Re: PAM LDAP queries attempt to bind with empty binddn
I believe you should set "rootbinddn" and "rootpw" in pam_ldap.conf.
That's what's used when the lookup is done by a process whose effective
user id is 0.
On Wed, Feb 10, 2010 at 5:07 PM, John A. Sullivan III
<jsullivan@opensourcedevel.com> wrote:
> Hello, all. We have just started to explore Debian Lenny as a platform
> and have been delightfully impressed however we're hitting a problem
> using LDAP authentication that we have not experienced in RedHat or
> Ubuntu. We do not allow anonymous LDAP queries but rather
> configure /etc/pam_ldap.conf with a binddn and bindpw.
>
> Our LDAP queries are failing and, when we look at the access logs on our
> CentOS Directory Server 8.1, we see the binddn is empty:
>
> [10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=debian-xfs))" attrs="gidNumber"
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
>
> pam_ldap.conf looks like this:
>
> base dc=ssiservices,dc=biz
> uri ldap://ldap02.ssiservices.biz/
> ldap_version 3
> binddn uid=someid,dc=ssiservices,dc=biz
> bindpw somelongpassword
> #rootbinddn cn=manager,dc=padl,dc=com
>
> We have disabled SSL for now.
>
> nsswitch.conf looks like:
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> We could very likely have a missing package. This is a vserver and they
> install a very skeleton base system. For example, the system initially
> did not query at all until we realized we needed to install passwd.
> This is an X2Go print server (hopefully many desktops to come
> immediately after!) so we have installed:
>
> apt-get install locales less joe cups-x2go openssh-client cups
> foomatic-db-gutenprint gutenprint-locales openprinting-ppds
> cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl
> libnss-ldap libpam-ldap nscd libpam-cracklib passwd
>
> Here is how we set up pam and nscd:
>
> edit /etc/pam.d/common-account to read:
> account required pam_unix.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> edit /etc/pam.d/common-session so it reads:
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_ldap.so
>
> edit /etc/pam.d/common-password so it reads:
> password sufficient pam_ldap.so
> password required pam_unix.so nullok obscure md5
> password required pam_deny.so
>
> edit /etc/pam.d/common-auth so it reads:
> auth sufficient pam_unix.so nullok_secure
> auth requisite pam_succeed_if.so uid >= 1000 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> Edit /etc/nscd.conf to change the group positive cache limit
> (positive-time-to-live) to 600 seconds from the default 3600.
>
> We've restarted the vserver several times to be sure. Even something as
> simple as id <some user> fails and we see the empty DN. If we download
> ldap-utils and do an ldapsearch, queries succeed using the parameters
> given above in pam_ldap.conf. An almost identical setup works in both
> CentOS 5.0.4 and Ubuntu Hardy. What is different with Debian and what
> did we do wrong? Any help would be greatly appreciated as I've lost days
> tracking this down with no answer. Thanks - John
>
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
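One way to spot the pattern John quotes from the directory server access log, added here as an example and not code from the thread: it keys each line by its conn id, remembers the DN of the last BIND on that connection, and reports every SRCH issued over an anonymous (empty-DN) bind together with the client address. The log text is constructed to mirror the quoted lines; the second connection is an assumed correctly bound client, included for contrast.

```python
import re

# Constructed sample modeled on the 389/CentOS Directory Server access log
# lines quoted in the post: conn=52684 binds with dn="" and then searches;
# conn=52685 shows what a client bound with the configured binddn looks like.
SAMPLE_LOG = """\
[10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
[10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:10:01:48 -0500] conn=52685 fd=75 slot=75 connection from 172.29.2.9 to 172.30.10.49
[10/Feb/2010:10:01:48 -0500] conn=52685 op=0 BIND dn="uid=someid,dc=ssiservices,dc=biz" method=128 version=3
[10/Feb/2010:10:01:48 -0500] conn=52685 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=someid,dc=ssiservices,dc=biz"
[10/Feb/2010:10:01:48 -0500] conn=52685 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=jdoe))" attrs=ALL
[10/Feb/2010:10:01:48 -0500] conn=52685 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')


def find_anonymous_searches(log_text):
    """Return one record per SRCH issued on a connection whose most recent
    BIND carried an empty DN. State is kept per conn id, so interleaved
    connections in a busy log are handled correctly."""
    client = {}    # conn id -> client IP from the "connection from" line
    bound_dn = {}  # conn id -> DN of the most recent BIND on that connection
    findings = []
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            client[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            bound_dn[m.group(1)] = m.group(3)
        elif m := SRCH_RE.search(line):
            conn, op, base, flt = m.groups()
            # A connection that never sent a BIND is anonymous as well,
            # which is why a missing entry is treated like an empty DN.
            if bound_dn.get(conn, "") == "":
                findings.append({"conn": conn, "op": int(op),
                                 "client": client.get(conn, "?"),
                                 "base": base, "filter": flt})
    return findings


if __name__ == "__main__":
    for f in find_anonymous_searches(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']} from {f['client']}: "
              f"anonymous search {f['filter']}")
```

Run against a real access log, an empty result after the rootbinddn/rootpw change confirms the client is no longer falling back to an anonymous bind.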