SOLVED: RHEL 3.8 LDAP Auth Failure
2007-05-07 - By Joshua M. Miller
I compared the files in the nss_ldap RPM (between redhat/centos) and discovered that the checksums were different (probably obvious) which prompted me to try the CentOS nss_ldap package on the Redhat box. This solved my problem so that the Redhat box now authenticates properly against an OpenLDAP directory with proper ACLs in place.
I see in Redhat's bugzilla that a bug was filed against this version of nss_ldap where a guy's AD auth failed...and the symptoms are the same as what I had.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=197261
I will follow up with the issue there.
Thanks,
--
Joshua M. Miller - RHCE,VCP
Joshua M. Miller wrote:
> I have done some more testing and analyzed some log output to find some
> interesting results.
>
> I set logging to 'any' and re-enabled the ACL on the userPassword
> attribute to see what I could find out. I attempted a connection with
> the redhat host, and then with the centos host, saving the logs to a
> separate file for each one.
>
> After analyzing the resulting (verbose) logs, I found out something very
> interesting: the redhat host does not make any subsequent bind attempts
> after the initial bind, while the centos host makes 3 binds.
>
> Basic overview of centos login (from ldap server logs):
>
> 1. bind anonymously to directory to obtain account information (enable
> to mount home directory, etc...)
> 2. bind anonymously to directory to attempt to get userPassword attr -
> this fails on ACL restraint
> 3. bind as DN of user to directory to get userPassword attr - this
> succeeds (if pw is correct)
>
> Redhat host only performs the first bind (according to ldap server
> logs), which leads me to believe that PAM is the culprit here and not
> passing the login request to pam_ldap, but leaving it at pam_unix...
> Very odd.
>
> Thanks,
> --
> Joshua M. Miller - RHCE,VCP
>
> Joshua M. Miller wrote:
>> Hi John,
>>
>> The issue here is that a RHEL 3.8 host is having trouble
>> authenticating and a CentOS 3.8 host with an identical configuration
>> is authenticating perfectly against the same LDAP server. Both hosts
>> have identical:
>>
>> /etc/ldap.conf
>> /etc/openldap/ldap.conf
>> /etc/pam.d/system-auth
>> /etc/nsswitch.conf
>>
>> It doesn't make any sense at all... I'm comparing packages right now
>> to make sure that they have all of the same packages installed.
>>
>> (I do have SSL/TLS enabled on the LDAP server as a requirement, I just
>> disabled it momentarily to make sure that wasn't the problem.)
>>
>> Thanks, your help is much appreciated!
>> --
>> Joshua M. Miller - RHCE,VCP
>>
>> John Haxby wrote:
>>> Joshua M. Miller wrote:
>>>> Turns out the problem is with the ACL on the ldap server. For some
>>>> reason RHEL 3.8 attempts to bind to the LDAP server to retrieve the
>>>> password anonymously unlike the other Linux distros that we use
>>>> configured the exact same way.
>>>>
>>>> Anyone know why this might be?
>>>>
>>> I don't know why, but I know that you can configure an authenticated
>>> bind in /etc/ldap.conf (I think that's the file that pam_ldap uses, I
>>> don't have it installed here to check, sorry).
>>>
>>> I don't think pam_ldap retrieves the password though, I think it
>>> searches for the user according to the filter specified in
>>> /etc/ldap.conf and then does an authenticated bind with the resulting
>>> DN. It then does an authenticated bind with the user's DN and if
>>> successful, you're in. (This is all from reading the code from
>>> memory, sorry.) pam_ldap also retrieves other information from the
>>> user's entry in the LDAP server and uses that to determine, for
>>> example, whether the account is locked in the account phase.
>>>
>>> Anyway, what's failing is the anonymous search and you can configure
>>> that in /etc/ldap.conf. You might also want to turn on TLS because
>>> at some stage chances are it's sending the user's password in
>>> cleartext across the net. TLS might be enabled by default or it
>>> might be up to /etc/openldap/ldap.conf to enable it.
>>>
>>> If that's not enough I can be more definitive when I'm on my normal
>>> work machine, sorry.
>>>
>>> jch
>>>
>>> --
>>> Taroon-list mailing list
>>> Taroon-list@(protected)
>>> https://www.redhat.com/mailman/listinfo/taroon-list
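As an added example (not part of the thread or of any Red Hat or CentOS package), here is a small Python script that automates the log comparison Joshua describes above: it walks slapd stats-level log lines, ties each connection to its client address, and flags hosts that only ever bind anonymously and never perform the authenticating bind as the user's DN. The log lines, addresses, connection ids and the `uid=jdoe` DN are constructed for the example, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed slapd stats-level log excerpt (not taken from the thread).
# 192.0.2.10 behaves like the CentOS host above: two anonymous binds, then a
# bind as the user's DN. 192.0.2.20 behaves like the RHEL host: anonymous only.
SAMPLE_LOG = """\
May  7 10:01:02 ldap slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:41234 (IP=0.0.0.0:389)
May  7 10:01:02 ldap slapd[1234]: conn=1001 op=0 BIND dn="" method=128
May  7 10:01:02 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
May  7 10:01:02 ldap slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.0.2.10:41235 (IP=0.0.0.0:389)
May  7 10:01:02 ldap slapd[1234]: conn=1002 op=0 BIND dn="" method=128
May  7 10:01:02 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
May  7 10:01:03 ldap slapd[1234]: conn=1003 fd=14 ACCEPT from IP=192.0.2.10:41236 (IP=0.0.0.0:389)
May  7 10:01:03 ldap slapd[1234]: conn=1003 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128
May  7 10:01:03 ldap slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
May  7 10:02:10 ldap slapd[1234]: conn=1004 fd=15 ACCEPT from IP=192.0.2.20:50001 (IP=0.0.0.0:389)
May  7 10:02:10 ldap slapd[1234]: conn=1004 op=0 BIND dn="" method=128
May  7 10:02:10 ldap slapd[1234]: conn=1004 op=0 RESULT tag=97 err=0 text=
"""

# ACCEPT lines tie a connection id to a client address; BIND lines carry the
# bind DN (empty for anonymous) and method (128 = simple bind).
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=\d+')

def bind_profile(log_text):
    """Return {client_ip: [bind DN or 'anonymous', ...]} in log order."""
    conn_ip = {}
    binds = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m and m.group(1) in conn_ip:
            binds[conn_ip[m.group(1)]].append(m.group(2) or "anonymous")
    return dict(binds)

def hosts_missing_user_bind(log_text):
    """Client IPs that bound anonymously but never as a user DN: the failing
    RHEL pattern above (account lookup happens, authenticating bind never does)."""
    return sorted(ip for ip, dns in bind_profile(log_text).items()
                  if all(dn == "anonymous" for dn in dns))

if __name__ == "__main__":
    for ip, dns in bind_profile(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(dns))
    print("never bound as a user DN:", hosts_missing_user_bind(SAMPLE_LOG))
```

Run it against a real slapd log (loglevel stats or higher) to see which hosts stop after the anonymous lookup; those are the ones where pam_ldap is never reaching the authenticating bind.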