
List:       pamldap
Subject:    [pamldap] Re: [nssldap] nss_ldap and pam_ldap authentication Issus..
From:       "Shiqi X He" <Shiqi.X.He () household ! com>
Date:       2004-01-23 18:04:30
Message-ID: OFF5A2A524.E897288F-ON86256E24.00627EAD () household ! com

Further investigation showed that on the LDAP server side the binding changed
to anonymous for emp712, which may have caused the second password prompt(?).
In the ldap.conf file I have set up the binding DN to avoid the anonymous
binding, but that still happened.

LDAP server side debug info:

conn=39 fd=18 ACCEPT from IP=127.0.0.1:34429 (IP=0.0.0.0:389)
conn=39 op=0 BIND dn="cn=admin,dc=hi,dc=com" method=128
conn=39 op=0 BIND dn="cn=admin,dc=hi,dc=com" mech=simple ssf=0
conn=39 op=0 RESULT tag=97 err=0 text=
conn=39 op=1 SRCH base="ou=people,dc=hi,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=emp712))"
conn=39 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=39 op=2 BIND anonymous mech=implicit ssf=0
conn=39 op=2 BIND dn="cn=admin,dc=hi,dc=com" method=128
conn=39 op=2 BIND dn="cn=admin,dc=hi,dc=com" mech=simple ssf=0
conn=39 op=2 RESULT tag=97 err=0 text=
conn=39 op=3 BIND anonymous mech=implicit ssf=0
conn=39 op=3 BIND dn="uid=emp712,ou=People,dc=hi,dc=com" method=128
conn=39 op=3 RESULT tag=97 err=49 text=
<<<<<<<<<<<<========================
conn=39 op=4 BIND dn="cn=admin,dc=hi,dc=com" method=128
conn=39 op=4 BIND dn="cn=admin,dc=hi,dc=com" mech=simple ssf=0
conn=39 op=4 RESULT tag=97 err=0 text=
conn=40 fd=19 ACCEPT from IP=127.0.0.1:34430 (IP=0.0.0.0:389)
conn=40 op=0 BIND dn="cn=admin,dc=hi,dc=com" method=128
conn=40 op=0 BIND dn="cn=admin,dc=hi,dc=com" mech=simple ssf=0
conn=40 op=0 RESULT tag=97 err=0 text=
conn=40 op=1 SRCH base="ou=people,dc=hi,dc=com" scope=1 filter="(&(objectClass=shadowAccount)(uid=emp712))"
conn=40 op=1 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
conn=40 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

==>  got the second password prompt here:

conn=40 op=2 SRCH base="ou=people,dc=hi,dc=com" scope=1 filter="(&(objectClass=shadowAccount)(uid=emp712))"
conn=40 op=2 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
conn=40 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=40 op=3 SRCH base="ou=group,dc=hi,dc=com" scope=1
filter="(&(objectClass=posixGroup)(memberUid=emp712))"
conn=40 op=3 SRCH attr=cn userPassword memberUid gidNumber
<= bdb_equality_candidates: (memberUid) index_param failed (18)
conn=40 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=40 fd=19 closed
conn=39 op=5 UNBIND
conn=39 fd=18 closed


From: "Shiqi X He" <Shiqi.X.He@household.com>
Sent by: owner-nssldap@PADL.COM
To: nssldap@padl.com, pamldap@padl.com
cc:
Subject: [nssldap] nss_ldap and pam_ldap authentication Issus..
Date: 01/23/2004 10:02 AM

Hi All,

With the help from members in this group, we are able to set up a test
openldap server to work with the nss_ldap and pam_ldap modules from PADL
(in the first try we did not use SSL).

Login from the client through LDAP seems to be working, except that we got two
password prompts. I need to type in the same LDAP user password to log in.
There is no entry for this user emp712 in the local passwd and shadow
files. Here are the nss_ldap debugging messages during the login:

===================================

#       ######     #    ######          ####### #######  #####  #######
#       #     #   # #   #     #            #    #       #     #    #
#       #     #  #   #  #     #            #    #       #          #
#       #     # #     # ######             #    #####    #####     #
#       #     # ####### #                  #    #             #    #
#       #     # #     # #                  #    #       #     #    #
####### ######  #     # #       #######    #    #######  #####     #

login: emp712
Password:
nss_ldap: ==> _nss_ldap_default_constr
nss_ldap: <== _nss_ldap_default_constr
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_getbyname
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_open
nss_ldap: ==> do_close_no_unbind
nss_ldap: <== do_close_no_unbind (connection was not open)
nss_ldap: ==> ldap_initialize
nss_ldap: <== ldap_initialize
nss_ldap: ==> do_bind
nss_ldap: <== do_bind
nss_ldap: ==> do_set_sockopts
nss_ldap: <== do_set_sockopts
nss_ldap: <== do_open
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectclass=shadowAccount)(uid=emp712))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: <== do_open
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> do_parse_s
nss_ldap: ==> _nss_ldap_assign_userpassword
nss_ldap: <== _nss_ldap_assign_userpassword
nss_ldap: <== do_parse_s
nss_ldap: ==> _nss_ldap_ent_context_release
nss_ldap: <== _nss_ldap_ent_context_release
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
nss_ldap: <== _nss_ldap_getbyname
Password:
nss_ldap: ==> _nss_ldap_default_constr
nss_ldap: <== _nss_ldap_default_constr
nss_ldap: ==> _nss_ldap_enter
nss_ldap: <== _nss_ldap_enter
nss_ldap: ==> _nss_ldap_search_s
nss_ldap: ==> do_open
nss_ldap: <== do_open
nss_ldap: ==> do_filter
nss_ldap: :== do_filter: (&(objectclass=posixGroup)(memberUid=emp712))
nss_ldap: <== do_filter
nss_ldap: ==> do_with_reconnect
nss_ldap: ==> do_open
nss_ldap: <== do_open
nss_ldap: ==> do_search_s
nss_ldap: <== do_search_s
nss_ldap: <== do_with_reconnect
nss_ldap: <== _nss_ldap_search_s
nss_ldap: ==> _nss_ldap_leave
nss_ldap: <== _nss_ldap_leave
Last login: Thu Jan 22 22:12:09 from phdcap18.househ
Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
$
====================================================

It looks like after the second password prompt the nss/pam just
searches the group objectclass. emp712 does not specifically show up in any
group, and we do not have memberUid indexed. The search failed. Going
back in the history some folks got a similar issue, but I could not find
the answer or solution.

On the system we tried to log in to, the PAM auth_debug log showed one line of
messages:
======
Jan 23 09:37:26 wdillbap06 login: [ID 244269 auth.error] pam_ldap: error trying to bind as user "uid=emp712,ou=People,dc=hi,dc=com" (Invalid credentials)
======
But how is it that I can still log in after typing the same password?

Any help/suggestions would be appreciated.


Thanks.


Erik S. He

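As an added example, not part of this thread and not PADL code, here is a small Python parser for the slapd `conn=N op=M` log lines quoted above. It groups lines by (conn, op), keeps the real bind DN rather than the `BIND anonymous mech=implicit` line slapd emits when an already-bound connection rebinds, and then reports failed binds, empty searches, and which searches asked for userPassword. The sample log is the server-side output from the message (mail-wrapped SRCH lines rejoined, the repeated conn=40 op=2 shadowAccount search omitted); the function names and the Operation record are my own. Run over that log it isolates the single rejected bind, the pam_ldap bind as uid=emp712 that returned err=49, and the memberUid group search that came back with no entries.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# slapd lines taken from the message above (wrapped SRCH lines rejoined).
SAMPLE_LOG = """\
conn=39 fd=18 ACCEPT from IP=127.0.0.1:34429 (IP=0.0.0.0:389)
conn=39 op=0 BIND dn="cn=admin,dc=hi,dc=com" method=128
conn=39 op=0 BIND dn="cn=admin,dc=hi,dc=com" mech=simple ssf=0
conn=39 op=0 RESULT tag=97 err=0 text=
conn=39 op=1 SRCH base="ou=people,dc=hi,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=emp712))"
conn=39 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=39 op=2 BIND anonymous mech=implicit ssf=0
conn=39 op=2 BIND dn="cn=admin,dc=hi,dc=com" method=128
conn=39 op=2 BIND dn="cn=admin,dc=hi,dc=com" mech=simple ssf=0
conn=39 op=2 RESULT tag=97 err=0 text=
conn=39 op=3 BIND anonymous mech=implicit ssf=0
conn=39 op=3 BIND dn="uid=emp712,ou=People,dc=hi,dc=com" method=128
conn=39 op=3 RESULT tag=97 err=49 text=
conn=39 op=4 BIND dn="cn=admin,dc=hi,dc=com" method=128
conn=39 op=4 BIND dn="cn=admin,dc=hi,dc=com" mech=simple ssf=0
conn=39 op=4 RESULT tag=97 err=0 text=
conn=40 fd=19 ACCEPT from IP=127.0.0.1:34430 (IP=0.0.0.0:389)
conn=40 op=0 BIND dn="cn=admin,dc=hi,dc=com" method=128
conn=40 op=0 BIND dn="cn=admin,dc=hi,dc=com" mech=simple ssf=0
conn=40 op=0 RESULT tag=97 err=0 text=
conn=40 op=1 SRCH base="ou=people,dc=hi,dc=com" scope=1 filter="(&(objectClass=shadowAccount)(uid=emp712))"
conn=40 op=1 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
conn=40 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=40 op=3 SRCH base="ou=group,dc=hi,dc=com" scope=1 filter="(&(objectClass=posixGroup)(memberUid=emp712))"
conn=40 op=3 SRCH attr=cn userPassword memberUid gidNumber
<= bdb_equality_candidates: (memberUid) index_param failed (18)
conn=40 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=40 fd=19 closed
conn=39 op=5 UNBIND
conn=39 fd=18 closed
"""

OP_RE = re.compile(r"^conn=(\d+) op=(\d+) (.*)$")
DN_RE = re.compile(r'dn="([^"]*)"')
FILTER_RE = re.compile(r'filter="([^"]*)"')
ATTR_RE = re.compile(r"\battr=(.*)$")
ERR_RE = re.compile(r"\berr=(\d+)")
NENTRIES_RE = re.compile(r"\bnentries=(\d+)")


@dataclass
class Operation:
    """One LDAP operation reconstructed from its conn=/op= log lines (my own record type)."""
    conn: int
    op: int
    kind: str = ""                  # BIND, SRCH or UNBIND
    dn: Optional[str] = None        # bind DN; stays None for a purely anonymous bind
    filter: Optional[str] = None    # search filter
    attrs: List[str] = field(default_factory=list)  # requested attributes
    err: Optional[int] = None       # LDAP result code from the RESULT line
    nentries: Optional[int] = None  # entries returned by a search


def parse_slapd_log(text: str) -> List[Operation]:
    """Group slapd 'conn=N op=M ...' lines into one Operation per (conn, op)."""
    ops = {}
    for line in text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue  # ACCEPT/closed lines and backend diagnostics carry no op=
        key = (int(m.group(1)), int(m.group(2)))
        rest = m.group(3)
        o = ops.setdefault(key, Operation(*key))
        if rest.startswith("BIND"):
            o.kind = "BIND"
            dn = DN_RE.search(rest)
            if dn:  # the 'BIND anonymous mech=implicit' reset line has no dn=
                o.dn = dn.group(1)
        elif rest.startswith("SRCH"):
            o.kind = "SRCH"
            f = FILTER_RE.search(rest)
            if f:
                o.filter = f.group(1)
            a = ATTR_RE.search(rest)
            if a:
                o.attrs = a.group(1).split()
        elif rest.startswith("UNBIND"):
            o.kind = "UNBIND"
        if "RESULT" in rest:  # covers both 'RESULT' and 'SEARCH RESULT'
            e = ERR_RE.search(rest)
            if e:
                o.err = int(e.group(1))
            n = NENTRIES_RE.search(rest)
            if n:
                o.nentries = int(n.group(1))
    return list(ops.values())  # insertion order = first time each op was seen


def bind_sequence(ops: List[Operation], conn: int) -> List[Tuple[int, Optional[str], Optional[int]]]:
    """(op, dn, err) for every BIND on one connection, in order."""
    return [(o.op, o.dn, o.err) for o in ops if o.conn == conn and o.kind == "BIND"]


def failed_binds(ops: List[Operation]):
    """Binds slapd rejected; err=49 is invalidCredentials."""
    return [(o.conn, o.op, o.dn, o.err) for o in ops
            if o.kind == "BIND" and o.err not in (None, 0)]


def empty_searches(ops: List[Operation]):
    """Searches that completed with err=0 but matched no entries."""
    return [(o.conn, o.op, o.filter) for o in ops
            if o.kind == "SRCH" and o.err == 0 and o.nentries == 0]


def searches_reading(ops: List[Operation], attr: str):
    """Searches whose requested attribute list includes attr (e.g. userPassword)."""
    return [(o.conn, o.op, o.filter) for o in ops if o.kind == "SRCH" and attr in o.attrs]


if __name__ == "__main__":
    ops = parse_slapd_log(SAMPLE_LOG)
    for conn in sorted({o.conn for o in ops}):
        print(f"conn={conn} binds: {bind_sequence(ops, conn)}")
    print("failed binds:", failed_binds(ops))
    print("empty searches:", empty_searches(ops))
    print("searches reading userPassword:", searches_reading(ops, "userPassword"))
```

The bind sequence on conn=39 (admin, admin, user, admin) is the pattern a pam_ldap authentication leaves behind: search for the user with the configured bind DN, try the user's own credentials, rebind as admin. Seeing which searches request userPassword on conn=40 is useful because that is the attribute an nss_ldap shadow lookup needs the bind DN to be allowed to read.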
