Nabble - PAM LDAP

pam_ldap-185

2009-11-06T02:29:44Z

185 Luke Howard <lukeh@padlcom>

* fix for BUG#232: LDAP write on userPassword fails

when chasing referral and cached policy error is

POLICY_ERROR_PASSWORD_EXPIRED

* fix for BUG#366: only request attributes that are

actually used

* fix for BUG#394: canonicalize PAM_USER name

www.padl.com | www.fghr.net

pam_ldap fails but ldappasswd works

2009-10-14T02:43:07Z

Hi,

pam_ldap fails to authenticate a user (trying to login with ssh). auth.log says:

Oct 14 05:36:24 hoadms004 sshd[5734]: Invalid user abraham from 127.0.0.1
Oct 14 05:36:24 hoadms004 sshd[5734]: Failed none for invalid user abraham from
127.0.0.1 port 55946 ssh2
Oct 14 05:36:28 hoadms004 sshd[5734]: pam_ldap: error trying to bind as user "uid=abraham,ou=people,dc=cpttm,dc=org,dc=mo" (Invalid credentials)

However, I can use ldappasswd to change that user's password while binding as
that user:

ldappasswd -x -D "uid=abraham,ou=people,dc=cpttm,dc=org,dc=mo" -W
-H ldaps://ldap1.cpttm/ -A -S "uid=abraham,ou=people,dc=cpttm,dc=org,dc=mo"

ldapsearch also works fine:

ldapsearch -x -D "uid=abraham,ou=people,dc=cpttm,dc=org,dc=mo" -W
-H ldaps://ldap1.cpttm/

any idea?

--
Kent Tong
Wicket tutorials freely available at http://www.agileskills2.org/EWDW
Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA

Change auth. window to web form page

2009-10-04T03:05:35Z

hi all,
i'm a newbie in Apache development world,
i have a problem which i wish to find a solution for,
i need to take user name and password from web form (text boxes) instead of taking from windows popup window and check them through with stored in ldap.

how can i deserve that,

hay, i forgot to mention that iam using php 5 , Apache Directory Studio , and Apache 2.2 , windows xp

thanks in advance
Amira

Edit/Delete Message

RE: eDir w/ AIX

2009-09-11T09:43:57Z

> We don't want the native stuff, b/c it requires managing users w/support in
> the remote schema. We were simply wanting to do LDAP auth and still manage
> users/groups locally on AIX. Only way we can find to do this is via nss_ldap.
> More's the pity...

Local group management was our original idea too, but AIX has not been cooperative.

Mark Merchant
Unix Systems Admin, Huntington Banks
7 Easton Oval, Cols, Oh 43219
tel:614-331-9806 cel:614-917-8218 pag:614-917-8218

How quickly daft jumping zebras vex.

From:	"Gary Bennett" <benngl@...>
To:	"Mark.Merchant@..." <Mark.Merchant@...>, "Kyle Chapman" <Kyle.Chapman@...>
Cc:	"pamldap@..." <pamldap@...>
Date:	09/11/2009 12:39 PM
Subject:	RE: [pamldap] eDir w/ AIX

We don't want the native stuff, b/c it requires managing users w/support in the remote schema. We were simply wanting to do LDAP auth and still manage users/groups locally on AIX. Only way we can find to do this is via nss_ldap. More's the pity... >>> Kyle Chapman <Kyle.Chapman@...> 9/11/2009 12:35 PM >>> i have on 5.3 and down, though after tl5 with 5.3 i use the native stuff to talk to ad or openldap. ________________________________ From: owner-pamldap@... [owner-pamldap@...] On Behalf Of Mark.Merchant@... Sent: Friday, September 11, 2009 11:27 AM To: Gary Bennett Cc: pamldap@... Subject: Re: [pamldap] eDir w/ AIX Yes, we had issues compiling nss_ldap on AIX, so we're using the native stuff. The problem is that AIX produces a query that looks something like this: (&(objectclass=posixgroup)\ (|(member=cn=hb92657,ou=aix,ou=unix,ou=datacenter,ou=hnbauth)(member=hb92657))) Which eDir rejects because the last member= clause is not formatted like a dn It's a little off topic for this list, I was just wondering if anyone was using eDir or another directory where schema checking is enforced on the query. Thx. p.s. if anyone has gotten a clean compile on AIX, I'd love know how ;) Mark Merchant Unix Systems Admin, Huntington Banks 7 Easton Oval, Cols, Oh 43219 tel:614-331-9806 cel:614-917-8218 pag:614-917-8218 How quickly daft jumping zebras vex. From: "Gary Bennett" <benngl@...> To: <Mark.Merchant@...> Date: 09/11/2009 11:14 AM Subject: Re: [pamldap] eDir w/ AIX ________________________________ Mark, do you have to run nss_ldap for AIX to auth against other sources? We've had issues w/compiling on 5.3 or 6.1. TIA. gary gary bennett shands hospital at uf information services >>> <Mark.Merchant@...> 9/11/2009 9:18 AM >>> Is anyone running against Novell's eDir? We've run up against a strange issue. It appears that eDir does a schema check against incoming queries. I've never seen a directory do that before. Any ideas on how to get around it? Thx. Mark Merchant Unix Systems Admin, Huntington Banks 7 Easton Oval, Cols, Oh 43219 tel:614-331-9806 cel:614-917-8218 pag:614-917-8218 How quickly daft jumping zebras vex.

Re: eDir w/ AIX

2009-09-11T08:26:45Z

Yes, we had issues compiling nss_ldap on AIX, so we're using the native stuff.
The problem is that AIX produces a query that looks something like this:

(&(objectclass=posixgroup)\
(|(member=cn=hb92657,ou=aix,ou=unix,ou=datacenter,ou=hnbauth)(member=hb92657)))

Which eDir rejects because the last member= clause is not formatted like a dn

It's a little off topic for this list, I was just wondering if anyone was using eDir or another
directory where schema checking is enforced on the query.

Thx.

p.s. if anyone has gotten a clean compile on AIX, I'd love know how ;)

Mark Merchant
Unix Systems Admin, Huntington Banks
7 Easton Oval, Cols, Oh 43219
tel:614-331-9806 cel:614-917-8218 pag:614-917-8218

How quickly daft jumping zebras vex.

From:	"Gary Bennett" <benngl@...>
To:	<Mark.Merchant@...>
Date:	09/11/2009 11:14 AM
Subject:	Re: [pamldap] eDir w/ AIX

Mark, do you have to run nss_ldap for AIX to auth against other sources? We've had issues w/compiling on 5.3 or 6.1. TIA. gary gary bennett shands hospital at uf information services >>> <Mark.Merchant@...> 9/11/2009 9:18 AM >>> Is anyone running against Novell's eDir? We've run up against a strange issue. It appears that eDir does a schema check against incoming queries. I've never seen a directory do that before. Any ideas on how to get around it? Thx. Mark Merchant Unix Systems Admin, Huntington Banks 7 Easton Oval, Cols, Oh 43219 tel:614-331-9806 cel:614-917-8218 pag:614-917-8218 How quickly daft jumping zebras vex.

eDir w/ AIX

2009-09-11T06:18:39Z

Is anyone running against Novell's eDir? We've run up against a strange
issue. It appears that eDir does a schema check against incoming queries.
I've never seen a directory do that before. Any ideas on how to get around it?

Thx.

Mark Merchant
Unix Systems Admin, Huntington Banks
7 Easton Oval, Cols, Oh 43219
tel:614-331-9806 cel:614-917-8218 pag:614-917-8218

How quickly daft jumping zebras vex.

Re: trouble compiling pam_ldap under solaris 2.9

2009-08-26T04:01:02Z

Hello Mark,

[RESEND: I forgot to attach a patch, without this patch it was
compiling, but failed to run because it couldn't determine the symbold
on runtime very nasty to track down because everything appears to be
fine, but it doesn't work at all.]

* Mark.Merchant@... <Mark.Merchant@...> [090825 21:00]:
> any ideas? thx.

the following works and give you a nss_ldap with as much statically linked
stuff as possible but you need to download the dependencies. In addition to
that I insalled a recent version of forte 12 for compiling and gmake from
blastwave.

export CC=cc
export CXX=CC
export PATH="/local/forte12/SUNWspro/bin:/usr/ccs/bin:/usr/bin:/opt/csw/bin"

(
cd Libnet-1.0.2a
./configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies
gmake
gmake install
)

export LDFLAGS='-L/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/lib'
export CPPFLAGS='-I/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/include'

(
cd openssl-0.9.8c
./Configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies shared solaris-x86-cc
gmake
gmake install
)

(
cd krb5-1.4.4/src
./configure --enable-static --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies --exec-prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies
gmake
gmake install
)

(
cd cyrus-sasl-2.1.22
./configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies --with-staticsasl
gmake
gmake install
)

(
cd db-4.5.20/build_unix
../dist/configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies --disable-shared
gmake
gmake install
)

(
cd openldap-2.3.39
LIBS="-lrt" ./configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies
gmake
gmake install
)

(
cd nss_ldap-260
./configure --exec-prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --enable-schema-mapping --enable-rfc2307bis --enable-configurable-krb5-ccname-gssapi
gmake
cc -g -L/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/lib -o nss_ldap.so -Bdirect -z nodelete -Bdynamic -M ./exports.solaris -G ldap-nss.o ldap-pwd.o ldap-grp.o ldap-netgrp.o ldap-rpc.o ldap-hosts.o ldap-network.o ldap-proto.o ldap-spwd.o ldap-alias.o ldap-service.o ldap-schema.o ldap-ethers.o ldap-bp.o ldap-automount.o util.o ltf.o snprintf.o resolve.o dnsconfig.o irs-nss.o pagectrl.o ldap-sldap.o ldap-init-krb5-cache.o -Bstatic -lldap -llber -lsasl2 -Bstatic -lssl -lcrypto -lgssapi_krb5 -lcom_err -lkrb5 -lk5crypto -lkrb5support -Bdynamic -ldl -lsocket -lnsl -lresolv
)

# cc -o pam_krb5.so -G -xldscope=symbolic -L/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/lib api-account.o api-auth.o api-password.o api-session.o auth.o compat.o context.o logging.o options.o prompting.o support.o -L/usr/lib -R/usr/lib -Bstatic -lgssapi_krb5 -lcom_err -lkrb5 -lk5crypto -lkrb5support -Bdynamic -lpam -lresolv -lsocket -lnsl

Thomas

# vim: ft=perl

$progname = 'nss_ldap';
$version = '260';

my $libnet_version = '1.0.2a';
my $openssl_version = '0.9.8c';
my $krb5_version = '1.4.4';
my $sasl_version = '2.1.22';
my $openldap_version = '2.3.39';
my $berkeley_version = '4.5.20';

# TODO: Search for krb5.conf in /etc/krb5/krb5.conf
# At the moment it tries the following two paths:
# /etc/krb5.conf
# /var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/etc/krb5.conf

# ldap.conf wird auch an einer komischen Stelle gesucht, ist aber wahrscheinlich egal:
# open("/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/etc/openldap/ldap.conf", O_RDONLY) Err#2 ENOENT
# stat("/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/etc/krb5.conf", 0xFFBFE798) Err#2 ENOENT

$buildroot = "${builddir}/${progname}-${version}-buildroot";

$category = 'application';
$vendor = 'http://www.padl.com/ packaged by Thomas Glanzmann';

@sources = ("${progname}.tgz",
"libnet-${libnet_version}.tar.gz",
"openssl-${openssl_version}.tar.gz",
"krb5-${krb5_version}.tar.gz",
"cyrus-sasl-${sasl_version}.tar.gz",
"openldap-${openldap_version}.tar.gz",
"db-${berkeley_version}.tar.gz",
);

@patches = (['nss_ldap.patch', "${progname}-${version}", '-p1']);

@packages = ({
pkgname => 'nssldap',
filename => 'nss_ldap',
name => "nssldap - retrieve system databases from LDAP directories",
dependencies => [],
filelist => [qw(usr)]
});

