[CentOS] openldap problems authenticating

Tim Dunphy

bluethundr at gmail.com
Tue Feb 22 22:49:45 UTC 2011


Hello list,

I am running an openldap 2.4 server under FreeBSD that was working
well until the config was tweaked by someone on the team without
properly documenting their work

# /usr/local/etc/ldap.con on ldap server (FreeBSD 8.1)

host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {SSHA}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com


# grep for ldap account shows ldap account on the ldap server itself succeeds

[root at LBSD2:/usr/local/etc/openldap] #getent passwd | grep walbs
walbs:secret/:1002:1003:Walkiria Soares:/home/walbs:/usr/local/bin/bash
[root at LBSD2:/usr/local/etc/openldap] #grep walbs /etc/passwd
[root at LBSD2:/usr/local/etc/openldap] #





# /etc/ldap.conf on ldap client (centos 5.5)

host LBSD2.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {crypt}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com

# grep getent passwd for ldap account on the client nothing turns up
after a long pause


[root at LCENT01:~] #getent passwd | grep walbs
[root at LCENT01:~] #


# nsswitch on the client

passwd:     files ldap
shadow:     files ldap
group:      files ldap
sudoers:    ldap
#hosts:     db files nisplus nis dns
hosts:      files dns


# this is what's going on in the logs on the ldap server during th
getent from the #client

Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 op=1 UNBIND
Feb 22 21:31:18 LBSD2 slapd[51158]: conn=3411 fd=22 closed
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 ACCEPT from
IP=192.168.1.42:53811 (IP=192.168.1.44:389)
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 BIND
dn="cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com" method=128
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=0 RESULT tag=97 err=49 text=
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 op=1 UNBIND
Feb 22 21:31:26 LBSD2 slapd[51158]: conn=3412 fd=22 closed

#ldap search from the client as the pam services account is able to
locate the ldap user info

[root at LCENT02:~] #ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap
,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com'
 '(uid=walbs)'
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (uid=walbs)
# requesting: ALL
#



# walbs, People, summitnjhome.com
dn: uid=walbs,ou=People,dc=summitnjhome,dc=com
uid: walbs
cn: Walkiria Soares
givenName: Walkiria
sn: Soares
mail: walbs at example.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1002
gidNumber: 1003

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


#pam_ldap services account in the ldap directory

3 cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword: {SSHA}secret


I have also tried doing anonymous binds on the client as well as using
plain text passwords. I get the same tag=97 err=49 messages on the
client either way.

Some advice is sorely needed here. Thank you very kindly in advance!

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
-------------- next part --------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath	/usr/local/libexec/openldap
moduleload	back_bdb
# moduleload	back_hdb
# moduleload	back_ldap

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth


access to attrs=userPassword by self write
                             by anonymous auth


access to * by self write
            by dn.children="ou=staff,dc=summitnjhome,dc=com" write
            by users read
            by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=summitnjhome,dc=com"
rootdn		"cn=Manager,dc=summitnjhome,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw	       {SHA}IbITBYGVYI9Gk9EPAQEB5Fw+B4k=	
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/db/summitnjhome.com
# Indices to maintain
index	objectClass	eq


More information about the CentOS mailing list