Re: problem in LDAP authentication using PAM.




Thierry,

 

I understand that the ldapsearch -b "ou=people,o=test,o=suffix" -D <…> -w <…> -x -s sub "(&(objectClass=<xyz>)(uid=testuser))", using the credentials specified in ldap.conf, does return the object. This said, the aci seems to be correct.

 

-Reinhard

 

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of thierry bordaz
Sent: Friday, May 24, 2013 12:34 PM
To: Shriram M
Cc: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] problem in LDAP authentication using PAM.

 

On 05/24/2013 03:55 PM, Shriram M wrote:

Hi Dan,

Sorry for the typo. It's not sssd, it is sshd.

I am using the nscd daemon. I tried to debug nss_ldap by setting a log level in the /etc/ldap.conf file. I observed that the LDAP server connection is getting established and it is accepting the request from nss_ldap (which requests the user info by supplying the uid). But LDAP is responding with neither an error message nor a success message.

 

access log

[22/May/2013:13:38:13 +0000] conn=44 op=18 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=<xyz>)(uid=testuser))" attrs="uid uidNumber gidNumber "

[22/May/2013:13:38:13 +0000] conn=44 op=18 RESULT err=0 tag=101 nentries=0 etime=0


Hi Shriram,

Could you confirm that the searched entry has "objectclass: <xyz>"?
Having disabled anonymous access, the above session was authenticated. If there is an entry that matches the filter but that is not returned, I guess it is an issue with the aci definition that prevents the bound user from looking up the entry (or reading the filter attributes).

regards
thierry

 

In the above LDAP search operation, nentries is zero. But the user is present in LDAP; this was verified by executing the ldapsearch command.

 

Steps to replicate this behavior:

1. Disable (off) nsslapd-anonymous-access.

2. Modify the aci (access control information) for the base DN by introducing a DN with a password to bind with LDAP.

3. Provide the modified aci information in /etc/ldap.conf with the appropriate binddn and bindpw.

4. Create a user in LDAP so that ssh login communicates with LDAP via PAM.

5. Configure the appropriate configuration [/etc/pam.d] for PAM to authenticate the users.

Thanks,

Shriram.

 

 

From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Dan Lavu
Sent: Thursday, May 23, 2013 5:56 AM
To: General discussion list for the 389 Directory server project.
Cc: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [389-users] problem in LDAP authentication using PAM.

 

Shriram,

 

Use NSCD or SSSD, not both. While NSCD is a caching daemon and SSSD has a caching daemon, they will conflict.

 

Dan

 

On May 22, 2013, at 4:18 AM, Shriram M <mshriram@xxxxxxxxxxx> wrote:




Hi All,

I am trying LDAP authentication for users logging in to CentOS via PAM. Also, I have disabled (off) the nsslapd-anonymous-access flag to restrict anonymous access, providing a binddn and bindpw instead.

I have changed binddn and bindpw in /etc/ldap.conf for PAM to bind with LDAP to authenticate the user.

i.e. when a user tries to ssh in, PAM reads /etc/ldap.conf to bind with LDAP and authenticate the corresponding user.

User authentication is not working every time, i.e. sometimes the user is authenticated and sometimes the user is not authenticated.

I have verified that the tools 389 FDS, nscd, ssd are running properly in CentOS.

I have tried doing an ldapsearch for the corresponding user. The result shows the user properly.

 

Thanks

Shriram.

 

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

 





 

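Thierry's diagnosis rests on reading the access log: a SRCH that returns err=0 with nentries=0 looks the same whether the entry is absent or the aci hides it from the DN that bound on that connection. The following Python script is an added example (not code from the thread or from 389 Directory Server): it parses access-log lines in the format quoted above, joins each SRCH to its RESULT by conn and op, records which DN bound on the connection, and flags filters that return entries for one bound DN but none for another. The BIND lines, the proxy DN cn=pamproxy and the comparison search by Directory Manager are constructed sample data.

```python
import re
from collections import defaultdict
# Constructed sample log: the two conn=44 op=18 lines are those quoted in the thread; the BIND lines
# and the conn=45 search by Directory Manager are invented so the two bound DNs can be compared.
SAMPLE_LOG = """\
[22/May/2013:13:38:13 +0000] conn=44 op=17 BIND dn="cn=pamproxy,o=test,o=suffix" method=128 version=3
[22/May/2013:13:38:13 +0000] conn=44 op=18 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=<xyz>)(uid=testuser))" attrs="uid uidNumber gidNumber "
[22/May/2013:13:38:13 +0000] conn=44 op=18 RESULT err=0 tag=101 nentries=0 etime=0
[22/May/2013:13:38:20 +0000] conn=45 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[22/May/2013:13:38:20 +0000] conn=45 op=2 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=<xyz>)(uid=testuser))" attrs=ALL
[22/May/2013:13:38:20 +0000] conn=45 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values optionally double-quoted

def parse_line(line):
    """Split one access-log line into timestamp, conn, op, operation kind and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(rec.pop("rest"))}
    return rec

def correlate_searches(log_text):
    """Join each SRCH with its RESULT (same conn and op) and record the DN that last bound on the conn."""
    bound, pending, out = {}, {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "BIND":
            bound[rec["conn"]] = rec["fields"].get("dn")  # stays None for anonymous sessions
        elif rec["kind"] == "SRCH":
            pending[key] = rec
        elif rec["kind"] == "RESULT" and key in pending:
            srch = pending.pop(key)
            out.append({"conn": rec["conn"], "op": rec["op"], "bound_dn": bound.get(rec["conn"]),
                        "base": srch["fields"]["base"], "filter": srch["fields"]["filter"],
                        "err": int(rec["fields"]["err"]), "nentries": int(rec["fields"]["nentries"])})
    return out

def likely_aci_hidden(searches):
    """Same base+filter non-empty for one bound DN but empty for another: the entry exists, suspect the aci."""
    seen = defaultdict(dict)
    for s in searches:
        if s["err"] == 0:
            seen[(s["base"], s["filter"])][s["bound_dn"]] = s["nentries"]
    return [(key, [dn for dn, n in by_dn.items() if n == 0]) for key, by_dn in seen.items()
            if any(n > 0 for n in by_dn.values()) and any(n == 0 for n in by_dn.values())]
```

A DN listed by likely_aci_hidden gets err=0 and nentries=0 for a filter that another DN can resolve, which is exactly the case where the aci on the base DN, not the entry's existence, is the thing to check.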
