Jo Rhett
2010-06-04 22:50:26 UTC
I'm seeing a problem where I can authenticate as a user using the ldap tools (ie ldapsearch) but I am unable to login using PAM.
Comparing debug on the server shows that ldapsearch is doing a new BIND, where's PAM is not:
Jun 4 14:58:52 ldap-server slapd[5158]: => dn: [1]
Jun 4 14:58:52 ldap-server slapd[5158]: => acl_get: [2] attr userPassword
Jun 4 14:58:52 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun 4 14:58:52 ldap-server slapd[5158]: => acl_mask: access to entry "uid=jrhett,ou=Users,dc=equinix,dc=com", attr "userPassword" requested
Jun 4 14:58:52 ldap-server slapd[5158]: => acl_mask: to value by "", (=0)
Jun 4 14:58:52 ldap-server slapd[5158]: <= check a_dn_pat: anonymous
Jun 4 14:58:52 ldap-server slapd[5158]: <= acl_mask: [1] applying auth(=xd) (stop)
Jun 4 14:58:52 ldap-server slapd[5158]: <= acl_mask: [1] mask: auth(=xd)
Jun 4 14:58:52 ldap-server slapd[5158]: => access_allowed: auth access granted by auth(=xd)
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_result: conn=75 op=2 p=3
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_result: err=49 matched="" text=""
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_response: msgid=3 tag=97 err=49
Jun 4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 RESULT tag=97 err=49 text=
Now ldapsearch has identical debug output down until just below the access_allowed line.
Jun 4 15:02:54 ldap-server slapd[5158]: => acl_get: [2] attr userPassword
Jun 4 15:02:54 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun 4 15:02:54 ldap-server slapd[5158]: => acl_mask: access to entry "uid=jrhett,ou=Users,dc=equinix,dc=com", attr "userPassword" requested
Jun 4 15:02:54 ldap-server slapd[5158]: => acl_mask: to value by "", (=0)
Jun 4 15:02:54 ldap-server slapd[5158]: <= check a_dn_pat: anonymous
Jun 4 15:02:54 ldap-server slapd[5158]: <= acl_mask: [1] applying auth(=xd) (stop)
Jun 4 15:02:54 ldap-server slapd[5158]: <= acl_mask: [1] mask: auth(=xd)
Jun 4 15:02:54 ldap-server slapd[5158]: => access_allowed: auth access granted by auth(=xd)
Jun 4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn="uid=jrhett,ou=Users,dc=equinix,dc=com" mech=SIMPLE ssf=0
Jun 4 15:02:54 ldap-server slapd[5158]: do_bind: v3 bind: "uid=jrhett,ou=Users,dc=equinix,dc=com" to "uid=jrhett,ou=Users,dc=equinix,dc=com"
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_result: conn=83 op=0 p=3
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_result: err=0 matched="" text=""
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_response: msgid=1 tag=97 err=0
Jun 4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 RESULT tag=97 err=0 text=
Jun 4 15:02:54 ldap-server slapd[5158]: daemon: activity on 1 descriptor
Jun 4 15:02:54 ldap-server slapd[5158]: daemon: activity on:
Can someone give me a clue what's going wrong here?
The key to this problem is that I'm trying to avoid putting system logins, rootbinddns on each server, and just do anonymous bind's for authentication. No configuration file on this client has a valid Manager or any other authentication password, and I'm trying to keep it that way. In theory, this should work ;-) I mean, ldapsearch works fine ...
Comparing debug on the server shows that ldapsearch is doing a new BIND, where's PAM is not:
Jun 4 14:58:52 ldap-server slapd[5158]: => dn: [1]
Jun 4 14:58:52 ldap-server slapd[5158]: => acl_get: [2] attr userPassword
Jun 4 14:58:52 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun 4 14:58:52 ldap-server slapd[5158]: => acl_mask: access to entry "uid=jrhett,ou=Users,dc=equinix,dc=com", attr "userPassword" requested
Jun 4 14:58:52 ldap-server slapd[5158]: => acl_mask: to value by "", (=0)
Jun 4 14:58:52 ldap-server slapd[5158]: <= check a_dn_pat: anonymous
Jun 4 14:58:52 ldap-server slapd[5158]: <= acl_mask: [1] applying auth(=xd) (stop)
Jun 4 14:58:52 ldap-server slapd[5158]: <= acl_mask: [1] mask: auth(=xd)
Jun 4 14:58:52 ldap-server slapd[5158]: => access_allowed: auth access granted by auth(=xd)
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_result: conn=75 op=2 p=3
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_result: err=49 matched="" text=""
Jun 4 14:58:52 ldap-server slapd[5158]: send_ldap_response: msgid=3 tag=97 err=49
Jun 4 14:58:52 ldap-server slapd[5158]: conn=75 op=2 RESULT tag=97 err=49 text=
Now ldapsearch has identical debug output down until just below the access_allowed line.
Jun 4 15:02:54 ldap-server slapd[5158]: => acl_get: [2] attr userPassword
Jun 4 15:02:54 ldap-server slapd[5158]: access_allowed: no res from state (userPassword)
Jun 4 15:02:54 ldap-server slapd[5158]: => acl_mask: access to entry "uid=jrhett,ou=Users,dc=equinix,dc=com", attr "userPassword" requested
Jun 4 15:02:54 ldap-server slapd[5158]: => acl_mask: to value by "", (=0)
Jun 4 15:02:54 ldap-server slapd[5158]: <= check a_dn_pat: anonymous
Jun 4 15:02:54 ldap-server slapd[5158]: <= acl_mask: [1] applying auth(=xd) (stop)
Jun 4 15:02:54 ldap-server slapd[5158]: <= acl_mask: [1] mask: auth(=xd)
Jun 4 15:02:54 ldap-server slapd[5158]: => access_allowed: auth access granted by auth(=xd)
Jun 4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 BIND dn="uid=jrhett,ou=Users,dc=equinix,dc=com" mech=SIMPLE ssf=0
Jun 4 15:02:54 ldap-server slapd[5158]: do_bind: v3 bind: "uid=jrhett,ou=Users,dc=equinix,dc=com" to "uid=jrhett,ou=Users,dc=equinix,dc=com"
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_result: conn=83 op=0 p=3
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_result: err=0 matched="" text=""
Jun 4 15:02:54 ldap-server slapd[5158]: send_ldap_response: msgid=1 tag=97 err=0
Jun 4 15:02:54 ldap-server slapd[5158]: conn=83 op=0 RESULT tag=97 err=0 text=
Jun 4 15:02:54 ldap-server slapd[5158]: daemon: activity on 1 descriptor
Jun 4 15:02:54 ldap-server slapd[5158]: daemon: activity on:
Can someone give me a clue what's going wrong here?
The key to this problem is that I'm trying to avoid putting system logins, rootbinddns on each server, and just do anonymous bind's for authentication. No configuration file on this client has a valid Manager or any other authentication password, and I'm trying to keep it that way. In theory, this should work ;-) I mean, ldapsearch works fine ...
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness