03-Nov-2009, 03:58 PM
ab@novell.com (Novell)
Join Date: Aug 2007
Location: USA
Posts: 3,474
Re: Having problems authenticating LDAP against eDirectory


Are you sure the user in eDirectory that you are using to bind
(cn=LDAP,ou=thing....) actually has rights to read this attribute for this
user? Try doing the ldapsearch that you did (presumably with an
administrative user) with that cn=LDAP user to see if you get the same
stuff back.

Good luck.

joelkillspeople wrote:
> Hey all. I am having a bit of trouble authenticating LDAP users against
> eDir, and I'm not sure where the hangup is. On one box, I am running
> Ubuntu with OpenLDAP; on the other is an existing installation of
> eDirectory.
>
> The issue I am having is user authentication, and retrieving the
> homeDirectory for the Ubuntu computer. I am, however, able to properly
> search against the eDirectory server. The one problem is: I am running
> this installation process from afar, and have no access to the
> eDirectory server, so I cannot tell if this is on the user's eDirectory
> side, or my own.
>
> Let me run down what I have in my ldap.conf, the debug information I am
> receiving from LDAP, and the errors I am experiencing.
>
> I am attempting to retrieve user login information via a proxy user as
> detailed here: 'Cool Solutions: Configure Linux to Authenticate to
> eDirectory via LDAP'
> (http://www.novell.com/coolsolutions/feature/1630.html)
>
> The locations have been changed for privacy.
>
> First, the parts that matter in my /etc/ldap.conf
>
> Code:
> --------------------
>
> host 192.168.1.1
> base o=place
> uri ldap://192.168.1.1
> ldap_version 3
> binddn cn=LDAP,ou=thing,ou=stuff,o=place
>
> --------------------
>
>
> Next, the returns of an ldapsearch for the user I am trying to log on
> as:
>
> Code:
> --------------------
>
> dn: cn=Student,ou=MISC,ou=otherou,o=place
> loginShell: /bin/bash
> homeDirectory: /home/student
> gidNumber: 10000
> uidNumber: 10001
> uid: Student
> givenName: student
> sn: test
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: ndsLoginProperties
> objectClass: top
> objectClass: posixAccount
> description: test user
> cn: Student
>
> --------------------
>
>
> Notice how the above reflects a proper home directory. Here's a result
> of a finger on the account, PLUS the debug information pertaining to
> LDAP retrieved from the request:
>
> Code:
> --------------------
>
> 0000: 30 27 02 01 01 60 22 02 01 03 04 1b 63 6e 3d 4c 0'...`".....cn=L
> 0010: 44 41 50 2c 6f 75 3d 54 43 48 2c 6f 75 3d 5a 48 DAP,ou=thing,ou=stu
> 0020: 53 2c 6f 3d 5a 50 53 80 00 ff,o=place..
> ldap_write: want=41, written=41
> 0000: 30 27 02 01 01 60 22 02 01 03 04 1b 63 6e 3d 4c 0'...`".....cn=L
> 0010: 44 41 50 2c 6f 75 3d 54 43 48 2c 6f 75 3d 5a 48 DAP,ou=thing,ou=stu
> 0020: 53 2c 6f 3d 5a 50 53 80 00 ff,o=place..
> ldap_read: want=8, got=8
> 0000: 30 0c 02 01 01 61 07 0a 0....a..
> ldap_read: want=6, got=6
> 0000: 01 00 04 00 04 00 ......
>
>
> ldap_read: want=274, got=274
> 0000: 82 01 0f 04 1f 63 6e 3d 53 74 75 64 65 6e 74 2c .....cn=Student,
> 0010: 6f 75 3d 4d 49 53 43 2c 6f 75 3d 53 54 55 2c 6f ou=MISC,ou=thing,o
> 0020: 3d 5a 50 53 30 81 eb 30 19 04 0a 6c 6f 67 69 6e =place0..0...login
> 0030: 53 68 65 6c 6c 31 0b 04 09 2f 62 69 6e 2f 62 61 Shell1.../bin/ba
> 0040: 73 68 30 14 04 09 67 69 64 4e 75 6d 62 65 72 31 sh0...gidNumber1
> 0050: 07 04 05 31 30 30 30 30 30 14 04 09 75 69 64 4e ...100000...uidN
> 0060: 75 6d 62 65 72 31 07 04 05 31 30 30 30 31 30 10 umber1...100010.
> 0070: 04 03 75 69 64 31 09 04 07 53 74 75 64 65 6e 74 ..uid1...Student
> 0080: 30 63 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 31 0c..objectClass1
> 0090: 54 04 0d 69 6e 65 74 4f 72 67 50 65 72 73 6f 6e T..inetOrgPerson
> 00a0: 04 14 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 61 6c ..organizational
> 00b0: 50 65 72 73 6f 6e 04 06 70 65 72 73 6f 6e 04 12 Person..person..
> 00c0: 6e 64 73 4c 6f 67 69 6e 50 72 6f 70 65 72 74 69 ndsLoginProperti
> 00d0: 65 73 04 03 74 6f 70 04 0c 70 6f 73 69 78 41 63 es..top..posixAc
> 00e0: 63 6f 75 6e 74 30 1a 04 0b 64 65 73 63 72 69 70 count0...descrip
> 00f0: 74 69 6f 6e 31 0b 04 09 74 65 73 74 20 75 73 65 tion1...test use
> 0100: 72 30 0f 04 02 63 6e 31 09 04 07 53 74 75 64 65 r0...cn1...Stude
> 0110: 6e 74 nt
>
>
> Login: Student Name: Student
> Directory: Shell: /bin/bash
> Never logged in.
> No mail.
> No Plan.
>
> --------------------
>
>
> Notice above how there is no entry under "Directory:" even though the
> user's homeDirectory is clearly listed under the ldapsearch.
>
> Next, I will attempt to log in as the user from a root account, and
> provide the error and auth.log failure:
>
> Code:
> --------------------
>
> root@server:/# su - Student
> su: Permission denied
>
> --------------------
>
>
> from /var/log/auth.log
>
>
> Code:
> --------------------
>
> Nov 3 16:34:55 server su[25955]: pam_unix(su:session): session opened for user Student by ltsp(uid=0)
> Nov 3 16:34:55 server su[25955]: pam_mkhomedir(su:session): unable to create directory : No such file or directory
> Nov 3 16:34:55 server su[25955]: pam_open_session: Permission denied
>
> --------------------
>
>
> The reason it's not logging in is not due to the fact that a home
> directory could not be created because I am using the following in
> /etc/pam.d/common-session:
>
>
> Code:
> --------------------
>
> session required pam_mkhomedir.so umask=0007 skel=/etc/skel/
>
> --------------------
>
>
> I am also unable to log in directly as the Student user. Here is the
> auth.log after an attempt to log in as the user directly instead of as
> root:
>
> Code:
> --------------------
>
> Nov 3 16:42:29 ltsp1 su[26336]: pam_unix(su:auth): authentication failure; logname=user uid=1001 euid=0 tty=pts/0 ruser=ltsp rhost= user=Student
> Nov 3 16:42:32 ltsp1 su[26336]: pam_ldap: error trying to bind as user "cn=Student,ou=MISC,ou=STU,o=ZPS" (Invalid credentials)
> Nov 3 16:42:33 ltsp1 su[26336]: pam_authenticate: Authentication failure
> Nov 3 16:42:33 ltsp1 su[26336]: FAILED su for Student by user
> Nov 3 16:42:33 ltsp1 su[26336]: - pts/0 ltsp:Student
>
> --------------------
>
>
> I would dearly appreciate any help that I could get, because from my
> end, my options appear to be exhausted.
>
> Thanks in advance.
>
>

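Added note and example (not from the original post, the reply, or Novell): the debug trace in the quoted post already supports the advice above, and it is worth reading the bytes. The 41-byte BindRequest decodes as LDAPv3, the proxy DN, then `80 00`: simple authentication with a zero-length password, i.e. an unauthenticated bind (RFC 4513 section 5.1.2), which a server either rejects or treats as anonymous. The 14-byte BindResponse (`... 0a 01 00 ...`) has resultCode 0, so eDirectory accepted it, and the 274-byte SearchResultEntry that follows carries loginShell, gidNumber, uidNumber, uid, objectClass, description and cn but no homeDirectory, unlike the ldapsearch output shown earlier in the post. So the lookup is running with whatever rights eDirectory gives an anonymous bind, not the proxy user's (an empty password on the wire is what nss_ldap sends when it has no bindpw for the binddn; the post only shows part of /etc/ldap.conf, so that is an inference), and that identity cannot read homeDirectory on the Student entry, which is why finger shows an empty "Directory:" and pam_mkhomedir has no path to create. The script below decodes exactly these three message types and flags both problems. The sample messages are constructed to mirror the structure of the trace using the poster's redacted DNs rather than the bytes verbatim, the function names are hypothetical, and the list of attributes it checks is my assumption of what nss_ldap needs from a posixAccount entry.

```python
"""Decode the BindRequest, BindResponse and SearchResultEntry seen in an
nss_ldap/pam_ldap debug trace and report what they imply for a login.
Added for this thread; not code from the original post or from Novell.
Sample messages are constructed to mirror the post's trace (redacted DNs)."""
from typing import Dict, List, Tuple

POSIX_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")  # assumed nss_ldap needs

def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content  # one BER tag-length-value element

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        start = pos + 2 + count
    return tag, buf[start:start + length], start + length

def ldap_message(msg_id: int, op_tag: int, op: bytes) -> bytes:
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(op_tag, op))  # SEQUENCE { messageID, protocolOp }

def bind_request(msg_id: int, dn: str, password: bytes) -> bytes:
    """BindRequest (APPLICATION 0): version 3, name, simple credentials (context tag 0)."""
    return ldap_message(msg_id, 0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password))

def bind_response(msg_id: int, result_code: int) -> bytes:
    """BindResponse (APPLICATION 1): resultCode, empty matchedDN and diagnosticMessage."""
    return ldap_message(msg_id, 0x61, tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b""))

def search_result_entry(msg_id: int, dn: str, attrs: Dict[str, List[str]]) -> bytes:
    """SearchResultEntry (APPLICATION 4): objectName plus a PartialAttributeList."""
    pal = b"".join(tlv(0x30, tlv(0x04, n.encode()) + tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in vs)))
                   for n, vs in attrs.items())
    return ldap_message(msg_id, 0x64, tlv(0x04, dn.encode()) + tlv(0x30, pal))

def protocol_op(msg: bytes, expected_tag: int) -> bytes:
    """Strip the envelope and messageID and return the protocolOp content."""
    _, envelope, _ = read_tlv(msg, 0)
    _, _msg_id, pos = read_tlv(envelope, 0)
    tag, op, _ = read_tlv(envelope, pos)
    if tag != expected_tag:
        raise ValueError(f"expected protocolOp tag {expected_tag:#x}, got {tag:#x}")
    return op

def decode_bind_request(msg: bytes) -> Dict[str, object]:
    op = protocol_op(msg, 0x60)
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    return {"version": version[0], "dn": name.decode(), "simple": auth_tag == 0x80, "password_len": len(cred)}

def decode_bind_response(msg: bytes) -> int:
    _, code, _ = read_tlv(protocol_op(msg, 0x61), 0)
    return code[0]

def decode_search_entry(msg: bytes) -> Tuple[str, Dict[str, List[str]]]:
    op = protocol_op(msg, 0x64)
    _, dn, pos = read_tlv(op, 0)
    _, pal, _ = read_tlv(op, pos)
    attrs: Dict[str, List[str]] = {}
    pos = 0
    while pos < len(pal):  # each PartialAttribute is SEQUENCE { type, SET OF value }
        _, pa, pos = read_tlv(pal, pos)
        _, name, vpos = read_tlv(pa, 0)
        _, vals, _ = read_tlv(pa, vpos)
        values, q = [], 0
        while q < len(vals):
            _, v, q = read_tlv(vals, q)
            values.append(v.decode())
        attrs[name.decode()] = values
    return dn.decode(), attrs

def diagnose(req: bytes, resp: bytes, entry: bytes) -> List[str]:
    """Findings from the three messages: empty-password bind, result code, missing attributes."""
    findings = []
    b = decode_bind_request(req)
    if b["simple"] and b["dn"] and b["password_len"] == 0:
        findings.append(f"bind as {b['dn']} sent an EMPTY simple password: an unauthenticated bind, "
                        "treated as anonymous if the server accepts it (RFC 4513 section 5.1.2)")
    findings.append(f"bind resultCode={decode_bind_response(resp)}")
    dn, attrs = decode_search_entry(entry)
    missing = [a for a in POSIX_REQUIRED if a not in attrs]
    if missing:
        findings.append(f"{dn} came back without {', '.join(missing)}: "
                        "the bound identity cannot read them, so check its eDirectory rights")
    return findings

if __name__ == "__main__":  # constructed sample mirroring the trace: no password, success, no homeDirectory
    sample = search_result_entry(2, "cn=Student,ou=MISC,ou=otherou,o=place",
                                 {"uid": ["Student"], "uidNumber": ["10001"], "gidNumber": ["10000"], "loginShell": ["/bin/bash"]})
    print(*diagnose(bind_request(1, "cn=LDAP,ou=thing,ou=stuff,o=place", b""), bind_response(1, 0), sample), sep="\n")
```

To confirm on the live system, as the reply suggests, run the same search bound explicitly as the proxy user and compare: `ldapsearch -x -H ldap://192.168.1.1 -D "cn=LDAP,ou=thing,ou=stuff,o=place" -W -b o=place "(uid=Student)" homeDirectory`. If homeDirectory comes back that way but is absent in the trace, the client is not binding with the proxy user's password; if it does not come back either, the proxy user lacks read rights to that attribute on the eDirectory side. The separate "Invalid credentials" failure in the second auth.log excerpt is a different bind (as the Student DN itself) and is not explained by the proxy user's rights.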
© 2007 Novell, Inc. All Rights Reserved.