[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: basic login fails : here are some logs ...

To: openldap-technical@openldap.org
Subject: Re: basic login fails : here are some logs ...
From: Olivier <ldap@guillard.nom.fr>
Date: Wed, 13 Jul 2011 14:12:59 +0200

I have problem to use my openldap 2.4 server for authentication on a fedora 14 :
it sounds that the problem is on the on the client side configuration.

Here are some logs : your help to diag would be appreciated.

-> I have an ldap server that that stores posixAccount and respond to
ldap queries.
-> I have configure a client machine to use this ldap server for
authentication when login :

***** LOGS ***

**** CLIENT side ****

 login: olivier
 passe :

 Login incorrect

**** SERVER when login on the client ***

Here is what I see on the server side (IP=10.1.92.24) when I try to log in as
"olivier" on the client (10.1.86.93) using /bin/login (debug level 256) :

conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr"
scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire
shadowFlag shadowInactive shadowLastChange shadowMax shadowMin
shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=




*** CLIENT When using ldappasswd *****

I manage to change the "userPassword" attributes using ldappasswd command, here
are the logs on the client and server side :

Client side :

$ ldapsearch -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"

 dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
 uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=

$ ldappasswd -h -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret
"uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -s newpass

$ ldapsearch -h ldap-master1.mydomain.fr -D
"cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"

 dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
 uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=

*** SERVER side When using ldappasswd *****

Server side, here are the logs related to ldapppasswd  :

conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new
conn=1000 op=1 RESULT oid= err=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed

Thanks for your help,

----
Olivier


On Tue, Jul 12, 2011 at 7:59 PM, Olivier Guillard
<olivier@guillard.nom.fr> wrote:
> Hello
>
> Here is the result of an ldapsearch on a client host :
>
> $ ldapsearch -h ldap-master1.mydomain.fr -D
> "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
>
> dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
> uid: olivier
> loginShell: /bin/tcsh
> cn: Olivier
> uidNumber: 1130
> gidNumber: 18104
> homeDirectory: /home/olivier
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
>
> I have the same output with this :
>
> $ ldapsearch -h ldap-master1.mydomain.fr -D
> "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -w pass-olivier
> "uid=olivier"
>
> Although if I omit the -w I get this :
>
> ldap_bind: Server is unwilling to perform (53)
>       additional info: unauthenticated bind (DN with no password) disallowed
>
>
> --->> the openldap server respond.
>
> ================
>
> On the client side (fedora 14), I have followed the documentation to
> set up for ldap authentication when login :
>
> /etc/nsswitch.conf  /etc/ldap.conf /etc/nss_ldap.conf
> /etc/pam_ldap.conf /etc/openldap/ldap.conf and /etc/pam.d/
>
> are configured for the system to query the ldap-master.mydomain.fr
> server for authentication :
>
> in ldap.conf files I have :
>
> uri ldap://ldap-master1.mydomain.fr and
> "rootbinddn cn=Manager,dc=mydomain,dc=fr"
>
> in nsswitch.conf :
> passwd: ldap
> shadow:  ldap
>
> and in pam.d/password-auth and pam.d/system-auth and pam.d/system-auth-ac
> I have the lines :
>
> auth        sufficient    pam_ldap.so use_first_pass
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> password    sufficient    pam_ldap.so use_authtok
> session     optional      pam_ldap.so
>
> I use no particular security mechanism at this stage at this stage (no
> TLS, simple auth, etc.).
>
> ====
>
> WITH ALL THIS, here is what I get in the logs when I try to login as
> "olivier" on the client machine:
>
> Jul 12 19:32:20 fouine login: nss_ldap: failed to bind to LDAP server
> ldap://ldap-master1.mydomain.fr: Can't contact LDAP server
> Jul 12 19:32:20 fouine login: nss_ldap: could not search LDAP server -
> Server is unavailable
>
> Of course, i can't log in.
>
> Any help ??? I'm getting mad...
>
> ( may be could you suggest which debug level I should use on the
> server to try to track what's going on).
>
> Thanks,
>
> ---
> Olivier
>

Follow-Ups:
- Re: basic login fails : here are some logs ...
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: basic login fails : here are some logs ...
  - From: Philip Guenther <guenther+ldaptech@sendmail.com>

Prev by Date: Re: OpenLPDAP client tools exit codes
Next by Date: Inconsistent duplicate attributeType: "memberOf"
Index(es):
- Chronological
- Thread