Hey all. I am having a bit of trouble authenticating LDAP users against eDir, and I'm not sure where the hangup is. On one box, I am running Ubuntu with openLDAP, on the other is an existing installation of eDirectory.
The issue I am having is user authentication, and retrieving the homeDirectory for the Ubuntu computer. I am, however, able to properly search against the eDirectory server. The one problem is: I am running this installation process from afar, and have no access to the eDirectory server, so I cannot tell if this is on the user's eDirectory side, or my own.
Let me run down what I have in my ldap.conf, the debug information I am receiving from LDAP, and the errors I am experiencing.
I am attempting to retrieve user login information via a proxy user as detailed here:
Cool Solutions: Configure Linux to Authenticate to eDirectory via LDAP
The locations have been changed for privacy.
First, the parts that matter in my /etc/ldap.conf:
Code:
host 192.168.1.1
base o=place
uri ldap://192.168.1.1
ldap_version 3
binddn cn=LDAP,ou=thing,ou=stuff,o=place
Next, the returns of an ldapsearch for the user I am trying to log on as:
Code:
dn: cn=Student,ou=MISC,ou=otherou,o=place
loginShell: /bin/bash
homeDirectory: /home/student
gidNumber: 10000
uidNumber: 10001
uid: Student
givenName: student
sn: test
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ndsLoginProperties
objectClass: top
objectClass: posixAccount
description: test user
cn: Student
Notice how the above reflects a proper home directory. Here's a result of a finger on the account, PLUS the debug information pertaining to LDAP retrieved from the request:
Code:
0000: 30 27 02 01 01 60 22 02 01 03 04 1b 63 6e 3d 4c 0'...`".....cn=L
0010: 44 41 50 2c 6f 75 3d 54 43 48 2c 6f 75 3d 5a 48 DAP,ou=thing,ou=stu
0020: 53 2c 6f 3d 5a 50 53 80 00 ff,o=place..
ldap_write: want=41, written=41
0000: 30 27 02 01 01 60 22 02 01 03 04 1b 63 6e 3d 4c 0'...`".....cn=L
0010: 44 41 50 2c 6f 75 3d 54 43 48 2c 6f 75 3d 5a 48 DAP,ou=thing,ou=stu
0020: 53 2c 6f 3d 5a 50 53 80 00 ff,o=place..
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ldap_read: want=274, got=274
0000: 82 01 0f 04 1f 63 6e 3d 53 74 75 64 65 6e 74 2c .....cn=Student,
0010: 6f 75 3d 4d 49 53 43 2c 6f 75 3d 53 54 55 2c 6f ou=MISC,ou=thing,o
0020: 3d 5a 50 53 30 81 eb 30 19 04 0a 6c 6f 67 69 6e =place0..0...login
0030: 53 68 65 6c 6c 31 0b 04 09 2f 62 69 6e 2f 62 61 Shell1.../bin/ba
0040: 73 68 30 14 04 09 67 69 64 4e 75 6d 62 65 72 31 sh0...gidNumber1
0050: 07 04 05 31 30 30 30 30 30 14 04 09 75 69 64 4e ...100000...uidN
0060: 75 6d 62 65 72 31 07 04 05 31 30 30 30 31 30 10 umber1...100010.
0070: 04 03 75 69 64 31 09 04 07 53 74 75 64 65 6e 74 ..uid1...Student
0080: 30 63 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 31 0c..objectClass1
0090: 54 04 0d 69 6e 65 74 4f 72 67 50 65 72 73 6f 6e T..inetOrgPerson
00a0: 04 14 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 61 6c ..organizational
00b0: 50 65 72 73 6f 6e 04 06 70 65 72 73 6f 6e 04 12 Person..person..
00c0: 6e 64 73 4c 6f 67 69 6e 50 72 6f 70 65 72 74 69 ndsLoginProperti
00d0: 65 73 04 03 74 6f 70 04 0c 70 6f 73 69 78 41 63 es..top..posixAc
00e0: 63 6f 75 6e 74 30 1a 04 0b 64 65 73 63 72 69 70 count0...descrip
00f0: 74 69 6f 6e 31 0b 04 09 74 65 73 74 20 75 73 65 tion1...test use
0100: 72 30 0f 04 02 63 6e 31 09 04 07 53 74 75 64 65 r0...cn1...Stude
0110: 6e 74 nt
Login: Student Name: Student
Directory: Shell: /bin/bash
Never logged in.
No mail.
No Plan.
Notice above how there is no entry under "Directory:" even though the user's homeDirectory is clearly listed under the ldapsearch.
Next, I will attempt to log in as the user from a root account, and provide the error and auth.log failure:
Code:
root@server:/# su - Student
su: Permission denied
From /var/log/auth.log:
Code:
Nov 3 16:34:55 server su[25955]: pam_unix(su:session): session opened for user Student by ltsp(uid=0)
Nov 3 16:34:55 server su[25955]: pam_mkhomedir(su:session): unable to create directory : No such file or directory
Nov 3 16:34:55 server su[25955]: pam_open_session: Permission denied
The reason it's not logging in is not that a home directory could not be created, because I am using the following in /etc/pam.d/common-session:
Code:
session required pam_mkhomedir.so umask=0007 skel=/etc/skel/
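An added example, not part of the original post: a minimal BER walker that decodes the hex of the 274-byte ldap_read in the debug dump above and compares the attribute names the server actually returned with the ones nss_ldap maps onto a posixAccount passwd entry (uid, uidNumber, gidNumber, homeDirectory, loginShell; assumed to be the standard mapping). The ASCII column of the dump was edited for privacy but the hex bytes were not, so the decoded DN is the one that appears unedited in the auth.log further down; the decoded entry carries no homeDirectory at all, which is what both the empty "Directory:" field in the finger output and the empty directory name in "unable to create directory :" reflect.

```python
"""Decode the 274-byte ldap_read from the debug dump above and list which
posixAccount attributes the directory actually returned to nss_ldap."""
# Hex bytes copied from the post's dump, offset and ASCII columns dropped. The
# SearchResultEntry tag 0x64 sits in the preceding 8-byte read the post does not
# show, so this buffer starts with the long-form length 82 01 0f (= 271 bytes).
DUMP = bytes.fromhex(
    "82010f041f636e3d53747564656e742c6f753d4d4953432c6f753d5354552c6f"
    "3d5a50533081eb3019040a6c6f67696e5368656c6c310b04092f62696e2f6261"
    "7368301404096769644e756d626572310704053130303030301404097569644e"
    "756d626572310704053130303031301004037569643109040753747564656e74"
    "3063040b6f626a656374436c6173733154040d696e65744f7267506572736f6e"
    "04146f7267616e697a6174696f6e616c506572736f6e0406706572736f6e0412"
    "6e64734c6f67696e50726f706572746965730403746f70040c706f7369784163"
    "636f756e74301a040b6465736372697074696f6e310b04097465737420757365"
    "72300f0402636e3109040753747564656e74"
)
# Attributes nss_ldap maps onto the passwd entry of a posixAccount (assumed standard mapping).
NSS_POSIX_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at pos; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_entry(body):
    """Parse a SearchResultEntry body: LDAPDN, then SEQUENCE OF PartialAttribute."""
    tag, dn, pos = read_tlv(body, 0)
    assert tag == 0x04, "expected OCTET STRING for the DN"
    tag, attrs, _ = read_tlv(body, pos)
    assert tag == 0x30, "expected SEQUENCE OF PartialAttribute"
    entry, pos = {}, 0
    while pos < len(attrs):
        _, attr, pos = read_tlv(attrs, pos)  # SEQUENCE { type, vals SET OF value }
        _, atype, vpos = read_tlv(attr, 0)
        _, vals, _ = read_tlv(attr, vpos)
        values, vp = [], 0
        while vp < len(vals):
            _, val, vp = read_tlv(vals, vp)
            values.append(val.decode())
        entry[atype.decode()] = values
    return dn.decode(), entry

def decode_dump(raw=DUMP):
    """Skip the length remainder, parse the entry and list the NSS attributes it lacks."""
    assert raw[:3] == b"\x82\x01\x0f" and len(raw) == 3 + 0x010F
    dn, attrs = parse_entry(raw[3:])
    return dn, attrs, [a for a in NSS_POSIX_ATTRS if a not in attrs]
```

The attribute set on the wire is smaller than what the interactive ldapsearch shows, so the thing to compare is which identity each lookup binds as and which attributes that identity is allowed to read.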
I am also unable to log in directly as the Student user. Here is the auth.log after an attempt to log in as the user directly instead of as root:
Code:
Nov 3 16:42:29 ltsp1 su[26336]: pam_unix(su:auth): authentication failure; logname=user uid=1001 euid=0 tty=pts/0 ruser=ltsp rhost= user=Student
Nov 3 16:42:32 ltsp1 su[26336]: pam_ldap: error trying to bind as user "cn=Student,ou=MISC,ou=STU,o=ZPS" (Invalid credentials)
Nov 3 16:42:33 ltsp1 su[26336]: pam_authenticate: Authentication failure
Nov 3 16:42:33 ltsp1 su[26336]: FAILED su for Student by user
Nov 3 16:42:33 ltsp1 su[26336]: - pts/0 ltsp:Student
I would dearly appreciate any help that I could get, because from my end, my options appear to be exhausted.
Thanks in advance.