4

I am trying to set up an LDAP directory that will allow me to authenticate Debian users. Once the configuration of the LDAP server and the PAM files is done, authentication fails. I think the client doesn't find the LDAP user in the directory. When I try to log in with an LDAP user it says bad login, and when I try to log in with a local user it asks me for a password and then for the LDAP password.

Server

1) I first installed ldap-utils libldap-2.4-2 libldap-2.4-2-dbg slapd slapd-dbg

2) In the file /etc/ldap/ldap.conf :

BASE dc=example,dc=com
URI ldap://192.168.1.254/

3)

dpkg-reconfigure slapd 

I check that the information about the domain is right: correct.

4)

ldapsearch -x 

It fits with what I chose before.

5) I create the .ldif files for the directory and the users

structure.ldif :

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users
description: users

dn: ou=computers,dc=example,dc=com
objectClass: organizationalUnit
ou: computers
description: computers

dn: ou=sale,ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: sale
description: sale

dn: ou=direction,ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: direction
description: direction

dn: cn=sale,ou=sale,ou=users,dc=example,dc=com
objectClass: posixGroup
gidNumber: 501
cn: sale
description: Sale group

dn: cn=direction,ou=direction,ou=users,dc=example,dc=com
objectClass: posixGroup
gidNumber: 502
cn: direction
description: Direction group

dn: cn=pauldupont,cn=direction,ou=direction,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: pauldupont
userPassword: pauldupont
cn: pauldupont
uidNumber: 1050
gidNumber: 501
homeDirectory: /home/profils/pauldupont
sn: pauldupont

adduseringroup.ldif :

dn: cn=sale,ou=sale,ou=users,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: uid=pauldupont,cn=direction,ou=direction,ou=users,dc=example,dc=com

6) I load the files into the directory:

ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f file.ldif 

7)

ldapsearch -x 

The information is there.

Client

1) I installed ldap-utils libldap-2.4-2 libldap-2.4-2-dbg slapd slapd-dbg libnss-ldap libpam-ldap libpam-modules libpam-cracklib nscd

2) libnss-ldap configuration: server IP 192.168.1.254, base dc=example,dc=com

3) libpam-ldap configuration: no to making the LDAP admin act like the local root, no to the LDAP server requiring login before queries

4) dpkg-reconfigure libnss-ldap

The information is correct.

5) In the file /etc/ldap/ldap.conf

BASE dc=example,dc=com
URI ldap://192.168.1.254/

6) In the file /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap

7) In the file /etc/libnss-ldap.conf

base dc=example,dc=com
uri ldap://192.168.1.254/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com

8) In the file /etc/libnss-ldap.secret

ldap password

9) In the file /etc/pam_ldap.conf :

base dc=example,dc=com
uri ldap://192.168.1.254/
rootbinddn cn=admin,dc=example,dc=com
port 389
scope sub
bind_timelimit 30
idle_timelimit 3600
pam_filter objectClass=posixAccount
pam_login_attribute uid

10) In the files /etc/pam.d/common-auth, common-account and common-session I added at the bottom:

auth sufficient pam_ldap.so 

11) In the file /etc/pam.d/common-password I added at the bottom :

password sufficient pam_ldap.so use_first_pass 

12)

getent passwd && getent group 

Only local users and groups are shown.

13) The client seems to contact the server:

ldapsearch -x -H "ldap://192.168.1.254" -b "dc=example,dc=com" dn 

gives me back the dn entries.

14) getent passwd pauldupont

Gives back nothing, and in /var/log/auth.log I see:

May 12 10:43:36 CLI1-DIR-DEB nscd: nss_ldap: failed to bind to LDAP server ldap:///192.168.1.254/: Invalid credentials
May 12 10:43:36 CLI1-DIR-DEB nscd: nss_ldap: reconnecting to LDAP server...
May 12 10:43:36 CLI1-DIR-DEB nscd: nss_ldap: failed to bind to LDAP server ldap:///192.168.1.254/: Invalid credentials
May 12 10:43:36 CLI1-DIR-DEB nscd: nss_ldap: reconnecting to LDAP server...
May 12 10:43:37 CLI1-DIR-DEB nscd: nss_ldap: failed to bind to LDAP server ldap:///192.168.1.254/: Invalid credentials
May 12 10:43:37 CLI1-DIR-DEB nscd: nss_ldap: could not search LDAP server - Server is unavailable

It seems the credentials are wrong. I checked all the configuration files above and I can't find any mistake.

Does anybody know where the problem is?

Thank you for your help.

I'm using Debian Jessie 8.0 AMD64 for the client and the server

uname -a : Linux SRV1-DEB 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) x86_64 GNU/Linux

OpenLDAP 2.4

EDIT: Once I added the password to /etc/ldap.secret and ran getent passwd, I got the LDAP users, but I still can't log in.

When I try to log in I get this in the log file:

May 18 09:09:53 CLI1-DIR-DEB login[904]: pam_mail(login:session): user unknown
May 18 09:09:53 CLI1-DIR-DEB login[904]: pam_loginuid(login:session): error_ log for user-name'pauldupont' does not exist
May 18 09:09:53 CLI1-DIR-DEB login[904]: pam_unix(login:session): session opened for user pauldupont by LOGIN(uid=0)
May 18 09:09:53 CLI1-DIR-DEB login[904]: pam_systemd(login:session): Failed to get user data
May 18 09:09:53 CLI1-DIR-DEB login[904]: pam_systemd(login:session): Failed to get user data
May 18 09:09:53 CLI1-DIR-DEB login[904]: User not known to the underlying authentication module
  • What do your access directives in the slapd configuration look like? Commented May 12, 2015 at 21:51
  • I will check it out as soon as I can and come back with the answer. Commented May 15, 2015 at 15:16
  • For now, the default values are set:
    olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by * read
    Commented May 18, 2015 at 6:27

1 Answer

3

It looks like you're supplying a binddn, but bad credentials for it. Are the contents of /etc/ldap.secret and what you put in at the -W prompt exactly the same?


rootbinddn is the binddn used by root on the client machine. It should generally not be the rootdn of the suffix as that would mean that compromise of the machine would also compromise the directory.


There are few situations in which using sssd over pam_ldap and nss-ldap/nss-ldapd is not the correct choice. This is not one of those. (It has been, in my experience, limited to authenticating non-posix accounts.)


There are other things wrong here in dealing with groups (RFC2307 vs. RFC2307bis), but you're failing before that. When that becomes your actual problem, ask another question.

  • /etc/libnss-ldap.secret should have the password covered. Commented May 12, 2015 at 21:52
  • @AndrewB You are correct. I missed that. Commented May 13, 2015 at 18:15
  • Yes, the content of /etc/ldap.secret is the same as what I put in the -W prompt. I will check it out one more time as soon as I can, just to be sure. If I really can't make it work I will try out sssd, even if I'm surprised it doesn't work with pam. /etc/libnss-ldap.secret has the right password. Commented May 15, 2015 at 15:11
  • Yes, I checked and it is the same value. Commented May 18, 2015 at 6:21
  • In the end it works. Indeed I had to add the password in /etc/ldap.secret. Thanks a lot to everybody for your help. Commented May 19, 2015 at 8:22
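The thread above converged on two things: the "Invalid credentials" in auth.log came from the rootbinddn password file that nss_ldap/pam_ldap read (the asker's fix was /etc/ldap.secret), and, per the answer, that bind DN should not be the directory's cn=admin. The script below is an added example, not code from the question or the answer. It checks the secret files the thread uses (/etc/ldap.secret and /etc/libnss-ldap.secret, overridable for testing) for presence, root-only mode and matching content, reproduces the rootbinddn bind by hand with ldapwhoami outside nscd, and emits LDIF for a dedicated read-only bind account so the client never carries the admin password. The account name nssproxy, the olcDatabase={1}hdb DN (stock jessie slapd) and the ACL wording are assumptions for illustration. Note the ACL shown removes anonymous read: since only root can read the secret file, non-root processes bind anonymously, so NSS lookups from ordinary users then only work through nscd (which runs as root), which the asker has installed.

```shell
#!/bin/sh
# Added example (not from the question or the answer).  Assumptions:
# pam_ldap reads its rootbinddn password from /etc/ldap.secret and nss_ldap
# from /etc/libnss-ldap.secret, as in the thread; the slapd config database
# is olcDatabase={1}hdb,cn=config; "nssproxy" is an invented account name.
set -u

# First line of a secret file, without the trailing newline an editor adds.
read_secret() {
    [ -r "$1" ] || return 1
    head -n 1 "$1" | tr -d '\r\n'
}

# 0: both files present, mode 600 and identical.
# 1: a file is missing or readable by others.
# 2: the two files hold different passwords (what the nss_ldap
#    "Invalid credentials" errors in auth.log look like from the client).
check_secrets() {
    pam_secret=${1:-/etc/ldap.secret}
    nss_secret=${2:-/etc/libnss-ldap.secret}
    rc=0
    for f in "$pam_secret" "$nss_secret"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f (rootbinddn bind will be attempted without a password)" >&2
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$f")   # GNU stat, as on Debian
        if [ "$mode" != "600" ]; then
            echo "mode $mode on $f, expected 600 (password readable by other users)" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"
    if [ "$(read_secret "$pam_secret")" != "$(read_secret "$nss_secret")" ]; then
        echo "password differs between $pam_secret and $nss_secret" >&2
        return 2
    fi
    return 0
}

# Perform the same simple bind nss_ldap does as rootbinddn, outside nscd.
# The password is passed through a 0600 temp file and -y rather than -w so
# it never shows up in the process list.  Returns ldapwhoami's exit status.
test_rootbind() {
    uri=$1 binddn=$2 secret=${3:-/etc/ldap.secret}
    command -v ldapwhoami >/dev/null 2>&1 || { echo "ldap-utils not installed" >&2; return 3; }
    pwfile=$(umask 077 && mktemp) || return 3
    printf '%s' "$(read_secret "$secret")" > "$pwfile"
    ldapwhoami -x -H "$uri" -D "$binddn" -y "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# LDIF for a dedicated bind account plus ACLs: the proxy and authenticated
# users may read the NSS maps, anonymous may only bind, and userPassword
# stays unreadable to everyone but the entry itself (auth-only for others).
# Replace the placeholder hash with the output of slappasswd before loading.
proxy_bind_ldif() {
    base=$1
    proxydn="cn=nssproxy,$base"
    cat <<EOF
dn: $proxydn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: nssproxy
description: read-only bind account for nss_ldap/pam_ldap clients
userPassword: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn.exact="$proxydn" read by users read by * none
EOF
}
```

Typical use on the client: `check_secrets && test_rootbind ldap://192.168.1.254/ cn=admin,dc=example,dc=com`; a clean run prints `dn:cn=admin,dc=example,dc=com`, and the same "Invalid credentials" as in auth.log means the file content is wrong, not the PAM stack. On the server, `proxy_bind_ldif dc=example,dc=com` (with the hash filled in) is fed to `ldapadd -Y EXTERNAL -H ldapi:///` for the cn=config part and `ldapadd -x -D cn=admin,... -W` for the account, after which rootbinddn in both client config files becomes cn=nssproxy,dc=example,dc=com and the secret files hold its password instead of the admin's.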