$copyright = "${progname}-${version}/COPYING";

$build = <<"EOF";
export CC=cc
export CXX=CC
export PATH="${sunwspropath}:/usr/ccs/bin:/usr/bin:/opt/csw/bin"

(
cd Libnet-${libnet_version}
./configure --prefix=${buildroot}/dependencies
gmake
gmake install
)

export LDFLAGS='-L${buildroot}/dependencies/lib'
export CPPFLAGS='-I${buildroot}/dependencies/include'

(
cd openssl-${openssl_version}
./Configure --prefix=${buildroot}/dependencies shared solaris-x86-cc
gmake
gmake install
)

(
cd krb5-${krb5_version}/src
./configure --enable-static --prefix=${buildroot}/dependencies --exec-prefix=${buildroot}/dependencies
gmake
gmake install
)

(
cd cyrus-sasl-${sasl_version}
./configure --prefix=${buildroot}/dependencies --with-staticsasl
gmake
gmake install
)

(
cd db-${berkeley_version}/build_unix
../dist/configure --prefix=${buildroot}/dependencies --disable-shared
gmake
gmake install
)

(
cd openldap-${openldap_version}
LIBS="-lrt" ./configure --prefix=${buildroot}/dependencies
gmake
gmake install
)

(
cd ${progname}-${version}
./configure --exec-prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --enable-schema-mapping --enable-rfc2307bis --enable-configurable-krb5-ccname-gssapi
gmake
cc -g -L${buildroot}/dependencies/lib -o nss_ldap.so -Bdirect -z nodelete -Bdynamic -M ./exports.solaris -G ldap-nss.o ldap-pwd.o ldap-grp.o ldap-netgrp.o ldap-rpc.o ldap-hosts.o ldap-network.o ldap-proto.o ldap-spwd.o ldap-alias.o ldap-service.o ldap-schema.o ldap-ethers.o ldap-bp.o ldap-automount.o util.o ltf.o snprintf.o resolve.o dnsconfig.o irs-nss.o pagectrl.o ldap-sldap.o ldap-init-krb5-cache.o -Bstatic -lldap -llber -lsasl2 -Bstatic -lssl -lcrypto -lgssapi_krb5 -lcom_err -lkrb5 -lk5crypto -lkrb5support -Bdynamic -ldl -lsocket -lnsl -lresolv
)

# cc -o pam_krb5.so -G -xldscope=symbolic -L/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/lib api-account.o api-auth.o api-password.o api-session.o auth.o compat.o context.o logging.o options.o prompting.o support.o -L/usr/lib -R/usr/lib -Bstatic -lgssapi_krb5 -lcom_err -lkrb5 -lk5crypto -lkrb5support -Bdynamic -lpam -lresolv -lsocket -lnsl
EOF

commit 13e89c8747ce5b71966cce2afa28b9f6212ff568
Author: Thomas Glanzmann <sithglan@...>
Date: Fri May 9 07:50:16 2008 +0200

make crap work

diff --git a/ldap-sldap.c b/ldap-sldap.c
index 5f8f85f..0af8b67 100644
--- a/ldap-sldap.c
+++ b/ldap-sldap.c
@@ -247,7 +247,9 @@ __ns_ldap_getParam (const ParamIndexType type, void ***data,
break;
}

+#if 0
debug ("<== __ns_ldap_getParam (ret=%s)", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}
@@ -566,8 +568,10 @@ __ns_ldap_parseEntry (LDAPMessage * msg, ldap_state_t * state,
{
__ns_ldap_freeEntry (&entry);
cookie->ret = ret;
+#if 0
debug ("<== __ns_ldap_parseEntry (failed to init result: %s)",
NS_LDAP_ERR2STR (ret));
+#endif
return __ns_ldap_mapError (ret);
}
cookie->result->entry = entry;
@@ -597,7 +601,9 @@ __ns_ldap_parseEntry (LDAPMessage * msg, ldap_state_t * state,

cookie->ret = ret;

+#if 0
debug ("<== __ns_ldap_parseEntry (ret=%s)", NS_LDAP_ERR2STR (ret));
+#endif

return __ns_ldap_mapError (ret);
}
@@ -1150,8 +1156,10 @@ __ns_ldap_firstEntry (const char *service,

*pCookie = cookie;

+#if 0
debug ("<== __ns_ldap_firstEntry ret=%s cookie=%p", NS_LDAP_ERR2STR (ret),
cookie);
+#endif

return ret;
}
@@ -1185,7 +1193,9 @@ __ns_ldap_nextEntry (void *_cookie,

_nss_ldap_leave ();

+#if 0
debug ("<== __ns_ldap_nextEntry ret=%s", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}
@@ -1273,7 +1283,9 @@ __ns_ldap_list (const char *map,

_nss_ldap_leave ();

+#if 0
debug ("<== __ns_ldap_list ret=%s", NS_LDAP_ERR2STR (ret));
+#endif

return ret;
}

Re: trouble compiling pam_ldap under solaris 2.9

2009-08-26T01:06:34Z

Hello Mark,

* Mark.Merchant@... <Mark.Merchant@...> [090825 21:00]:
> any ideas? thx.

the following works and give you a nss_ldap with as much statically linked
stuff as possible but you need to download the dependencies. In addition to
that I insalled a recent version of forte 12 for compiling and gmake from
blastwave.

export CC=cc
export CXX=CC
export PATH="/local/forte12/SUNWspro/bin:/usr/ccs/bin:/usr/bin:/opt/csw/bin"

(
cd Libnet-1.0.2a
./configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies
gmake
gmake install
)

export LDFLAGS='-L/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/lib'
export CPPFLAGS='-I/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/include'

(
cd openssl-0.9.8c
./Configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies shared solaris-x86-cc
gmake
gmake install
)

(
cd krb5-1.4.4/src
./configure --enable-static --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies --exec-prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies
gmake
gmake install
)

(
cd cyrus-sasl-2.1.22
./configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies --with-staticsasl
gmake
gmake install
)

(
cd db-4.5.20/build_unix
../dist/configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies --disable-shared
gmake
gmake install
)

(
cd openldap-2.3.39
LIBS="-lrt" ./configure --prefix=/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies
gmake
gmake install
)

(
cd nss_ldap-260
./configure --exec-prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --enable-schema-mapping --enable-rfc2307bis --enable-configurable-krb5-ccname-gssapi
gmake
cc -g -L/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/lib -o nss_ldap.so -Bdirect -z nodelete -Bdynamic -M ./exports.solaris -G ldap-nss.o ldap-pwd.o ldap-grp.o ldap-netgrp.o ldap-rpc.o ldap-hosts.o ldap-network.o ldap-proto.o ldap-spwd.o ldap-alias.o ldap-service.o ldap-schema.o ldap-ethers.o ldap-bp.o ldap-automount.o util.o ltf.o snprintf.o resolve.o dnsconfig.o irs-nss.o pagectrl.o ldap-sldap.o ldap-init-krb5-cache.o -Bstatic -lldap -llber -lsasl2 -Bstatic -lssl -lcrypto -lgssapi_krb5 -lcom_err -lkrb5 -lk5crypto -lkrb5support -Bdynamic -ldl -lsocket -lnsl -lresolv
)

# cc -o pam_krb5.so -G -xldscope=symbolic -L/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/lib api-account.o api-auth.o api-password.o api-session.o auth.o compat.o context.o logging.o options.o prompting.o support.o -L/usr/lib -R/usr/lib -Bstatic -lgssapi_krb5 -lcom_err -lkrb5 -lk5crypto -lkrb5support -Bdynamic -lpam -lresolv -lsocket -lnsl

Thomas

# vim: ft=perl

$progname = 'nss_ldap';
$version = '260';

my $libnet_version = '1.0.2a';
my $openssl_version = '0.9.8c';
my $krb5_version = '1.4.4';
my $sasl_version = '2.1.22';
my $openldap_version = '2.3.39';
my $berkeley_version = '4.5.20';

# TODO: Search for krb5.conf in /etc/krb5/krb5.conf
# At the moment it tries the following two paths:
# /etc/krb5.conf
# /var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/etc/krb5.conf

# ldap.conf wird auch an einer komischen Stelle gesucht, ist aber wahrscheinlich egal:
# open("/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/etc/openldap/ldap.conf", O_RDONLY) Err#2 ENOENT
# stat("/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/etc/krb5.conf", 0xFFBFE798) Err#2 ENOENT

$buildroot = "${builddir}/${progname}-${version}-buildroot";

$category = 'application';
$vendor = 'http://www.padl.com/ packaged by Thomas Glanzmann';

@sources = ("${progname}.tgz",
"libnet-${libnet_version}.tar.gz",
"openssl-${openssl_version}.tar.gz",
"krb5-${krb5_version}.tar.gz",
"cyrus-sasl-${sasl_version}.tar.gz",
"openldap-${openldap_version}.tar.gz",
"db-${berkeley_version}.tar.gz",
);

@patches = (['nss_ldap.patch', "${progname}-${version}", '-p1']);

@packages = ({
pkgname => 'nssldap',
filename => 'nss_ldap',
name => "nssldap - retrieve system databases from LDAP directories",
dependencies => [],
filelist => [qw(usr)]
});

$copyright = "${progname}-${version}/COPYING";

$build = <<"EOF";
export CC=cc
export CXX=CC
export PATH="${sunwspropath}:/usr/ccs/bin:/usr/bin:/opt/csw/bin"

(
cd Libnet-${libnet_version}
./configure --prefix=${buildroot}/dependencies
gmake
gmake install
)

export LDFLAGS='-L${buildroot}/dependencies/lib'
export CPPFLAGS='-I${buildroot}/dependencies/include'

(
cd openssl-${openssl_version}
./Configure --prefix=${buildroot}/dependencies shared solaris-x86-cc
gmake
gmake install
)

(
cd krb5-${krb5_version}/src
./configure --enable-static --prefix=${buildroot}/dependencies --exec-prefix=${buildroot}/dependencies
gmake
gmake install
)

(
cd cyrus-sasl-${sasl_version}
./configure --prefix=${buildroot}/dependencies --with-staticsasl
gmake
gmake install
)

(
cd db-${berkeley_version}/build_unix
../dist/configure --prefix=${buildroot}/dependencies --disable-shared
gmake
gmake install
)

(
cd openldap-${openldap_version}
LIBS="-lrt" ./configure --prefix=${buildroot}/dependencies
gmake
gmake install
)

(
cd ${progname}-${version}
./configure --exec-prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --enable-schema-mapping --enable-rfc2307bis --enable-configurable-krb5-ccname-gssapi
gmake
cc -g -L${buildroot}/dependencies/lib -o nss_ldap.so -Bdirect -z nodelete -Bdynamic -M ./exports.solaris -G ldap-nss.o ldap-pwd.o ldap-grp.o ldap-netgrp.o ldap-rpc.o ldap-hosts.o ldap-network.o ldap-proto.o ldap-spwd.o ldap-alias.o ldap-service.o ldap-schema.o ldap-ethers.o ldap-bp.o ldap-automount.o util.o ltf.o snprintf.o resolve.o dnsconfig.o irs-nss.o pagectrl.o ldap-sldap.o ldap-init-krb5-cache.o -Bstatic -lldap -llber -lsasl2 -Bstatic -lssl -lcrypto -lgssapi_krb5 -lcom_err -lkrb5 -lk5crypto -lkrb5support -Bdynamic -ldl -lsocket -lnsl -lresolv
)

# cc -o pam_krb5.so -G -xldscope=symbolic -L/var/tmp/sithglan-pkg/nss_ldap-260-buildroot/dependencies/lib api-account.o api-auth.o api-password.o api-session.o auth.o compat.o context.o logging.o options.o prompting.o support.o -L/usr/lib -R/usr/lib -Bstatic -lgssapi_krb5 -lcom_err -lkrb5 -lk5crypto -lkrb5support -Bdynamic -lpam -lresolv -lsocket -lnsl
EOF

trouble compiling pam_ldap under solaris 2.9

2009-08-25T11:15:05Z

any ideas? thx.

bash-2.05# make
make all-am
make[1]: Entering directory `/export/home/software/pam_ldap-184'
gcc -g -O2 -Wall -fPIC -B dynamic -M ./exports.solaris -G -B group -lc -L/opt/ldap/lib -R/opt/ldap/lib -mcpu=v7 -m32 -L/opt/ldap/lib -R/opt/ldap/lib -o pam_nldap.so pam_nldap.o md5.o -lldap -llber -lnsl -lcrypt -lresolv -lpam -ldl
gcc: ./exports.solaris: linker input file unused because linking not done
gcc: -lc: linker input file unused because linking not done
gcc: pam_nldap.o: linker input file unused because linking not done
gcc: md5.o: linker input file unused because linking not done
gcc: -lldap: linker input file unused because linking not done
gcc: -llber: linker input file unused because linking not done
gcc: -lnsl: linker input file unused because linking not done
gcc: -lcrypt: linker input file unused because linking not done
gcc: -lresolv: linker input file unused because linking not done
gcc: -lpam: linker input file unused because linking not done
gcc: -ldl: linker input file unused because linking not done
make[1]: Leaving directory `/export/home/software/pam_ldap-184'

Mark Merchant
Unix Systems Admin, Huntington Banks
7 Easton Oval, Cols, Oh 43219
tel:614-331-9806 cel:614-917-8218 pag:614-917-8218

640K ought to be enough for anybody.
Bill Gates

How to use an alternate config file for separate services

2009-08-18T18:31:36Z

I am having issues getting vsftpd to us a different OU (
ou=ftpusers,...) to authenticate users than ssh users (
ou=people,...).

