Folks, I'm attempting to set up LDAP authentication against my OpenDS server on a Gentoo box. I've been struggling with this for several days now with no progress.
Here's the rundown of how things are configured (fairly straightforward):

- OpenDS server has the following entry (gathered directly from ldapsearch output), below. Note that clearly the LDAP server is properly configured if it's responding to an ldapsearch on the client with no problems.

    ldap ~ # ldapsearch -H ldap://auth.whatever.com "objectclass=posixAccount"
    dn: cn=tb,ou=it,dc=whatever,dc=com
    uid: tb
    initials: tb
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: posixAccount
    objectClass: top
    givenName: Thomas
    cn: tb
    sn: Bellview
    telephoneNumber: 333.555.3333
    homeDirectory: /home/tb
    uidNumber: 10001
    mail: t...@whatever.com
    gidNumber: 10001

- /etc/ldap.conf

    base ou=it,dc=whatever,dc=com
    uri ldaps://auth.whatever.com
    ldap_version 3
    tls_reqcert allow
    pam_password exop
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    pam_member_attribute memberUid
    nss_base_passwd ou=it,dc=whatever,dc=com
    nss_base_shadow ou=it,dc=whatever,dc=com
    nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,www-data
    timelimit 5
    bind_timelimit 5

- Likewise, /etc/openldap/ldap.conf

    BASE ou=it,dc=whatever,dc=com
    URI ldaps://auth.whatever.com
    TLS_REQCERT allow
    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never

Simple problem: authentication fails.

On the CLIENT I see the following in the log files:

    ==> auth.log <==
    Nov 3 06:26:03 s_dg...@client.whatever.com sshd[2650]: error: PAM: Authentication failure for tb from blah.whatever.com

On the SERVER I see the following:

    [03/Nov/2010:06:27:05 -0400] CONNECT conn=314 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
    [03/Nov/2010:06:27:05 -0400] BIND REQ conn=314 op=0 msgID=1 type=SIMPLE dn=""
    [03/Nov/2010:06:27:05 -0400] BIND RES conn=314 op=0 msgID=1 result=0 authDN="" etime=0
    [03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
    [03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=1 msgID=2 result=0 nentries=1 etime=1
    [03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=2 msgID=3 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass"
    [03/Nov/2010:06:27:05 -0400] SEARCH RES conn=314 op=2 msgID=3 result=0 nentries=1 etime=1
    [03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
    [03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE dn=""
    [03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0 authDN="" etime=0
    [03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
    [03/Nov/2010:06:27:05 -0400] SEARCH RES conn=315 op=1 msgID=2 result=0 nentries=1 etime=0
    [03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE dn=""
    [03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0 authDN="" etime=0
    [03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
    [03/Nov/2010:06:27:07 -0400] DISCONNECT conn=314 reason="Client Disconnect"
    [03/Nov/2010:06:27:07 -0400] DISCONNECT conn=309 reason="Client Disconnect"

Looks fine, right? Well not really. If I run an ldapsearch *exactly* as it appears in the SERVER's log, it returns the user.

    ldap ~ # ldapsearch -H ldap://auth.whatever.com -b "ou=it,dc=whatever,dc=com" "(&(objectclass=posixAccount)(uid=tb))"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=it,dc=whatever,dc=com> with scope subtree
    # filter: (&(objectclass=posixAccount)(uid=tb))
    # requesting: ALL
    #

    # tb, it, whatever.com
    dn: cn=tb,ou=it,dc=whatever,dc=com
    uid: tb
    initials: tb
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: posixAccount
    objectClass: top
    givenName: Thomas
    cn: tb
    sn: Bellview
    telephoneNumber: 333.555.3333
    homeDirectory: /home/tb
    uidNumber: 10001
    mail: t...@whatever.com
    gidNumber: 10001

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

This has me pulling my hair out. Clearly the manual ldapsearch works. The only thing I can think of is the "scope=wholeSubtree" or the "attrs=ALL" breaking the query; clearly the applied filters work without any issues. Thoughts / ideas would be greatly appreciated.

-james
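An added example, not part of james's post: a small Python script that walks OpenDS access-log lines of the kind quoted above, groups them per connection, and reports the two things a reviewer would check first in a failing pam_ldap login: whether the connection came in as plain LDAP on 389 or as LDAPS, and whether any BIND on it carried a user DN rather than dn="" (a simple bind with an empty DN is treated as anonymous, which is what the matching authDN="" in the BIND RES lines records). The conn=314 and conn=315 lines are taken from the post (trimmed); conn=316 and conn=317 are constructed to show what a bind as cn=tb,ou=it,dc=whatever,dc=com over LDAPS looks like when it succeeds and when the directory rejects it with result 49 (invalidCredentials). The protocol=LDAPS label and the exact shape of a failed BIND RES line are assumptions about OpenDS's log format, not copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample input. conn=314/315 are trimmed from the post; conn=316/317
# are hypothetical, written in the same format (LDAPS label and the failed-bind
# line are assumed, not taken from real OpenDS output).
SAMPLE_LOG = """\
[03/Nov/2010:06:27:05 -0400] CONNECT conn=314 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=314 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=314 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=314 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="uid,userPassword,uidNumber"
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=314 reason="Client Disconnect"
[03/Nov/2010:06:27:05 -0400] CONNECT conn=315 from=10.1.1.166:44879 to=10.1.1.115:389 protocol=LDAP
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:27:05 -0400] SEARCH REQ conn=315 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectclass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:27:05 -0400] BIND REQ conn=315 op=2 msgID=3 type=SIMPLE dn=""
[03/Nov/2010:06:27:05 -0400] BIND RES conn=315 op=2 msgID=3 result=0 authDN="" etime=0
[03/Nov/2010:06:27:07 -0400] DISCONNECT conn=315 reason="Client Disconnect"
[03/Nov/2010:06:40:00 -0400] CONNECT conn=316 from=10.1.1.166:44901 to=10.1.1.115:636 protocol=LDAPS
[03/Nov/2010:06:40:00 -0400] BIND REQ conn=316 op=0 msgID=1 type=SIMPLE dn=""
[03/Nov/2010:06:40:00 -0400] BIND RES conn=316 op=0 msgID=1 result=0 authDN="" etime=0
[03/Nov/2010:06:40:00 -0400] SEARCH REQ conn=316 op=1 msgID=2 base="ou=it,dc=whatever,dc=com" scope=wholeSubtree filter="(&(objectClass=posixAccount)(uid=tb))" attrs="ALL"
[03/Nov/2010:06:40:00 -0400] BIND REQ conn=316 op=2 msgID=3 type=SIMPLE dn="cn=tb,ou=it,dc=whatever,dc=com"
[03/Nov/2010:06:40:00 -0400] BIND RES conn=316 op=2 msgID=3 result=0 authDN="cn=tb,ou=it,dc=whatever,dc=com" etime=2
[03/Nov/2010:06:40:01 -0400] DISCONNECT conn=316 reason="Client Disconnect"
[03/Nov/2010:06:41:00 -0400] CONNECT conn=317 from=10.1.1.166:44902 to=10.1.1.115:636 protocol=LDAPS
[03/Nov/2010:06:41:00 -0400] BIND REQ conn=317 op=0 msgID=1 type=SIMPLE dn="cn=tb,ou=it,dc=whatever,dc=com"
[03/Nov/2010:06:41:00 -0400] BIND RES conn=317 op=0 msgID=1 result=49 etime=1
[03/Nov/2010:06:41:00 -0400] DISCONNECT conn=317 reason="Client Disconnect"
"""

# "[timestamp] OPERATION conn=N rest..." ; the rest is key=value pairs where
# values are either double-quoted (may contain '=' and spaces) or bare tokens.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+'
    r'(?P<op>CONNECT|BIND REQ|BIND RES|SEARCH REQ|SEARCH RES|DISCONNECT)\s+'
    r'conn=(?P<conn>\d+)\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse(log_text):
    """Group access-log lines by connection id; keep transport and every bind."""
    conns = defaultdict(lambda: {"protocol": None, "port": None, "binds": [], "filters": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not one of the operations above
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        c = conns[int(m.group("conn"))]
        op = m.group("op")
        if op == "CONNECT":
            c["protocol"] = kv.get("protocol")
            c["port"] = int(kv["to"].rsplit(":", 1)[1])
        elif op == "BIND REQ":
            c["binds"].append({"op": int(kv["op"]), "dn": kv.get("dn", ""),
                               "result": None, "authDN": None})
        elif op == "BIND RES":
            for b in c["binds"]:  # pair the response with its request by op number
                if b["op"] == int(kv["op"]):
                    b["result"] = int(kv["result"])
                    b["authDN"] = kv.get("authDN")
        elif op == "SEARCH REQ":
            c["filters"].append(kv.get("filter"))
    return dict(conns)


def audit(conns):
    """Return {conn_id: [(code, detail), ...]}; an empty list means nothing to flag."""
    findings = {}
    for cid, c in sorted(conns.items()):
        issues = []
        if c["protocol"] != "LDAPS":
            issues.append(("PLAINTEXT", f"{c['protocol']} to port {c['port']}: any bind "
                                        "password on this connection crosses the network in the clear"))
        if c["binds"] and all(b["dn"] == "" for b in c["binds"]):
            issues.append(("ANONYMOUS_ONLY", f"{len(c['binds'])} bind(s), all with dn=\"\" "
                                             "(anonymous): the client never bound as a user DN"))
        for b in c["binds"]:
            if b["dn"] and b["result"] == 49:  # 49 = invalidCredentials
                issues.append(("INVALID_CREDENTIALS", f"bind as {b['dn']} rejected with result=49"))
        findings[cid] = issues
    return findings


if __name__ == "__main__":
    for cid, issues in audit(parse(SAMPLE_LOG)).items():
        print(f"conn={cid}: {'OK' if not issues else ''}")
        for code, detail in issues:
            print(f"  [{code}] {detail}")
```

Run against the post's own lines, both conn=314 and conn=315 come out flagged PLAINTEXT and ANONYMOUS_ONLY: the connections arrive on port 389 as protocol=LDAP although both client configs point at ldaps://, and every BIND REQ carries dn="", with the server's authDN="" confirming it granted nothing more than anonymous access. A successful pam_ldap login would instead show a second BIND on the connection with the user's DN from the preceding search result, as the constructed conn=316 illustrates; a wrong password would show that same DN with result=49, as in conn=317.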