Troubleshooting this requires more info:

1. What's the OS/Linux flavour? CentOS/RHEL have a pretty painless way to enable LDAP auth, AFAIK.

2. I may be reading the ACLs wrong, but you allow anonymous auth for attribute "userPassword" while for all other attributes anon has no rights. How will the auth session read user info from LDAP?

- Siddhartha

-----Original Message-----

I am currently trying to make an LDAP server which I can use to authenticate users. Sadly a large number of how-tos are incomplete and don't work, so after reading a lot of how-tos and manuals I have got 99.9% of the way. On attempting to authenticate a user it denies the user access with an error from auth.log:

May 4 02:21:08 nemo sshd[1271]: error: PAM: authentication error for william from 172.20.0.1

I can successfully search the LDAP with this user binding
to the LDAP:

ldapsearch -x -D "uid=william,ou=Admin,dc=chocolate,dc=lan" -W '(uid=william)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=chocolate,dc=lan> (default) with scope subtree
# filter: (uid=william)
# requesting: ALL
#

# william, Admin, chocolate.lan
dn: uid=william,ou=Admin,dc=chocolate,dc=lan
uid: william
cn: william
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/william
userPassword:: e1NTSEF9Z3BQd05Lc3JUMWwxSVNhOVQvN1dPb3ZOcnVBSXJwVTE=
gecos: William Brown,,,,
description: William Brown
shadowLastChange: 1
shadowMax: 0
shadowExpire: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Slapd, when trying to authenticate, shows this:

/usr/local/libexec/slapd -4 -d 256
slapd starting
conn=0 fd=10 ACCEPT from IP=127.0.0.1:28629 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
connection_input: conn=0 deferring operation: binding
conn=0 op=1 SRCH base="ou=Nemo,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="ou=Marvin,ou=Group,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup))"
conn=0 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 fd=10 closed (connection lost)
conn=1 fd=10 ACCEPT from IP=127.0.0.1:43475 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
connection_input: conn=1 deferring operation: binding
conn=1 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=1 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 ACCEPT from IP=127.0.0.1:15318 (IP=0.0.0.0:389)
conn=2 op=0 BIND dn="" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
connection_input: conn=2 deferring operation: binding
conn=2 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=2 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=2 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=2 fd=12 closed (connection lost)
conn=3 fd=12 ACCEPT from IP=127.0.0.1:63485 (IP=0.0.0.0:389)
conn=3 op=0 BIND dn="" method=128
conn=3 op=0 RESULT tag=97 err=0 text=
connection_input: conn=3 deferring operation: binding
conn=3 op=1 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 op=2 SRCH base="ou=Admin,dc=chocolate,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=william))"
conn=3 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
<= bdb_equality_candidates: (uid) not indexed
conn=3 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=3 fd=12 closed (connection lost)
conn=1 fd=10 closed (connection lost)

Here is my /etc/ldap.conf:

base dc=chocolate,dc=lan
suffix dc=chocolate,dc=lan
uri ldap://ldap.srv.chocolate.lan
ldap_version 3
rootbinddn cn=Manager,dc=chocolate,dc=lan
scope one
timelimit 3
bind_timelimit 3
bind_policy soft
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_check_host_attr no
pam_member_attribute memberuid
pam_password exop
nss_reconnect_tries 4          # number of times to double the sleep time
nss_reconnect_sleeptime 1      # initial sleep value
nss_reconnect_maxsleeptime 16  # max sleep value to cap at
nss_reconnect_maxconntries 2   # how many tries before sleeping
nss_base_passwd ou=Admin,dc=chocolate,dc=lan?one
nss_base_passwd ou=People,dc=chocolate,dc=lan?one
nss_base_shadow ou=Admin,dc=chocolate,dc=lan?one
nss_base_shadow ou=People,dc=chocolate,dc=lan?one
nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?one
nss_base_group ou=Marvin,ou=Group,dc=chocolate,dc=lan?one
ssl off

Here is /etc/openldap/slapd.conf:

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
access to attrs=userPassword
    by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by users read
database bdb
suffix "dc=chocolate,dc=lan"
rootdn "cn=Manager,dc=chocolate,dc=lan"
rootpw {SSHA}pG0QHakwiNmJHXcyTB5H4RQtoDAGbEsm
directory /var/db/openldap-data
index objectClass eq
index uid eq
password-hash {SSHA}

Here is the /etc/openldap/ldap.conf from both the client and server:

BASE dc=chocolate,dc=lan
URI ldap://ldap.srv.chocolate.lan

Any help with this would be greatly appreciated

William
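As an added illustration of the ACL point raised in the reply at the top of this thread (example code written here, not from either poster), a small Python model of how OpenLDAP picks an access level: the first "access to" clause naming the attribute decides, the first matching "by" inside it wins, no match means the implicit "by * none", and the rootdn bypasses ACLs. It is fed the two ACL lines from William's slapd.conf and the attribute list pam_ldap requested in the slapd log, and it models only the "who" forms those lines use (exact dn=, anonymous, users, self, *), ignoring regex, "entry"/"children" pseudo-attributes and the more exotic ACL controls.

```python
import re
# OpenLDAP access levels, weakest to strongest; returning an attribute value needs "read"
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# ACL lines and rootdn re-typed from William's slapd.conf, one clause per string
ROOTDN = "cn=Manager,dc=chocolate,dc=lan"
ACLS = [
    'access to attrs=userPassword by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write '
    'by anonymous auth by self write by * none',
    'access to * by self write by users read',
]
WILLIAM = "uid=william,ou=Admin,dc=chocolate,dc=lan"
# Attributes pam_ldap requested in the "conn=1 op=1 SRCH attr=" line of the slapd log
PAM_ATTRS = ("uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos "
             "description objectClass shadowLastChange shadowMax shadowExpire").split()

def parse_acl(line):
    """Return (attrs, [(who, level), ...]); attrs is None for 'access to *'."""
    head, *rules = re.split(r"\s+by\s+", line.strip())
    what = head.split(None, 2)[2]                 # text after "access to"
    attrs = None if what == "*" else {a.lower() for a in what[len("attrs="):].split(",")}
    return attrs, [tuple(r.rsplit(None, 1)) for r in rules]

def who_matches(who, bound_dn, target_dn):
    """Simplified <who> forms only: *, anonymous, users, self and an exact dn="..." match."""
    if who.startswith("dn="):
        return bound_dn.lower() == who[3:].strip('"').lower()
    return {"*": True,
            "anonymous": bound_dn == "",
            "users": bound_dn != "",
            "self": bound_dn != "" and bound_dn.lower() == target_dn.lower()}.get(who, False)

def access(acls, bound_dn, target_dn, attr):
    """Level bound_dn gets on attr of target_dn: the first clause naming the attribute decides,
    the first matching 'by' inside it wins, and no match means the implicit 'by * none'."""
    if bound_dn.lower() == ROOTDN.lower():
        return "write"                            # rootdn bypasses ACLs entirely
    for attrs, rules in map(parse_acl, acls):
        if attrs is None or attr.lower() in attrs:
            return next((lvl for who, lvl in rules if who_matches(who, bound_dn, target_dn)), "none")
    return "none"

def readable(acls, bound_dn, target_dn, attrs):
    """Subset of attrs that a search by bound_dn would actually get back for target_dn."""
    return [a for a in attrs
            if LEVELS.index(access(acls, bound_dn, target_dn, a)) >= LEVELS.index("read")]

if __name__ == "__main__":
    # The anonymous BIND dn="" seen in the log versus william binding as himself
    print("anonymous can read:", readable(ACLS, "", WILLIAM, PAM_ATTRS))
    print("william can read:  ", readable(ACLS, WILLIAM, WILLIAM, PAM_ATTRS))
```

Run against these ACLs, the anonymous identity that pam_ldap used in the log gets "auth" on userPassword and "none" on every other requested attribute, so it can read nothing back, while william bound as himself, any other authenticated user, or the rootdn (via rootbinddn plus /etc/ldap.secret) can.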