I saw several other questions here regarding a similar issue - but I haven't found something that actually worked for me.
My goal is to authenticate (mainly for SSH) all Debian machines against a UCS (OpenLDAP) directory - in the future only when the user is a member of a specific LDAP group. But I'm currently struggling to make it even work without a group membership.
I always get the error:
nslcd: [7b23c6] <authc="test"> DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local") (ppolicy=yes)
nslcd: [7b23c6] <authc="test"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [7b23c6] <authc="test"> DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
nslcd: [7b23c6] <authc="test"> DEBUG: ldap_unbind()
nslcd: [7b23c6] <authc="test"> uid=test,cn=users,dc=securitywho,dc=local: Invalid credentials
nslcd: [7b23c6] <authc="test"> DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [7b23c6] <authc="test"> DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local
The bind user is working, I did check everything with an ldapsearch command - there everything is working fine with the bind user, and if I use a wrong password the debug shows an error that the bind function is not working.
Ldapsearch used - and it is working:
ldapsearch -x -H ldap://ldap.securitywho.local -D "uid=srv_linux,cn=users,dc=securitywho,dc=local" -b cn=users,dc=securitywho,dc=local -W
Snip from the output:
# test, users, securitywho.local
dn: uid=test,cn=users,dc=securitywho,dc=local
krb5MaxLife: 86400
krb5MaxRenew: 604800
uid: test
uidNumber: 2008
sn: test
gecos: test
displayName: test
homeDirectory: /home/test
loginShell: /bin/bash
mailForwardCopyToSelf: 0
cn: test
krb5PrincipalName: [email protected]
shadowLastChange: 18992
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaAcctFlags: [U ]
objectClass: shadowAccount
objectClass: top
objectClass: sambaSamAccount
objectClass: automount
objectClass: univentionPWHistory
objectClass: person
objectClass: krb5KDCEntry
objectClass: univentionObject
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: organizationalPerson
objectClass: univentionMail
objectClass: posixAccount
sambaSID: S-1-5-21-258973841-725078507-1497259816-5016
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-258973841-725078507-1497259816-513
univentionObjectType: users/user
Just to verify that my test user is working I ran the ldapsearch command with the test user - everything worked here as well. I checked that with several accounts in the OpenLDAP directory; all worked here, but none when I tried it for SSH.
ldapsearch -x -H ldap://ldap.securitywho.local -D "uid=test,cn=users,dc=securitywho,dc=local" -b cn=users,dc=securitywho,dc=local -W
Config /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.
# The user and group nslcd should run as.
uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
uri ldap://ldap.securitywho.local
# The search base that will be used for all queries.
base cn=users,dc=securitywho,dc=local
# The LDAP protocol version to use.
#ldap_version 3
# The DN to bind with for normal lookups.
binddn uid=srv_linux,cn=users,dc=securitywho,dc=local
bindpw <SUPERSECUREPASSWORD>
# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com
# SSL options
#ssl off
#tls_reqcert never
#tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
#scope sub
filter passwd (objectClass=*)
map passwd uid uid
filter shadow (objectClass=*)
map shadow uid uid
Complete Debug Output of nslcd:
root@ipam:~# nslcd -d
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.11
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 117
nslcd: DEBUG: CFG: uri ldap://ldap.securitywho.local
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn uid=srv_linux,cn=users,dc=securitywho,dc=local
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: base cn=users,dc=securitywho,dc=local
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=*)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=*)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl off
nslcd: DEBUG: CFG: tls_reqcert demand
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.11 starting
nslcd: DEBUG: initgroups("nslcd",117) done
nslcd: DEBUG: setgid(117) done
nslcd: DEBUG: setuid(110) done
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=896662 uid=0 gid=0
nslcd: [8b4567] <authc="test"> DEBUG: nslcd_pam_authc("test","sshd","***")
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_initialize(ldap://ldap.securitywho.local)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_simple_bind_s("uid=srv_linux,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="uid=test,cn=users,dc=securitywho,dc=local", filter="(objectClass=*)")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_initialize(ldap://ldap.securitywho.local)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=securitywho,dc=local","***") (uri="ldap://ldap.securitywho.local") (ppolicy=yes)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: failed to bind to LDAP server ldap://ldap.securitywho.local: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="test"> uid=test,cn=users,dc=securitywho,dc=local: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="cn=users,dc=securitywho,dc=local", filter="(&(objectClass=*)(uid=test))")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_result(): uid=test,cn=users,dc=securitywho,dc=local
What I tried is to play around with the "search scope" in /etc/nslcd.conf, but no combination made it work. I currently don't see any configuration issue - has someone had the same issue or could someone help me out?
I installed everything with:
apt-get install libpam-ldapd
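The debug output above shows the two-step flow nslcd runs for a PAM authentication: bind as binddn, search for the uid to get the user's DN, then bind again as that DN with the password PAM handed over. The following triage script is an added example (not from the question or from nss-pam-ldapd) that groups `nslcd -d` lines by session id and reports which of those steps failed; the sample log is constructed with placeholder DNs and hostnames.

```python
import re

# Constructed sample shaped like `nslcd -d` output (placeholder DNs/hosts).
SAMPLE_LOG = """\
nslcd: [8b4567] DEBUG: connection from pid=896662 uid=0 gid=0
nslcd: [8b4567] <authc="test"> DEBUG: nslcd_pam_authc("test","sshd","***")
nslcd: [8b4567] <authc="test"> DEBUG: myldap_search(base="cn=users,dc=example,dc=test", filter="(&(objectClass=*)(uid=test))")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_simple_bind_s("uid=svc,cn=users,dc=example,dc=test","***") (uri="ldap://ldap.example.test")
nslcd: [8b4567] <authc="test"> DEBUG: ldap_result(): uid=test,cn=users,dc=example,dc=test
nslcd: [8b4567] <authc="test"> DEBUG: ldap_sasl_bind("uid=test,cn=users,dc=example,dc=test","***") (uri="ldap://ldap.example.test") (ppolicy=yes)
nslcd: [8b4567] <authc="test"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [8b4567] <authc="test"> DEBUG: failed to bind to LDAP server ldap://ldap.example.test: Invalid credentials
nslcd: [8b4567] <authc="test"> uid=test,cn=users,dc=example,dc=test: Invalid credentials
"""

LINE_RE = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] (?:<authc="(?P<user>[^"]*)"> )?(?P<msg>.*)$')
BIND_RE = re.compile(r'^DEBUG: ldap_(?:simple_bind_s|sasl_bind)\("(?P<dn>[^"]*)"')
FOUND_RE = re.compile(r'^DEBUG: ldap_result\(\): (?P<dn>.+)$')
RESULT_RE = re.compile(r'^DEBUG: ldap_parse_result\(\) result: (?P<err>.+)$')

def triage_authc(log: str) -> dict:
    """Per nslcd session id: which DN was used for the service bind, which DN the
    search resolved, which DN was bound with the user's password, and which of
    those binds (if any) the server rejected."""
    sessions = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], {"user": None, "service_dn": None, "resolved_dn": None,
                                            "user_dn": None, "last_bind": None, "failed_stage": None, "error": None})
        s["user"] = s["user"] or m["user"]
        msg = m["msg"]
        if (b := BIND_RE.match(msg)):
            # The user bind is the one whose DN equals the search hit; any other bind is binddn.
            stage = "user_bind" if b["dn"] == s["resolved_dn"] else "service_bind"
            s["service_dn" if stage == "service_bind" else "user_dn"] = b["dn"]
            s["last_bind"] = stage
        elif (f := FOUND_RE.match(msg)):
            s["resolved_dn"] = f["dn"]
        elif (r := RESULT_RE.match(msg)) and r["err"] != "Success":
            s["failed_stage"], s["error"] = s["last_bind"], r["err"]  # error belongs to the last bind
    return sessions

def verdict(s: dict) -> str:
    """Turn one session record into a one-line diagnosis for the admin."""
    if s["failed_stage"] == "service_bind":
        return f"binddn {s['service_dn']} was rejected: check bindpw in nslcd.conf"
    if s["failed_stage"] == "user_bind":
        return f"{s['user_dn']} was found but its password bind failed: {s['error']}"
    if s["service_dn"] and not s["resolved_dn"]:
        return f"no entry matched uid={s['user']} under the configured base/filter"
    return "no failed bind in this session"

if __name__ == "__main__":
    for sid, rec in triage_authc(SAMPLE_LOG).items():
        print(sid, verdict(rec))
```

Run it as `nslcd -d 2>&1 | tee nslcd.log` followed by `python3 triage.py < nslcd.log` (after swapping SAMPLE_LOG for `sys.stdin.read()`) to separate a wrong service-account password from a rejected user password from a lookup that found nothing.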