
I've installed LDAP Client Authentication with this manual, but in my /var/log/auth.log file I get this error:

Sep  5 14:08:59 workstation01 nscd: nss_ldap: failed to bind to LDAP server ldap://c-hack00:389: Invalid credentials
Sep  5 14:08:59 workstation01 nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Sep  5 14:09:00 workstation01 nscd: nss_ldap: failed to bind to LDAP server ldap://c-hack00:389: Invalid credentials
Sep  5 14:09:00 workstation01 nscd: nss_ldap: could not search LDAP server - Server is unavailable

My /etc/ldap.conf:

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host c-hack00

# The distinguished name of the search base.
base dc=c-hack,dc=de

# Another way to specify your LDAP server is to provide an
uri ldap://c-hack00:389
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=proxyuser,dc=c-hack,dc=de
#"proxyuser" is an existing LDAP user I've created

# The credentials to bind with.
# Optional: default is no credential.
bindpw mypasswort

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=manager,dc=SPG

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub

I think the client is able to connect to the server, but something with the credentials is wrong... How can I fix this?

MrFizzzel

2 Answers


Just to be clear - the bindpw matches the password of the proxyuser account? If you run the following (entering the bindpw when prompted), do you get an error?

ldapsearch -x -W -D "cn=proxyuser,dc=c-hack,dc=de" -b "dc=c-hack, dc=de" objectclass=*

Andy
  • Thanks! I did ldapsearch with all the LDAP users and I found out, that I confounded the cn and the uid of the users... :) – MrFizzzel Sep 07 '14 at 07:32
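The two checks behind this answer, as an added example that is not part of the original answer or the asker's setup: a small POSIX sh script that reads uri/base/binddn/bindpw from an ldap.conf-style file and replays the bind nscd performs with OpenLDAP's ldapsearch (assumed installed). It first checks anonymously whether the binddn entry exists at all, which separates a wrong DN (the cn-versus-uid mix-up the asker eventually found) from a wrong password, and it passes the password to ldapsearch through a mode-0600 file with -y instead of -w so it never appears in the process list. The file path and all values below are assumptions; the functions take any config path.

```shell
#!/bin/sh
# Added example (not from the question or answers): diagnose an nss_ldap
# "failed to bind ... Invalid credentials" error by replaying the bind that
# nscd performs, using the uri/base/binddn/bindpw from an ldap.conf-style file.
# Assumes OpenLDAP's ldapsearch (ldap-utils) is installed for the live checks.

# Print the value of KEY from an ldap.conf-style FILE (first active line only;
# commented-out lines such as "#host c-hack00" are ignored).
ldapconf_get() {
    key="$1"; file="$2"
    awk -v key="$key" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$file"
}

# Return 0 if FILE has all four values a simple bind needs, 1 otherwise.
ldapconf_complete() {
    file="$1"
    for k in uri base binddn bindpw; do
        [ -n "$(ldapconf_get "$k" "$file")" ] || return 1
    done
    return 0
}

# Step 1: does the binddn exist at all? An anonymous base-scope search on the
# DN itself separates "wrong DN" (e.g. cn vs. uid mix-up) from "wrong password".
ldap_dn_exists() {
    uri="$1"; dn="$2"
    ldapsearch -x -LLL -H "$uri" -b "$dn" -s base '(objectclass=*)' dn >/dev/null 2>&1
}

# Step 2: bind as binddn with bindpw. The password goes through a 0600 file
# (-y) rather than -w, so it does not show up in ps output.
ldap_bind_ok() {
    uri="$1"; dn="$2"; pw="$3"; base="$4"
    pwfile=$(umask 077 && mktemp) || return 1
    printf '%s' "$pw" > "$pwfile"     # -y uses the whole file, so no trailing newline
    ldapsearch -x -LLL -H "$uri" -D "$dn" -y "$pwfile" -b "$base" \
        -s base '(objectclass=*)' dn >/dev/null 2>&1
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Run both steps against a config file and say which half of the credentials
# is wrong. Exit status: 0 bind ok, 1 DN or password wrong, 2 config incomplete.
ldap_bind_diag() {
    conf="${1:-/etc/ldap.conf}"      # assumed default path
    ldapconf_complete "$conf" || { echo "$conf: missing uri/base/binddn/bindpw"; return 2; }
    uri=$(ldapconf_get uri "$conf"); base=$(ldapconf_get base "$conf")
    binddn=$(ldapconf_get binddn "$conf"); bindpw=$(ldapconf_get bindpw "$conf")
    if ! ldap_dn_exists "$uri" "$binddn"; then
        echo "binddn '$binddn' not found (or not anonymously readable) on $uri: check the DN"
        return 1
    fi
    ldap_bind_ok "$uri" "$binddn" "$bindpw" "$base"; rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "bind as $binddn succeeded; the nss_ldap credentials are fine"
        return 0
    fi
    echo "bind as $binddn failed (ldapsearch rc=$rc): DN exists, so bindpw is wrong"
    return 1
}

if [ "$#" -gt 0 ]; then
    ldap_bind_diag "$1"
fi
```

Run it as `sh ldap-bind-diag.sh /etc/ldap.conf` on the client. A failing second step with rc=49 is the same "Invalid credentials" that nscd logs; a failing first step means the DN itself is wrong (or the server denies anonymous reads, in which case run the first search with -D/-y as well).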

Ok, connecting to the server works, no errors in the /var/log/auth.log file, and when I do a "sudo" command I get two password questions (one local and one for LDAP), but the LDAP users are still not in the "getent passwd" list...

MrFizzzel
  • I suggest you drop nss_ldap, pam_ldap and nscd and instead use sssd, which is much more modern, supported and easier to use. – ptman Sep 08 '14 at 16:02