cannot connect to ldap

Binary package hint: libnss-ldap

I'm having problems getting an ubuntu 6.06.1 LTS host authenticate against against itself through ldap. That is this host is the ldap server (slapd-2.2.26-5ubuntu2.2) and I am trying to get it to authenticate against itself.

Debian testing clients are able to authenticate just fine against the ldap server. Using the same client configuration files on the ubuntu server I cannot get it to authenticate against itself though through login or ssh.

I've tried this using TLS and without TLS so that shouldn't be the problem. The fact that other debian testing boxes can authenticate just fine leads me to point to an ubuntu issue. Since this is not specific to ssh (login fails too) and since the only relevant error messages are lib_nss this leads me to point the finger to libnss-ldap. Connection to itself is allowed and has been tested, no iptables rules defined. tcpdump does show communication on tcp ldaps during authentication. Using ldapsearch works just fine.

While searching for bugs I found certain bugs reported on edgy:

https://launchpad.net/distros/ubuntu/+source/libnss-ldap/+bug/70146

So I ported the patch referred to there to Dapper. At the end you will find the patch in case you find it useful. Anyway, that didn't do the trick.

--
root@dhcp1a:~/devel/libnss-ldap# ldapsearch -x -H ldaps://dhcp1a.winlab.rutgers.edu -D "uid=mcgrof,ou=People,dc=winlab,dc=rutgers,dc=edu" -W -LLL cn=mc* dn
Enter LDAP Password:
dn: cn=mcgrof,ou=auto.home,dc=winlab,dc=rutgers,dc=edu

dn: cn=mcyberey,ou=auto.home,dc=winlab,dc=rutgers,dc=edu
--
root@dhcp1a:~/devel/libnss-ldap# netstat -tlp | grep ldap
tcp 0 0 localhost:ldap *:* LISTEN 8298/slapd
tcp 0 0 *:ldaps *:* LISTEN 8298/slapd
tcp6 0 0 *:ldaps *:* LISTEN 8298/slapd

/var/log/auth.log reports:

pam_ldap: ldap_simple_bind Can't contact LDAP server

If you try again you get:

Dec 12 17:45:33 dhcp1a sshd[20330]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 12 17:45:33 dhcp1a sshd[20330]: nss_ldap: reconnecting to LDAP server...
Dec 12 17:45:33 dhcp1a sshd[20330]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
Dec 12 17:45:35 dhcp1a sshd[20326]: error: PAM: Authentication service cannot retrieve authentication info. for mcgrof from localhost

--
/etc/ldap/ldap.conf

BASE dc=winlab,dc=rutgers,dc=edu
URI ldaps://dhcp1a.winlab.rutgers.edu
TLS_CACERT /etc/ldap/CAcert.pem
--
/etc/libnss-ldap.conf

host dhcp1a.winlab.rutgers.edu
base dc=winlab,dc=rutgers,dc=edu
uri ldaps://dhcp1a.winlab.rutgers.edu
ldap_version 3
port 636
bind_policy soft
ssl on
tls_checkpeer no
--
/etc/nsswitch.conf

passwd: files ldap compat
group: files ldap compat
shadow: files ldap compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
automount: ldap
--
/etc/pam.d/common-auth

auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix.so use_first_pass
--
/etc/pam.d/common-account

account sufficient pam_ldap.so
account required pam_unix.so
account required pam_nologin.so
--
/etc/pam.d/common-password

password sufficient pam_ldap.so use_authok
password sufficient pam_unix.so use_authtok nullok md5
--
/etc/pam.d/ssh

auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
account [success=done new_authtok_reqd=done perm_denied=bad default=ignore] pam_ldap.so
account required pam_unix.so
account required pam_nologin.so
session required pam_unix.so
session required pam_limits.so
--
/etc/ssh/sshd_config

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
KeepAlive yes
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
--
/etc/default/slapd

SLAPD_CONF=
SLAPD_USER=
SLAPD_GROUP=
SLAPD_PIDFILE=
TRY_BDB_RECOVERY=yes
SLURPD_START=auto
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:///"
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
--

Backported LaMont Jones' patch for initgroups to Dapper:

diff -ur t/libnss-ldap-251/debian/changelog libnss-ldap-251/debian/changelog
--- t/libnss-ldap-251/debian/changelog 2006-11-21 07:47:11.000000000 -0700
+++ libnss-ldap-251/debian/changelog 2006-11-21 08:00:46.000000000 -0700
@@ -1,3 +1,9 @@
+libnss-ldap (251-5.2ubuntu1~proposed) edgy-updates; urgency=low
+
+ * Backport 253 fix for initgroups. Closes: ubuntu#70146
+
+ -- LaMont Jones <email address hidden> Tue, 21 Nov 2006 07:50:16 -0700
+
 libnss-ldap (251-5.2) unstable; urgency=high

   * Non-maintainer upload.
diff -ur t/libnss-ldap-251/ldap-grp.c libnss-ldap-251/ldap-grp.c
--- t/libnss-ldap-251/ldap-grp.c 2006-06-21 20:39:26.000000000 -0600
+++ libnss-ldap-251/ldap-grp.c 2006-11-21 07:48:26.000000000 -0700
@@ -19,7 +19,7 @@
  */

 static char rcsId[] =
- "$Id: ldap-grp.c,v 2.105 2006/03/22 13:18:56 lukeh Exp $";
+ "$Id: ldap-grp.c,v 2.106 2006/09/13 06:33:09 lukeh Exp $";

 #include "config.h"

