Hello list,
I am running an openldap 2.4 server under FreeBSD that was working well until the config was tweaked by someone on the team without properly documenting their work.
# /usr/local/etc/ldap.conf on ldap server (FreeBSD 8.1)
host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {SSHA}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
# grep of getent passwd for the ldap account on the ldap server itself succeeds
[root@LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
[root@LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
[root@LBSD2:/usr/local/etc/openldap] #
# /etc/ldap.conf on ldap client (centos 5.5)
host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {crypt}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
# grep of getent passwd for the ldap account on the client turns up nothing after a long pause
[root@LCENT01:~] #getent passwd | grep walbs
[root@LCENT01:~] #
# nsswitch on the client
passwd:     files ldap
shadow:     files ldap
group:      files ldap
sudoers:    ldap
#hosts:     db files nisplus nis dns
hosts:      files dns
# this is what's going on in the logs on the ldap server during the getent from the client
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
# ldapsearch from the client as the pam services account is able to locate the ldap user info
[root@LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap ,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com' '(uid=walbs)'
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (uid=walbs)
# requesting: ALL
#

# walbs, People, summitnjhome.com
dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
uid: walbs
cn: Walkiria Soares
givenName: Walkiria
sn: Soares
mail: walbs@example.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 1003

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
# pam_ldap services account in the ldap directory
3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: {SSHA}secret
I have also tried doing anonymous binds on the client as well as using plain text passwords. I get the same tag=97 err=49 messages on the client either way.
This is the ldap software I have on the FreeBSD server:
LBSD2# pkg_info | grep -i ldap
ldapvi-1.7_2                 A tool to update LDAP entries with a text editor
openldap-sasl-client-2.4.23  Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23  Open source LDAP server implementation
pam_ldap-1.8.5               A pam module for authenticating with LDAP
And this is what I am using on the Centos 5.5 client:
[root@LCENT01:~] #rpm -qa | grep -i ldap
python-ldap-2.2.0-2.1
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
ldapvi-1.7-10.el5
php-ldap-5.1.6-27.el5
openldap-clients-2.3.43-12.el5_5.3
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
Some advice is sorely needed here. Thank you very kindly in advance!
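The slapd lines quoted above carry everything needed to see which bind is failing and from where: the ACCEPT line gives the client IP, the BIND line the DN, and the RESULT line with tag=97 (bindResponse) the LDAP result code, where err=49 is invalidCredentials. The script below is an added example, not code from the post or from OpenLDAP; it pairs each BIND with its RESULT by conn/op and tallies failures per DN, client and result code. The log lines it runs on are constructed to match the format shown in the post (the successful bind's second BIND line with mech=SIMPLE is how slapd logs a simple bind that was accepted).

```python
"""Triage slapd "stats" log lines for failing binds (added example)."""
import re
from collections import Counter

# LDAP result codes that commonly appear on a bindResponse (tag=97).
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

# Constructed sample: conn=3411 is cut off mid-connection as in the post,
# conn=3412 is the failing client, conn=3413 a working simple bind from the
# server itself, conn=3414 an anonymous bind that also fails.
SAMPLE_LOG = """\
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
Feb 22 21:31:40 LBSD2 slapd[51158]: conn=3413 fd=23 ACCEPT from IP=192.168.1.44:40122 (IP=192.168.1.44:389)
Feb 22 21:31:40 LBSD2 slapd[51158]: conn=3413 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:40 LBSD2 slapd[51158]: conn=3413 op=0 BIND dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" mech=SIMPLE ssf=0
Feb 22 21:31:40 LBSD2 slapd[51158]: conn=3413 op=0 RESULT tag=97 err=0 text=
Feb 22 21:31:55 LBSD2 slapd[51158]: conn=3414 fd=22 ACCEPT from IP=192.168.1.42:53830 (IP=192.168.1.44:389)
Feb 22 21:31:55 LBSD2 slapd[51158]: conn=3414 op=0 BIND dn="" method=128
Feb 22 21:31:55 LBSD2 slapd[51158]: conn=3414 op=0 RESULT tag=97 err=49 text=
"""


def parse_bind_attempts(log_text):
    """Return one dict per completed BIND: conn, op, ip, dn, err, result."""
    client_ip = {}   # conn id -> peer IP, taken from the ACCEPT line
    pending = {}     # (conn, op) -> bind DN, until its bindResponse arrives
    attempts = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            client_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            # A successful simple bind logs a second BIND line (mech=SIMPLE)
            # with the same DN, so overwriting the pending entry is harmless.
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            dn = pending.pop(key, None)
            if dn is None:
                continue  # bindResponse whose BIND predates the log excerpt
            err = int(m.group(3))
            attempts.append({
                "conn": key[0], "op": key[1],
                "ip": client_ip.get(key[0], "?"),
                "dn": dn or "(anonymous)",
                "err": err,
                "result": RESULT_CODES.get(err, f"err={err}"),
            })
    return attempts


def failed_binds(attempts):
    """Count failures per (dn, ip, result) so one misconfigured client stands out."""
    return Counter((a["dn"], a["ip"], a["result"])
                   for a in attempts if a["err"] != 0)


if __name__ == "__main__":
    for (dn, ip, result), n in failed_binds(parse_bind_attempts(SAMPLE_LOG)).items():
        print(f"{n:3d}  {result:22s} {ip:15s} {dn}")
```

Run against a real slapd log (loglevel stats), the tally makes the pattern obvious: every failure comes from one client IP binding as the same service DN, while the same DN binds fine from elsewhere, which points at that client's stored credential rather than at the directory entry.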
--On Tuesday, February 22, 2011 5:52 PM -0500 Tim Dunphy <bluethundr@gmail.com> wrote:

> Hello list,
> I am running an openldap 2.4 server under FreeBSD that was working well until the config was tweaked by someone on the team without properly documenting their work.
>
> bindpw {crypt}secret
A few things:
a) Crypt is non-portable
b) That doesn't look like a valid crypt'd password
c) You're going to need to set a plain text password to bind, regardless
Try just changing "bindpw" to be "secret" and see what happens. If you want better security, use SASL/EXTERNAL or SASL/GSSAPI etc.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
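The point in the reply above is that bindpw is the secret the client sends in a simple bind; slapd hashes that and compares it with the stored userPassword, so a value that is itself a {SSHA}/{crypt}-prefixed hash copied out of the directory can never match and always yields err=49. The linter below is an added example, not from the thread or from the nss_ldap/pam_ldap projects; it parses the key/value ldap.conf format used by both clients, flags a bindpw that starts with a {SCHEME} prefix, and also notes when the secret would travel in the clear (no ssl directive and no ldaps:// URI), which is where the suggestion to move to SASL/EXTERNAL or GSSAPI comes in. The two configs it checks are constructed; the names lint_ldap_conf and parse_ldap_conf are mine.

```python
"""Lint an nss_ldap/pam_ldap ldap.conf for the bind-credential mistake (added example)."""
import re

# Stored-password syntax from the directory: {SSHA}, {crypt}, {MD5}, {SASL}...
HASH_PREFIX_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")

# Constructed config mirroring the failing client in the thread.
BAD_CONF = """\
host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {crypt}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
"""

# Constructed config with the cleartext secret and STARTTLS enabled.
GOOD_CONF = """\
# comment lines are skipped; a value may contain '#' so no inline stripping
host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines into a dict; keys are lower-cased, values kept verbatim."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def lint_ldap_conf(text):
    """Return (level, key, message) findings; an empty list means nothing to report."""
    conf = parse_ldap_conf(text)
    findings = []
    pw = conf.get("bindpw")
    if pw is not None:
        m = HASH_PREFIX_RE.match(pw)
        if m:
            findings.append(("ERROR", "bindpw",
                             f"value starts with {m.group(0)}: that is a stored hash, not the "
                             "cleartext secret; slapd will answer err=49 invalidCredentials"))
    if "binddn" in conf and pw is None:
        findings.append(("WARN", "binddn",
                         "binddn is set but bindpw is missing; check that the credential "
                         "was not dropped from this file"))
    uses_tls = (conf.get("ssl", "").lower() in ("on", "yes", "start_tls")
                or conf.get("uri", "").lower().startswith("ldaps://"))
    if pw is not None and not uses_tls:
        findings.append(("INFO", "ssl",
                         "a simple bind over plain ldap:// sends bindpw in the clear; "
                         "set 'ssl start_tls' (with tls_cacertfile) or use SASL/EXTERNAL "
                         "or GSSAPI instead of a shared secret"))
    return findings


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(f"== {name}")
        for level, key, msg in lint_ldap_conf(conf) or [("OK", "-", "no findings")]:
            print(f"{level:5s} {key:8s} {msg}")
```

Two caveats a practitioner would add: the cleartext bindpw is readable by every local user who can read ldap.conf, which is why pam_ldap/nss_ldap offer rootbinddn with the secret kept in a mode-600 /etc/ldap.secret; and the "Crypt is non-portable" remark in the reply refers to the {crypt} scheme used for stored userPassword values, which is a separate matter from what the client puts in bindpw.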