linux - LDAP user authentication using nslcd on Debian 8.x


I installed the libpam-ldapd package on Debian 8.5 and configured /etc/nslcd.conf as follows:


# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5) for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://172.17.192.100

# The search base that will be used for all queries.
base dc=myorg,dc=com

# The LDAP protocol version to use.
ldap_version 3

binddn cn=ldapuser,dc=myorg,dc=com
bindpw secret

# The search scope.
#scope sub

filter passwd (objectclass=person)
map    passwd uid              samaccountname
map    passwd uidnumber        employeeid
map    passwd gidnumber        objectsid

filter shadow (objectclass=person)
map    shadow uid              samaccountname

The problem is that when logging into the server as user@myorg.com I get the following log (authentication is successful but the search fails because of the @myorg.com part; it uses the nslcd_pam_authc() function):

nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_initialize(ldap://172.17.192.100)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_set_rebind_proc()
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_set_option(ldap_opt_protocol_version,3)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_set_option(ldap_opt_deref,0)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_set_option(ldap_opt_timelimit,0)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_set_option(ldap_opt_timeout,0)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_set_option(ldap_opt_network_timeout,0)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_set_option(ldap_opt_referrals,ldap_opt_on)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_set_option(ldap_opt_restart,ldap_opt_on)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_simple_bind_s("cn=isldap,dc=ti,dc=ads","***") (uri="ldap://172.17.192.100")
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_result(): end of results (0 total)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user@myorg.com))")
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_result(): end of results (0 total)
nslcd: [e87ccd] debug: connection pid=9046 uid=0 gid=0
nslcd: [e87ccd] <authc="user@myorg.com"> debug: nslcd_pam_authc("user@myorg.com","sshd","***")
nslcd: [e87ccd] <authc="user@myorg.com"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user@myorg.com))")
nslcd: [e87ccd] <authc="user@myorg.com"> debug: ldap_result(): end of results (0 total)
nslcd: [e87ccd] <authc="user@myorg.com"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user@myorg.com))")
nslcd: [e87ccd] <authc="user@myorg.com"> debug: ldap_result(): end of results (0 total)
nslcd: [e87ccd] <authc="user@myorg.com"> debug: "user@myorg.com": user not found: no such object

If I log in using "user", the search succeeds but authentication does not (it tries to authenticate using the full DN and the ldap_sasl_bind() function):

nslcd: [8b4567] <host=10.0.2.2> debug: ldap_simple_bind_s("cn=ldapuserdc=myorg,dc=com","***") (uri="ldap://172.17.192.100")
nslcd: [8b4567] <host=10.0.2.2> debug: ldap_result(): end of results (0 total)
nslcd: [8b4567] <host=10.0.2.2> debug: myldap_search(base="ou=guatemala support team,ou=ti_service_accounts,dc=ti,dc=ads", filter="(&(objectclass=iphost)(iphostnumber=10.0.2.2))")
nslcd: [8b4567] <host=10.0.2.2> debug: ldap_result(): end of results (0 total)
nslcd: [7b23c6] debug: connection pid=9099 uid=0 gid=0
nslcd: [7b23c6] <passwd="user"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [7b23c6] <passwd="user"> debug: ldap_initialize(ldap://172.17.192.100)
nslcd: [7b23c6] <passwd="user"> debug: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd="user"> debug: ldap_simple_bind_s("cn=ldapuser,dc=myorg,dc=com","***") (uri="ldap://172.17.192.100")
nslcd: [7b23c6] <passwd="user"> debug: ldap_result(): cn=user john doe,dc=myorg,dc=com
nslcd: [7b23c6] <passwd="user"> cn=user john doe,dc=myorg,dc=com: objectsid: missing
nslcd: [7b23c6] <passwd="user"> debug: ldap_result(): end of results (1 total)
nslcd: [7b23c6] <passwd="user"> debug: myldap_search(base="ou=guatemala support team,ou=ti_service_accounts,dc=ti,dc=ads", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [7b23c6] <passwd="user"> debug: ldap_result(): end of results (0 total)
nslcd: [3c9869] debug: connection pid=9099 uid=0 gid=0
nslcd: [3c9869] <passwd="user"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [3c9869] <passwd="user"> debug: ldap_result(): cn=user john doe,dc=myorg,dc=com
nslcd: [3c9869] <passwd="user"> cn=user john doe,dc=myorg,dc=com: objectsid: missing
nslcd: [3c9869] <passwd="user"> debug: ldap_result(): end of results (1 total)
nslcd: [3c9869] <passwd="user"> debug: myldap_search(base="ou=guatemala support team,ou=ti_service_accounts,dc=ti,dc=ads", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [3c9869] <passwd="user"> debug: ldap_result(): end of results (0 total)
nslcd: [334873] debug: connection pid=9099 uid=0 gid=0
nslcd: [334873] <passwd="user"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [334873] <passwd="user"> debug: ldap_result(): cn=user john doe,dc=myorg,dc=com
nslcd: [334873] <passwd="user"> cn=user john doe,dc=myorg,dc=com: objectsid: missing
nslcd: [334873] <passwd="user"> debug: ldap_result(): end of results (1 total)
nslcd: [334873] <passwd="user"> debug: myldap_search(base="ou=guatemala support team,ou=ti_service_accounts,dc=ti,dc=ads", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [334873] <passwd="user"> debug: ldap_result(): end of results (0 total)
nslcd: [b0dc51] debug: connection pid=9099 uid=0 gid=0
nslcd: [b0dc51] <authc="user"> debug: nslcd_pam_authc("user","sshd","***")
nslcd: [b0dc51] <authc="user"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [b0dc51] <authc="user"> debug: ldap_initialize(ldap://172.17.192.100)
nslcd: [b0dc51] <authc="user"> debug: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="user"> debug: ldap_simple_bind_s("cn=ldapuserdc=myorg,dc=com","***") (uri="ldap://172.17.192.100")
nslcd: [b0dc51] <authc="user"> debug: ldap_result(): cn=user john doe,dc=myorg,dc=com
nslcd: [b0dc51] <authc="user"> debug: myldap_search(base="cn=user john doe,dc=myorg,dc=com", filter="(objectclass=*)")
nslcd: [b0dc51] <authc="user"> debug: ldap_initialize(ldap://172.17.192.100)
nslcd: [b0dc51] <authc="user"> debug: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="user"> debug: ldap_sasl_bind("cn=user john doe,dc=myorg,dc=com","***") (uri="ldap://172.17.192.100")
nslcd: [b0dc51] <authc="user"> debug: ldap_parse_result() result: invalid credentials: 80090308: ldaperr: dsid-0c0903d0, comment: acceptsecuritycontext error, data 52e, v2580
nslcd: [b0dc51] <authc="user"> debug: failed bind ldap server ldap://172.17.192.100: invalid credentials: 80090308: ldaperr: dsid-0c0903d0, comment: acceptsecuritycontext error, data 52e, v2580
nslcd: [b0dc51] <authc="user"> debug: ldap_unbind()
nslcd: [b0dc51] <authc="user"> cn=user john doe,dc=myorg,dc=com: invalid credentials
nslcd: [b0dc51] <authc="user"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [b0dc51] <authc="user"> debug: ldap_result(): cn=user john doe,dc=myorg,dc=com

Question: how should nslcd.conf be configured if I want to:

  • log in as user
  • search for the sAMAccountName field equal to user

Thanks in advance, and sorry for the long post.

In /etc/nslcd.conf, try changing (objectclass=person) to

(&(objectcategory=person)(objectclass=user))

-jim
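Two things in the posted logs are worth reading mechanically rather than by eye. The first failure is a search that returns zero entries for sAMAccountName=user@myorg.com; in Active Directory the sAMAccountName never carries a domain suffix (user@myorg.com is the userPrincipalName form), so that filter cannot match. The second failure is AD rejecting the bind as the user's own DN with "data 52e", which is Microsoft's standard code for invalid credentials. A separate caveat for anyone reproducing the setup: the posted nslcd.conf talks plain ldap:// and stores bindpw in cleartext, so the service-account password and every user's password at login time cross the wire unencrypted; nslcd supports ldaps:// URIs and "ssl start_tls", and the file should stay readable only by root and the nslcd group.

The script below is an added example, not code from the question, the answer, or the nslcd project. It parses nslcd debug output grouped by request id, records each search's base, filter and hit count, each bind's DN and outcome, and any "attribute: missing" warnings, and decodes the AD data code of a failed bind using the standard Microsoft table. The sample log lines are constructed to mirror the ones in the question; the request ids, DNs and addresses in them are the question's own placeholders.

```python
"""Triage nslcd debug output: which searches matched, which binds failed and why."""
import re
from collections import OrderedDict

# Standard meaning of the "data NNN" field AD puts in its bind-failure comment.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LINE_RE = re.compile(r'^nslcd: \[(?P<req>[0-9a-f]+)\](?: <(?P<ctx>[^>]*)>)? (?:debug: )?(?P<msg>.*)$')
SEARCH_RE = re.compile(r'myldap_search\(base="(?P<base>[^"]*)", filter="(?P<filter>[^"]*)"\)')
END_RE = re.compile(r'ldap_result\(\): end of results \((?P<n>\d+) total\)')
BIND_RE = re.compile(r'ldap_(?P<kind>simple_bind_s|sasl_bind)\("(?P<dn>[^"]*)"')
FAIL_RE = re.compile(r'failed (?:to )?bind (?:to )?ldap server \S+: (?P<reason>[^:]+)', re.I)
DATA_RE = re.compile(r'\bdata (?P<data>[0-9a-f]+)\b')
MISSING_RE = re.compile(r'^(?P<dn>.+?): (?P<attr>\w+): missing$')

# Constructed sample, modelled on the lines in the question (not a real capture).
SAMPLE_LOG = """\
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_initialize(ldap://172.17.192.100)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_simple_bind_s("cn=ldapuser,dc=myorg,dc=com","***") (uri="ldap://172.17.192.100")
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_result(): end of results (0 total)
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user@myorg.com))")
nslcd: [8e1f29] <passwd="user@myorg.com"> debug: ldap_result(): end of results (0 total)
nslcd: [e87ccd] debug: connection pid=9046 uid=0 gid=0
nslcd: [e87ccd] <authc="user@myorg.com"> debug: nslcd_pam_authc("user@myorg.com","sshd","***")
nslcd: [e87ccd] <authc="user@myorg.com"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user@myorg.com))")
nslcd: [e87ccd] <authc="user@myorg.com"> debug: ldap_result(): end of results (0 total)
nslcd: [e87ccd] <authc="user@myorg.com"> debug: "user@myorg.com": user not found: no such object
nslcd: [7b23c6] debug: connection pid=9099 uid=0 gid=0
nslcd: [7b23c6] <passwd="user"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [7b23c6] <passwd="user"> debug: ldap_result(): cn=user john doe,dc=myorg,dc=com
nslcd: [7b23c6] <passwd="user"> cn=user john doe,dc=myorg,dc=com: objectsid: missing
nslcd: [7b23c6] <passwd="user"> debug: ldap_result(): end of results (1 total)
nslcd: [b0dc51] <authc="user"> debug: nslcd_pam_authc("user","sshd","***")
nslcd: [b0dc51] <authc="user"> debug: myldap_search(base="dc=myorg,dc=com", filter="(&(objectclass=person)(samaccountname=user))")
nslcd: [b0dc51] <authc="user"> debug: ldap_simple_bind_s("cn=ldapuser,dc=myorg,dc=com","***") (uri="ldap://172.17.192.100")
nslcd: [b0dc51] <authc="user"> debug: ldap_result(): cn=user john doe,dc=myorg,dc=com
nslcd: [b0dc51] <authc="user"> debug: ldap_result(): end of results (1 total)
nslcd: [b0dc51] <authc="user"> debug: ldap_sasl_bind("cn=user john doe,dc=myorg,dc=com","***") (uri="ldap://172.17.192.100")
nslcd: [b0dc51] <authc="user"> debug: failed bind ldap server ldap://172.17.192.100: invalid credentials: 80090308: ldaperr: dsid-0c0903d0, comment: acceptsecuritycontext error, data 52e, v2580
"""


def parse_nslcd_log(text):
    """Group lines by nslcd request id; collect searches, binds and missing-attribute warnings."""
    requests = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an nslcd line; skip
        req = requests.setdefault(m.group('req'), {'ctx': None, 'searches': [], 'binds': [], 'missing': []})
        if m.group('ctx') and not req['ctx']:
            req['ctx'] = m.group('ctx')  # e.g. passwd="user" or authc="user"
        msg = m.group('msg')
        if (s := SEARCH_RE.search(msg)):
            req['searches'].append({'base': s.group('base'), 'filter': s.group('filter'), 'hits': None})
        elif (e := END_RE.search(msg)):
            # "end of results" closes the most recent search that has no count yet
            pending = [x for x in req['searches'] if x['hits'] is None]
            if pending:
                pending[-1]['hits'] = int(e.group('n'))
        elif (b := BIND_RE.search(msg)):
            req['binds'].append({'dn': b.group('dn'), 'kind': b.group('kind'),
                                 'outcome': 'no error logged', 'data': None})
        elif (f := FAIL_RE.search(msg)) and req['binds']:
            d = DATA_RE.search(msg)  # AD appends "data NNN" to the failure comment
            req['binds'][-1]['outcome'] = f.group('reason').strip()
            req['binds'][-1]['data'] = d.group('data') if d else None
        elif (w := MISSING_RE.match(msg)):
            req['missing'].append((w.group('dn'), w.group('attr')))
    return requests


def diagnose(requests):
    """Turn the parsed requests into plain-language findings."""
    findings = []
    for rid, req in requests.items():
        for s in req['searches']:
            if s['hits'] == 0:
                who = re.search(r'samaccountname=([^)]*)', s['filter'], re.I)
                if who and '@' in who.group(1):
                    findings.append(f"[{rid}] no entry with sAMAccountName={who.group(1)}: a login with a "
                                    f"domain suffix is a userPrincipalName; sAMAccountName never contains '@'")
                else:
                    findings.append(f"[{rid}] search under {s['base']} with {s['filter']} returned nothing")
        for dn, attr in req['missing']:
            # nslcd logs this when a mapped attribute has no value and then drops the entry
            findings.append(f"[{rid}] entry {dn} has no value for mapped attribute {attr}; nslcd drops it")
        for b in req['binds']:
            if b['data']:
                meaning = AD_BIND_DATA_CODES.get(b['data'], 'unknown code')
                findings.append(f"[{rid}] {b['kind']} as {b['dn']} failed: {b['outcome']} "
                                f"(AD data {b['data']}: {meaning})")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_nslcd_log(SAMPLE_LOG)):
        print(line)
```

Run it against a real capture with `nslcd -d` output piped in (replace SAMPLE_LOG with the file contents); the "data" lookup is what distinguishes a wrong password (52e) from a disabled (533), locked (775) or expired (532) account, which nslcd itself reports uniformly as "invalid credentials".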

