LDAP authentication on CentOS 7


Running nslcd in debug mode shows the problem:

$ $(which nslcd) -d
...
nslcd: [8b4567] <authc="user.name"> DEBUG: myldap_search(base="dc=sub,dc=example,dc=org", filter="(&(objectClass=posixAccount)(uid=user.name))")
...
nslcd: [8b4567] <authc="user.name"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [8b4567] <authc="user.name"> DEBUG: "user.name": user not found: No such object
...

nslcd sets a filter by default. It's not possible to remove this filter or set it to blank.

Because none of my LDAP users has an objectClass called posixAccount the users cannot be found and the login is denied.

To fix this problem I had to overwrite this filter with an own one. Because I'm looking for the uid it's useful to set the filter on an attribute which is searched for anyways.

New content of my /etc/nslcd.conf:

filter passwd (uid=*)
uri ldap://172.16.64.25
base dc=sub,dc=example,dc=org
ssl no

After changing the nslcd.conf I had to restart the service nslcd: systemctl restart nslcd

Source: http://lists.arthurdejong.org/nss-pam-ldapd-users/2014/msg00025.html


This seems to be a problem for _nss-pam-ldapd-0.8.13-8.el7.x86_64_ on CentOS 7!

$ nslcd -V
nss-pam-ldapd 0.8.13

I tried to reproduce the problem on CentOS 6, but on this nss-pam-ldapd has dependencies to pam_ldap which has its config file in /etc/pam_ldap.conf and seems to not use /etc/nslcd.conf in the way it works on CentOS 7.
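As an added illustration (not part of the original answer), the Python below mimics how nslcd builds its passwd-by-name search by ANDing the configured `filter passwd` value with the uid being looked up, and evaluates that filter against constructed directory entries. It also shows that a filter naming the objectClass the users actually carry (here `inetOrgPerson`, an assumption) finds the user without turning every entry that merely has a `uid` attribute into a candidate account, which is what `(uid=*)` does.

```python
# Constructed entries standing in for the directory in the post: the user
# has a uid but no posixAccount objectClass, a second account has both,
# and a group entry has no uid at all.
SAMPLE_ENTRIES = [
    {"dn": "uid=user.name,ou=people,dc=sub,dc=example,dc=org",
     "objectClass": ["inetOrgPerson"], "uid": ["user.name"]},
    {"dn": "uid=sysbot,ou=people,dc=sub,dc=example,dc=org",
     "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["sysbot"]},
    {"dn": "cn=printers,ou=groups,dc=sub,dc=example,dc=org",
     "objectClass": ["groupOfNames"]},
]


def passwd_lookup_filter(configured_filter, uid):
    """Build the filter nslcd sends for a passwd-by-name lookup: the
    configured 'filter passwd' ANDed with the uid being resolved."""
    return "(&%s(uid=%s))" % (configured_filter, uid)


def matches(flt, entry):
    """Evaluate a small LDAP filter subset: AND, presence (attr=*) and
    case-insensitive equality. Enough for the filters discussed here."""
    if flt.startswith("(&"):
        inner = flt[2:-1]          # strip the leading "(&" and trailing ")"
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(inner):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:         # a complete sub-filter just closed
                parts.append(inner[start:i + 1])
                start = i + 1
        return all(matches(p, entry) for p in parts)
    attr, value = flt[1:-1].split("=", 1)
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def search(configured_filter, uid, entries=SAMPLE_ENTRIES):
    """Return the DNs nslcd would get back for this filter and uid."""
    flt = passwd_lookup_filter(configured_filter, uid)
    return [e["dn"] for e in entries if matches(flt, e)]


if __name__ == "__main__":
    for f in ["(objectClass=posixAccount)", "(uid=*)", "(objectClass=inetOrgPerson)"]:
        print(f, "->", search(f, "user.name"))
```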


Author: lszrh, updated on September 18, 2022

Comments

  • lszrh
    lszrh over 1 year

    After upgrading to CentOS 7 it's no longer possible to login via LDAP. With CentOS 6 I used the package pam_ldap which worked fine, but now pam_ldap is no longer available for the new version of CentOS.

    Connecting via ldapsearch still works fine, but trying to authenticate via ssh does not work.

    I reinstalled the package nss-pam-ldapd and reconfigured authentication via authconfig-tui, but it still does not work.

    Below I replace my username with user.name and the base with dc=sub,dc=example,dc=org.

    My host OS is a CentOS 7. All currently available updates are installed.

    $ uname -a
    Linux isfet 3.10.0-123.8.1.el7.x86_64 #1 SMP Mon Sep 22 19:06:58 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
    

    Installed packages

    $ rpm -qa | grep -i ldap
    openldap-2.4.39-3.el7.x86_64
    nss-pam-ldapd-0.8.13-8.el7.x86_64
    openldap-clients-2.4.39-3.el7.x86_64
    

    Content of /etc/openldap/ldap.conf

    URI ldap://172.16.64.25
    BASE dc=sub,dc=example,dc=org
    

    Content of /etc/nslcd.conf

    ldap_version 3
    uri ldap://172.16.64.25
    base dc=sub,dc=example,dc=org
    ssl no
    

    Output of /var/log/secure

    Oct  6 12:12:16 isfet sshd[3937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.64.1  user=user.name
    Oct  6 12:12:17 isfet sshd[3937]: Failed password for user.name from 172.16.64.1 port 18877 ssh2
    

    Output of /var/log/audit/audit.log

    type=USER_AUTH msg=audit(1412590243.286:364): pid=3912 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="user.name" exe="/usr/sbin/sshd" hostname=172.16.64.1 addr=172.16.64.1 terminal=ssh res=failed'
    type=USER_AUTH msg=audit(1412590243.287:365): pid=3912 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="user.name" exe="/usr/sbin/sshd" hostname=? addr=172.16.64.1 terminal=ssh res=failed'
    

    Output of the command ldapsearch

    $ ldapsearch -H ldap://172.16.64.25/ -D cn=Manager,dc=sub,dc=example,dc=org -W -x -b dc=sub,dc=example,dc=org -d1
    
    ldap_url_parse_ext(ldap://172.16.64.25/)
    ldap_create
    ldap_url_parse_ext(ldap://172.16.64.25:389/??base)
    Enter LDAP Password:
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP 172.16.64.25:389
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 172.16.64.25:389
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    attempting to connect:
    connect success
    ldap_open_defconn: successful
    ldap_send_server_request
    ber_scanf fmt ({it) ber:
    ber_scanf fmt ({i) ber:
    ber_flush2: 61 bytes to sd 3
    ldap_result ld 0x7f9b07402110 msgid 1
    wait4msg ld 0x7f9b07402110 msgid 1 (infinite timeout)
    wait4msg continue ld 0x7f9b07402110 msgid 1 all 1
    ** ld 0x7f9b07402110 Connections:
    * host: 172.16.64.25  port: 389  (default)
      refcnt: 2  status: Connected
      last used: Mon Oct  6 12:04:38 2014
    
    
    ** ld 0x7f9b07402110 Outstanding Requests:
     * msgid 1,  origid 1, status InProgress
       outstanding referrals 0, parent count 0
      ld 0x7f9b07402110 request count 1 (abandoned 0)
    ** ld 0x7f9b07402110 Response Queue:
       Empty
      ld 0x7f9b07402110 response count 0
    ldap_chkResponseList ld 0x7f9b07402110 msgid 1 all 1
    ldap_chkResponseList returns ld 0x7f9b07402110 NULL
    ldap_int_select
    read1msg: ld 0x7f9b07402110 msgid 1 all 1
    ber_get_next
    ber_get_next: tag 0x30 len 50 contents:
    read1msg: ld 0x7f9b07402110 msgid 1 message type bind
    ber_scanf fmt ({eAA) ber:
    read1msg: ld 0x7f9b07402110 0 new referrals
    read1msg:  mark request completed, ld 0x7f9b07402110 msgid 1
    request done: ld 0x7f9b07402110 msgid 1
    res_errno: 0, res_error: <>, res_matched: <cn=Manager,dc=sub,dc=example,dc=org>
    ldap_free_request (origid 1, msgid 1)
    ldap_parse_result
    ber_scanf fmt ({iAA) ber:
    ber_scanf fmt (}) ber:
    ldap_msgfree
    ldap_err2string
    ldap_bind: Success (0)
            matched DN: cn=Manager,dc=sub,dc=example,dc=org
    ...
    

    Content of /etc/pam.d/password-auth

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so
    
    password    requisite     pam_pwquality.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session     optional      pam_systemd.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    

    Content of /etc/pam.d/system-auth

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so
    
    password    requisite     pam_pwquality.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session     optional      pam_systemd.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    
    • Andy
      Andy over 9 years
      Do you get any results from running "getent passwd user.name" or "su - user.name"?
    • Andrew B
      Andrew B over 9 years
      Doesn't pam_ldap use a different file than /etc/openldap/ldap.conf? I want to say /etc/ldap.conf, offhand. I'd try to debug the module by adding the debug option for added logging verbosity, i.e. auth sufficient pam_ldap.so use_first_pass debug. Beyond this I think that the question has been muddied by you following Joffrey's advice. Please revert to your original configuration if you want others to be able to help you.
    • Andrew B
      Andrew B over 9 years
      Can you add the contents of /etc/ldap.conf?
  • Andrew B
    Andrew B over 9 years
    Yes, the pam_ldap naming collisions are very confusing. :( There are multiple implementations that all lay claim to that module name.