I have setup a new ldap.conf file in /usr/local/etc/vsftpd/ldap.conf

I setup a new system-auth pam file named system-auth-vsftpd. In here I
am using the "config" argument on the pam_ldap.so module. It is
referenced by the pam.d/vsftpd config file.

No matter what I do I can't login with users from the ou=ftpusers,
unit. However, it still accepts folks who are in the ou=people, unit.
This leads me to believe it is ignoring the "config" argument. Any
ideas why?

My setup thus far:

[root]# cat /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny
file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth-vsftpd
account include system-auth-vsftpd
session include system-auth-vsftpd
session required pam_loginuid.so

[root]# cat /etc/pam.d/system-auth-vsftpd
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so
config=/usr/local/etc/vsftpd/ldap.conf use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
config=/usr/local/etc/vsftpd/ldap.conf
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=2
password sufficient pam_unix.so md5 shadow nullok try_first_pass
use_authtok remember=15
password sufficient pam_ldap.so
config=/usr/local/etc/vsftpd/ldap.conf use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so config=/usr/local/etc/vsftpd/ldap.conf

[root]# cat /usr/local/etc/vsftpd/ldap.conf
base dc=somewhere,dc=org
rootbinddn cn=manager,dc=somewhere,dc=org
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_base_passwd ou=ftpusers,dc=somewhere,dc=org?one
nss_base_shadow ou=ftpusers,dc=somewhere,dc=org?one
nss_base_group ou=unixgroups,dc=somewhere,dc=org?one
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
uri ldap://172.25.14.140/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
pam_password exop
pam_password_prohibit_message Please visit https://www.somewhere.org/
to change your password.
nss_base_group ou=unixgroups,
nss_base_passwd ou=ftpusers,

Please help me on ldap jndi programming

2009-08-17T22:27:24Z

Hello....

I am new to ldap programming. I am using Apache Directory server. I have to insert organization information in apache directory server using jndi from java application. I able to insert the cn node from java application. If I try to insert organization or organization unit level node from java application schema violation error is comming. Please tell me the code to insert organization node from java application. Please help me. very Urgent.

If this is the wrong place to post this question atleast please tell me the forum topic where i need to post this question....

RE: Re: Calling pam_ldap more then once

2009-08-17T06:57:11Z

Hello, i have the same Proplem. According to http://www.nabble.com/Difference-between-NSS-LDAP-and-PAM_LDAP-td25004237.html

If there any chance to get this patch? How many different Ldap Server could be handled by the patch?

RE: userPassword being compared on client end

2009-08-14T03:33:15Z

Daniel Appleby wrote:
> Hi,
>
> I am trying to setup pam_ldap so that it first searches my ldap server
anonymously to find the users dn and then attempt to bind using the dn and the
password the user has provided. Basically after checking the ldap server logs
it seems to be trying to retreive the userPassword atrribute from a search and
then compare it on the client end. As our user passwords are locked down to
the "SELF" right so it fails.

>
> For the ldap side of things the attributes and structure is basted on rfc2307.
>
> My system-auth file (for auth section):
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> I have a feeling it's pam_unix getting in the way so i commented it out
> and

still same issue (trying to get the userPassword attribute back from the server).

>
> Thanks in advance for any help.
>
> Yes, pam_unix will trigger that behavior since it will just use
> getpwnam/getspnam. If you have nss_ldap configured, those functions will
> result in the LDAP lookups you're seeing.
>
> But it's odd that you say that commenting out pam_unix doesn't change the
> behavior. Very likely the authentication program you're testing with is still
> running with the previous settings, you probably need to kill it / restart it.
>
>Typically the way to prevent pam_unix from trying is to list pam_ldap first.

Sorted out the issue. The openssh defaults had changed between versions so UsePam defaulted to no.

Thanks for your assistance.

Regards,
Daniel

Re: userPassword being compared on client end

2009-08-14T02:18:47Z

still same issue (trying to get the userPassword attribute back from the server).
>
> Thanks in advance for any help.

Yes, pam_unix will trigger that behavior since it will just use
getpwnam/getspnam. If you have nss_ldap configured, those functions will
result in the LDAP lookups you're seeing.

But it's odd that you say that commenting out pam_unix doesn't change the
behavior. Very likely the authentication program you're testing with is still
running with the previous settings, you probably need to kill it / restart it.

Typically the way to prevent pam_unix from trying is to list pam_ldap first.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

userPassword being compared on client end

2009-08-14T01:11:46Z

Hi,

I am trying to setup pam_ldap so that it first searches my ldap server anonymously to find the users dn and then attempt to bind using the dn and the password the user has provided. Basically after checking the ldap server logs it seems to be trying to retreive the userPassword atrribute from a search and then compare it on the client end. As our user passwords are locked down to the "SELF" right so it fails.

For the ldap side of things the attributes and structure is basted on rfc2307.

My system-auth file (for auth section):

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

I have a feeling it's pam_unix getting in the way so i commented it out and still same issue (trying to get the userPassword attribute back from the server).

Thanks in advance for any help.

Regards,
Daniel

[pam-ldap] Authenticates both Local and LDAP users

2009-08-05T11:23:33Z

Hi list,

I have got an OpenLDAP server 2.4.16 and the lastest release of nss_ldap
and pam_ldap.

Some of my users are present both in /etc/passwd and shadow and in LDAP.

For some reasons, local passwords and LDAP passwords might not be the
same.
I have found the right pam configuration in order to authenticate the
users without taking into account if they are in LDAP or local users.
But my problem is that even if I use the local password, LDAP is always
check and it of course generates a failed login.

I am wondering whether it is possible to detect that an account is local
and then by pass ldap check.....

Here is my configuration for common-auth on Suse.

auth sufficient pam_ldap.so

auth required pam_unix2.so try_first_pass

Thanks and regards

Vince

Module can't get PAM_AUTHTOK

2009-08-05T10:12:39Z

Hello,

im calling the following module in /etc/pam.d/common-auth:

auth    optional        pam_krb5_migrate.so debug

and this module is supposed to create a Kerberos principal using login credentials, but it fails when trying to retrieve PAM_AUTHTOK into variable pass with the following part of the code:

retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&pass);

if (retval != PAM_SUCCESS) {
    ...
} else if (pass == NULL) {
    retval = PAM_AUTHTOK_RECOVER_ERR;
    goto cleanup;
}

the module seems to be ok, but I'm not sure if i missed something in pam configuration, or if the way I use it is wrong.

/var/log/auth.log
Aug 5 13:55:07 luist login(pam_krb5_migrate)[2374]: Authenticating as principal pam_migrate/myhostname@MYREALM with keytab /etc/security/pam_krb5.keytab.
Aug 5 13:55:07 luist login(pam_krb5_migrate)[2374]: username [luist] obtained
Aug 5 13:55:10 luist login[2374]: pam_unix(login:session): session opened for user luist by LOGIN(uid=0)
Aug 5 13:55:10 luist dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.29" (uid=5312 pid=3761 comm="/usr/lib/indicator-

applet/indicator-applet --oaf-a") interface="org.freedesktop.DBus.Properties" member="Get" error name="(unset)" requested_reply=0 destination=":1.45" (uid=0 pid=2374 comm="/bin/login -- "))

How can i make this work?
Thanks in advance

pam_filter and duplicate ldap filters

2009-07-23T17:26:52Z

hi-

i'm using libpam-ldap 184 courtesy of debian testing, against openldap
2.4.11 (on the same computer in this example), and noticed something
that seemed odd to me. it appears that if specified, the pam_filter
value in the config file is getting duplicated when the actual ldap
search is performed.

with no value for pam_filter, i see the following when a user logs in:
slapd[1895]: conn=3156 op=2 SRCH base="dc=example,dc=com" scope=2
deref=0 filter="(&(objectClass=posixAccount)(uid=someuser))"

if i specify what would appear to be the default value for pam_filter
explicitly in the config (e.g. pam_filter objectClass=posixAccount), i
see the following:
slapd[1895]: conn=3153 op=1 SRCH base="dc=example,dc=com" scope=2
deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)
(uid=someuser))"

another example:

pam_filter &(objectClass=posixAccount)(objectClass=shadowAccount))(|
(memberOf
=cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=example,dc=com)

slapd[1895]: conn=3161 op=1 SRCH base="dc=example,dc=com" scope=2
deref=0 filter="(&(&(objectClass=posixAccount)
(objectClass=shadowAccount))(|
(memberOf
=
cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=example,dc=com))
(&(objectClass=posixAccount)(objectClass=shadowAccount))(|
(memberOf
=
cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=example,dc=com))
(uid=someuser))"

i experimented a bit with various syntaxes for the pam_filter value,
but wasn't successful in suppressing the duplication.

i see this mentioned here: http://www.nabble.com/Solaris-10-ts4958892.html
- but not much discussion.

is this normal?

thanks
-ben

OPENDS and Database

2009-07-08T00:49:18Z

Dear all,
I have a problem as follow:
I use my sql to store data. Table User is about 4000 user (user name, password)
I just use CAS to single sign for all application.
and cas authenticate by ldap.
How to move all user in database to ldap (I use OpenDS of SUN)
Please help me
thank a lot

----Cheer ---
mail: queo1987@gmail.com
Yahoo: queo1987

Re: AW: pam_ldap read not auth on userPassword

2009-06-30T16:27:29Z

>> Install and configure pam_ldap instead, then you'll see the desired
>> behaviour.
>> If you already installed pam_ldap, I suppose your pam-config validates
>> passwords with some other module first and does not bother invoke pam_ldap.
> Sigh- I had two major typos in my system-auth file and a couple of other bits
> I never would have found until you mentioned I probably wasn't using pam_ldap
> at all.
I commented out the nsswitch.conf entries on the correct system and auth
stops working- which finally makes sense. Then I corrected the pam_ldap
entries (which I managed to typo as pam_ladp.so) and of course now
everything works.

Thanks for the help- I never would have looked at those files again if you
hadn't said that was the only possibility.

-Don

Re: AW: pam_ldap read not auth on userPassword

2009-06-30T14:55:12Z

> sounds like you are not using pam_ldap at all, though you contact the pamldap-list.
> nss_ldap is retrieving data from LDAP and some pam-module, like pam_unix is validating passwords against that data.
> Install and configure pam_ldap instead, then you'll see the desired behaviour.
> If you already installed pam_ldap, I suppose your pam-config validates passwords with some other module first and does not bother invoke pam_ldap.
Sigh- I had two major typos in my system-auth file and a couple of other
bits I never would have found until you mentioned I probably wasn't using
pam_ldap at all. I'm going to fix these and test the results but I'm
nearly certain that was the problem. I spent 2 hours checking the files
and managed to miss these issues several times. I managed to comment out
ldap in nsswitch.conf on the wrong server- then couldn't figure out how it
could still be authing...

Thanks,
-Don

AW: pam_ldap read not auth on userPassword

2009-06-30T14:03:17Z

AW: [pamldap] pam_ldap read not auth on userPassword

Hi Don,

sounds like you are not using pam_ldap at all, though you contact the pamldap-list.
nss_ldap is retrieving data from LDAP and some pam-module, like pam_unix is validating passwords against that data.
Install and configure pam_ldap instead, then you'll see the desired behaviour.
If you already installed pam_ldap, I suppose your pam-config validates passwords with some other module first and does not bother invoke pam_ldap.
--
CU,
Patrick.

pam_ldap read not auth on userPassword

2009-06-30T11:08:10Z

Redhat EL5, Openldap 2.3, nss_ldap 2.53, Zimbra 5

Problem:
When ssh'ing to a system, auth fails unless I enable read permission for
anonymous on attrs=userPassword.

If I have:
access to attrs=userPassword
by self write
by anonymous auth

Authentication fails. If I change that to:
access to attrs=userPassword
by self write
by anonymous read

Authentication succeeds.

The ldap server logs show a bind as "anonymous", an attempt to read
userPassword, and then nothing. I see no subsequent attempt to re-bind as
the dn found in the initial search.

Here is the log of a failed connection:

Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 BIND dn="" method=128
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=0 RESULT tag=97 err=0 text=
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH
base="ou=People,dc=example,dc=com" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uid=dstahl))"
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SRCH attr=uid userPassword
uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jun 30 14:04:47 mail slapd[22254]: conn=20 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=

There is no subsequent rebinding as user dstahl.

I know I've missed something obvious but for the life of me I can not find
it.

If you need additional logs or other information please let me know.

Thanks in advance,
-Don

pam-ldap multiple ldap servers is not working

2009-06-26T09:50:22Z

Hi All,

I have the following packages for the ldap
openldap-2.3.27-8
openldap-devel-2.3.27-8
python-ldap-2.2.0-2.1
nss_ldap-253-5.el5
openldap-clients-2.3.27-8

I am trying to get pam authentication working, it is working good. The
issue now is if I put multiple ldap servers by host ldap1.test.com,
ldap2.test.com in /etc/ldap.conf and /etc/openldap/ldap.conf file. and
in the iptables block response from ldap1.test.com, the authentication
will not success. I checked tcpdump, pam-ldap will consult
ldap1.test.com and ldap2.test.com, but the prompt for the client is
just password, password prompt, it will never authenticate.

Any insight is greatly appreciated.

Schilling

Re: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-26T07:38:10Z

On 06/25/2009 11:53:19 PM, Howard Chu wrote:

FWIW, Samba's winbindd is another approach to authenticating
via PAM off of MS's AD, if you want to give up and leave the
MS voodoo to samba. There's a wiki entry on the samba wiki.
YMMV.

Karl <kop@...>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein

Re: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-26T07:31:23Z

Hi Aaron,

If you are connecting to AD, then you probably need "Microsoft
Services for Unix" to provide the Unix-related schema (like uidNumber,
gidNumber, homeDirectory etc.).

Prakash

On Jun 26, 2009, at 12:53 AM, Howard Chu wrote:

> Aaron Hicks wrote:
>> debug 7 provides some interesting results. In particular it looks
>> like the
> LDAP server is sending _responses_ to the search request that
> nss_ldap is
> discarding. It's also clear that it's asking for attributes that
> aren't stored
> in the AD, some I don't want to set (e.g. home directory, we have
> some servers
> where it should be /home/user and others where it should be /export/
> home/user)
> so I hope if nss is unable to set them, then the system defaults are
> used.
>
> nss_ldap requires a uidNumber and gidNumber to be returned. Since
> your LDAP server isn't providing these attributes, it cannot
> generate a proper passwd entry for this user. By the way, you seem
> to have something else misconfigured since it is requesting
> displayName twice. But at least you know the problem is not in the
> authentication config of nss_ldap any more.
>
>> Hmm, can't really mangle this one :P, this is a dump of the debug
>> responses
>>
>> ldap_search
>> put_filter: "(&(objectClass=user)(sAMAccountName=hicksa))"
>> put_filter: AND
>> put_filter_list "(objectClass=user)(sAMAccountName=hicksa)"
>> put_filter: "(objectClass=user)"
>> put_filter: simple
>> put_simple_filter: "objectClass=user"
>> put_filter: "(sAMAccountName=hicksa)"
>> put_filter: simple
>> put_simple_filter: "sAMAccountName=hicksa"
>> ldap_build_search_req ATTRS:
>> sAMAccountName
>> userPassword
>> uidNumber
>> gidNumber
>> cn
>> unixHomeDirectory
>> loginShell
>> displayName
>> displayName
>> objectClass
>> ldap_send_initial_request
>> ldap_send_server_request
>> ber_scanf fmt ({it) ber:
>> ber_scanf fmt ({) ber:
>> ber_flush: 252 bytes to sd 3
>> 0000: 30 81 f9 02 01 02 63 81 f3 04 31 64 63 3d 6c 61
>> 0.ù...c.ó.1dc=la
>> 0010: 6e 64 63 61 72 65 2c 64 63 3d 61 64 2c 64 63 3d
>> ndcare,dc=ad,dc=
>> 0020: 6c 61 6e 64 63 61 72 65 72 65 73 65 61 72 63 68
>> landcareresearch
>> 0030: 2c 64 63 3d 63 6f 2c 64 63 3d 6e 7a 0a 01 02
>> 0a ,dc=co,dc=nz....
>> 0040: 01 00 02 01 01 02 01 1e 01 01 00 a0 2f a3 13
>> 04 ........... /£..
>> 0050: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 04 75
>> 73 .objectClass..us
>> 0060: 65 72 a3 18 04 0e 73 41 4d 41 63 63 6f 75 6e 74 er
>> £...sAMAccount
>> 0070: 4e 61 6d 65 04 06 68 69 63 6b 73 61 30 7e 04 0e
>> Name..hicksa0~..
>> 0080: 73 41 4d 41 63 63 6f 75 6e 74 4e 61 6d 65 04 0c
>> sAMAccountName..
>> 0090: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69
>> userPassword..ui
>> 00a0: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62
>> dNumber..gidNumb
>> 00b0: 65 72 04 02 63 6e 04 11 75 6e 69 78 48 6f 6d 65
>> er..cn..unixHome
>> 00c0: 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e
>> Directory..login
>> 00d0: 53 68 65 6c 6c 04 0b 64 69 73 70 6c 61 79 4e 61
>> Shell..displayNa
>> 00e0: 6d 65 04 0b 64 69 73 70 6c 61 79 4e 61 6d 65 04
>> me..displayName.
>> 00f0: 0b 6f 62 6a 65 63 74 43 6c 61 73
>> 73 .objectClass
>> ldap_write: want=252, written=252
>> 0000: 30 81 f9 02 01 02 63 81 f3 04 31 64 63 3d 6c 61
>> 0.ù...c.ó.1dc=la
>> 0010: 6e 64 63 61 72 65 2c 64 63 3d 61 64 2c 64 63 3d
>> ndcare,dc=ad,dc=
>> 0020: 6c 61 6e 64 63 61 72 65 72 65 73 65 61 72 63 68
>> landcareresearch
>> 0030: 2c 64 63 3d 63 6f 2c 64 63 3d 6e 7a 0a 01 02
>> 0a ,dc=co,dc=nz....
>> 0040: 01 00 02 01 01 02 01 1e 01 01 00 a0 2f a3 13
>> 04 ........... /£..
>> 0050: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 04 75
>> 73 .objectClass..us
>> 0060: 65 72 a3 18 04 0e 73 41 4d 41 63 63 6f 75 6e 74 er
>> £...sAMAccount
>> 0070: 4e 61 6d 65 04 06 68 69 63 6b 73 61 30 7e 04 0e
>> Name..hicksa0~..
>> 0080: 73 41 4d 41 63 63 6f 75 6e 74 4e 61 6d 65 04 0c
>> sAMAccountName..
>> 0090: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69
>> userPassword..ui
>> 00a0: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62
>> dNumber..gidNumb
>> 00b0: 65 72 04 02 63 6e 04 11 75 6e 69 78 48 6f 6d 65
>> er..cn..unixHome
>> 00c0: 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e
>> Directory..login
>> 00d0: 53 68 65 6c 6c 04 0b 64 69 73 70 6c 61 79 4e 61
>> Shell..displayNa
>> 00e0: 6d 65 04 0b 64 69 73 70 6c 61 79 4e 61 6d 65 04
>> me..displayName.
>> 00f0: 0b 6f 62 6a 65 63 74 43 6c 61 73
>> 73 .objectClass
>> ldap_result ld 0x1488d380 msgid 2
>> ldap_chkResponseList ld 0x1488d380 msgid 2 all 1
>> ldap_chkResponseList returns ld 0x1488d380 NULL
>> wait4msg ld 0x1488d380 msgid 2 (timeout 30000000 usec)
>> wait4msg continue ld 0x1488d380 msgid 2 all 1
>> ** ld 0x1488d380 Connections:
>> * host: markshaw.landcare.ad.landcareresearch.co.nz port: 389
>> (default)
>> refcnt: 2 status: Connected
>> last used: Fri Jun 26 15:52:38 2009
>>
>> ** ld 0x1488d380 Outstanding Requests:
>> * msgid 2, origid 2, status InProgress
>> outstanding referrals 0, parent count 0
>> ** ld 0x1488d380 Response Queue:
>> Empty
>> ldap_chkResponseList ld 0x1488d380 msgid 2 all 1
>> ldap_chkResponseList returns ld 0x1488d380 NULL
>> ldap_int_select
>> read1msg: ld 0x1488d380 msgid 2 all 1
>> ber_get_next
>> ldap_read: want=8, got=8
>> 0000: 30 84 00 00 01 1b 02 01 0.......
>> ldap_read: want=281, got=281
>> 0000: 02 64 84 00 00 01 12 04 61 43 4e 3d 41 61 72
>> 6f .d......aCN=Aaro
>> 0010: 6e 20 48 69 63 6b 73 2c 4f 55 3d 49 6e 74 65 72 n
>> Hicks,OU=Inter
>> 0020: 6e 61 6c 2c 4f 55 3d 55 73 65 72 73 2c 4f 55 3d
>> nal,OU=Users,OU=
>> 0030: 41 63 63 6f 75 6e 74 73 2c 44 43 3d 6c 61 6e 64
>> Accounts,DC=land
>> 0040: 63 61 72 65 2c 44 43 3d 61 64 2c 44 43 3d 6c 61
>> care,DC=ad,DC=la
>> 0050: 6e 64 63 61 72 65 72 65 73 65 61 72 63 68 2c 44
>> ndcareresearch,D
>> 0060: 43 3d 63 6f 2c 44 43 3d 6e 7a 30 84 00 00 00 a9
>> C=co,DC=nz0....©
>> 0070: 30 84 00 00 00 3c 04 0b 6f 62 6a 65 63 74 43 6c
>> 0....<..objectCl
>> 0080: 61 73 73 31 84 00 00 00 29 04 03 74 6f 70 04 06
>> ass1....)..top..
>> 0090: 70 65 72 73 6f 6e 04 14 6f 72 67 61 6e 69 7a 61
>> person..organiza
>> 00a0: 74 69 6f 6e 61 6c 50 65 72 73 6f 6e 04 04 75 73
>> tionalPerson..us
>> 00b0: 65 72 30 84 00 00 00 17 04 02 63 6e 31 84 00 00
>> er0.......cn1...
>> 00c0: 00 0d 04 0b 41 61 72 6f 6e 20 48 69 63 6b 73
>> 30 ....Aaron Hicks0
>> 00d0: 84 00 00 00 20 04 0b 64 69 73 70 6c 61 79 4e
>> 61 .... ..displayNa
>> 00e0: 6d 65 31 84 00 00 00 0d 04 0b 41 61 72 6f 6e 20
>> me1.......Aaron
>> 00f0: 48 69 63 6b 73 30 84 00 00 00 1e 04 0e 73 41 4d
>> Hicks0.......sAM
>> 0100: 41 63 63 6f 75 6e 74 4e 61 6d 65 31 84 00 00 00
>> AccountName1....
>> 0110: 08 04 06 48 69 63 6b 73 41 ...HicksA
>> ber_get_next: tag 0x30 len 283 contents:
>> read1msg: ld 0x1488d380 msgid 2 message type search-entry
>> wait4msg ld 0x1488d380 30 secs to go
>> wait4msg continue ld 0x1488d380 msgid 2 all 1
>>
>
>>> For situations like this I prefer to use debug 7 to see the actual
>>> network
>>> data. It looks like an entry was actually received, from the
>>> previous
>>> output.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/

