
Re: PAM LDAP queries attempt to bind with empty binddn



I believe you should set "rootbinddn" and "rootpw" in pam_ldap.conf.
That's what's used when the lookup is done by a process whose effective
user id is 0.


On Wed, Feb 10, 2010 at 5:07 PM, John A. Sullivan III
<jsullivan@opensourcedevel.com> wrote:
> Hello, all.  We have just started to explore Debian Lenny as a platform
> and have been delightfully impressed however we're hitting a problem
> using LDAP authentication that we have not experienced in RedHat or
> Ubuntu.  We do not allow anonymous LDAP queries but rather
> configure /etc/pam_ldap.conf with a binddn and bindpw.
>
> Our LDAP queries are failing and, when we look at the access logs on our
> CentOS Directory Server 8.1, we see the binddn is empty:
>
> [10/Feb/2010:10:01:47 -0500] conn=52684 fd=74 slot=74 connection from 172.29.2.8 to 172.30.10.49
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 BIND dn="" method=128 version=3
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=debian-xfs))" attrs=ALL
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=1 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=debian-xfs))" attrs="gidNumber"
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=nobody))" attrs=ALL
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=3 RESULT err=0 tag=101 nentries=0 etime=0
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=nobody))" attrs="gidNumber"
> [10/Feb/2010:10:01:47 -0500] conn=52684 op=4 RESULT err=0 tag=101 nentries=0 etime=0 notes=U
>
> pam_ldap.conf looks like this:
>
> base dc=ssiservices,dc=biz
> uri ldap://ldap02.ssiservices.biz/
> ldap_version 3
> binddn uid=someid,dc=ssiservices,dc=biz
> bindpw somelongpassword
> #rootbinddn cn=manager,dc=padl,dc=com
>
> We have disabled SSL for now.
>
> nsswitch.conf looks like:
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
>
> We could very likely have a missing package.  This is a vserver and they
> install a very skeleton base system.  For example, the system initially
> did not query at all until we realized we needed to install passwd.
> This is an X2Go print server (hopefully many desktops to come
> immediately after!) so we have installed:
>
> apt-get install locales less joe cups-x2go openssh-client cups
> foomatic-db-gutenprint gutenprint-locales openprinting-ppds
> cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl
> libnss-ldap libpam-ldap nscd libpam-cracklib passwd
>
> Here is how we set up pam and nscd:
>
> edit /etc/pam.d/common-account to read:
> account     required      pam_unix.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> edit /etc/pam.d/common-session so it reads:
> session     required      pam_limits.so
> session     required      pam_unix.so
> session     optional      pam_ldap.so
>
> edit /etc/pam.d/common-password so it reads:
> password   sufficient   pam_ldap.so
> password   required   pam_unix.so nullok obscure md5
> password    required      pam_deny.so
>
> edit /etc/pam.d/common-auth so it reads:
> auth    sufficient      pam_unix.so nullok_secure
> auth    requisite       pam_succeed_if.so uid >= 1000 quiet
> auth    sufficient      pam_ldap.so use_first_pass
> auth    required        pam_deny.so
>
> Edit /etc/nscd.conf to change the group positive cache limit
> (positive-time-to-live) to 600 seconds from the default 3600.
>
> We've restarted the vserver several times to be sure.  Even something as
> simple as id <some user> fails and we see the empty DN.  If we download
> ldap-utils and do an ldapsearch, queries succeed using the parameters
> given above in pam_ldap.conf.  An almost identical setup works in both
> CentOS 5.0.4 and Ubuntu Hardy.  What is different with Debian and what
> did we do wrong? Any help would be greatly appreciated as I've lost days
> tracking this down with no answer.  Thanks - John
>
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>

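The reply above points at rootbinddn. As an added check (editor's example, not code from the thread or from the PADL or Debian packages), here is a small POSIX sh audit that, for a given pam_ldap.conf or libnss-ldap.conf, prints which DN a lookup would bind with for a root and a non-root caller and flags a bind password sitting in a world-readable file. It encodes the library's order of preference as the reply describes it: a caller with effective uid 0 binds as rootbinddn with the password from the secret file when both exist; everyone else, and root without a usable secret, falls back to binddn; no binddn at all means an anonymous bind, which is exactly the dn="" seen in the access log. The secret-file path is a parameter because it differs by build (upstream default /etc/ldap.secret; Debian names it after the config file). One caveat worth knowing: id <user> resolves through NSS, not PAM, so the file that governs that lookup on Debian is /etc/libnss-ldap.conf rather than /etc/pam_ldap.conf, and both files deserve the same audit. The sample files the script writes are constructed for a stand-alone run and are not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PADL-style LDAP client
# config (pam_ldap.conf / libnss-ldap.conf) and report which DN a lookup
# would bind with, and whether the bind password is exposed to local users.
# The secret-file path is a parameter because it differs by build
# (upstream default /etc/ldap.secret; Debian names it after the config file).

# cfg_get FILE KEY: value of the first uncommented "KEY value" line, or nothing.
# A commented "#rootbinddn ..." line has $1 == "#rootbinddn" and is skipped.
cfg_get() {
    awk -v key="$2" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# other_readable FILE: succeeds if the "other" read bit is set (column 8 of ls -l).
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# effective_binddn CFG SECRET EUID: prints the DN the library binds with.
# euid 0 with rootbinddn and a readable secret file -> rootbinddn;
# otherwise binddn; an empty result means an anonymous bind (dn="").
# Readability of the secret is tested as the current user, which stands in
# for root's view of the file when this runs unprivileged.
effective_binddn() {
    cfg=$1 secret=$2 euid=$3
    rootdn=$(cfg_get "$cfg" rootbinddn)
    if [ "$euid" -eq 0 ] && [ -n "$rootdn" ] && [ -r "$secret" ]; then
        printf '%s\n' "$rootdn"
        return 0
    fi
    cfg_get "$cfg" binddn
}

# audit_file CFG SECRET: prints findings; returns 1 if a password is
# readable by every local user, 0 otherwise.
audit_file() {
    cfg=$1 secret=$2 rc=0
    echo "== $cfg"
    echo "bind DN for uid 1000: '$(effective_binddn "$cfg" "$secret" 1000)'"
    echo "bind DN for uid 0:    '$(effective_binddn "$cfg" "$secret" 0)'"
    if [ -n "$(cfg_get "$cfg" bindpw)" ] && other_readable "$cfg"; then
        echo "WARNING: bindpw is set in $cfg and the file is world-readable"
        rc=1
    fi
    if [ -e "$secret" ] && other_readable "$secret"; then
        echo "WARNING: $secret is world-readable; it should be mode 600"
        rc=1
    fi
    return $rc
}

# write_sample_cfg DIR: constructed sample files for a stand-alone run.
# pam_ldap.conf follows the quoted config with a (constructed) rootbinddn
# uncommented; libnss-ldap.conf deliberately carries no binddn.
write_sample_cfg() {
    cat > "$1/pam_ldap.conf" <<'EOF'
base dc=ssiservices,dc=biz
uri ldap://ldap02.ssiservices.biz/
ldap_version 3
binddn uid=someid,dc=ssiservices,dc=biz
bindpw somelongpassword
rootbinddn cn=manager,dc=ssiservices,dc=biz
EOF
    cat > "$1/libnss-ldap.conf" <<'EOF'
base dc=ssiservices,dc=biz
uri ldap://ldap02.ssiservices.biz/
ldap_version 3
EOF
    chmod 644 "$1/pam_ldap.conf" "$1/libnss-ldap.conf"
}

# Run with --demo to audit the constructed files; otherwise just define
# the functions so they can be sourced against the real /etc files.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_cfg "$d"
    audit_file "$d/pam_ldap.conf" "$d/pam_ldap.secret"
    audit_file "$d/libnss-ldap.conf" "$d/libnss-ldap.secret"
    rm -rf "$d"
fi
```

Against a real host, source the file and call audit_file /etc/pam_ldap.conf /etc/pam_ldap.secret and audit_file /etc/libnss-ldap.conf /etc/libnss-ldap.secret as root; a bind DN of '' for uid 0 on the NSS file is the anonymous bind the access log shows, and a WARNING on the config file means the bindpw is readable by any local account, which is the reason rootbinddn plus a mode 600 secret file exists in the first place.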
