nscd: nss_ldap: could not search LDAP server - Server is unavailable

[Santhosh]

Hi all,
I have been trying to integrate pam_ldap in my CentOS machine. I
installed the pam_ldap package through yum.
/lib64/security/pam_ldap.so is present.
I did necessary changes in the /etc/pam.d/login, sshd, passwd files
to first look into the shadow file then fallback to ldap. but Im able
to authenticate the users whose password in the shadow file. But when
I try to authenticate the user whose information stored in the ldap,
it is failing complaining that "pam_ldap: error trying to bind
(Invalid credentials)".
I have also tried the ldapsearch command line utility of the ldap
there the same Dn, user, password are working and successfully able to
connect the ldap server.
I have done necessary changes in the /etc/ldap.conf.
# this file must be world readable (0644)
BASE DC=my,DC=example,DC=com

# FQDN of the LDAP server
#HOST XXX.XXX.XXX.XXX

# encryption used for storing passwords
#pam_crypt

#ldap_version 3

# bindpw is only needed if you want to allow root to change entries on
# this host.
# it's also better to keep the password in /etc/ldap.secret (0600)
instead
#bindpw {crypt}4rKJLSLewr
#base DC=my,DC=example,DC=com
uri ldap://newldap.my.example.com
binddn CN=santhosh,OU=Service Accounts,OU=Enterprise
Services,DC=my,DC=example,DC=com
bindpw santhosh123
#{md5}ea7bb3f922e875d6efc3a3fbbbada590
port 389
timelimit 120
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
pam_password crypt
ssl no
scope LDAP_SCOPE_BASE
# this one is to allow root to change entries
# it will require bindpw or password in /etc/ldap.secret
#rootbinddn cn=root,dc=example,dc=com
#rootbinddn CN=santhosh,OU=Service Accounts,OU=Enterprise
Services,DC=my,DC=example,DC=com

# this for group access
nss_base_passwd DC=my,DC=example,DC=com
nss_base_shadow DC=my,DC=example,DC=com
nss_base_group OU=Service Accounts,OU=Enterprise
Services,DC=my,DC=example,dc=com
nss_reconnect_tries 60
pam_filter objectclass=posixAccount
pam_login_attribute uid

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# TBD: where to put this certificate anyway?


Any one has expertise on it ?. Appreciate if anyone can help.

Thanks,
Santhosh

[Bryan Smith]

Have you changed anything in the following: /etc/nsswitch.conf and your /etc/slapd/ldap.conf or /etc/ldap.conf

What do they look like?

You might not have the right uri and or basedn specified in your ldap.conf. If you're nsswitch is untouched the system isn't even asking for ldap lookups via pam, it's just going to files.

What is the result of running :

getent username

Use a username that is both in ldap and in files(/etc/passwd) and one that isn't. You should get s double response on the user in both files and ldap and a single on the one that's just in ldap. If you get nothing from the later then you're issue is with nss.

--
You received this message because you are subscribed to the Linux Users Group.
To post a message, send email to linuxus...@googlegroups.com
To unsubscribe, send email to linuxusersgro...@googlegroups.com
For more options, visit our group at http://groups.google.com/group/linuxusersgroup
Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules or http://cdn.fsdev.net/List-Rules.pdf)

--
A healthy diet  includes Linux, Linux, and more Linux.

[Santhosh G Nayak]

My configuration is such that  I'm able to execute command "id" and get uid and gid information of the user in the ldap. But when I try to do an authentication its failing saying that,
"python: pam_ldap: error trying to bind (Invalid credentials). "
I'm basically using python client to authenticate against the pam.
I have set the ,
ssl no
in the /etc/ldap.conf.
and
bindpw <unencrypted password>

And also I'm able do ldapsearch from the same machine.

Thanks,
Santhosh

References can be found at: http://goo.gl/anqri

[Bryan Smith]

Santhosh,

What python client are you trying to use? Are you sure the users aren't in files too? You didn't post your /etc/ldap.conf and that is THE pam_ldap config, so if your credentials are correct then either the client is using a bad uri or the ldap.conf improperly configured. You should enable debug in the ldap.conf and see what pam is having issues with.  The next hing for you to do is start slapd in debug mode from the command line and see exactly what information is being queried by the python client. How do you even know it's reaching the server in the first place?

Just because you can run ldapsearch and get gecos information doesn't mean that you can bind with credentials successfully. Do you allow anonymous binds? You can get this information anonymously depending on how your configuration is setup. 

Most issues are from using the wrong base dn.

[Santhosh G Nayak]

Hi,

    I'm using PyPAM python client to connect to pam.  Yes the users are not in unix shadow file.

And also when I execute the, 

$getent passwd  command

I could see the all users ( user from the /etc/passwd + users from the ldap)

I tried with ldap.conf debug 31. 

There could see the error code 49. when trying to authenticate.

Im not using ssl,  "ssl" in ldap.conf is marked as "no".

I'm still not able to understand why the client is not binding to the ldap server for authentication..

it still says, 

"python: pam_ldap: error trying to bind (Invalid credentials)" in /var/log/messages.

Thank,

Santhosh

[Bryan Smith]

Santhosh buddy,

You need to start slapd in debug mode also and see what dn is being queried with the credentials...you'll see it all in plaintext. You should also try to import an ldif or do an ldapmodify from the command line using the same dn and credentials. If those fail it could be one of 4 things:

1. you're using the wrong cn=admin/manager 

2. your credentials are incorrect

3. the acl does provide you with the correct rights.

4. you still have the wrong dn which is a part of issue 1.

Beyond you sharing your configs I cant help you any more, I hope you get it figured out,

Bryan

[Santhosh G Nayak]

Hi,

    The issue is resolved now. There was configuration problem in /etc/sssd/sssd.conf. Thanks for the help.

I have another problem. I'm using pam_mysql for authenticating against the user credentials in mysql database.

For that we use database credentials in /etc/pam.d/* files, like,

auth     sufficient    pam_mysql.so   host=<hostname> user=root passwd=root123 db=<dbname> table=users passwdcolumn=password usercolumn=username   crypt=3  use_first_pass

But these /etc/pam.d/* files are world readable. So any non root users can see the credentials and hack into the our database.(security issue).

Is there any way to integrate this pam_mysql authentication with sssd so that we don't have provide the ,

auth     sufficient    pam_mysql.so   host=<hostname> user=root passwd=root123 db=<dbname> table=users passwdcolumn=password usercolumn=username   crypt=3  use_first_pass

 

line in the /etc/pam.d/* files.?

I'm Using:- Centos 5.3

Is there any way to handle it like way in ldap.

Like the way we specify ldap info in the /etc/sssd/sssd.conf.

so that we no need to add the following line,

auth    sufficient   pam_ldap.so   use_first_pass

in the /etc/pam.d/* files.

The configuration is taken from sssd.conf itself.

Thanks & Regards,

Santhosh

[Kevin Zhang]

Hi,Santhosh 

How did you resolved this issue?  what's wrong with /etc/sssd/sssd.conf.

I also met a same error msg as you, and I'm looking the way to resolve it.

Thanks.