(no subject)

2009-06-26T05:48:42Z

set nomail

Re: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-25T21:53:19Z

Aaron Hicks wrote:
> debug 7 provides some interesting results. In particular it looks like the
LDAP server is sending _responses_ to the search request that nss_ldap is
discarding. It's also clear that it's asking for attributes that aren't stored
in the AD, some I don't want to set (e.g. home directory, we have some servers
where it should be /home/user and others where it should be /export/home/user)
so I hope if nss is unable to set them, then the system defaults are used.

nss_ldap requires a uidNumber and gidNumber to be returned. Since your LDAP
server isn't providing these attributes, it cannot generate a proper passwd
entry for this user. By the way, you seem to have something else misconfigured
since it is requesting displayName twice. But at least you know the problem is
not in the authentication config of nss_ldap any more.

> Hmm, can't really mangle this one :P, this is a dump of the debug responses
>
> ldap_search
> put_filter: "(&(objectClass=user)(sAMAccountName=hicksa))"
> put_filter: AND
> put_filter_list "(objectClass=user)(sAMAccountName=hicksa)"
> put_filter: "(objectClass=user)"
> put_filter: simple
> put_simple_filter: "objectClass=user"
> put_filter: "(sAMAccountName=hicksa)"
> put_filter: simple
> put_simple_filter: "sAMAccountName=hicksa"
> ldap_build_search_req ATTRS:
> sAMAccountName
> userPassword
> uidNumber
> gidNumber
> cn
> unixHomeDirectory
> loginShell
> displayName
> displayName
> objectClass
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({) ber:
> ber_flush: 252 bytes to sd 3
> 0000: 30 81 f9 02 01 02 63 81 f3 04 31 64 63 3d 6c 61 0.ù...c.ó.1dc=la
> 0010: 6e 64 63 61 72 65 2c 64 63 3d 61 64 2c 64 63 3d ndcare,dc=ad,dc=
> 0020: 6c 61 6e 64 63 61 72 65 72 65 73 65 61 72 63 68 landcareresearch
> 0030: 2c 64 63 3d 63 6f 2c 64 63 3d 6e 7a 0a 01 02 0a ,dc=co,dc=nz....
> 0040: 01 00 02 01 01 02 01 1e 01 01 00 a0 2f a3 13 04 ........... /£..
> 0050: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 04 75 73 .objectClass..us
> 0060: 65 72 a3 18 04 0e 73 41 4d 41 63 63 6f 75 6e 74 er£...sAMAccount
> 0070: 4e 61 6d 65 04 06 68 69 63 6b 73 61 30 7e 04 0e Name..hicksa0~..
> 0080: 73 41 4d 41 63 63 6f 75 6e 74 4e 61 6d 65 04 0c sAMAccountName..
> 0090: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui
> 00a0: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb
> 00b0: 65 72 04 02 63 6e 04 11 75 6e 69 78 48 6f 6d 65 er..cn..unixHome
> 00c0: 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e Directory..login
> 00d0: 53 68 65 6c 6c 04 0b 64 69 73 70 6c 61 79 4e 61 Shell..displayNa
> 00e0: 6d 65 04 0b 64 69 73 70 6c 61 79 4e 61 6d 65 04 me..displayName.
> 00f0: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 .objectClass
> ldap_write: want=252, written=252
> 0000: 30 81 f9 02 01 02 63 81 f3 04 31 64 63 3d 6c 61 0.ù...c.ó.1dc=la
> 0010: 6e 64 63 61 72 65 2c 64 63 3d 61 64 2c 64 63 3d ndcare,dc=ad,dc=
> 0020: 6c 61 6e 64 63 61 72 65 72 65 73 65 61 72 63 68 landcareresearch
> 0030: 2c 64 63 3d 63 6f 2c 64 63 3d 6e 7a 0a 01 02 0a ,dc=co,dc=nz....
> 0040: 01 00 02 01 01 02 01 1e 01 01 00 a0 2f a3 13 04 ........... /£..
> 0050: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 04 75 73 .objectClass..us
> 0060: 65 72 a3 18 04 0e 73 41 4d 41 63 63 6f 75 6e 74 er£...sAMAccount
> 0070: 4e 61 6d 65 04 06 68 69 63 6b 73 61 30 7e 04 0e Name..hicksa0~..
> 0080: 73 41 4d 41 63 63 6f 75 6e 74 4e 61 6d 65 04 0c sAMAccountName..
> 0090: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui
> 00a0: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb
> 00b0: 65 72 04 02 63 6e 04 11 75 6e 69 78 48 6f 6d 65 er..cn..unixHome
> 00c0: 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e Directory..login
> 00d0: 53 68 65 6c 6c 04 0b 64 69 73 70 6c 61 79 4e 61 Shell..displayNa
> 00e0: 6d 65 04 0b 64 69 73 70 6c 61 79 4e 61 6d 65 04 me..displayName.
> 00f0: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 .objectClass
> ldap_result ld 0x1488d380 msgid 2
> ldap_chkResponseList ld 0x1488d380 msgid 2 all 1
> ldap_chkResponseList returns ld 0x1488d380 NULL
> wait4msg ld 0x1488d380 msgid 2 (timeout 30000000 usec)
> wait4msg continue ld 0x1488d380 msgid 2 all 1
> ** ld 0x1488d380 Connections:
> * host: markshaw.landcare.ad.landcareresearch.co.nz port: 389 (default)
> refcnt: 2 status: Connected
> last used: Fri Jun 26 15:52:38 2009
>
> ** ld 0x1488d380 Outstanding Requests:
> * msgid 2, origid 2, status InProgress
> outstanding referrals 0, parent count 0
> ** ld 0x1488d380 Response Queue:
> Empty
> ldap_chkResponseList ld 0x1488d380 msgid 2 all 1
> ldap_chkResponseList returns ld 0x1488d380 NULL
> ldap_int_select
> read1msg: ld 0x1488d380 msgid 2 all 1
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 84 00 00 01 1b 02 01 0.......
> ldap_read: want=281, got=281
> 0000: 02 64 84 00 00 01 12 04 61 43 4e 3d 41 61 72 6f .d......aCN=Aaro
> 0010: 6e 20 48 69 63 6b 73 2c 4f 55 3d 49 6e 74 65 72 n Hicks,OU=Inter
> 0020: 6e 61 6c 2c 4f 55 3d 55 73 65 72 73 2c 4f 55 3d nal,OU=Users,OU=
> 0030: 41 63 63 6f 75 6e 74 73 2c 44 43 3d 6c 61 6e 64 Accounts,DC=land
> 0040: 63 61 72 65 2c 44 43 3d 61 64 2c 44 43 3d 6c 61 care,DC=ad,DC=la
> 0050: 6e 64 63 61 72 65 72 65 73 65 61 72 63 68 2c 44 ndcareresearch,D
> 0060: 43 3d 63 6f 2c 44 43 3d 6e 7a 30 84 00 00 00 a9 C=co,DC=nz0....©
> 0070: 30 84 00 00 00 3c 04 0b 6f 62 6a 65 63 74 43 6c 0....<..objectCl
> 0080: 61 73 73 31 84 00 00 00 29 04 03 74 6f 70 04 06 ass1....)..top..
> 0090: 70 65 72 73 6f 6e 04 14 6f 72 67 61 6e 69 7a 61 person..organiza
> 00a0: 74 69 6f 6e 61 6c 50 65 72 73 6f 6e 04 04 75 73 tionalPerson..us
> 00b0: 65 72 30 84 00 00 00 17 04 02 63 6e 31 84 00 00 er0.......cn1...
> 00c0: 00 0d 04 0b 41 61 72 6f 6e 20 48 69 63 6b 73 30 ....Aaron Hicks0
> 00d0: 84 00 00 00 20 04 0b 64 69 73 70 6c 61 79 4e 61 .... ..displayNa
> 00e0: 6d 65 31 84 00 00 00 0d 04 0b 41 61 72 6f 6e 20 me1.......Aaron
> 00f0: 48 69 63 6b 73 30 84 00 00 00 1e 04 0e 73 41 4d Hicks0.......sAM
> 0100: 41 63 63 6f 75 6e 74 4e 61 6d 65 31 84 00 00 00 AccountName1....
> 0110: 08 04 06 48 69 63 6b 73 41 ...HicksA
> ber_get_next: tag 0x30 len 283 contents:
> read1msg: ld 0x1488d380 msgid 2 message type search-entry
> wait4msg ld 0x1488d380 30 secs to go
> wait4msg continue ld 0x1488d380 msgid 2 all 1
>

>> For situations like this I prefer to use debug 7 to see the actual
>> network
>> data. It looks like an entry was actually received, from the previous
>> output.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

RE: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-25T21:02:44Z

Hi Karl,

When I use ldapsearch and bind with the same credentials, I get a sucessful search on the filter (&(objectClass=user)(sAMAccountName=ldapuser)), which is the same search filter used by nss_ldap when I execute an id ldapuser or getent passwd ldapuser

Regards,

Aaron Hicks

PS. None of thes LDAP users have previously logged into this server.

> -----Original Message-----
> From: Karl O. Pinc [mailto:kop@...]
> Sent: Friday, 26 June 2009 1:42 p.m.
> To: Aaron Hicks
> Cc: pamldap@...; nssldap@...
> Subject: Re: [pamldap] RE: [nssldap] pam_ldap and nss_ldap can't
> connect to LDAP server(s)
>
>
> On 06/25/2009 07:19:45 PM, Aaron Hicks wrote:
> > Hmm, getent passwd ldapuser and id ldapuser now produce these debug
> > messages, and not find the LDAP user (even though it is exactly the
> > same user it's binding with)
>
> FWIW when that happens with an OpenLDAP server it's because you've
> rights to bind (or maybe lookup by direct dn match, I forget)
> but not search. Or at least that's one way to exhibit those symptoms,
> there could be others.
>
> Karl <kop@...>
> Free Software: "You don't pay back, you pay forward."
> -- Robert A. Heinlein

Please consider the environment before printing this email
Warning: This electronic message together with any attachments is confidential. If you receive it in error: (i) you must not read, use, disclose, copy or retain it; (ii) please contact the sender immediately by reply email and then delete the emails.
The views expressed in this email may not be those of Landcare Research New Zealand Limited. http://www.landcareresearch.co.nz

RE: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-25T21:01:03Z

debug 7 provides some interesting results. In particular it looks like the LDAP server is sending _responses_ to the search request that nss_ldap is discarding. It's also clear that it's asking for attributes that aren't stored in the AD, some I don't want to set (e.g. home directory, we have some servers where it should be /home/user and others where it should be /export/home/user) so I hope if nss is unable to set them, then the system defaults are used.

