What does the output of `getent passwd` return? How did you enable LDAP authentication? Manually editing nsswitch.conf/pam.conf/this.conf/that.conf or through the yast gui?

-s

Carlos Fernandez Sanz wrote:
I'm trying to use LDAP for user auth. Since I'm new to LDAP (experienced sysadmin though) I tried following the documentation to the letter.
I'm successfully creating the users in the LDAP database, but apparently PAM (this is what I'm blaming now, but I might be wrong) is not correctly configured and does not search LDAP with the correct parameters.
Given a user "cfernandez" created with yast2, a manual search gives this result:
cibeles:~ # ldapsearch -x -b dc=consultia,dc=biz "(objectClass=posixAccount)(uid=cfernandez userPassword sn3)"
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectClass=posixAccount)(uid=cfernandez userPassword sn3)
# requesting: ALL
#

# cfernandez, people, consultia.biz
dn: uid=cfernandez,ou=people,dc=consultia,dc=biz
uid: cfernandez

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
LDAP log looks like this:
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 fd=17 ACCEPT from IP=127.0.0.1:34261 (IP=0.0.0.0:389)
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=0 BIND dn="" method=128
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=0 RESULT tag=97 err=0 text=
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(objectClass=posixAccount)"
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SRCH attr=uid cfernandez userPassword sn3
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=2 UNBIND
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 fd=17 closed
i.e. everything looks just fine.
However, if I try to login (BTW the option to allow LDAP users to login is enabled) I see this in the LDAP log:
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 fd=17 ACCEPT from IP=127.0.0.1:34263 (IP=0.0.0.0:389)
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=0 BIND dn="" method=128
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=0 RESULT tag=97 err=0 text=
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=cfernandez))"
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 13 16:17:25 cibeles sshd[17880]: Invalid user cfernandez from ::ffff:127.0.0.1
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 fd=17 closed
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 fd=17 ACCEPT from IP=127.0.0.1:34264 (IP=0.0.0.0:389)
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=0 BIND dn="" method=128
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=0 RESULT tag=97 err=0 text=
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=cfernandez))"
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 13 16:17:25 cibeles slapd[17011]: conn=93 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
As you can see, the SRCH attr parameters are different. It looks like it's searching for a user whose uid is "userPassword", which obviously returns zero results. The question is why?
More clues:
cibeles:~ # getent passwd
[..]
cfernandez:x:1000:100:Carlos Fernandez:/home/cfernandez:/bin/bash

cibeles:~ # su - cfernandez
su: user cfernandez does not exist
Can anyone shed some light here?
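
An added example, not part of the original thread: a small parser that groups slapd log lines by conn/op so that each search's filter, requested attribute list and entry count can be read side by side, and that flags searches which succeeded but matched nothing. The function names are hypothetical; the sample lines are copied from the two log excerpts in the message above.

```python
import re
from collections import defaultdict

# Log lines copied from the two slapd excerpts in the message above.
SAMPLE_LOG = """\
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(objectClass=posixAccount)"
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SRCH attr=uid cfernandez userPassword sn3
Dec 13 16:15:06 cibeles slapd[17011]: conn=91 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH base="dc=consultia,dc=biz" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=cfernandez))"
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 13 16:17:25 cibeles slapd[17011]: conn=92 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 13 16:17:25 cibeles sshd[17880]: Invalid user cfernandez from ::ffff:127.0.0.1
"""

OP_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="(.*)"$')
RESULT_RE = re.compile(r"SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def parse_searches(log_text):
    """Group slapd lines by (conn, op) and return one dict per search."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # lines from other daemons (e.g. sshd) are ignored
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        if (s := SRCH_RE.match(rest)):
            # First SRCH line: search base, scope and the actual filter.
            ops[key].update(base=s.group(1), scope=int(s.group(2)), filter=s.group(3))
        elif rest.startswith("SRCH attr="):
            # Second SRCH line: attributes requested back, not match criteria.
            ops[key]["attrs"] = rest[len("SRCH attr="):].split()
        elif (r := RESULT_RE.match(rest)):
            ops[key].update(err=int(r.group(1)), nentries=int(r.group(2)))
    return [dict(conn=c, op=o, **v) for (c, o), v in sorted(ops.items()) if "filter" in v]


def empty_searches(log_text):
    """Searches that completed without error but matched no entries."""
    return [s for s in parse_searches(log_text)
            if s.get("err") == 0 and s.get("nentries") == 0]


if __name__ == "__main__":
    for s in parse_searches(SAMPLE_LOG):
        print(s["conn"], s["op"], s["filter"], s.get("attrs"), s.get("nentries"))
```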