[PLUG] LDAP login/authentication problems, unable to log in.
Eli Stair
eli.stair.lists at attbi.com
Thu Aug 15 23:18:21 UTC 2002
Hello all,
I'm having an issue getting a client to use an LDAP server for login
authentication. In a nutshell: LDAP server (RH 7.3) is running slapd
providing passwd,groups and shadow (using OpenLDAP 2.0.13). One set of
clients (actually LTSP diskless clients) work fine, authorize against
the LDAP server OK. The problem system is configured similarly
(ldap.conf,nss_ldap,pam_ldap), and I can do an ldapsearch, run gq or
Directory Administrator with the credentials it uses for auth (root OR
proxyuser).
What happens is this:
If the client is _NOT_ configured with "ldap" in any fields in nsswitch,
I can boot, log in, su etc just as if everything were configured normally
(i.e. without LDAP), EXCEPT that it makes a BIND to the ldap server
(shown in /var/log/ldap on the server). The login/su whatever completes
fine as if it were merely checking the flatfiles.
When I set "ldap" for passwd, groups and shadow in /etc/nsswitch, I get
logged in as my current user (estair) fine, and it (seems) to auth against
the ldap server. However, I cannot su to any other user. If I try to su
to root with an incorrect password, it says "incorrect password", and the client log
shows: --(the LDAP log on the server is listed at the end of this email)--
~~~~~~~~
Padmasambhava su: pam_ldap: error trying to bind as user "uid=root,ou=People,dc=homeunix, dc=net" (Invalid credentials)
Padmasambhava su(pam_unix)[7031]: check pass; user unknown
Padmasambhava su(pam_unix)[7031]: authentication failure; logname=estair uid=501 euid=0 tty= ruser= rhost=
Padmasambhava gconfd (estair-6978): GConf server is not in use, shutting down.
Padmasambhava gconfd (estair-6978): Exiting
~~~~~~~~
A correct password segfaults the su attempt, and returns to a user shell.
(log output for that from the LDAP server shown below also)
I'll be more than happy to supply more details, log entries, config files,
try anything out, etc. if it would help. It seems to me to just be a
permissions issue with doing an auth, although I don't see how given what
I have for access. I really can't get a grasp on how nss_ldap and pam_ldap
interact, even after reading the LDAP-HOWTO, LDAP-Implementation HOWTO and
the Admin Guide; there isn't enough "clear" documentation of how it all
works together (at least for ME to understand the whole).
Once I work this out, I'm sure I'll get it though.... :)
Cheers, and thanks for any input guys (and gals)
/eli
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
portions of slapd.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ACL's
database ldbm
suffix "dc=homeunix, dc=net"
rootdn "cn=root, dc=homeunix, dc=net"
rootpw secret
# pam_passwd type is "clear" (for testing)
access to dn=".*,dc=homeunix,dc=net" attr=userPassword
by dn="cn=root,dc=homeunix,dc=net" write
by dn="cn=proxyuser,dc=homeunix,dc=net" read
by dn="cn=proxyuser,dc=homeunix,dc=net" auth
by self write
by * auth
access to dn=".*,ou=People,dc=homeunix,dc=net"
by * read
by * auth
access to dn=".*,dc=homeunix,dc=net"
by self write
by * read
by * auth
defaultaccess auth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LDAP Server Log output from a new login (opening an xterm)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
daemon: conn=26 fd=9 connection from IP=10.10.0.199:33352 (IP=0.0.0.0:34049) accepted.
conn=26 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=26 op=0 RESULT tag=97 err=0 text=
conn=26 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=0))"
conn=26 op=1 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=9 closed
daemon: conn=27 fd=9 connection from IP=10.10.0.199:33353 (IP=0.0.0.0:34049) accepted.
conn=27 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=27 op=0 RESULT tag=97 err=0 text=
conn=27 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=501))"
conn=27 op=1 SEARCH RESULT tag=101 err=0 text=
conn=27 op=2 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=501))"
conn=27 op=2 SEARCH RESULT tag=101 err=0 text=
daemon: conn=28 fd=15 connection from IP=10.10.0.199:33354 (IP=0.0.0.0:34049) accepted.
conn=28 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=28 op=0 RESULT tag=97 err=0 text=
conn=28 op=1 SRCH base="dc=homeunix,dc=net" scope=1 filter="(uid=estair)"
conn=28 op=1 SEARCH RESULT tag=101 err=0 text=
conn=28 op=2 SRCH base="ou=Group,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixGroup)(memberUid=estair))"
conn=28 op=2 SEARCH RESULT tag=101 err=0 text=
conn=28 op=3 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=501))"
conn=28 op=3 SEARCH RESULT tag=101 err=0 text=
daemon: conn=29 fd=18 connection from IP=10.10.0.199:33355 (IP=0.0.0.0:34049) accepted.
conn=29 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=29 op=0 RESULT tag=97 err=0 text=
deferring operation
conn=29 op=1 SRCH base="dc=homeunix,dc=net" scope=1 filter="(uid=estair)"
conn=29 op=1 SEARCH RESULT tag=101 err=0 text=
conn=29 op=2 SRCH base="ou=Group,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixGroup)(memberUid=estair))"
conn=29 op=2 SEARCH RESULT tag=101 err=0 text=
daemon: conn=30 fd=22 connection from IP=10.10.0.199:33356 (IP=0.0.0.0:34049) accepted.
conn=-1 fd=18 closed
conn=30 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=30 op=0 RESULT tag=97 err=0 text=
deferring operation
conn=30 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=501))"
conn=30 op=1 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=15 closed
conn=-1 fd=22 closed
daemon: conn=31 fd=15 connection from IP=10.10.0.199:33357 (IP=0.0.0.0:34049) accepted.
conn=31 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=31 op=0 RESULT tag=97 err=0 text=
deferring operation
conn=31 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=501))"
conn=31 op=1 SEARCH RESULT tag=101 err=0 text=
daemon: conn=32 fd=18 connection from IP=10.10.0.199:33358 (IP=0.0.0.0:34049) accepted.
conn=32 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=32 op=0 RESULT tag=97 err=0 text=
deferring operation
conn=32 op=1 SRCH base="ou=Group,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixGroup)(gidNumber=501))"
conn=32 op=1 SEARCH RESULT tag=101 err=0 text=
daemon: conn=33 fd=22 connection from IP=10.10.0.199:33359 (IP=0.0.0.0:34049) accepted.
conn=-1 fd=18 closed
conn=33 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=33 op=0 RESULT tag=97 err=0 text=
deferring operation
conn=33 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=501))"
conn=33 op=1 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=22 closed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LDAP Server Log output from an incorrect password for "su"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
daemon: conn=34 fd=18 connection from IP=10.10.0.199:33360 (IP=0.0.0.0:34049) accepted.
conn=34 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=34 op=0 RESULT tag=97 err=0 text=
conn=34 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uid=root))"
conn=34 op=1 SEARCH RESULT tag=101 err=0 text=
daemon: conn=35 fd=22 connection from IP=10.10.0.199:33361 (IP=0.0.0.0:34049) accepted.
conn=35 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=35 op=0 RESULT tag=97 err=0 text=
conn=35 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixaccount)(uid=root))"
conn=35 op=1 SEARCH RESULT tag=101 err=0 text=
conn=35 op=2 BIND dn="UID=ROOT,OU=PEOPLE,DC=HOMEUNIX,DC=NET" method=128
conn=35 op=2 RESULT tag=97 err=49 text=
conn=35 op=3 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=35 op=3 RESULT tag=97 err=0 text=
conn=34 op=2 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uid=root))"
conn=34 op=2 SEARCH RESULT tag=101 err=0 text=
conn=34 op=3 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=shadowAccount)(uid=root))"
conn=34 op=3 SEARCH RESULT tag=101 err=0 text=
conn=35 op=4 UNBIND
conn=-1 fd=22 closed
conn=-1 fd=18 closed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LDAP Server Log output from a correct password for "su"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
daemon: conn=36 fd=18 connection from IP=127.0.0.1:33014 (IP=0.0.0.0:34049) accepted.
conn=36 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=36 op=0 RESULT tag=97 err=0 text=
conn=36 op=1 SRCH base="dc=homeunix,dc=net" scope=1 filter="(uid=root)"
conn=36 op=1 SEARCH RESULT tag=101 err=0 text=
conn=36 op=2 SRCH base="ou=Group,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixGroup)(memberUid=root))"
conn=36 op=2 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=18 closed
daemon: conn=37 fd=18 connection from IP=10.10.0.199:33362 (IP=0.0.0.0:34049) accepted.
conn=37 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=37 op=0 RESULT tag=97 err=0 text=
conn=37 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixAccount)(uid=root))"
conn=37 op=1 SEARCH RESULT tag=101 err=0 text=
daemon: conn=38 fd=21 connection from IP=10.10.0.199:33363 (IP=0.0.0.0:34049) accepted.
conn=38 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=38 op=0 RESULT tag=97 err=0 text=
conn=38 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixaccount)(uid=root))"
conn=38 op=1 SEARCH RESULT tag=101 err=0 text=
conn=38 op=2 BIND dn="UID=ROOT,OU=PEOPLE,DC=HOMEUNIX,DC=NET" method=128
conn=38 op=2 RESULT tag=97 err=0 text=
conn=38 op=3 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=38 op=3 RESULT tag=97 err=0 text=
conn=-1 fd=18 closed
conn=-1 fd=21 closed
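The slapd log excerpts above show the sequence pam_ldap runs for a password check: bind as the configured proxy DN, search for the account's entry by uid, bind as that entry's DN with the password the user typed, then rebind as the proxy. A bind RESULT with err=49 is LDAP invalidCredentials; err=0 is success; tag=97 marks a bindResponse and method=128 a simple bind. The script below is an added example, not part of the original post: it parses constructed log lines modelled on the ones above, pairs each BIND with its RESULT by (conn, op), separates proxy binds from per-user binds, and counts failed user binds so the same log stream can double as a crude password-guessing detector. The proxy DN, the sample log text and all function names are assumptions made for the example.

```python
"""Reconstruct pam_ldap bind sequences from slapd connection log lines.

Added example (not from the original post).  Parses slapd stats-level
log lines, pairs BIND requests with their RESULT by (conn, op), and
reports proxy-account binds versus per-user password-check binds.
"""
import re
from collections import Counter

# Assumption: the service account configured as binddn in ldap.conf.
PROXY_DN = "cn=proxyuser,dc=homeunix,dc=net"

# LDAP resultCode values (RFC 2251 4.1.10) that a bind commonly returns.
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongAuthRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

BIND_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
# "op=N RESULT" only; "SEARCH RESULT" lines do not match this pattern.
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)')

# Constructed sample log, modelled on the post's conn=35 and conn=38 excerpts.
SAMPLE_LOG = """\
conn=35 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=35 op=0 RESULT tag=97 err=0 text=
conn=35 op=1 SRCH base="ou=People,dc=homeunix,dc=net" scope=1 filter="(&(objectClass=posixaccount)(uid=root))"
conn=35 op=1 SEARCH RESULT tag=101 err=0 text=
conn=35 op=2 BIND dn="UID=ROOT,OU=PEOPLE,DC=HOMEUNIX,DC=NET" method=128
conn=35 op=2 RESULT tag=97 err=49 text=
conn=35 op=3 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=35 op=3 RESULT tag=97 err=0 text=
conn=35 op=4 UNBIND
conn=38 op=0 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=38 op=0 RESULT tag=97 err=0 text=
conn=38 op=2 BIND dn="UID=ROOT,OU=PEOPLE,DC=HOMEUNIX,DC=NET" method=128
conn=38 op=2 RESULT tag=97 err=0 text=
conn=38 op=3 BIND dn="CN=PROXYUSER,DC=HOMEUNIX,DC=NET" method=128
conn=38 op=3 RESULT tag=97 err=0 text=
"""


def normalize_dn(dn):
    """Case-fold and strip spaces after commas so 'CN=X, DC=Y' equals 'cn=x,dc=y'."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_binds(log_text, proxy_dn=PROXY_DN):
    """Return one dict per BIND that received a bindResponse (tag=97)."""
    pending, binds = {}, []
    proxy = normalize_dn(proxy_dn)
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(int(m["conn"]), int(m["op"]))] = (m["dn"], int(m["method"]))
            continue
        m = RESULT_RE.search(line)
        if m and int(m["tag"]) == 97:
            req = pending.pop((int(m["conn"]), int(m["op"])), None)
            if req is None:
                continue  # RESULT without a BIND we saw; ignore
            dn, method = req
            err = int(m["err"])
            binds.append({
                "conn": int(m["conn"]), "op": int(m["op"]), "dn": dn,
                "simple": method == 128,  # method=128 is a simple bind
                "role": "proxy" if normalize_dn(dn) == proxy else "user",
                "err": err, "status": RESULT_CODES.get(err, "other(%d)" % err),
            })
    return binds


def user_auth_outcomes(log_text, proxy_dn=PROXY_DN):
    """Map each normalized user DN to its bind result codes, in log order."""
    outcomes = {}
    for b in parse_binds(log_text, proxy_dn):
        if b["role"] == "user":
            outcomes.setdefault(normalize_dn(b["dn"]), []).append(b["err"])
    return outcomes


def failed_user_binds(log_text, proxy_dn=PROXY_DN, threshold=1):
    """Count err=49 (invalidCredentials) per user DN; return those >= threshold."""
    c = Counter(normalize_dn(b["dn"]) for b in parse_binds(log_text, proxy_dn)
                if b["role"] == "user" and b["err"] == 49)
    return {dn: n for dn, n in c.items() if n >= threshold}


if __name__ == "__main__":
    for b in parse_binds(SAMPLE_LOG):
        print("conn=%d op=%d %-5s %-45s %s" % (b["conn"], b["op"], b["role"], b["dn"], b["status"]))
    print("failed user binds:", failed_user_binds(SAMPLE_LOG))
```

Reading the output against the post's logs: conn=35 shows a user bind for uid=root that returns invalidCredentials, which is the "error trying to bind as user" message pam_ldap logged on the client, while conn=38 shows the same bind succeeding. Raising the threshold in failed_user_binds turns the same parser into an alert on repeated password failures for one DN.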