PAM LDAP queries attempt to bind with empty binddn
Hello, all. We have just started to explore Debian Lenny as a platform
and have been delightfully impressed; however, we're hitting a problem
using LDAP authentication that we have not experienced in RedHat or
Ubuntu. We do not allow anonymous LDAP queries but rather
configure /etc/pam_ldap.conf with a binddn and bindpw.
Our LDAP queries are failing and, when we look at the access logs on our
CentOS Directory Server 8.1, we see the binddn is empty:
[10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=debian-xfs))" attrs="gidNumber"
[10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[10/Feb/2010:10:01:47 -0500] conn=52684 op=3 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:47 -0500] conn=52684 op=4 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
[10/Feb/2010:10:01:47 -0500] conn=52684 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
pam_ldap.conf looks like this:
base dc=ssiservices,dc=biz
uri ldap://ldap02.ssiservices.biz/
ldap_version 3
binddn uid=someid,dc=ssiservices,dc=biz
bindpw somelongpassword
#rootbinddn cn=manager,dc=padl,dc=com
We have disabled SSL for now.
nsswitch.conf looks like:
passwd: files ldap
group: files ldap
shadow: files ldap
We could very likely have a missing package. This is a vserver and they
install a very skeleton base system. For example, the system initially
did not query at all until we realized we needed to install passwd.
This is an X2Go print server (hopefully many desktops to come
immediately after!) so we have installed:
apt-get install locales less joe cups-x2go openssh-client cups
foomatic-db-gutenprint gutenprint-locales openprinting-ppds
cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl
libnss-ldap libpam-ldap nscd libpam-cracklib passwd
Here is how we set up pam and nscd:
edit /etc/pam.d/common-account to read:
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
edit /etc/pam.d/common-session so it reads:
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
edit /etc/pam.d/common-password so it reads:
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure md5
password required pam_deny.so
edit /etc/pam.d/common-auth so it reads:
auth sufficient pam_unix.so nullok_secure
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
Edit /etc/nscd.conf to change the group positive cache limit
(positive-time-to-live) to 600 seconds from the default 3600.
We've restarted the vserver several times to be sure. Even something as
simple as id <some user> fails and we see the empty DN. If we download
ldap-utils and do an ldapsearch, queries succeed using the parameters
given above in pam_ldap.conf. An almost identical setup works in both
CentOS 5.0.4 and Ubuntu Hardy. What is different with Debian and what
did we do wrong? Any help would be greatly appreciated as I've lost days
tracking this down with no answer. Thanks - John
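Added example, not part of John's post or of any Debian or Directory Server tooling: a Python script that reads a 389 / Red Hat Directory Server access log in the format quoted above and reports every search that ran on a connection with no authenticated bind in effect, that is, either after a BIND with dn="" that the server accepted, or with no BIND at all, and tallies those searches per client address so a misconfigured host stands out. A single RESULT line with err=0 does not distinguish an anonymous bind from a real one, which is why the script tracks bind state per connection. The sample log is constructed; its addresses, DNs and filters are made up. One fact worth keeping in mind when reading such a report against a Debian Lenny client: an id or getent passwd lookup goes through NSS (libnss-ldap, normally via nscd) rather than through PAM, and on Debian the NSS side reads /etc/libnss-ldap.conf, which carries its own binddn and bindpw settings, not /etc/pam_ldap.conf.

```python
import re
from collections import defaultdict

# Constructed sample in the 389 / Red Hat Directory Server access-log format
# shown in the post.  conn=52684 binds anonymously (dn="") before searching,
# conn=52685 binds as a proxy account first, conn=52686 never binds at all.
# Addresses, DNs and filters are made up for this example.
SAMPLE_LOG = """\
[10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(memberUid=alice))" attrs="gidNumber"
[10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
[10/Feb/2010:10:01:48 -0500] conn=52685 fd=75 slot=75 connection from 172.29.2.9 to 172.30.10.49
[10/Feb/2010:10:01:48 -0500] conn=52685 op=0 BIND dn="uid=nssproxy,dc=example,dc=com" method=128 version=3
[10/Feb/2010:10:01:48 -0500] conn=52685 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nssproxy,dc=example,dc=com"
[10/Feb/2010:10:01:48 -0500] conn=52685 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))" attrs=ALL
[10/Feb/2010:10:01:48 -0500] conn=52685 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[10/Feb/2010:10:01:49 -0500] conn=52686 fd=76 slot=76 connection from 172.29.2.10 to 172.30.10.49
[10/Feb/2010:10:01:49 -0500] conn=52686 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs=ALL
[10/Feb/2010:10:01:49 -0500] conn=52686 op=0 RESULT err=0 tag=101 nentries=0 etime=0
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the BindResponse; tag=101 (SearchResultDone) must not match here
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')


def _new_conn(client):
    # bound_dn stays None until a BIND RESULT with err=0 is seen; an accepted
    # anonymous bind sets it to "", which is still "not authenticated".
    return {"client": client, "bound_dn": None, "pending_bind": {}}


def find_anonymous_searches(log_text):
    """Return one record per SRCH issued on a connection that has no
    authenticated bind in effect (accepted anonymous bind, or no bind)."""
    conns = {}
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[m.group(1)] = _new_conn(m.group(2))
            continue
        m = BIND_RE.search(line)
        if m:
            st = conns.setdefault(m.group(1), _new_conn("unknown"))
            # remember the DN until the matching RESULT tells us if it worked
            st["pending_bind"][m.group(2)] = m.group(3)
            continue
        m = BIND_RESULT_RE.search(line)
        if m:
            st = conns.setdefault(m.group(1), _new_conn("unknown"))
            dn = st["pending_bind"].pop(m.group(2), None)
            if dn is not None:
                # a failed bind (err != 0) leaves the connection unauthenticated
                st["bound_dn"] = dn if m.group(3) == "0" else None
            continue
        m = SRCH_RE.search(line)
        if m:
            st = conns.setdefault(m.group(1), _new_conn("unknown"))
            if not st["bound_dn"]:
                findings.append({
                    "conn": m.group(1),
                    "client": st["client"],
                    "op": int(m.group(2)),
                    "bind": "anonymous" if st["bound_dn"] == "" else "none",
                    "base": m.group(3),
                    "filter": m.group(5),
                })
    return findings


def searches_by_client(findings):
    """Count unauthenticated searches per client address."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_anonymous_searches(SAMPLE_LOG)
    for h in hits:
        print(f'conn={h["conn"]} client={h["client"]} bind={h["bind"]} '
              f'op={h["op"]} filter={h["filter"]}')
    print("unauthenticated searches per client:", searches_by_client(hits))
```

Run against a real access log, feed the file contents to find_anonymous_searches() instead of SAMPLE_LOG; the per-client tally then points at the host whose client configuration (PAM or NSS side) lacks the bind credentials.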