I have a problem using my OpenLDAP 2.4 server for authentication on a Fedora 14 host: it sounds like the problem is in the client-side configuration.

Here are some logs; your help to diagnose this would be appreciated.

-> I have an LDAP server that stores posixAccount entries and responds to LDAP queries.
-> I have configured a client machine to use this LDAP server for authentication at login.

***** LOGS *****

**** CLIENT side ****

login: olivier
Password:
Login incorrect

**** SERVER when logging in on the client ****

Here is what I see on the server side (IP=10.1.92.24) when I try to log in as "olivier" on the client (10.1.86.93) using /bin/login (debug level 256):

conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=

*** CLIENT when using ldappasswd *****

I manage to change the "userPassword" attribute using the ldappasswd command; here are the logs on the client and server side:

Client side:

$ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=

$ ldappasswd -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -s newpass

$ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
uid: olivier
...
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=

*** SERVER side when using ldappasswd *****

Server side, here are the logs related to ldappasswd:

conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128
conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new
conn=1000 op=1 RESULT oid= err=0 text=
conn=1000 op=2 UNBIND
conn=1000 fd=11 closed

Thanks for your help,

----
Olivier

On Tue, Jul 12, 2011 at 7:59 PM, Olivier Guillard <oliv...@guillard.nom.fr> wrote:
> Hello
>
> Here is the result of an ldapsearch on a client host:
>
> $ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier"
>
> dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
> uid: olivier
> loginShell: /bin/tcsh
> cn: Olivier
> uidNumber: 1130
> gidNumber: 18104
> homeDirectory: /home/olivier
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s=
>
> I have the same output with this:
>
> $ ldapsearch -h ldap-master1.mydomain.fr -D "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -w pass-olivier "uid=olivier"
>
> Although if I omit the -w I get this:
>
> ldap_bind: Server is unwilling to perform (53)
> additional info: unauthenticated bind (DN with no password) disallowed
>
> --->> the OpenLDAP server responds.
>
> ================
>
> On the client side (Fedora 14), I have followed the documentation to set up LDAP authentication at login:
>
> /etc/nsswitch.conf, /etc/ldap.conf, /etc/nss_ldap.conf, /etc/pam_ldap.conf, /etc/openldap/ldap.conf and /etc/pam.d/
>
> are configured for the system to query the ldap-master.mydomain.fr server for authentication:
>
> in the ldap.conf files I have:
>
> uri ldap://ldap-master1.mydomain.fr and
> "rootbinddn cn=Manager,dc=mydomain,dc=fr"
>
> in nsswitch.conf:
> passwd: ldap
> shadow: ldap
>
> and in pam.d/password-auth, pam.d/system-auth and pam.d/system-auth-ac I have the lines:
>
> auth sufficient pam_ldap.so use_first_pass
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> password sufficient pam_ldap.so use_authtok
> session optional pam_ldap.so
>
> I use no particular security mechanism at this stage (no TLS, simple auth, etc.).
>
> ====
>
> WITH ALL THIS, here is what I get in the logs when I try to log in as "olivier" on the client machine:
>
> Jul 12 19:32:20 fouine login: nss_ldap: failed to bind to LDAP server ldap://ldap-master1.mydomain.fr: Can't contact LDAP server
> Jul 12 19:32:20 fouine login: nss_ldap: could not search LDAP server - Server is unavailable
>
> Of course, I can't log in.
>
> Any help??? I'm getting mad...
>
> (Maybe you could suggest which debug level I should use on the server to try to track what's going on.)
>
> Thanks,
>
> ---
> Olivier
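As an added diagnostic example (my own script, not part of the thread above), here is a small Python program that parses slapd log lines of the form shown in the message and checks each SRCH operation against the DN that the administrative ldapsearch returned: whether the search base is actually an ancestor of that DN, whether the server answered err=32 (noSuchObject, i.e. the base itself does not exist), and whether the lookup ran over an anonymous bind (dn=""). The log lines and the entry DN are copied from the message; the function names and the finding codes are my own.

```python
import re

# Sample slapd log lines, constructed to match the login attempt shown in the
# message above (conn=1220). Embedded here so the script runs offline.
SLAPD_LOG = """\
conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389)
conn=1220 op=0 BIND dn="" method=128
conn=1220 op=0 RESULT tag=97 err=0 text=
conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)"
conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# DN of the user entry as returned by the administrative ldapsearch in the message.
ENTRY_DN = "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr"

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def split_rdns(dn):
    """Split a DN on unescaped commas, keeping the original spelling of each RDN."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]


def normalize_rdns(dn):
    """Comparison form of the RDN list: lower-cased, since attribute types and
    the DN values used here are case-insensitive in the default schema."""
    return [r.lower() for r in split_rdns(dn)]


def dn_under_base(dn, base):
    """True if dn equals base or sits below it: the base's RDNs must match the
    tail of the entry's RDNs, in the same order."""
    d, b = normalize_rdns(dn), normalize_rdns(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def parent_dn(dn):
    """The DN one level up, i.e. the narrowest search base that still contains dn."""
    return ",".join(split_rdns(dn)[1:])


def parse_searches(log):
    """Return one record per SRCH operation, joined with its SEARCH RESULT line
    and with the DN most recently bound on the same connection."""
    bound = {}       # conn -> most recent bind DN ("" for anonymous)
    searches = {}    # (conn, op) -> record
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            bound[m.group(1)] = m.group(3)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            searches[(conn, op)] = {"conn": conn, "op": op, "base": base,
                                    "scope": int(scope), "filter": filt,
                                    "bind_dn": bound.get(conn),
                                    "err": None, "nentries": None}
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in searches:
            rec = searches[(m.group(1), m.group(2))]
            rec["err"], rec["nentries"] = int(m.group(3)), int(m.group(4))
    return list(searches.values())


def diagnose(log, entry_dn):
    """Return (code, message) findings for every search that could not have returned entry_dn."""
    findings = []
    for s in parse_searches(log):
        tag = "conn=%s op=%s" % (s["conn"], s["op"])
        if s["err"] == 32:
            findings.append(("NO_SUCH_OBJECT",
                             "%s: err=32 (noSuchObject): the base %r does not exist on the server"
                             % (tag, s["base"])))
        if not dn_under_base(entry_dn, s["base"]):
            findings.append(("BASE_MISMATCH",
                             "%s: %s is not under base %s; the narrowest base that contains it is %s"
                             % (tag, entry_dn, s["base"], parent_dn(entry_dn))))
        if s["bind_dn"] == "":
            findings.append(("ANON_BIND",
                             "%s: search ran over an anonymous bind, so the server ACLs must let "
                             "anonymous read the entry and the posixAccount/shadow attributes" % tag))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(SLAPD_LOG, ENTRY_DN):
        print(code, "-", msg)
```

Run it against a larger slapd log (loglevel 256 is enough, as in the message) by reading the file into `diagnose()` in place of the embedded sample; the `BASE_MISMATCH` check is the one that ties the client's `base` setting in ldap.conf/nss_ldap.conf to the DN layout the server actually holds, and the `ANON_BIND` check explains why a `rootbinddn` that is never used for the search still leaves the lookup dependent on anonymous read ACLs.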