
Re: PAM LDAP queries attempt to bind with empty binddn



On Wed, 2010-02-10 at 21:30 +0100, Predrag Gavrilovic wrote:
> I believe you should set "rootbinddn" and "rootpw" in pam_ldap.conf.
> That's what's used when the lookup is done by a process whose effective
> user id is 0.

Hmm . . . we intentionally don't want to do that and Ubuntu works
without it.  We activated it anyway and restarted the vserver to test
but received the same results:

[10/Feb/2010:16:02:17 -0500] conn=64962 fd=65 slot=65 connection from 172.29.1.253 to 172.30.10.49
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=messagebus))" attrs=ALL
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(memberUid=messagebus))" attrs="gidNumber"
[10/Feb/2010:16:02:17 -0500] conn=64962 op=2 RESULT err=0 tag=101 nentries=0 etime=0 notes=U

> 
> 
> On Wed, Feb 10, 2010 at 5:07 PM, John A. Sullivan III
> <jsullivan@opensourcedevel.com> wrote:
> > Hello, all.  We have just started to explore Debian Lenny as a platform
> > and have been delightfully impressed however we're hitting a problem
> > using LDAP authentication that we have not experienced in RedHat or
> > Ubuntu.  We do not allow anonymous LDAP queries but rather
> > configure /etc/pam_ldap.conf with a binddn and bindpw.
> >
> > Our LDAP queries are failing and, when we look at the access logs on our
> > CentOS Directory Server 8.1, we see the binddn is empty:
<snip>
> > We could very likely have a missing package.  This is a vserver and they
> > install a very skeleton base system.  For example, the system initially
> > did not query at all until we realized we needed to install passwd.
> > This is an X2Go print server (hopefully many desktops to come
> > immediately after!) so we have installed:
> >
> > apt-get install locales less joe cups-x2go openssh-client cups
> > foomatic-db-gutenprint gutenprint-locales openprinting-ppds
> > cups-driver-gutenprint cups-pdf foomatic-db foomatic-filters openssl
> > libnss-ldap libpam-ldap nscd libpam-cracklib passwd
> >
<snip>
I'm wondering if there is a missing service rather than a missing file.
What service or daemon would fill in that information?  We aggressively
strip out unnecessary services from our vservers, especially any having
to do with the hardware.  This is from our internal documentation:

Clean up the rc directories:
cd /etc
rm rc*.d/*kdm
rm rc*.d/*dirmngr
rm rc*.d/*fancontrol
rm rc*.d/*lisa
rm rc*.d/*rsync
rm rc*.d/*saned
rm rc*.d/*avahi-daemon
rm rc*.d/*portmap
rm rc*.d/*hpoj
rm rc*.d/*lpd
rm rc*.d/*libchipcard-tools
rm rc*.d/*stop-bootlogd
rm rc*.d/*winbind
rm rc*.d/*hwclock.sh
rm rc*.d/*mountoverflowtmp
rm rc*.d/*urandom
rm rc*.d/*umountnfs.sh
rm rc*.d/*networking
rm rc*.d/*ifupdown
rm rc*.d/*umountfs
rm rc*.d/*umountroot
rm rc*.d/*binfmt-support
cd rcS.d
rm *udev
rm *hdparm
rm *pppd-dns
rm *lm-sensors
rm S05bootlogd
rm S01glibc.sh
rm S02hostname.sh
rm S02mountkernfs.sh
rm S04mountdevsubfs.sh
rm S08hwclockfirst.sh
rm S10checkroot.sh
rm S11hwclock.sh
rm S12mtab.sh
rm S18ifupdown-clean
rm S20module-init-tools
rm S30checkfs.sh
rm S30procps
rm S35mountall.sh
rm S36mountall-bootclean.sh
rm S36udev-mtab
rm S37mountoverflowtmp
rm S39ifupdown
rm S40networking
rm S45mountnfs.sh
rm S46mountnfs-bootclean.sh
rm S55bootmisc.sh
rm S55urandom
rm S99stop-bootlogd-single

> > We've restarted the vserver several times to be sure.  Even something as
> > simple as id <some user> fails and we see the empty DN.  If we download
> > ldap-utils and do an ldapsearch, queries succeed using the parameters
> > given above in pam_ldap.conf.  An almost identical setup works in both
> > CentOS 5.0.4 and Ubuntu Hardy.  What is different with Debian and what
> > did we do wrong? Any help would be greatly appreciated as I've lost days
> > tracking this down with no answer.  Thanks - John

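The access-log excerpt in this thread is exactly what a directory administrator who has disallowed anonymous queries should be watching for: a BIND with dn="" followed by searches on the same connection. The following is an added example (not part of the thread, and not code from Debian, pam_ldap or the Directory Server) that walks such a log, tracks the bound DN per connection, and reports every search run without credentials. The first connection is copied from the post; the other two connections, the placeholder proxy DN and the extra filters are constructed for the example.

```python
import re

# Constructed sample in the access-log format of the CentOS Directory Server
# quoted in the thread. conn=64962 is copied from the post; conn=64963 (a
# bind with a placeholder proxy DN) and conn=64964 (a search with no BIND
# at all) are made up to exercise the other two cases.
SAMPLE_LOG = """\
[10/Feb/2010:16:02:17 -0500] conn=64962 fd=65 slot=65 connection from 172.29.1.253 to 172.30.10.49
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 BIND dn="" method=128 version=3
[10/Feb/2010:16:02:17 -0500] conn=64962 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixAccount)(uid=messagebus))" attrs=ALL
[10/Feb/2010:16:02:17 -0500] conn=64962 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[10/Feb/2010:16:02:18 -0500] conn=64963 fd=66 slot=66 connection from 172.29.1.250 to 172.30.10.49
[10/Feb/2010:16:02:18 -0500] conn=64963 op=0 BIND dn="cn=PLACEHOLDER-proxy,dc=ssiservices,dc=biz" method=128 version=3
[10/Feb/2010:16:02:18 -0500] conn=64963 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(uid=alice)" attrs=ALL
[10/Feb/2010:16:02:19 -0500] conn=64964 fd=67 slot=67 connection from 172.29.1.251 to 172.30.10.49
[10/Feb/2010:16:02:19 -0500] conn=64964 op=0 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(uid=bob)" attrs=ALL
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="[^"]*" scope=\d+ filter="([^"]*)"')


def find_anonymous_searches(log_text):
    """Return (client_ip, conn_id, filter) for each SRCH that ran without
    credentials: the connection either bound with an empty DN, as in the
    thread, or never sent a BIND at all (also anonymous in LDAPv3)."""
    client_of = {}   # conn id -> client IP from the "connection from" line
    bound_dn = {}    # conn id -> DN of the most recent BIND on that connection
    findings = []
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            client_of[m.group(1)] = m.group(2)
            bound_dn.pop(m.group(1), None)  # conn ids are reused after close
        elif m := BIND_RE.search(line):
            bound_dn[m.group(1)] = m.group(2)
        elif m := SRCH_RE.search(line):
            conn = m.group(1)
            if bound_dn.get(conn, "") == "":
                findings.append((client_of.get(conn, "?"), conn, m.group(2)))
    return findings


def clients_with_anonymous_searches(log_text):
    """Distinct client IPs that issued anonymous searches, sorted."""
    return sorted({ip for ip, _, _ in find_anonymous_searches(log_text)})


if __name__ == "__main__":
    for ip, conn, flt in find_anonymous_searches(SAMPLE_LOG):
        print(f"{ip} conn={conn} anonymous search {flt}")
```

Run against a real access log, the client list points straight at hosts whose pam_ldap/nss_ldap configuration is not presenting the binddn, which is the situation the thread describes.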