Thierry,
I understand that the ldapsearch -b "ou=people,o=test,o=suffix" -D <…> -w <…> -x -s sub "(&(objectClass=<xyz>)(uid=testuser))", using
the credentials specified in ldap.conf, does return the object. This said, the aci seems
to be correct.
-Reinhard
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of thierry bordaz
Sent: Friday, May 24, 2013 12:34 PM
To: Shriram M
Cc: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] problem in LDAP authentication using PAM.
On 05/24/2013 03:55 PM, Shriram M wrote:
Hi Dan,
Sorry for the typo error. It's not sssd, it is sshd.
I am using the nscd daemon. I tried to debug nss_ldap by setting the log level in the
/etc/ldap.conf file. I observed that the ldap server connection is getting established and it is
accepting the request from nss_ldap (which requests the user info by supplying the uid). But
ldap is neither responding with an error message nor with a success message.
access log:
[22/May/2013:13:38:13 +0000] conn=44 op=18 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=<xyz>)(uid=testuser))" attrs="uid uidNumber gidNumber "
[22/May/2013:13:38:13 +0000] conn=44 op=18 RESULT err=0 tag=101 nentries=0 etime=0
Hi Shriram,
Could you confirm that the searched entry has "objectclass: <xyz>"?
Having disabled anonymous access, the above session was authenticated. If there is an
entry that matches the filter but that is not returned, I guess it is an issue with the
aci definition that prevents the bound user from looking up the entry (or reading the filter
attributes).
regards
thierry
From the above ldap search operation nentries is zero. But the user is present in LDAP;
the same was verified by executing the ldapsearch command.
Steps to replicate this behavior:
1. disable (off) nsslapd-anonymous-access.
2. modify the aci (access control information) for the base dn by
introducing a dn with password to bind with ldap.
3. provide the modified aci information in /etc/ldap.conf with the
appropriate binddn and bindpw.
4. create a user in ldap so that ssh login should communicate to ldap via
PAM.
5. configure PAM appropriately [/etc/pam.d] to authenticate the users.
Thanks,
Shriram.
From: 389-users-bounces@lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Thursday, May 23, 2013 5:56 AM
To: General discussion list for the 389 Directory server project.
Cc: 389-users-bounces@lists.fedoraproject.org
Subject: Re: [389-users] problem in LDAP authentication using PAM.
Shriram,
Use NSCD or SSSD, not both; NSCD is a caching daemon and SSSD has a caching daemon, so
they will conflict.
Dan
On May 22, 2013, at 4:18 AM, Shriram M <mshriram@juniper.net> wrote:
Hi All,
I am trying LDAP authentication for users logging in to CentOS via PAM. Also I have
disabled (off) the nsslapd-anonymous-access flag to restrict anonymous access, by providing a
binddn and bindpw.
I have changed binddn and bindpw in /etc/ldap.conf for PAM to bind with LDAP to
authenticate the user.
i.e. when a user is trying to ssh, PAM will bind with LDAP by reading
/etc/ldap.conf, to authenticate the corresponding user.
User authentication is not working every time, i.e. sometimes the user is authenticated and
sometimes the user is not authenticated.
I have verified that the tools 389 FDS, nscd, ssd are properly running in CentOS.
I have tried doing an ldapsearch for the corresponding user. The result shows the user
properly.
Thanks
Shriram.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
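Editorial example, not part of the thread: the kind of aci Thierry's reply points at. With anonymous access off, the bind DN that nss_ldap uses must hold search rights on every attribute in the filter (objectClass, uid) and read rights on the requested attributes; otherwise 389 DS silently evaluates the filter as not matching and logs exactly `err=0 ... nentries=0`. The bind DN `uid=nssproxy,ou=special,o=test,o=suffix` is an assumed placeholder; the base DN and attributes are those from the access log above.

```ldif
# Constructed example: grant the nss_ldap bind DN (placeholder uid=nssproxy,...)
# the rights needed to find and read POSIX account entries under ou=people.
# An aci stored on ou=people applies to that entry and its whole subtree.
dn: ou=people,o=test,o=suffix
changetype: modify
add: aci
aci: (targetattr = "objectClass || uid || uidNumber || gidNumber")
 (version 3.0; acl "nss_ldap proxy read";
 allow (read, search, compare)
 userdn = "ldap:///uid=nssproxy,ou=special,o=test,o=suffix";)
```

Apply it with ldapmodify as an administrative identity, then repeat the failing search bound as the nss_ldap bind DN (`ldapsearch -x -D "uid=nssproxy,ou=special,o=test,o=suffix" -W -b "ou=people,o=test,o=suffix" "(&(objectClass=<xyz>)(uid=testuser))" uid uidNumber gidNumber`); the access log RESULT line should now show `nentries=1`.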