client:
it seems that the problem is on the client side configuration.
Here are some logs; your help to diagnose this would be appreciated.
-> I have an ldap server that stores posixAccount entries and responds to
ldap queries.
-> I have configured a client machine to use this ldap server for
authentication when logging in:
***** LOGS ***
**** CLIENT side ****
login: olivier
passe :
Login incorrect
**** SERVER when login on the client ***
Here is what I see on the server side (IP=10.1.92.24) when I try to log in as
"olivier" on the client (10.1.86.93) using /bin/login (debug level 256) :
conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
*** CLIENT When using ldappasswd *****
I manage to change the "userPassword" attribute using the ldappasswd command; here
are the logs on the client and server side:
Client side :
$ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
$ ldappasswd -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -s newpass
$ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
*** SERVER side When using ldappasswd *****
Server side, here are the logs related to ldappasswd :
conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new
conn=1000 op=1 RESULT oid= err=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed
Thanks for your help,
----
Olivier
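An added example for readers of this thread (it is not the poster's code and not part of OpenLDAP): a small Python parser for slapd stats-level (loglevel 256) lines like the ones quoted above. It tags each result with its RFC 4511 name and offers a helper that checks whether an entry DN lies under the base a client searched, which is the first thing to compare when a search comes back with err=32 (noSuchObject) and nentries=0. The sample input is the thread's own log lines, re-joined onto one record per line; the DN normalization is deliberately simplified (no escaped commas, no multi-valued RDNs). Run against that sample, it reports that conn=1220 bound anonymously (dn="") and searched under ou=People,ou=staff,dc=mydomain,dc=fr, while the entry DN shown by ldapsearch, uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr, is not beneath that base.

```python
"""Summarize slapd stats (loglevel 256) records per connection and flag failed searches.

Added example for the thread above; not the poster's code and not OpenLDAP code.
"""
import re
from typing import Dict, List

# Constructed sample input: the slapd lines quoted in the thread, one record per line.
SAMPLE_LOG = """\
conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new
conn=1000 op=1 RESULT oid= err=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed
"""

# LDAP result codes (RFC 4511) most often seen while debugging authentication.
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

_RE_ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):(\d+)')
_RE_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
_RE_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
_RE_EXT = re.compile(r'conn=(\d+) op=(\d+) EXT oid=(\S+)')
_RE_PASSMOD = re.compile(r'conn=(\d+) op=(\d+) PASSMOD id="([^"]*)"')
_RE_RESULT = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT .*?err=(\d+)(?: nentries=(\d+))?')


def parse_slapd_log(text: str) -> Dict[int, dict]:
    """Group records by connection: peer address, bind DN and a dict of operations."""
    conns: Dict[int, dict] = {}

    def rec(cid: str) -> dict:
        return conns.setdefault(int(cid), {"peer": None, "bind_dn": None, "ops": {}})

    for line in text.splitlines():
        line = line.strip()
        if m := _RE_ACCEPT.match(line):
            rec(m[1])["peer"] = f"{m[2]}:{m[3]}"
        elif m := _RE_BIND.match(line):
            rec(m[1])["bind_dn"] = m[3]                      # "" is an anonymous bind
            rec(m[1])["ops"][int(m[2])] = {"type": "BIND", "dn": m[3]}
        elif m := _RE_SRCH.match(line):
            rec(m[1])["ops"][int(m[2])] = {"type": "SRCH", "base": m[3],
                                           "scope": int(m[4]), "filter": m[5]}
        elif m := _RE_EXT.match(line):
            rec(m[1])["ops"][int(m[2])] = {"type": "EXT", "oid": m[3]}
        elif m := _RE_PASSMOD.match(line):
            rec(m[1])["ops"].setdefault(int(m[2]), {}).update(type="PASSMOD", target=m[3])
        elif m := _RE_RESULT.match(line):
            op = rec(m[1])["ops"].setdefault(int(m[2]), {"type": "?"})
            op["err"] = int(m[3])
            op["err_name"] = RESULT_CODES.get(op["err"], f"code {m[3]}")
            if m[4] is not None:
                op["nentries"] = int(m[4])
    return conns


def failed_searches(conns: Dict[int, dict]) -> List[dict]:
    """Every SRCH whose result code is not success, with the bind DN it ran under."""
    out = []
    for cid, c in sorted(conns.items()):
        for opid, op in sorted(c["ops"].items()):
            if op.get("type") == "SRCH" and op.get("err", 0) != 0:
                out.append({"conn": cid, "op": opid, "bind_dn": c["bind_dn"],
                            "base": op["base"], "filter": op["filter"],
                            "err": op["err"], "err_name": op["err_name"],
                            "nentries": op.get("nentries")})
    return out


def normalize_dn(dn: str) -> List[str]:
    """RDN list, lower-cased, whitespace around '=' and ',' removed (simplified: no escapes)."""
    return [re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in dn.split(",") if r.strip()]


def dn_under_base(dn: str, base: str) -> bool:
    """True if dn is base itself or lies beneath it, i.e. a scope=2 search at base can find it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    conns = parse_slapd_log(SAMPLE_LOG)
    entry_dn = "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr"   # DN from the ldapsearch output
    for f in failed_searches(conns):
        who = f["bind_dn"] or "<anonymous>"
        print(f"conn={f['conn']} bound as {who}: search base={f['base']} filter={f['filter']}"
              f" -> err={f['err']} ({f['err_name']}), nentries={f['nentries']}")
        print(f"  entry {entry_dn} under that base: {dn_under_base(entry_dn, f['base'])}")
```

The base check is what makes the report actionable: err=32 on a search means the base object itself does not exist on the server, so the client's configured base should be compared against the real DNs before looking at bind credentials or access controls.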
On Tue, Jul 12, 2011 at 7:59 PM, Olivier Guillard
<olivier(a)guillard.nom.fr> wrote:
Hello
Here is the result of an ldapsearch on a client host :
$ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
loginShell: /bin/tcsh
cn: Olivier
uidNumber: 1130
gidNumber: 18104
homeDirectory: /home/olivier
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
I have the same output with this :
$ ldapsearch -h ldap-master1.mydomain.fr -D "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -w pass-olivier "uid=olivier"
However, if I omit the -w I get this :
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
--->> the openldap server responds.
================
On the client side (fedora 14), I have followed the documentation to
set up ldap authentication when logging in :
/etc/nsswitch.conf /etc/ldap.conf /etc/nss_ldap.conf
/etc/pam_ldap.conf /etc/openldap/ldap.conf and /etc/pam.d/
are configured for the system to query the ldap-master.mydomain.fr
server for authentication :
in ldap.conf files I have :
uri ldap://ldap-master1.mydomain.fr and
"rootbinddn cn=Manager,dc=mydomain,dc=fr"
in nsswitch.conf :
passwd: ldap
shadow: ldap
and in pam.d/password-auth and pam.d/system-auth and pam.d/system-auth-ac
I have the lines :
auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
I use no particular security mechanism at this stage (no
TLS, simple auth, etc.).
====
WITH ALL THIS, here is what I get in the logs when I try to login as
"olivier" on the client machine:
Jul 12 19:32:20 fouine login: nss_ldap: failed to bind to LDAP server ldap://ldap-master1.mydomain.fr: Can't contact LDAP server
Jul 12 19:32:20 fouine login: nss_ldap: could not search LDAP server - Server is unavailable
Of course, I can't log in.
Any help??? I'm getting mad...
(Maybe you could suggest which debug level I should use on the
server to try to track what's going on.)
Thanks,
---
Olivier