Using LDAP for user authentication
I'm trying to use LDAP for user auth. Since I'm new to LDAP (experienced sysadmin though) I tried following the documentation to the letter.
I'm successfully creating the users in the LDAP database, but apparently PAM (this is what I'm blaming now, but I might be wrong) is not correctly configured and does not search LDAP with the correct parameters.
Given a user "cfernandez" created with yast2, a manual search gives this result:
cibeles:~ # ldapsearch -x -b dc=consultia,dc=biz "(objectClass=posixAccount)(uid=cfernandez userPassword sn3)"
# extended LDIF
#
# LDAPv3
# base
Carlos Fernandez Sanz wrote:
I'm trying to use LDAP for user auth. Since I'm new to LDAP (experienced sysadmin though) I tried following the documentation to the letter.
I'm successfully creating the users in the LDAP database, but apparently PAM (this is what I'm blaming now, but I might be wrong) is not correctly configured and does not search LDAP with the correct parameters.
Given a user "cfernandez" created with yast2, a manual search gives this result:
cibeles:~ # ldapsearch -x -b dc=consultia,dc=biz "(objectClass=posixAccount)(uid=cfernandez userPassword sn3)"
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectClass=posixAccount)(uid=cfernandez userPassword sn3)
# requesting: ALL
#
# cfernandez, people, consultia.biz
dn: uid=cfernandez,ou=people,dc=consultia,dc=biz
uid: cfernandez
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
LDAP log looks like this:
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 fd=17 ACCEPT from IP=127.0.0.1:34261 (IP=0.0.0.0:389)
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=0 BIND dn="" method=128
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=0 RESULT tag=97 err=0 text=
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(objectClass=posixAccount)"
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SRCH attr=uid cfernandez userPassword sn3
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=2 UNBIND
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 fd=17 closed
i.e. everything looks just fine.
However, if I try to login (BTW the option to allow LDAP users to login is enabled) I see this in the LDAP log:
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 fd=17 ACCEPT from IP=127.0.0.1:34263 (IP=0.0.0.0:389)
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=0 BIND dn="" method=128
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=0 RESULT tag=97 err=0 text=
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=cfernandez))"
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 13 16:17:25 cibeles sshd[17880]: Invalid user cfernandez from ::ffff:127.0.0.1
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 fd=17 closed
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 fd=17 ACCEPT from IP=127.0.0.1:34264 (IP=0.0.0.0:389)
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=0 BIND dn="" method=128
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=0 RESULT tag=97 err=0 text=
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=cfernandez))"
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
As you can see, the SRCH attr parameters are different. It looks like it's searching for a user whose uid is "userPassword", which obviously returns zero results. The question is why?
More clues:
cibeles:~ # getent passwd
[..]
cfernandez:x:1000:100:Carlos Fernandez:/home/cfernandez:/bin/bash
cibeles:~ # su - cfernandez
su: user cfernandez does not exist
Can anyone shed some light here?
Your ldap search and results look odd to me. If you were trying to find the entry with objectClass of posixAccount and uid of cfernandez and retrieve the attributes of userPassword and sn3, the search should look something like this
ldapsearch -x -b dc=consultia,dc=biz -h yourhost "(&(objectClass=posixAccount)(uid=cfernandez))" userPassword sn3
Then your output will look like this
# LDAPv3
# base
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=cfernandez))"
PAM is using the correct search base and searching for the correct user.
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
PAM is requesting the attributes uid, userpassword, uidnumber, gidnumber, cn, homedirectory, loginshell, gecos, description, objectclass
Jason Joines
=================================
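As an added example (not code from anyone in this thread), the script below parses slapd log lines of the shape quoted above, pairs each SRCH with its BIND and SEARCH RESULT, flags searches that completed with err=0 yet matched nothing (as conn=92 did), and prints the ldapsearch command, in Jason's corrected syntax, that replays exactly the query the login path sent, so the manual and PAM/NSS lookups can be compared side by side. The sample log is constructed from the thread's excerpts; the host name localhost is an assumption.

```python
import re
import shlex
# Constructed sample shaped like this thread's slapd log: conn=91 is the manual ldapsearch, conn=92 the login lookup.
SAMPLE_LOG = """\
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=0 BIND dn="" method=128
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(objectClass=posixAccount)"
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SRCH attr=uid cfernandez userPassword sn3
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=0 BIND dn="" method=128
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=cfernandez))"
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""
CONN_OP = re.compile(r"conn=(\d+) op=(\d+) (.*)$", re.M)   # every log line that belongs to an operation
BIND_RE = re.compile(r'BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=([012]) deref=\d+ filter="(.*)"$')
ATTR_RE = re.compile(r"SRCH attr=(.*)$")
RESULT_RE = re.compile(r"SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")

def parse_searches(log_text):
    """One record per search op: who was bound, what was asked for, what came back."""
    bind_dn = {}   # conn -> DN bound on that connection ("" means anonymous)
    searches = {}  # (conn, op) -> record, filled in as the SRCH/RESULT lines arrive
    for m in CONN_OP.finditer(log_text):
        conn, op, rest = m.groups()
        if b := BIND_RE.match(rest):
            bind_dn[conn] = b.group(1)
        elif s := SRCH_RE.match(rest):
            searches[(conn, op)] = {"conn": conn, "bind_dn": bind_dn.get(conn, ""), "base": s.group(1),
                                    "scope": ("base", "one", "sub")[int(s.group(2))], "filter": s.group(3), "attrs": []}
        elif (a := ATTR_RE.match(rest)) and (conn, op) in searches:
            searches[(conn, op)]["attrs"] = a.group(1).split()
        elif (r := RESULT_RE.match(rest)) and (conn, op) in searches:
            searches[(conn, op)].update(err=int(r.group(1)), nentries=int(r.group(2)))
    return list(searches.values())

def empty_searches(searches):
    """Searches that completed with err=0 yet matched nothing: the symptom seen at login."""
    return [s for s in searches if s.get("err") == 0 and s.get("nentries") == 0]

def equivalent_ldapsearch(search, host="localhost"):
    """ldapsearch command (Jason's corrected syntax) that repeats the logged query exactly."""
    argv = ["ldapsearch", "-x", "-h", host, "-b", search["base"], "-s", search["scope"]]
    if search["bind_dn"]:
        argv += ["-D", search["bind_dn"], "-W"]  # same simple bind as the logged client, password prompted
    argv += [search["filter"], *search["attrs"]]
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    print("\n".join(equivalent_ldapsearch(s) for s in empty_searches(parse_searches(SAMPLE_LOG))))
```

Running it against a real slapd log (with loglevel stats, which produces these lines) points the admin straight at the queries that came back empty and gives the exact command to rerun them by hand.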
Jason,
Your ldap search and results look odd to me. If you were trying to find the entry with objectClass of posixAccount and uid of cfernandez and retrieve the attributes of userPassword and sn3, the search should look something like this
ldapsearch -x -b dc=consultia,dc=biz -h yourhost "(&(objectClass=posixAccount)(uid=cfernandez))" userPassword sn3
Then your output will look like this
# LDAPv3
# base with scope sub
# filter: (&(objectclass=posixAccount)(uid=cfernandez))
# requesting: userPassword sn3
OK, so far so good. One thing, though. Your output
# bogus, management, mydomain.org
dn: uid=bogus,ou=sales,dc=mydomain,dc=org
homeDirectory: /home/bogus
[etc]
echoes all the fields; however, even when I request all of them as you do, mine returns none. This is a bit strange, since
cibeles:~ # getent passwd
cfernandez:x:1000:100:Carlos Fernandez:/home/cfernandez:/bin/bash
i.e. at least the home and the shell are stored correctly.... why doesn't ldapsearch display them? And why does getent find the user, but when I try
cibeles:~ # su - cfernandez
su: user cfernandez does not exist
BTW the LDAP log after this is:
Dec 13 21:10:20 cibeles slapd[17011]: conn=145 fd=18 ACCEPT from IP=127.0.0.1:34317 (IP=0.0.0.0:389)
Dec 13 21:10:20 cibeles slapd[17011]: conn=145 op=0 BIND dn="" method=128
Dec 13 21:10:20 cibeles slapd[17011]: conn=145 op=0 RESULT tag=97 err=0 text=
Dec 13 21:10:20 cibeles slapd[17011]: conn=145 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=cfernandez))"
Dec 13 21:10:20 cibeles slapd[17011]: conn=145 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 13 21:10:20 cibeles slapd[17011]: conn=145 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 13 21:10:20 cibeles slapd[17011]: conn=145 fd=18 closed
Thanks.
What does the output of `getent passwd` return? How did you enable ldap authentication? manually editing nsswitch.conf/pam.conf/this.conf/that.conf or through the yast gui?
-s
Carlos Fernandez Sanz wrote:
Sean,
getent passwd returns this (as expected):
cibeles:~ # getent passwd
[...]
cfernandez:x:1000:100:Carlos Fernandez:/home/cfernandez:/bin/bash
So the user is found (I can't use su to switch to it, though).
I didn't modify any file manually, except for the ldif file to create the tree, and slapd.conf. nsswitch.conf looks like:
[..]
passwd: compat
group: compat
[...]
passwd_compat: ldap
group_compat: ldap
[...]
pam_unix2.conf looks like:
auth: use_ldap nullok
account: use_ldap
password: use_ldap nullok
session: none
[...]
Carlos.
Sean OMeara wrote:
What does the output of `getent passwd` return? How did you enable ldap authentication? manually editing nsswitch.conf/pam.conf/this.conf/that.conf or through the yast gui?
-s