OpenLDAP authentication
Todd O'Bryan
toddobryan at gmail.com
Thu Oct 29 12:46:27 GMT 2009
Hey all,
I'm trying to set up LDAP authentication and I think I'm almost there.
Here's what I get querying for testuser
sysadmin@server3:~$ ldapsearch -x uid=testuser
# extended LDIF
#
# LDAPv3
# base <dc=dupontmanual,dc=org> (default) with scope subtree
# filter: uid=testuser
# requesting: ALL
#
# testuser, Users, dupontmanual.org
dn: uid=testuser,ou=Users,dc=dupontmanual,dc=org
objectClass: account
objectClass: posixAccount
cn: testuser
uid: testuser
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/testuser
loginShell: /bin/sh
gecos: testuser
description: User account
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
As you can see, the user's password hash isn't visible. If I bind as
the ldap admin, I can see it:
sysadmin@server3:~$ ldapsearch -x -D cn=admin,dc=dupontmanual,dc=org -W uid=testuser
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=dupontmanual,dc=org> (default) with scope subtree
# filter: uid=testuser
# requesting: ALL
#
# testuser, Users, dupontmanual.org
dn: uid=testuser,ou=Users,dc=dupontmanual,dc=org
objectClass: account
objectClass: posixAccount
cn: testuser
uid: testuser
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/testuser
loginShell: /bin/sh
gecos: testuser
description: User account
userPassword:: e1NTSEF9K1I4UmowRkRvVjFreXE5cDlLM1R3aTdtVEpPOWlodFk=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I've set up ldap-auth-config and libpam-ldap correctly, I think, so
that it queries the LDAP server when I ask for a user (it takes long
enough that I think it's contacting the server), but it can't find the
user.
sysadmin@server3:~$ id testuser
id: testuser: No such user
I suspect my ACLs are wrong, but I think anonymous users should be
able to authenticate users. Here's the ACL stuff:
sysadmin@server3:~$ ldapsearch -x -D cn=admin,cn=config -W -b cn=config olcDatabase={1}hdb olcAccess
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={1}hdb
# requesting: olcAccess
#
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=dupontmanual,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=dupontmanual,dc=org" write by * read
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Can anyone see what's going wrong? Or does anyone know what command
PAM is running to try to id/auth the user so that I could run that
command myself and see what's going wrong?
Todd
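Editor's note, added to this thread as a worked example (it is not code from the post, from OpenLDAP, or from Ubuntu's ldap-auth packages): a small Python model of how slapd evaluates the three olcAccess values quoted above, replaying the operations the post shows. The `cn=admin` and `uid=testuser` DNs and the ACL strings are taken from the post; everything else (function names, the simplifications listed in the docstring, the set of operations replayed) is this example's own. Two things it makes concrete: a simple bind is evaluated while the connection is still anonymous, so `by anonymous auth` is exactly what lets slapd check a password without anyone reading the hash; and anonymous already has `read` on the posixAccount attributes, which is also why the unauthenticated ldapsearch in the post succeeds. That last point matters for the `id` failure: `id` resolves the name through NSS (getpwnam, i.e. libnss-ldap and /etc/nsswitch.conf), not through PAM, so the ACLs are not what is blocking it.

```python
"""Miniature model of how slapd evaluates the olcAccess values in the post.

Added example: not code from the post or from OpenLDAP. It models only the
slapd.access(5) subset those three ACLs use: the first `to` clause matching
the target is selected, within it the first matching `by` clause fixes the
access level, and an operation succeeds when that level is at least the one
it needs. Assumed simplifications: exact-DN matching only (no regex/subtree
styles, no sets), no stop/continue/break controls, rootdn bypass ignored.
"""
import shlex

# Privilege order from slapd.access(5); a higher level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# The olcAccess values quoted in the post, with the folded line rejoined.
POSTED_ACLS = [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=dupontmanual,dc=org" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn="cn=admin,dc=dupontmanual,dc=org" write by * read',
]
ADMIN = "cn=admin,dc=dupontmanual,dc=org"
USER = "uid=testuser,ou=Users,dc=dupontmanual,dc=org"


def parse_acl(text):
    """One olcAccess value -> {'what': {'dn', 'attrs'}, 'by': [(who, level), ...]}."""
    tokens = shlex.split(text)               # also strips the quotes around DNs
    if tokens[0].startswith("{"):            # drop the {n} ordering prefix
        tokens[0] = tokens[0].split("}", 1)[1]
    if tokens[0] != "to":
        raise ValueError("ACL must start with 'to': " + text)
    what = {"dn": None, "attrs": None}
    i = 1
    while i < len(tokens) and tokens[i] != "by":
        tok = tokens[i]
        if tok == "*":
            pass                             # any entry, any attribute
        elif tok.startswith("attrs="):
            what["attrs"] = {a.lower() for a in tok[len("attrs="):].split(",")}
        elif tok.startswith(("dn=", "dn.base=", "dn.exact=")):
            what["dn"] = tok.split("=", 1)[1].lower()
        else:
            raise ValueError("unsupported <what> token: " + tok)
        i += 1
    by = []
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError("malformed <by> clause in: " + text)
        who, level = tokens[i + 1], tokens[i + 2]
        if level not in RANK:
            raise ValueError("unsupported access level: " + level)
        by.append((who, level))
        i += 3
    return {"what": what, "by": by}


def what_matches(what, entry_dn, attr):
    if what["dn"] is not None and what["dn"] != entry_dn.lower():
        return False
    if what["attrs"] is not None:            # attrs= governs only those attributes
        return attr is not None and attr.lower() in what["attrs"]
    return True


def who_matches(who, requester_dn, entry_dn):
    """requester_dn None = anonymous (also the state while a simple bind runs)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    if who.startswith(("dn=", "dn.exact=")):
        return requester_dn is not None and requester_dn.lower() == who.split("=", 1)[1].lower()
    raise ValueError("unsupported <who>: " + who)


def granted_level(acls, requester_dn, entry_dn, attr=None):
    """Level the first matching to/by pair grants; 'none' when nothing matches."""
    for acl in acls:
        if not what_matches(acl["what"], entry_dn, attr):
            continue
        for who, level in acl["by"]:
            if who_matches(who, requester_dn, entry_dn):
                return level
        return "none"                        # implicit trailing `by * none`
    return "none"


def allowed(acls, requester_dn, entry_dn, attr, needed):
    return RANK[granted_level(acls, requester_dn, entry_dn, attr)] >= RANK[needed]


def post_observations(raw_acls=POSTED_ACLS):
    """Replay the operations visible in the post against the ACLs (constructed set)."""
    acls = [parse_acl(a) for a in raw_acls]
    return {
        # `ldapsearch -x uid=testuser`: the filter needs search on uid, each returned
        # attribute needs read; userPassword stops at auth, so it is silently omitted
        "anon_filter_on_uid": allowed(acls, None, USER, "uid", "search"),
        "anon_reads_uidNumber": allowed(acls, None, USER, "uidNumber", "read"),
        "anon_reads_userPassword": allowed(acls, None, USER, "userPassword", "read"),
        # a simple bind is checked while still anonymous: `by anonymous auth` suffices
        "anon_binds_as_testuser": allowed(acls, None, USER, "userPassword", "auth"),
        # bound as cn=admin the hash is readable (write implies read), as in the post
        "admin_reads_userPassword": allowed(acls, ADMIN, USER, "userPassword", "read"),
        # `by self write` lets the user change their own password, nobody else's
        "self_writes_userPassword": allowed(acls, USER, USER, "userPassword", "write"),
        "anon_writes_loginShell": allowed(acls, None, USER, "loginShell", "write"),
    }


if __name__ == "__main__":
    for op, ok in post_observations().items():
        print("%-26s %s" % (op, "allowed" if ok else "denied"))
```

Running it prints one line per replayed operation; the three "anon_reads_*" rows reproduce the two ldapsearch results above (userPassword denied anonymously, everything else readable), and "anon_binds_as_testuser" shows that a PAM-style bind as the user is permitted even though the hash is hidden.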
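A second added example (again not code from the post or from OpenLDAP) on the `userPassword::` line returned by the admin bind. The double colon is LDIF's marker for a base64-encoded value; decoding the posted line gives an {SSHA} hash, i.e. base64 of a 20-byte SHA-1 digest followed by a 4-byte salt. The plaintext behind it is not on the page, so the verification step, which is what slapd does on a simple bind and why `auth` access is all a bind needs, is shown with a constructed password and salt. Caveat for anyone copying the admin-bound output into tickets or mail: a 4-byte-salted SHA-1 is cheap to brute-force offline, so a readable userPassword is nearly as sensitive as the password itself.

```python
"""LDIF base64 values and the {SSHA} check behind a simple bind.

Added example: not code from the post or from OpenLDAP. The userPassword line
is copied from the post; the password and salt used for verification are
constructed here, since the real plaintext is unknown.
"""
import base64
import hashlib
import hmac
import os

# Copied from the ldapsearch output in the post (bound as cn=admin).
POSTED_LINE = "userPassword:: e1NTSEF9K1I4UmowRkRvVjFreXE5cDlLM1R3aTdtVEpPOWlodFk="


def ldif_value(line):
    """Split one LDIF attribute line into (name, raw bytes), decoding `::` values."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):                 # "attr:: <base64>"
        return name.strip(), base64.b64decode(rest[1:].strip())
    return name.strip(), rest.strip().encode()


def ssha_split(stored):
    """Return (digest, salt) from an {SSHA} value; rejects other schemes."""
    if not stored.startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % stored[:10])
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    return raw[:20], raw[20:]                # SHA-1 digest is always 20 bytes


def ssha_hash(password, salt=None):
    """Build an {SSHA} value the way slappasswd -h {SSHA} does (random 4-byte salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def ssha_verify(stored, password):
    """The comparison slapd performs on a simple bind; the client never sees `stored`."""
    digest, salt = ssha_split(stored)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


if __name__ == "__main__":
    name, value = ldif_value(POSTED_LINE)
    digest, salt = ssha_split(value)
    print(name, value.decode(), "digest=%d bytes, salt=%d bytes" % (len(digest), len(salt)))
    # Constructed credential (not testuser's real password); fixed salt for repeatability.
    stored = ssha_hash(b"correct horse", b"\x01\x02\x03\x04")
    print(stored.decode(), ssha_verify(stored, b"correct horse"), ssha_verify(stored, b"wrong"))
```

Run stand-alone it prints the decoded `{SSHA}...` value with its digest and salt lengths, then a constructed hash with one successful and one failed verification.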