Hmm, can't really mangle this one :P, this is a dump of the debug responses

ldap_search
put_filter: "(&(objectClass=user)(sAMAccountName=hicksa))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=hicksa)"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=hicksa)"
put_filter: simple
put_simple_filter: "sAMAccountName=hicksa"
ldap_build_search_req ATTRS:
sAMAccountName
userPassword
uidNumber
gidNumber
cn
unixHomeDirectory
loginShell
displayName
displayName
objectClass
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 252 bytes to sd 3
0000: 30 81 f9 02 01 02 63 81 f3 04 31 64 63 3d 6c 61 0.ù...c.ó.1dc=la
0010: 6e 64 63 61 72 65 2c 64 63 3d 61 64 2c 64 63 3d ndcare,dc=ad,dc=
0020: 6c 61 6e 64 63 61 72 65 72 65 73 65 61 72 63 68 landcareresearch
0030: 2c 64 63 3d 63 6f 2c 64 63 3d 6e 7a 0a 01 02 0a ,dc=co,dc=nz....
0040: 01 00 02 01 01 02 01 1e 01 01 00 a0 2f a3 13 04 ........... /£..
0050: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 04 75 73 .objectClass..us
0060: 65 72 a3 18 04 0e 73 41 4d 41 63 63 6f 75 6e 74 er£...sAMAccount
0070: 4e 61 6d 65 04 06 68 69 63 6b 73 61 30 7e 04 0e Name..hicksa0~..
0080: 73 41 4d 41 63 63 6f 75 6e 74 4e 61 6d 65 04 0c sAMAccountName..
0090: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui
00a0: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb
00b0: 65 72 04 02 63 6e 04 11 75 6e 69 78 48 6f 6d 65 er..cn..unixHome
00c0: 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e Directory..login
00d0: 53 68 65 6c 6c 04 0b 64 69 73 70 6c 61 79 4e 61 Shell..displayNa
00e0: 6d 65 04 0b 64 69 73 70 6c 61 79 4e 61 6d 65 04 me..displayName.
00f0: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 .objectClass
ldap_write: want=252, written=252
0000: 30 81 f9 02 01 02 63 81 f3 04 31 64 63 3d 6c 61 0.ù...c.ó.1dc=la
0010: 6e 64 63 61 72 65 2c 64 63 3d 61 64 2c 64 63 3d ndcare,dc=ad,dc=
0020: 6c 61 6e 64 63 61 72 65 72 65 73 65 61 72 63 68 landcareresearch
0030: 2c 64 63 3d 63 6f 2c 64 63 3d 6e 7a 0a 01 02 0a ,dc=co,dc=nz....
0040: 01 00 02 01 01 02 01 1e 01 01 00 a0 2f a3 13 04 ........... /£..
0050: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 04 75 73 .objectClass..us
0060: 65 72 a3 18 04 0e 73 41 4d 41 63 63 6f 75 6e 74 er£...sAMAccount
0070: 4e 61 6d 65 04 06 68 69 63 6b 73 61 30 7e 04 0e Name..hicksa0~..
0080: 73 41 4d 41 63 63 6f 75 6e 74 4e 61 6d 65 04 0c sAMAccountName..
0090: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui
00a0: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb
00b0: 65 72 04 02 63 6e 04 11 75 6e 69 78 48 6f 6d 65 er..cn..unixHome
00c0: 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e Directory..login
00d0: 53 68 65 6c 6c 04 0b 64 69 73 70 6c 61 79 4e 61 Shell..displayNa
00e0: 6d 65 04 0b 64 69 73 70 6c 61 79 4e 61 6d 65 04 me..displayName.
00f0: 0b 6f 62 6a 65 63 74 43 6c 61 73 73 .objectClass
ldap_result ld 0x1488d380 msgid 2
ldap_chkResponseList ld 0x1488d380 msgid 2 all 1
ldap_chkResponseList returns ld 0x1488d380 NULL
wait4msg ld 0x1488d380 msgid 2 (timeout 30000000 usec)
wait4msg continue ld 0x1488d380 msgid 2 all 1
** ld 0x1488d380 Connections:
* host: markshaw.landcare.ad.landcareresearch.co.nz port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jun 26 15:52:38 2009

** ld 0x1488d380 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 0x1488d380 Response Queue:
Empty
ldap_chkResponseList ld 0x1488d380 msgid 2 all 1
ldap_chkResponseList returns ld 0x1488d380 NULL
ldap_int_select
read1msg: ld 0x1488d380 msgid 2 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 84 00 00 01 1b 02 01 0.......
ldap_read: want=281, got=281
0000: 02 64 84 00 00 01 12 04 61 43 4e 3d 41 61 72 6f .d......aCN=Aaro
0010: 6e 20 48 69 63 6b 73 2c 4f 55 3d 49 6e 74 65 72 n Hicks,OU=Inter
0020: 6e 61 6c 2c 4f 55 3d 55 73 65 72 73 2c 4f 55 3d nal,OU=Users,OU=
0030: 41 63 63 6f 75 6e 74 73 2c 44 43 3d 6c 61 6e 64 Accounts,DC=land
0040: 63 61 72 65 2c 44 43 3d 61 64 2c 44 43 3d 6c 61 care,DC=ad,DC=la
0050: 6e 64 63 61 72 65 72 65 73 65 61 72 63 68 2c 44 ndcareresearch,D
0060: 43 3d 63 6f 2c 44 43 3d 6e 7a 30 84 00 00 00 a9 C=co,DC=nz0....©
0070: 30 84 00 00 00 3c 04 0b 6f 62 6a 65 63 74 43 6c 0....<..objectCl
0080: 61 73 73 31 84 00 00 00 29 04 03 74 6f 70 04 06 ass1....)..top..
0090: 70 65 72 73 6f 6e 04 14 6f 72 67 61 6e 69 7a 61 person..organiza
00a0: 74 69 6f 6e 61 6c 50 65 72 73 6f 6e 04 04 75 73 tionalPerson..us
00b0: 65 72 30 84 00 00 00 17 04 02 63 6e 31 84 00 00 er0.......cn1...
00c0: 00 0d 04 0b 41 61 72 6f 6e 20 48 69 63 6b 73 30 ....Aaron Hicks0
00d0: 84 00 00 00 20 04 0b 64 69 73 70 6c 61 79 4e 61 .... ..displayNa
00e0: 6d 65 31 84 00 00 00 0d 04 0b 41 61 72 6f 6e 20 me1.......Aaron
00f0: 48 69 63 6b 73 30 84 00 00 00 1e 04 0e 73 41 4d Hicks0.......sAM
0100: 41 63 63 6f 75 6e 74 4e 61 6d 65 31 84 00 00 00 AccountName1....
0110: 08 04 06 48 69 63 6b 73 41 ...HicksA
ber_get_next: tag 0x30 len 283 contents:
read1msg: ld 0x1488d380 msgid 2 message type search-entry
wait4msg ld 0x1488d380 30 secs to go
wait4msg continue ld 0x1488d380 msgid 2 all 1

> -----Original Message-----
> From: Howard Chu [mailto:hyc@...]
> Sent: Friday, 26 June 2009 2:42 p.m.
> To: Karl O. Pinc
> Cc: Aaron Hicks; pamldap@...; nssldap@...
> Subject: Re: [pamldap] RE: [nssldap] pam_ldap and nss_ldap can't
> connect to LDAP server(s)
>
> Karl O. Pinc wrote:
> >
> > On 06/25/2009 07:19:45 PM, Aaron Hicks wrote:
> >> Hmm, getent passwd ldapuser and id ldapuser now produce these debug
> >> messages, and not find the LDAP user (even though it is exactly the
> >> same user it's binding with)
> >
> > FWIW when that happens with an OpenLDAP server it's because you've
> > rights to bind (or maybe lookup by direct dn match, I forget)
> > but not search. Or at least that's one way to exhibit those
> symptoms,
> > there could be others.
>
> For situations like this I prefer to use debug 7 to see the actual
> network
> data. It looks like an entry was actually received, from the previous
> output.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/

Re: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-25T19:41:54Z

Karl O. Pinc wrote:

>
> On 06/25/2009 07:19:45 PM, Aaron Hicks wrote:
>> Hmm, getent passwd ldapuser and id ldapuser now produce these debug
>> messages, and not find the LDAP user (even though it is exactly the
>> same user it's binding with)
>
> FWIW when that happens with an OpenLDAP server it's because you've
> rights to bind (or maybe lookup by direct dn match, I forget)
> but not search. Or at least that's one way to exhibit those symptoms,
> there could be others.

For situations like this I prefer to use debug 7 to see the actual network
data. It looks like an entry was actually received, from the previous output.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

Re: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-25T18:42:12Z

On 06/25/2009 07:19:45 PM, Aaron Hicks wrote:
> Hmm, getent passwd ldapuser and id ldapuser now produce these debug
> messages, and not find the LDAP user (even though it is exactly the
> same user it's binding with)

FWIW when that happens with an OpenLDAP server it's because you've
rights to bind (or maybe lookup by direct dn match, I forget)
but not search. Or at least that's one way to exhibit those symptoms,
there could be others.

Karl <kop@...>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein

(no subject)

2009-06-25T18:16:58Z

set nomail

--
Kent Tong
Wicket tutorials freely available at http://www.agileskills2.org/EWDW
Axis2 tutorials freely available at http://www.agileskills2.org/DWSAA

RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-25T17:19:45Z

Hmm, getent passwd ldapuser and id ldapuser now produce these debug messages, and not find the LDAP user (even though it is exactly the same user it's binding with)

ldap_create
ldap_url_parse_ext(ldap://ldap.our.long.domain.co.nz)
ldap_create
ldap_url_parse_ext(ldap://ldap.our.long.domain.co.nz)
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.our.long.domain.co.nz:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 202.27.242.229:389
ldap_connect_timeout: fd: 3 tm: 120 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 119 bytes to sd 3
ldap_result ld 0x2b37070 msgid 1
ldap_chkResponseList ld 0x2b37070 msgid 1 all 0
ldap_chkResponseList returns ld 0x2b37070 NULL
wait4msg ld 0x2b37070 msgid 1 (timeout 120000000 usec)
wait4msg continue ld 0x2b37070 msgid 1 all 0
** ld 0x2b37070 Connections:
* host: ldap.our.long.domain.co.nz port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jun 26 11:51:12 2009

** ld 0x2b37070 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x2b37070 Response Queue:
Empty
ldap_chkResponseList ld 0x2b37070 msgid 1 all 0
ldap_chkResponseList returns ld 0x2b37070 NULL
ldap_int_select
read1msg: ld 0x2b37070 msgid 1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x2b37070 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
ber_scanf fmt ({eaa}) ber:
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x2b37070 0 new referrals
read1msg: mark request completed, ld 0x2b37070 msgid 1
request done: ld 0x2b37070 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search
put_filter: "(&(objectClass=user)(sAMAccountName=ldapuser))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=ldapuser)"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=ldapuser)"
put_filter: simple
put_simple_filter: "sAMAccountName=ldapuser"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 242 bytes to sd 3
ldap_result ld 0x2b37070 msgid 2
ldap_chkResponseList ld 0x2b37070 msgid 2 all 1
ldap_chkResponseList returns ld 0x2b37070 NULL
wait4msg ld 0x2b37070 msgid 2 (timeout 30000000 usec)
wait4msg continue ld 0x2b37070 msgid 2 all 1
** ld 0x2b37070 Connections:
* host: ldap.our.long.domain.co.nz port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jun 26 11:51:12 2009

** ld 0x2b37070 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 0x2b37070 Response Queue:
Empty
ldap_chkResponseList ld 0x2b37070 msgid 2 all 1
ldap_chkResponseList returns ld 0x2b37070 NULL
ldap_int_select
read1msg: ld 0x2b37070 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 245 contents:
read1msg: ld 0x2b37070 msgid 2 message type search-entry
wait4msg ld 0x2b37070 30 secs to go
wait4msg continue ld 0x2b37070 msgid 2 all 1
** ld 0x2b37070 Connections:
* host: ldap.our.long.domain.co.nz port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jun 26 11:51:12 2009

