cannot connect to ldap
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libnss-ldap (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: libnss-ldap
I'm having problems getting an Ubuntu 6.06.1 LTS host to authenticate against itself through LDAP. That is, this host is the LDAP server (slapd-
Debian testing clients are able to authenticate just fine against the LDAP server. Using the same client configuration files on the Ubuntu server, however, I cannot get it to authenticate against itself, either through login or ssh.
I've tried this both with and without TLS, so that shouldn't be the problem. The fact that other Debian testing boxes can authenticate just fine leads me to suspect an Ubuntu issue. Since this is not specific to ssh (login fails too), and since the only relevant error messages come from lib_nss, this leads me to point the finger at libnss-ldap. Connection to itself is allowed and has been tested; no iptables rules are defined. tcpdump does show communication on tcp ldaps during authentication. Using ldapsearch works just fine.
While searching for bugs I found some related bugs reported on Edgy:
https:/
So I backported the patch referred to there to Dapper; you will find it at the end in case it is useful. It didn't do the trick, though.
--
root@dhcp1a:
Enter LDAP Password:
dn: cn=mcgrof,
dn: cn=mcyberey,
--
root@dhcp1a:
tcp 0 0 localhost:ldap *:* LISTEN 8298/slapd
tcp 0 0 *:ldaps *:* LISTEN 8298/slapd
tcp6 0 0 *:ldaps *:* LISTEN 8298/slapd
/var/log/auth.log reports:
pam_ldap: ldap_simple_bind Can't contact LDAP server
If you try again you get:
Dec 12 17:45:33 dhcp1a sshd[20330]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 12 17:45:33 dhcp1a sshd[20330]: nss_ldap: reconnecting to LDAP server...
Dec 12 17:45:33 dhcp1a sshd[20330]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Dec 12 17:45:35 dhcp1a sshd[20326]: error: PAM: Authentication service cannot retrieve authentication info. for mcgrof from localhost
--
/etc/ldap/ldap.conf
BASE dc=winlab,
URI ldaps:/
TLS_CACERT /etc/ldap/
--
/etc/libnss-
host dhcp1a.
base dc=winlab,
uri ldaps:/
ldap_version 3
port 636
bind_policy soft
ssl on
tls_checkpeer no
--
/etc/nsswitch.conf
passwd: files ldap compat
group: files ldap compat
shadow: files ldap compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
automount: ldap
--
/etc/pam.
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix.so use_first_pass
--
/etc/pam.
account sufficient pam_ldap.so
account required pam_unix.so
account required pam_nologin.so
--
/etc/pam.
password sufficient pam_ldap.so use_authok
password sufficient pam_unix.so use_authtok nullok md5
--
/etc/pam.d/ssh
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
account [success=done new_authtok_
account required pam_unix.so
account required pam_nologin.so
session required pam_unix.so
session required pam_limits.so
--
/etc/ssh/
Port 22
Protocol 2
HostKey /etc/ssh/
HostKey /etc/ssh/
UsePrivilegeSep
KeyRegeneration
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentic
IgnoreRhosts yes
RhostsRSAAuthen
HostbasedAuthen
PermitEmptyPass
PasswordAuthent
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
KeepAlive yes
Subsystem sftp /usr/lib/
UsePAM yes
--
/etc/default/slapd
SLAPD_CONF=
SLAPD_USER=
SLAPD_GROUP=
SLAPD_PIDFILE=
TRY_BDB_
SLURPD_START=auto
SLAPD_SERVICES=
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
--
Backported LaMont Jones' patch for initgroups to Dapper:
diff -ur t/libnss-
--- t/libnss-
+++ libnss-
@@ -1,3 +1,9 @@
+libnss-ldap (251-5.
+
+ * Backport 253 fix for initgroups. Closes: ubuntu#70146
+
+ -- LaMont Jones <email address hidden> Tue, 21 Nov 2006 07:50:16 -0700
+
libnss-ldap (251-5.2) unstable; urgency=high
* Non-maintainer upload.
diff -ur t/libnss-
--- t/libnss-
+++ libnss-
@@ -19,7 +19,7 @@
*/
static char rcsId[] =
- "$Id: ldap-grp.c,v 2.105 2006/03/22 13:18:56 lukeh Exp $";
+ "$Id: ldap-grp.c,v 2.106 2006/09/13 06:33:09 lukeh Exp $";
#include "config.h"
@@ -33,6 +33,7 @@
#include <pthread.h>
#endif
+#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
@@ -719,7 +720,18 @@
return NSS_TRYAGAIN;
}
}
- if (*(lia->start) == *(lia->size))
+
+ if (*(lia->size) == 0)
+ {
+ *(lia->groups) = (gid_t *) realloc(
+ LDAP_NSS_NGROUPS * sizeof (gid_t));
+ if (*(lia->groups) == NULL)
+ {
+ return NSS_TRYAGAIN;
+ }
+ *(lia->size) = LDAP_NSS_NGROUPS;
+ }
+ else if (*(lia->start) == *(lia->size))
{
/* Need a bigger buffer */
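Review bot: On the new `*(lia->size) == 0` branch, `*(lia->groups) = (gid_t *) realloc(...)` assigns the realloc result straight over the caller's buffer pointer, so if realloc fails the previous allocation becomes unreachable and the NSS_TRYAGAIN return hands the caller a NULL where it had a valid buffer; the pre-existing "Need a bigger buffer" branch below has the same shape. Use a temporary instead: `gid_t *tmp = realloc (*(lia->groups), LDAP_NSS_NGROUPS * sizeof (gid_t)); if (tmp == NULL) return NSS_TRYAGAIN; *(lia->groups) = tmp;`. The first argument to realloc is cut off in this rendering, so I cannot confirm what is passed; if it is NULL the leak does not apply here, but the overwrite pattern is still worth fixing for consistency with the grow path. The enclosing function begins before this hunk and continues after it.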
@@ -730,6 +742,10 @@
}
*(lia->size) *= 2;
}
+ else
+ {
+ assert(
+ }
/* weed out duplicates; is this really our responsibility? */
for (i = 0; i < *(lia->start); i++)
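Review bot: The new `else { assert(...); }` arm turns an inconsistent start/size state into an abort() of whatever process has loaded the NSS module, which in this report is sshd or login, since assert stays compiled in unless NDEBUG is defined; the asserted condition is cut off in this rendering, presumably start < size. A shared library pulled into privileged daemons should fail the lookup rather than kill the host process, e.g. `if (*(lia->start) > *(lia->size)) return NSS_UNAVAIL;`, leaving the diagnostic to the debug() channel. The enclosing function continues outside the hunk.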
diff -ur t/libnss-
--- t/libnss-
+++ libnss-
@@ -18,11 +18,11 @@
write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA.
- $Id: ldap-netgrp.c,v 2.44 2006/01/11 18:03:48 lukeh Exp $
+ $Id: ldap-netgrp.c,v 2.45 2006/09/13 06:35:48 lukeh Exp $
*/
static char rcsId[] =
- "$Id: ldap-netgrp.c,v 2.44 2006/01/11 18:03:48 lukeh Exp $";
+ "$Id: ldap-netgrp.c,v 2.45 2006/09/13 06:35:48 lukeh Exp $";
#include "config.h"
@@ -791,7 +791,6 @@
static NSS_STATUS
_nss_ldap_innetgr (nss_backend_t * be, void *_args)
{
- NSS_STATUS stat = NSS_NOTFOUND;
struct nss_innetgr_args *args = (struct nss_innetgr_args *) _args;
int i;
@@ -806,28 +805,27 @@
args-
args-
- /* Presume these are harmonized -- this is a strange interface */
- assert (args->
- args->arg[
- assert (args->
- args->arg[
- assert (args->
- args->arg[
+ /* note: mountd on Solaris does set multiple 'groups' with one 'arg' for
+ * efficiency reasons */
+
+ assert (args->
+ assert (args->
+ assert (args->
_nss_ldap_enter ();
+ const char *machine = (args->
+ args->arg[
+ const char *user = (args->
+ args->arg[
+ const char *domain = (args->
+ args->arg[
+
for (i = 0; i < args->groups.argc; i++)
{
NSS_STATUS parseStat;
- const char *machine = (args->
- args->arg[
- const char *user = (args->
- args->arg[
- const char *domain = (args->
- args->arg[
-
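Review bot: The hoisted `const char *machine`, `user` and `domain` declarations now sit after the `_nss_ldap_enter ();` statement, which is a declaration-after-statement and only valid from C99 onward; the rest of this function (`int i;` at the top, K&R call spacing) is written C89-style, so either move the three declarations above the enter() call or confirm the build uses a C99 mode. Hoisting them out of the loop is otherwise sound, since they do not depend on the loop index. Several lines here are cut off in this rendering, so the exact initialisers cannot be checked.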
@@ -846,15 +844,15 @@
if (args->status == NSS_NETGR_FOUND)
{
- stat = NSS_SUCCESS;
+ _nss_ldap_leave ();
+ debug ("<== _nss_ldap_innetgr (FOUND)");
+ return NSS_SUCCESS;
}
}
_nss_ldap_leave ();
-
- debug ("<== _nss_ldap_
-
- return stat;
+ debug ("<== _nss_ldap_innetgr (not found)");
+ return NSS_NOTFOUND;
}
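Review bot: The FOUND path now exits from inside the loop with its own `_nss_ldap_leave ()` / debug / return triple, duplicating the not-found exit below, so every future early return in this function has to remember to drop the global lock. A single exit, keeping `stat` and `break`ing out of the loop or using a `goto out` with the leave call after the label, would keep one unlock site. The early return also skips the remaining entries in args->groups, which looks intentional but is a behaviour change from the removed `stat = NSS_SUCCESS;` form.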
/*
diff -ur t/libnss-
--- t/libnss-
+++ libnss-
@@ -96,9 +96,9 @@
* unacceptable, in which case you may wish to adjust
* the constants below.
*/
-#define LDAP_NSS_TRIES 5 /* number of sleeping reconnect attempts */
-#define LDAP_NSS_SLEEPTIME 4 /* seconds to sleep; doubled until max */
-#define LDAP_NSS_
+#define LDAP_NSS_TRIES 1 /* number of sleeping reconnect attempts */
+#define LDAP_NSS_SLEEPTIME 1 /* seconds to sleep; doubled until max */
+#define LDAP_NSS_
#define LDAP_NSS_
#if defined(
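Review bot: Lowering `LDAP_NSS_TRIES` from 5 to 1 and `LDAP_NSS_SLEEPTIME` from 4 to 1 changes the module's reconnect/backoff behaviour for every lookup, yet the changelog entry in this patch only records `* Backport 253 fix for initgroups.`; either document the tuning there or leave it out of a targeted backport. With a single attempt and a one-second sleep, a briefly unreachable server is likely to surface as a failed lookup to PAM almost immediately, which may make the `Can't contact LDAP server` symptom under investigation more visible rather than less. The third define in this pair of line groups is cut off in this rendering.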
@@ -691,6 +691,9 @@
void _nss_ldap_
void _nss_ldap_
+void _nss_ldap_
+void _nss_ldap_
+
/*
* Acquire global nss_ldap lock and blocks SIGPIPE.
* Generally this should only be done within ldap-nss.c.
I now believe this bug needs to be reassigned to libpam-ldap; I am doing some digging there now. I have tested the same config files on a separate Ubuntu Dapper client, and now auth.log complains only through pam_ldap:
Dec 13 14:10:58 web1 sshd[10443]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 13 14:11:00 web1 sshd[10443]: Failed password for mcgrof from 192.168.xxx.yyy port 44978 ssh2
This is repeated if I try to enter the password again.
Note that ldapsearch and id -a mcgrof work well on this new client box: /dhcp1a. winlab. rutgers. edu -D "uid=mcgrof, ou=People, dc=winlab, dc=rutgers, dc=edu" -W -LLL cn=mc* dn ou=auto. home,dc= winlab, dc=rutgers, dc=edu
--
root@web1:~# ldapsearch -x -H ldaps:/
Enter LDAP Password:
dn: cn=mcgrof,
dn: cn=mcyberey, ou=auto. home,dc= winlab, dc=rutgers, dc=edu 5000(staff) ,6000(sysadmin)
--
root@web1:~# id -a mcgrof
uid=230(mcgrof) gid=5000(staff) groups=
--