openldap problems authenticating
- To: openldap-technical@openldap.org
- Subject: openldap problems authenticating
- From: Tim Dunphy <bluethundr@gmail.com>
- Date: Tue, 22 Feb 2011 17:52:40 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=yEF1KQuS9sybmOVM+u6cpae4ADVf4Q/ckPJQoePe/qk=; b=QkAp2eLi9JOxCNv+9isyMwpxguPGhrUwiQicsWu57E/b6w22aG2cICHx4M/BTConeE LlE1CZOsmwpYMTc5hrhwDmrlqd1shhwHn4zWr8jsFQ30ko1EAsvfo5cRt/wdNXKdu4mA FFAnm1hOFTxWDiNbaCZVfKoBfAiH9KnQIyMc4=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=DXqBA5zGuC+1e0vgrWyuHYJWthPaN1qFDxYC/B9yQlOeH6uX2AE/uBslzcqw3iLQ6g Ixg0ptcvXxaWf5D09PSU3kHNH6I1U8qgnG5xAHYlggLOZsf/q+WZEOuniOJrLVJ8Wk+c srlqIJFPEqYVPC3uGk+WF7Ka2A+tjDPdgdcss=
Hello list,
I am running an openldap 2.4 server under FreeBSD that was working
well until the config was tweaked by someone on the team without
properly documenting their work.
# /usr/local/etc/ldap.con on ldap server (FreeBSD 8.1)
host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {SSHA}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
# getent passwd | grep for the ldap account succeeds on the ldap server itself
[root@LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
[root@LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
[root@LBSD2:/usr/local/etc/openldap] #
# /etc/ldap.conf on ldap client (centos 5.5)
host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {crypt}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
# getent passwd | grep for the ldap account on the client turns up nothing,
after a long pause
[root@LCENT01:~] #getent passwd | grep walbs
[root@LCENT01:~] #
# nsswitch on the client
passwd: files ldap
shadow: files ldap
group: files ldap
sudoers: ldap
#hosts: db files nisplus nis dns
hosts: files dns
# this is what's going on in the logs on the ldap server during the
getent from the client
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from
IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND
dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed
# an ldapsearch from the client, bound as the pam services account, is able to
locate the ldap user info
[root@LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap
,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com'
'(uid=walbs)'
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (uid=walbs)
# requesting: ALL
#
# walbs, People, summitnjhome.com
dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
uid: walbs
cn: Walkiria Soares
givenName: Walkiria
sn: Soares
mail: walbs@example.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 1003
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
#pam_ldap services account in the ldap directory
3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: {SSHA}secret
I have also tried anonymous binds on the client, as well as using
plain-text passwords. I get the same tag=97 err=49 messages on the
client either way.
This is the ldap software I have on the FreeBSD server:
LBSD2# pkg_info | grep -i ldap
ldapvi-1.7_2 A tool to update LDAP entries with a text editor
openldap-sasl-client-2.4.23 Open source LDAP client implementation
with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5 A pam module for authenticating with LDAP
And this is what I am using on the Centos 5.5 client:
[root@LCENT01:~] #rpm -qa | grep -i ldap
python-ldap-2.2.0-2.1
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
ldapvi-1.7-10.el5
php-ldap-5.1.6-27.el5
openldap-clients-2.3.43-12.el5_5.3
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
Some advice is sorely needed here. Thank you very kindly in advance!
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B