I understand that the `ldapsearch -b "ou=people,o=test,o=suffix" -D <…> -w <…> -x -s sub "(&(objectClass=<xyz>)(uid=testuser))"`, using the credentials specified in ldap.conf, does return the object. This said, the aci seems to be correct.
On 05/24/2013 03:55 PM, Shriram M wrote:
Sorry for the typo. It's not sssd, it is sshd.
I am using the nscd daemon. I tried to debug nss_ldap by setting the log level in the /etc/ldap.conf file. I observed that the ldap server connection is getting established and it accepts the request from nss_ldap (which requests the user info by supplying the uid). But ldap is responding with neither an error message nor a success message.
[22/May/2013:13:38:13 +0000] conn=44 op=18 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=<xyz>)(uid=testuser))" attrs="uid uidNumber gidNumber "
[22/May/2013:13:38:13 +0000] conn=44 op=18 RESULT err=0 tag=101 nentries=0 etime=0
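The two access-log lines above show the pattern that makes this problem hard to see from the client side: the search completes with err=0 but nentries=0, so nss_ldap gets neither an error nor an entry. The following script is an added example, not code from the thread or from 389 DS; it correlates SRCH and RESULT lines by conn/op in a 389 DS access log and lists searches that returned zero entries without an error, together with the DN the connection was bound as. The sample log is constructed here (the proxy bind DN, the `posixAccount` object class and the second connection are assumptions, not values from the thread).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the two access-log lines quoted in the thread,
# plus a BIND on the same connection and a second search that does find an entry.
SAMPLE_LOG = """\
[22/May/2013:13:38:13 +0000] conn=44 op=17 BIND dn="uid=proxy,ou=people,o=test,o=suffix" method=128 version=3
[22/May/2013:13:38:13 +0000] conn=44 op=17 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=proxy,ou=people,o=test,o=suffix"
[22/May/2013:13:38:13 +0000] conn=44 op=18 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=posixAccount)(uid=testuser))" attrs="uid uidNumber gidNumber "
[22/May/2013:13:38:13 +0000] conn=44 op=18 RESULT err=0 tag=101 nentries=0 etime=0
[22/May/2013:13:38:14 +0000] conn=45 op=1 SRCH base="ou=people,o=test,o=suffix" scope=2 filter="(&(objectClass=posixAccount)(uid=otheruser))" attrs="uid uidNumber gidNumber "
[22/May/2013:13:38:14 +0000] conn=45 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Field patterns for the access-log record types we care about.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')
UID_RE = re.compile(r'\(uid=([^)]*)\)')


def find_silent_misses(log_text: str) -> List[Dict[str, str]]:
    """Return searches that finished with err=0 but nentries=0.

    Each result carries the conn/op, base, filter, the uid from the filter
    (if any) and the DN the connection was bound as, so an operator can
    re-run the same search as a DN known to have read access and tell
    "entry does not exist" apart from "entry hidden by ACI".
    """
    bound_as: Dict[str, str] = {}                       # conn -> DN of last BIND
    pending: Dict[Tuple[str, str], Dict[str, str]] = {}  # (conn, op) -> search awaiting RESULT
    misses: List[Dict[str, str]] = []

    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, _op, dn = m.groups()
            bound_as[conn] = dn or "anonymous"  # 389 DS logs anonymous binds as dn=""
            continue

        m = SRCH_RE.search(line)
        if m:
            conn, op, base, _scope, filt = m.groups()
            uid = UID_RE.search(filt)
            pending[(conn, op)] = {
                "conn": conn, "op": op, "base": base, "filter": filt,
                "uid": uid.group(1) if uid else "",
                "bound_as": bound_as.get(conn, "anonymous"),
            }
            continue

        m = RESULT_RE.search(line)
        if m:
            conn, op, err, tag, nentries = m.groups()
            srch = pending.pop((conn, op), None)
            if srch is None:
                continue  # RESULT of a non-search op (e.g. the BIND, tag=97)
            # tag=101 is a SearchResultDone; err=0 with zero entries is the silent case.
            if tag == "101" and err == "0" and nentries == "0":
                misses.append(srch)
    return misses


if __name__ == "__main__":
    for miss in find_silent_misses(SAMPLE_LOG):
        print(f"conn={miss['conn']} op={miss['op']} uid={miss['uid']!r} "
              f"bound as {miss['bound_as']}: 0 entries, no error")
```

The server does not report an error for entries the bound DN is not allowed to see, so a zero-entry success is indistinguishable from a genuine miss in the log alone. Running the flagged search again with the same base and filter as a DN that certainly has read access (for example Directory Manager) and comparing nentries is the quickest way to confirm an ACI problem rather than a missing entry.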
Could you confirm that the searched entry has "objectclass: <xyz>"?
Having disabled anonymous access, the above session was authenticated. If there is an entry that matches the filter but is not returned, I guess it is an issue with the aci definition that prevents the bound user from looking up the entry (or reading the filter attributes).
From the above ldap search operation nentries is zero. But the user is present in ldap; this was verified by executing the ldapsearch command.
Steps to replicate this behavior:
1. disable (off) nsslapd-anonymous-access
2. modify the aci (access control information) for the base dn by introducing a dn with a password to bind with ldap.
3. provide the modified aci information in /etc/ldap.conf with the appropriate binddn and bindpw.
4. create a user in ldap so that ssh login should communicate with ldap via PAM.
5. configure the appropriate configuration [/etc/pam.d] for PAM to authenticate the users.
Use NSCD or SSSD, not both: NSCD is a caching daemon and SSSD has its own caching daemon, so they will conflict.
On May 22, 2013, at 4:18 AM, Shriram M <email@example.com> wrote:
I am trying LDAP authentication for users logging in to CentOS via PAM. Also I have disabled (off) the nsslapd-anonymous-access flag to restrict anonymous access, providing the binddn and bindpw instead.
I have changed binddn and bindpw in /etc/ldap.conf for PAM to bind with LDAP to authenticate the user.
i.e., when a user tries to ssh in, PAM reads /etc/ldap.conf to bind with LDAP and authenticate the corresponding user.
User authentication is not working every time, i.e., sometimes the user is authenticated and sometimes the user is not authenticated.
I have verified that the tools 389 FDS, nscd, ssd are properly running in CentOS.
I have tried doing an ldapsearch for the corresponding user. The result shows the user properly.
389 users mailing list