** ld 0x2b37070 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 0x2b37070 Response Queue:
* msgid 2, type 100
ldap_chkResponseList ld 0x2b37070 msgid 2 all 1
ldap_chkResponseList returns ld 0x2b37070 NULL
ldap_int_select
read1msg: ld 0x2b37070 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 135 contents:
read1msg: ld 0x2b37070 msgid 2 message type search-reference
ber_scanf fmt ({v}) ber:
ldap_chase_v3referrals
ldap_url_parse_ext(ldap://DomainDnsZones.our.long.domain.co.nz/DC=DomainDnsZones,DC=landcare,DC=ad,DC=landcareresearch,DC=co,DC=nz)
re_encode_request: new msgid 3, new dn <DC=DomainDnsZones,DC=landcare,DC=ad,DC=landcareresearch,DC=co,DC=nz>
ber_scanf fmt ({it) ber:
ber_scanf fmt ({me) ber:
ldap_chase_v3referral: msgid 2, url "ldap://DomainDnsZones.our.long.domain.co.nz/DC=DomainDnsZones,DC=landcare,DC=ad,DC=landcareresearch,DC=co,DC=nz"
ldap_send_server_request
ldap_new_connection 0 1 1
ldap_int_open_connection
ldap_connect_to_host: TCP DomainDnsZones.our.long.domain.co.nz:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 202.27.242.229:389
ldap_connect_timeout: fd: 4 tm: 120 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
Call application rebind_proc
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 119 bytes to sd 4
ldap_result ld 0x2b37070 msgid 4
ldap_chkResponseList ld 0x2b37070 msgid 4 all 0
ldap_chkResponseList returns ld 0x2b37070 NULL
wait4msg ld 0x2b37070 msgid 4 (timeout 120000000 usec)
wait4msg continue ld 0x2b37070 msgid 4 all 0
** ld 0x2b37070 Connections:
* host: DomainDnsZones.our.long.domain.co.nz port: 0
refcnt: 2 status: Connected
last used: Fri Jun 26 11:51:12 2009
rebind in progress
queue is empty

* host: ldap.our.long.domain.co.nz port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jun 26 11:51:12 2009

** ld 0x2b37070 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
* msgid 2, origid 2, status InProgress
outstanding referrals 1, parent count 0
** ld 0x2b37070 Response Queue:
* msgid 2, type 100
ldap_chkResponseList ld 0x2b37070 msgid 4 all 0
ldap_chkResponseList returns ld 0x2b37070 NULL
ldap_int_select
read1msg: ld 0x2b37070 msgid 4 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x2b37070 msgid 2 message type search-result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt ({eaa}) ber:
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x2b37070 0 new referrals
read1msg: mark request completed, ld 0x2b37070 msgid 2
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
wait4msg ld 0x2b37070 120 secs to go
wait4msg continue ld 0x2b37070 msgid 4 all 0
** ld 0x2b37070 Connections:
* host: DomainDnsZones.our.long.domain.co.nz port: 0
refcnt: 2 status: Connected
last used: Fri Jun 26 11:51:12 2009
rebind in progress
queue is empty

* host: ldap.our.long.domain.co.nz port: 389 (default)
refcnt: 1 status: Connected
last used: Fri Jun 26 11:51:12 2009

** ld 0x2b37070 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
* msgid 2, origid 2, status RequestCompleted
outstanding referrals 1, parent count 0
** ld 0x2b37070 Response Queue:
* msgid 2, type 100
ldap_chkResponseList ld 0x2b37070 msgid 4 all 0
ldap_chkResponseList returns ld 0x2b37070 NULL
ldap_int_select
read1msg: ld 0x2b37070 msgid 4 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x2b37070 msgid 4 message type bind
ber_scanf fmt ({eaa) ber:
ber_scanf fmt ({eaa}) ber:
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x2b37070 0 new referrals
read1msg: mark request completed, ld 0x2b37070 msgid 4
request done: ld 0x2b37070 msgid 4
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 4, msgid 4)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 261 bytes to sd 4
adding response ld 0x2b37070 msgid 2 type 115:
wait4msg ld 0x2b37070 30 secs to go
wait4msg continue ld 0x2b37070 msgid 2 all 1
** ld 0x2b37070 Connections:
* host: DomainDnsZones.our.long.domain.co.nz port: 0
refcnt: 1 status: Connected
last used: Fri Jun 26 11:51:12 2009

* host: ldap.our.long.domain.co.nz port: 389 (default)
refcnt: 1 status: Connected
last used: Fri Jun 26 11:51:12 2009

** ld 0x2b37070 Outstanding Requests:
* msgid 3, origid 2, status InProgress
outstanding referrals 0, parent count 1
* msgid 2, origid 2, status RequestCompleted
outstanding referrals 1, parent count 1
** ld 0x2b37070 Response Queue:
* msgid 2, type 100
chained responses:
* msgid 2, type 115
ldap_chkResponseList ld 0x2b37070 msgid 2 all 1
ldap_chkResponseList returns ld 0x2b37070 NULL
ldap_int_select
read1msg: ld 0x2b37070 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x2b37070 msgid 3 message type search-result
ber_scanf fmt ({eaa) ber:
ber_scanf fmt ({eaa}) ber:
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: ld 0x2b37070 0 new referrals
read1msg: mark request completed, ld 0x2b37070 msgid 3
merged parent (id 2) error info: result errno 0, error <>, matched <>
request done: ld 0x2b37070 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_request (origid 2, msgid 3)
ldap_free_connection 0 1
ldap_send_unbind
ber_flush: 7 bytes to sd 4
ldap_free_connection: actually freed
adding response ld 0x2b37070 msgid 2 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt (x}{a) ber:
ber_scanf fmt (x}{a) ber:
ber_scanf fmt (x}{a) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt (x}{a) ber:
ber_scanf fmt (x}{a) ber:
ber_scanf fmt ([v]) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt (x}{a) ber:
ber_scanf fmt (x}{a) ber:
ber_scanf fmt (x}{a) ber:
ldap_msgfree
ldap_unbind
ldap_free_connection 1 1
ldap_send_unbind
ber_flush: 7 bytes to sd 3
ldap_free_connection: actually freed

> -----Original Message-----
> From: owner-nssldap@... [mailto:owner-nssldap@...] On Behalf
> Of Aaron Hicks
> Sent: Friday, 26 June 2009 11:25 a.m.
> To: pamldap@...; nssldap@...
> Subject: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP
> server(s)
>
> Ok, some progress.
>
> This error:
>
> new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-
> 0C090334, comment: AcceptSecurityContext error, data 525, vece>,
>
> According to this page: http://www-
> 01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
>
> Told me that the username was not correct. Some mucking about revealed
> that the quote marks around "User Name" were unecessary. nns_ldap is
> now binding to the domain server
>
> id usr and getent passwd user are still unable to find usernames, so
> I'll look at the base DN used for searches and any filters in place.
>
> Regards,
>
> Aaron Hicks
>
> > -----Original Message-----
> > From: owner-nssldap@... [mailto:owner-nssldap@...] On
> Behalf
> > Of Aaron Hicks
> > Sent: Friday, 26 June 2009 10:23 a.m.
> > To: pamldap@...; nssldap@...
> > Subject: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP
> > server(s)
> >
> > Thanks Buchan.
> >
> > The bits I've snipped out of ldap.conf were all commented out, and
> the
> > errors pointed out were due to me manually mangling the parts that
> > violate our policies for submitting to public lists. I'll be more
> > careful.
> >
> > I've made a couple of changes which deal with the exessive delays on
> > failed connections in ldap.conf:
> >
> > debug 1
> > bind_policy soft
> > tls_checkpeer no
> > nss_connect_policy oneshot
> >
> > Looking at the debug messages it looks a lot like nss_ldap is failing
> > to bind to LDAP on the AD server. I've requested a user account for
> > searching the domain which doesn't have a space in its name.
> >
> > And here's the debugging info from getent
> >
> > [root@centos ~]# getent passwd user
> > ldap_create
> > ldap_url_parse_ext(ldap://ldap.our.long.domain.co.nz)
> > ldap_create
> > ldap_url_parse_ext(ldap://ldap.our.long.domain.co.nz)
> > ldap_simple_bind
> > ldap_sasl_bind
> > ldap_send_initial_request
> > ldap_new_connection 1 1 0
> > ldap_int_open_connection
> > ldap_connect_to_host: TCP ldap.our.long.domain.co.nz:389
> > ldap_new_socket: 3
> > ldap_prepare_socket: 3
> > ldap_connect_to_host: Trying x.x.x.x:389
> > ldap_connect_timeout: fd: 3 tm: 10 async: 0
> > ldap_ndelay_on: 3
> > ldap_is_sock_ready: 3
> > ldap_ndelay_off: 3
> > ldap_open_defconn: successful
> > ldap_send_server_request
> > ber_scanf fmt ({it) ber:
> > ber_scanf fmt ({i) ber:
> > ber_flush: 121 bytes to sd 3
> > ldap_result ld 0x49d1310 msgid 1
> > ldap_chkResponseList ld 0x49d1310 msgid 1 all 0
> > ldap_chkResponseList returns ld 0x49d1310 NULL
> > wait4msg ld 0x49d1310 msgid 1 (timeout 10000000 usec)
> > wait4msg continue ld 0x49d1310 msgid 1 all 0
> > ** ld 0x49d1310 Connections:
> > * host: ldap.our.long.domain.co.nz port: 389 (default)
> > refcnt: 2 status: Connected
> > last used: Fri Jun 26 10:11:04 2009
> >
> > ** ld 0x49d1310 Outstanding Requests:
> > * msgid 1, origid 1, status InProgress
> > outstanding referrals 0, parent count 0
> > ** ld 0x49d1310 Response Queue:
> > Empty
> > ldap_chkResponseList ld 0x49d1310 msgid 1 all 0
> > ldap_chkResponseList returns ld 0x49d1310 NULL
> > ldap_int_select
> > read1msg: ld 0x49d1310 msgid 1 all 0
> > ber_get_next
> > ber_get_next: tag 0x30 len 103 contents:
> > read1msg: ld 0x49d1310 msgid 1 message type bind
> > ber_scanf fmt ({eaa) ber:
> > ber_scanf fmt ({eaa}) ber:
> > ldap_chase_referrals
> > read1msg: V2 referral chased, mark request completed, id = 1
> > new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-
> > 0C090334, comment: AcceptSecurityContext error, data 525, vece>,
> > res_matched: <>
> > read1msg: ld 0x49d1310 0 new referrals
> > read1msg: mark request completed, ld 0x49d1310 msgid 1
> > request done: ld 0x49d1310 msgid 1
> > res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment:
> > AcceptSecurityContext error, data 525, vece>, res_matched: <>
> > ldap_free_request (origid 1, msgid 1)
> > ldap_free_connection 0 1
> > ldap_free_connection: refcnt 1
> > ldap_parse_result
> > ber_scanf fmt ({iaa) ber:
> > ber_scanf fmt (}) ber:
> > ldap_msgfree
> > ldap_err2string
> > ldap_unbind
> > ldap_free_connection 1 1
> > ldap_send_unbind
> > ber_flush: 7 bytes to sd 3
> > ldap_free_connection: actually freed
> > ldap_err2string
> >
> >
> > > -----Original Message-----
> > > From: owner-nssldap@... [mailto:owner-nssldap@...] On
> > Behalf
> > > Of Buchan Milne
> > > Sent: Friday, 26 June 2009 1:30 a.m.
> > > To: Guillaume Rousse
> > > Cc: pamldap@...; nssldap@...
> > > Subject: Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP
> > > server(s)
> > >
> > > On Thursday 25 June 2009 11:11:35 Guillaume Rousse wrote:
> > > > Aaron Hicks a écrit :
> > > > > Hope someone here can help.
> > > >
> > > > You'd better test nss first, and pam second. As long as 'getent
> > > > password' doesn't list you all known users, that's no use to try
> to
> > > > autenticate them.
> > > >
> > > > Various hints:
> > > > - use 'debug 1' in your nss_ldap configuration file.
> > > > - check if there is any difference using anonymous or
> authenticated
> > > binding
> > > > - check if there any difference between tls (port 389), ssl (port
> > > 636),
> > > > and unencrypted connection (warning, unspecified configuration
> > values
> > > in
> > > > nss_ldap configuration, such as tls_checkpeer, will usually use
> > > nss_ldap
> > > > default values, not use openldap library values, such as
> > TLS_REQCERT
> > > > never in your case)
> > > > - check your ldap server logs
> > > >
> > > > I have no clue what eDirectory is, but if it is just a branding
> > name
> > > > over openldap, you can perfectly tune its access policy as
> needed.
> > I
> > > > doubt it really enforce the use of encryption for connection,
> > rather
> > > for
> > > > autentication only.
> > >
> > > eDirectory is Novell's directory server (historically, NDS), which
> > > later
> > > (after the bindery days) got an LDAP interface.
> > >
> > > The error message provided however looks very much like MS Active
> > > Directory.
> > >
> > > > Also, take care than ubuntu (Debian, actually) doesn't use a
> unique
> > > > configuration file for nss_ldap and pam_ldap (/etc/ldap.conf),
> but
> > > two
> > > > distinct ones (/etc/libnss_ldap and /etc/libpam_ldap, from
> memory).
> > > > [..]
> > >
> > > AFAIR, modern releases of Ubuntu have reverted to a single
> > > /etc/ldap.conf.
> > >
> > > >
> > > > > ===========Config files from here on========
> > > > >
> > > > > My /etc/ldap.conf looks like (omitting sections left as
> default):
> > > > >
> > > > > <defaults omitted>
> > > > > # The distinguished name of the search base.
> > > > > base
> > > >
> > > > An empty base will not help. maybe nss_ldap use openldap default
> > > > configuration in this case, but I would not rely on it.
> > >
> > > I would also prefer to see the entire ldap.conf without comments
> > (but,
> > > including any "defaults"), rather than missing some potentially
> > > important
> > > values that are maybe at incorrect defaults. Also, please do
> > consistent
> > > (e.g.
> > > perl -pe 's/dc=myrealdomain,dc=com/dc=example,dc=com') mangling of
> > your
> > > configuration file, as this looks suspect:
> > >
> > > binddn "cn=User
> > >
> >
> Name,ou=internal,ou=users,ou=accounts,cn=,dc=our,dc=long,dc=domain,dc=c
> > > o,dc=nz"
> > >
> > > (this is not a valid DN, as there is an attribute without a value)
> > >
> > > Now, I am unsure if your original value is correct or not.
> > >
> > > Regardless, if there is not some simple mistake like the above,
> > running
> > > 'getent passwd user_in_ldap' (where user_in_ldap is the samAccount
> > > value of a
> > > user in AD) with debugging enabled in nss_ldap would be more
> > > enlightening.
> > >
> > > Regards,
> > > Buchan
> >
> > Please consider the environment before printing this email
> > Warning: This electronic message together with any attachments is
> > confidential. If you receive it in error: (i) you must not read, use,
> > disclose, copy or retain it; (ii) please contact the sender
> immediately
> > by reply email and then delete the emails.
> > The views expressed in this email may not be those of Landcare
> Research
> > New Zealand Limited. http://www.landcareresearch.co.nz
>
> Please consider the environment before printing this email
> Warning: This electronic message together with any attachments is
> confidential. If you receive it in error: (i) you must not read, use,
> disclose, copy or retain it; (ii) please contact the sender immediately
> by reply email and then delete the emails.
> The views expressed in this email may not be those of Landcare Research
> New Zealand Limited. http://www.landcareresearch.co.nz

RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP server(s)

2009-06-25T16:25:29Z

Ok, some progress.

This error:

new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-
0C090334, comment: AcceptSecurityContext error, data 525, vece>,

According to this page: http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631

Told me that the username was not correct. Some mucking about revealed that the quote marks around "User Name" were unecessary. nns_ldap is now binding to the domain server

id usr and getent passwd user are still unable to find usernames, so I'll look at the base DN used for searches and any filters in place.

Regards,

Aaron Hicks

> -----Original Message-----
> From: owner-nssldap@... [mailto:owner-nssldap@...] On Behalf
> Of Aaron Hicks
> Sent: Friday, 26 June 2009 10:23 a.m.
> To: pamldap@...; nssldap@...
> Subject: RE: [nssldap] pam_ldap and nss_ldap can't connect to LDAP
> server(s)
>
> Thanks Buchan.
>
> The bits I've snipped out of ldap.conf were all commented out, and the
> errors pointed out were due to me manually mangling the parts that
> violate our policies for submitting to public lists. I'll be more
> careful.
>
> I've made a couple of changes which deal with the exessive delays on
> failed connections in ldap.conf:
>
> debug 1
> bind_policy soft
> tls_checkpeer no
> nss_connect_policy oneshot
>
> Looking at the debug messages it looks a lot like nss_ldap is failing
> to bind to LDAP on the AD server. I've requested a user account for
> searching the domain which doesn't have a space in its name.
>
> And here's the debugging info from getent
>
> [root@centos ~]# getent passwd user
> ldap_create
> ldap_url_parse_ext(ldap://ldap.our.long.domain.co.nz)
> ldap_create
> ldap_url_parse_ext(ldap://ldap.our.long.domain.co.nz)
> ldap_simple_bind
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP ldap.our.long.domain.co.nz:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying x.x.x.x:389
> ldap_connect_timeout: fd: 3 tm: 10 async: 0
> ldap_ndelay_on: 3
> ldap_is_sock_ready: 3
> ldap_ndelay_off: 3
> ldap_open_defconn: successful
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush: 121 bytes to sd 3
> ldap_result ld 0x49d1310 msgid 1
> ldap_chkResponseList ld 0x49d1310 msgid 1 all 0
> ldap_chkResponseList returns ld 0x49d1310 NULL
> wait4msg ld 0x49d1310 msgid 1 (timeout 10000000 usec)
> wait4msg continue ld 0x49d1310 msgid 1 all 0
> ** ld 0x49d1310 Connections:
> * host: ldap.our.long.domain.co.nz port: 389 (default)
> refcnt: 2 status: Connected
> last used: Fri Jun 26 10:11:04 2009
>
> ** ld 0x49d1310 Outstanding Requests:
> * msgid 1, origid 1, status InProgress
> outstanding referrals 0, parent count 0
> ** ld 0x49d1310 Response Queue:
> Empty
> ldap_chkResponseList ld 0x49d1310 msgid 1 all 0
> ldap_chkResponseList returns ld 0x49d1310 NULL
> ldap_int_select
> read1msg: ld 0x49d1310 msgid 1 all 0
> ber_get_next
> ber_get_next: tag 0x30 len 103 contents:
> read1msg: ld 0x49d1310 msgid 1 message type bind
> ber_scanf fmt ({eaa) ber:
> ber_scanf fmt ({eaa}) ber:
> ldap_chase_referrals
> read1msg: V2 referral chased, mark request completed, id = 1
> new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-
> 0C090334, comment: AcceptSecurityContext error, data 525, vece>,
> res_matched: <>
> read1msg: ld 0x49d1310 0 new referrals
> read1msg: mark request completed, ld 0x49d1310 msgid 1
> request done: ld 0x49d1310 msgid 1
> res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment:
> AcceptSecurityContext error, data 525, vece>, res_matched: <>
> ldap_free_request (origid 1, msgid 1)
> ldap_free_connection 0 1
> ldap_free_connection: refcnt 1
> ldap_parse_result
> ber_scanf fmt ({iaa) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> ldap_err2string
> ldap_unbind
> ldap_free_connection 1 1
> ldap_send_unbind
> ber_flush: 7 bytes to sd 3
> ldap_free_connection: actually freed
> ldap_err2string
>
>
> > -----Original Message-----
> > From: owner-nssldap@... [mailto:owner-nssldap@...] On
> Behalf
> > Of Buchan Milne
> > Sent: Friday, 26 June 2009 1:30 a.m.
> > To: Guillaume Rousse
> > Cc: pamldap@...; nssldap@...
> > Subject: Re: [nssldap] pam_ldap and nss_ldap can't connect to LDAP
> > server(s)
> >
> > On Thursday 25 June 2009 11:11:35 Guillaume Rousse wrote:
> > > Aaron Hicks a écrit :
> > > > Hope someone here can help.
> > >
> > > You'd better test nss first, and pam second. As long as 'getent
> > > password' doesn't list you all known users, that's no use to try to
> > > autenticate them.
> > >
> > > Various hints:
> > > - use 'debug 1' in your nss_ldap configuration file.
> > > - check if there is any difference using anonymous or authenticated
> > binding
> > > - check if there any difference between tls (port 389), ssl (port
> > 636),
> > > and unencrypted connection (warning, unspecified configuration
> values
> > in
> > > nss_ldap configuration, such as tls_checkpeer, will usually use
> > nss_ldap
> > > default values, not use openldap library values, such as
> TLS_REQCERT
> > > never in your case)
> > > - check your ldap server logs
> > >
> > > I have no clue what eDirectory is, but if it is just a branding
> name
> > > over openldap, you can perfectly tune its access policy as needed.
> I
> > > doubt it really enforce the use of encryption for connection,
> rather
> > for
> > > autentication only.
> >
> > eDirectory is Novell's directory server (historically, NDS), which
> > later
> > (after the bindery days) got an LDAP interface.
> >
> > The error message provided however looks very much like MS Active
> > Directory.
> >
> > > Also, take care than ubuntu (Debian, actually) doesn't use a unique
> > > configuration file for nss_ldap and pam_ldap (/etc/ldap.conf), but
> > two
> > > distinct ones (/etc/libnss_ldap and /etc/libpam_ldap, from memory).
> > > [..]
> >
> > AFAIR, modern releases of Ubuntu have reverted to a single
> > /etc/ldap.conf.
> >
> > >
> > > > ===========Config files from here on========
> > > >
> > > > My /etc/ldap.conf looks like (omitting sections left as default):
> > > >
> > > > <defaults omitted>
> > > > # The distinguished name of the search base.
> > > > base
> > >
> > > An empty base will not help. maybe nss_ldap use openldap default
> > > configuration in this case, but I would not rely on it.
> >
> > I would also prefer to see the entire ldap.conf without comments
> (but,
> > including any "defaults"), rather than missing some potentially
> > important
> > values that are maybe at incorrect defaults. Also, please do
> consistent
> > (e.g.
> > perl -pe 's/dc=myrealdomain,dc=com/dc=example,dc=com') mangling of
> your
> > configuration file, as this looks suspect:
> >
> > binddn "cn=User
> >
> Name,ou=internal,ou=users,ou=accounts,cn=,dc=our,dc=long,dc=domain,dc=c
> > o,dc=nz"
> >
> > (this is not a valid DN, as there is an attribute without a value)
> >
> > Now, I am unsure if your original value is correct or not.
> >
> > Regardless, if there is not some simple mistake like the above,
> running
> > 'getent passwd user_in_ldap' (where user_in_ldap is the samAccount
> > value of a
> > user in AD) with debugging enabled in nss_ldap would be more
> > enlightening.
> >
> > Regards,
> > Buchan
>
> Please consider the environment before printing this email
> Warning: This electronic message together with any attachments is
> confidential. If you receive it in error: (i) you must not read, use,
> disclose, copy or retain it; (ii) please contact the sender immediately
> by reply email and then delete the emails.
> The views expressed in this email may not be those of Landcare Research
> New Zealand Limited. http://www.landcareresearch.co.nz