
Openldap Authentication



Hi All,

I have configured an LDAP server and am trying to log in to the same LDAP server using an LDAP user. However, I am not able to log in and am getting the following in /var/log/secure:

Dec 22 20:06:29 redhat5 sshd[7241]: Invalid user ldapu1 from 192.168.85.1
Dec 22 20:06:31 redhat5 sshd[7242]: input_userauth_request: invalid user ldapu1
Dec 22 20:06:37 redhat5 sshd[7241]: pam_unix(sshd:auth): check pass; user unknown
Dec 22 20:06:37 redhat5 sshd[7241]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.85.1
Dec 22 20:06:37 redhat5 sshd[7241]: pam_succeed_if(sshd:auth): error retrieving information about user ldapu1
Dec 22 20:06:39 redhat5 sshd[7241]: Failed password for invalid user ldapu1 from 192.168.85.1 port 4461 ssh2

The following appears in ldap.log:

Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=30 SRCH base="ou=Users,dc=homeldap,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapu1))"
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=30 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=30 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=31 SRCH base="ou=Computers,dc=homeldap,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapu1))"
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=31 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=31 SEARCH RESULT tag=101 err=0 nentries=0 text=

I can see that if I use ldapsearch with the same filter, I am not able to locate the user "ldapu1". However, if I change the filter to "(|(objectClass=posixAccount)(uid=ldapu1))", it shows me the LDAP user:

=============
[root@redhat5 ~]# ldapsearch -x -b "ou=Users,dc=homeldap,dc=com" -D "cn=Manager,dc=homeldap,dc=com" -W -H "ldap://127.0.0.1/" "(|(objectClass=posixAccount)(uid=ldapu1))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Users,dc=homeldap,dc=com> with scope subtree
# filter: (|(objectClass=posixAccount)(uid=ldapu1))
# requesting: ALL
#

# ldapu1, Users, homeldap.com
dn: cn=ldapu1,ou=Users,dc=homeldap,dc=com
objectClass: inetOrgPerson
cn: ldapu1
sn: ldapu1
uid: ldapu1
userPassword:: bGRhcHV1MQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

=============

Can someone please tell me where I have made a mistake?

-- Is it necessary to create an account on the Linux box and then migrate it to LDAP?

-- I was just wondering if I can somehow change the default filter from AND to OR at the time of login. I used "pam_filter |objectClass=inetOrgPerson" in ldap.conf; however, it didn't change the filter.

Regards,
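An added example, not part of the post above, that reproduces what the slapd log and the two ldapsearch runs show. It evaluates both filters from the post against the entry the OR search returned, lists what that entry lacks to satisfy a posixAccount lookup (the MUST attributes of posixAccount per RFC 2307: cn, uid, uidNumber, gidNumber, homeDirectory), and scans the quoted slapd log for searches that came back with nentries=0. The LDIF entry and the log lines are constructed copies of the ones in the post; the filter evaluator handles only the RFC 4515 subset needed here (&, |, !, and equality matches).

```python
import base64
import re

# Constructed copy of the entry that the OR search in the post returned.
ENTRY_LDIF = """\
dn: cn=ldapu1,ou=Users,dc=homeldap,dc=com
objectClass: inetOrgPerson
cn: ldapu1
sn: ldapu1
uid: ldapu1
userPassword:: bGRhcHV1MQ==
"""

# The filter nss_ldap/pam_ldap sent (from the slapd log) and the OR variant the poster tried.
NSS_FILTER = "(&(objectClass=posixAccount)(uid=ldapu1))"
OR_FILTER = "(|(objectClass=posixAccount)(uid=ldapu1))"

# MUST attributes of the posixAccount object class (RFC 2307).
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed copy of the four slapd log lines quoted in the post.
SLAPD_LOG = """\
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=30 SRCH base="ou=Users,dc=homeldap,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapu1))"
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=30 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=31 SRCH base="ou=Computers,dc=homeldap,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapu1))"
Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=31 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

LDIF_LINE_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .* filter="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .* nentries=(\d+)")


def parse_ldif(text):
    """Parse a single LDIF entry into {attribute_lowercase: [values]}; '::' marks base64 values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LDIF_LINE_RE.match(line)
        if not m:
            raise ValueError("bad LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def parse_filter(s):
    """Parse an RFC 4515 filter restricted to (&...), (|...), (!...) and (attr=value)."""
    node, pos = _parse_filter_at(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node


def _parse_filter_at(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    op = s[i]
    if op in ("&", "|", "!"):
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse_filter_at(s, i)
            children.append(child)
        if s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed compound filter")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, eq, value = s[i:j].partition("=")
    if not attr or not eq:
        raise ValueError("only equality matches are supported")
    return ("=", attr, value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry; equality is case-insensitive (caseIgnoreMatch)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def missing_posix_attributes(entry):
    """What the entry still needs before a (&(objectClass=posixAccount)(uid=...)) lookup can match it."""
    missing = [a for a in POSIX_ACCOUNT_MUST if a.lower() not in entry]
    if "posixaccount" not in {oc.lower() for oc in entry.get("objectclass", [])}:
        missing.insert(0, "objectClass: posixAccount")
    return missing


def empty_searches(log):
    """Pair SRCH and SEARCH RESULT lines by conn/op; return (base, filter) of searches with nentries=0."""
    pending, empty = {}, []
    for line in log.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) == "0" and (m.group(1), m.group(2)) in pending:
            empty.append(pending.pop((m.group(1), m.group(2))))
    return empty


if __name__ == "__main__":
    entry = parse_ldif(ENTRY_LDIF)
    for flt in (NSS_FILTER, OR_FILTER):
        print(flt, "->", matches(parse_filter(flt), entry))
    print("missing for posixAccount:", missing_posix_attributes(entry))
    for base, flt in empty_searches(SLAPD_LOG):
        print("empty search under", base, "with", flt)
```

Running it shows the AND filter evaluating to False and the OR filter to True for the same entry, which is exactly the difference between the failed login and the successful ldapsearch: the OR filter matches on uid alone, while the lookup sshd's PAM/NSS stack issues requires objectClass=posixAccount, and the entry carries only inetOrgPerson with none of the POSIX attributes that a login needs (uidNumber, gidNumber, homeDirectory).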