
I'm testing the pam_ldap implementation with a C++ application. I configured ldap and pam_ldap to authenticate against an OpenLDAP server running on the same host. I created a user for testing, and ldapwhoami works:

ldapwhoami -vvv -D cn=carlosp,cn=users-group,ou=users,dc=example,dc=org -x -w xxxx returns

ldap_initialize( <DEFAULT> )
dn:cn=carlosp,cn=users-group,ou=users,dc=example,dc=org
Result: Success (0)

But my application fails to authenticate the same user with

retval = pam_start("testpam", user, &conv, &pamh);
// NOTE(review): the return value of pam_start() is overwritten below without being
// checked; if pam_start() did not return PAM_SUCCESS, pamh is not a usable handle
// for pam_authenticate(). The surrounding setup of user/conv is not shown here.
retval = pam_authenticate(pamh, 0);

Relevant messages from the nslcd debug output:

nslcd: [8b4567] <authc="carlosp"> DEBUG: nslcd_pam_authc("carlosp","testpam","***")
nslcd: [8b4567] <authc="carlosp"> DEBUG: myldap_search(base="dc=example,dc=org", filter="(&(objectClass=posixAccount)(uid=carlosp))")
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="carlosp"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://127.0.0.1/")
nslcd: [8b4567] <authc="carlosp"> ldap_result() failed: No such object
nslcd: [8b4567] <authc="carlosp"> DEBUG: "carlosp": user not found: No such object

My config files:

cat /etc/pam.d/testpam

auth       required     /usr/lib/x86_64-linux-gnu/security/pam_ldap.so debug
account    required     /usr/lib/x86_64-linux-gnu/security/pam_ldap.so debug
password   required     /usr/lib/x86_64-linux-gnu/security/pam_ldap.so debug
session    required     /usr/lib/x86_64-linux-gnu/security/pam_ldap.so debug

cat /etc/pam_ldap.conf

host 127.0.0.1
base dc=example,dc=org
uri ldap://127.0.0.1/
ldap_version 3
rootbinddn cn=admin,dc=example,dc=org
pam_login_attribute dn
pam_password clear

cat /etc/nslcd.conf

id nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://127.0.0.1/

# The search base that will be used for all queries.
base dc=example,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

/etc/nsswitch.conf

passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files ldap
gshadow:        files ldap

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Does anyone know why ldapwhoami works but pam_authenticate fails?

third_eye



In the output of ldapwhoami you see `dn:cn=carlosp,cn=users-group,ou=users,dc=example,dc=org`, but in the log you show I see `nslcd: [8b4567] <authc="carlosp"> DEBUG: myldap_search(base="dc=example,dc=org", filter="(&(objectClass=posixAccount)(uid=carlosp))")`, so the filter is on 'uid', not 'cn'. ldapwhoami binds directly with the full DN you pass to -D, whereas nslcd first has to locate the user's entry with that uid search before it can go on to authenticate them; that search is what fails with "user not found".

natxo asenjo