@@ -33,6 +33,7 @@
 #include <pthread.h>
 #endif

+#include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
@@ -719,7 +720,18 @@
          return NSS_TRYAGAIN;
        }
     }
- if (*(lia->start) == *(lia->size))
+
+ if (*(lia->size) == 0)
+ {
+ *(lia->groups) = (gid_t *) realloc(*(lia->groups),
+ LDAP_NSS_NGROUPS * sizeof (gid_t));
+ if (*(lia->groups) == NULL)
+ {
+ return NSS_TRYAGAIN;
+ }
+ *(lia->size) = LDAP_NSS_NGROUPS;
+ }
+ else if (*(lia->start) == *(lia->size))
     {
       /* Need a bigger buffer */
       *(lia->groups) = (gid_t *) realloc (*(lia->groups),
@@ -730,6 +742,10 @@
        }
       *(lia->size) *= 2;
     }
+ else
+ {
+ assert(*(lia->start) < *(lia->size));
+ }

   /* weed out duplicates; is this really our responsibility? */
   for (i = 0; i < *(lia->start); i++)
diff -ur t/libnss-ldap-251/ldap-netgrp.c libnss-ldap-251/ldap-netgrp.c
--- t/libnss-ldap-251/ldap-netgrp.c 2006-06-21 20:39:26.000000000 -0600
+++ libnss-ldap-251/ldap-netgrp.c 2006-11-21 07:48:26.000000000 -0700
@@ -18,11 +18,11 @@
    write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
    Boston, MA 02111-1307, USA.

- $Id: ldap-netgrp.c,v 2.44 2006/01/11 18:03:48 lukeh Exp $
+ $Id: ldap-netgrp.c,v 2.45 2006/09/13 06:35:48 lukeh Exp $
  */

 static char rcsId[] =
- "$Id: ldap-netgrp.c,v 2.44 2006/01/11 18:03:48 lukeh Exp $";
+ "$Id: ldap-netgrp.c,v 2.45 2006/09/13 06:35:48 lukeh Exp $";

 #include "config.h"

@@ -791,7 +791,6 @@
 static NSS_STATUS
 _nss_ldap_innetgr (nss_backend_t * be, void *_args)
 {
- NSS_STATUS stat = NSS_NOTFOUND;
   struct nss_innetgr_args *args = (struct nss_innetgr_args *) _args;
   int i;

@@ -806,28 +805,27 @@
      args->arg[NSS_NETGR_MACHINE].argc, args->arg[NSS_NETGR_USER].argc,
      args->arg[NSS_NETGR_DOMAIN].argc, args->groups.argc);

- /* Presume these are harmonized -- this is a strange interface */
- assert (args->arg[NSS_NETGR_MACHINE].argc == 0 ||
- args->arg[NSS_NETGR_MACHINE].argc == args->groups.argc);
- assert (args->arg[NSS_NETGR_USER].argc == 0 ||
- args->arg[NSS_NETGR_USER].argc == args->groups.argc);
- assert (args->arg[NSS_NETGR_DOMAIN].argc == 0 ||
- args->arg[NSS_NETGR_DOMAIN].argc == args->groups.argc);
+ /* note: mountd on Solaris does set multiple 'groups' with one 'arg' for
+ * efficiency reasons */
+
+ assert (args->arg[NSS_NETGR_MACHINE].argc <= 1);
+ assert (args->arg[NSS_NETGR_USER].argc <= 1);
+ assert (args->arg[NSS_NETGR_DOMAIN].argc <= 1);

   _nss_ldap_enter ();

+ const char *machine = (args->arg[NSS_NETGR_MACHINE].argc != 0) ?
+ args->arg[NSS_NETGR_MACHINE].argv[0] : NULL;
+ const char *user = (args->arg[NSS_NETGR_USER].argc != 0) ?
+ args->arg[NSS_NETGR_USER].argv[0] : NULL;
+ const char *domain = (args->arg[NSS_NETGR_DOMAIN].argc != 0) ?
+ args->arg[NSS_NETGR_DOMAIN].argv[0] : NULL;
+
   for (i = 0; i < args->groups.argc; i++)
     {
       NSS_STATUS parseStat;
       ldap_innetgr_args_t li_args;

- const char *machine = (args->arg[NSS_NETGR_MACHINE].argc != 0) ?
- args->arg[NSS_NETGR_MACHINE].argv[i] : NULL;
- const char *user = (args->arg[NSS_NETGR_USER].argc != 0) ?
- args->arg[NSS_NETGR_USER].argv[i] : NULL;
- const char *domain = (args->arg[NSS_NETGR_DOMAIN].argc != 0) ?
- args->arg[NSS_NETGR_DOMAIN].argv[i] : NULL;
-
       li_args.lia_netgroup = args->groups.argv[i];
       li_args.lia_netgr_status = NSS_NETGR_NO;
       li_args.lia_depth = 0;
@@ -846,15 +844,15 @@

       if (args->status == NSS_NETGR_FOUND)
        {
- stat = NSS_SUCCESS;
+ _nss_ldap_leave ();
+ debug ("<== _nss_ldap_innetgr (FOUND)");
+ return NSS_SUCCESS;
        }
     }

   _nss_ldap_leave ();
-
- debug ("<== _nss_ldap_innetgr");
-
- return stat;
+ debug ("<== _nss_ldap_innetgr (not found)");
+ return NSS_NOTFOUND;
 }

 /*
diff -ur t/libnss-ldap-251/ldap-nss.h libnss-ldap-251/ldap-nss.h
--- t/libnss-ldap-251/ldap-nss.h 2006-11-21 07:47:11.000000000 -0700
+++ libnss-ldap-251/ldap-nss.h 2006-11-21 07:48:26.000000000 -0700
@@ -96,9 +96,9 @@
  * unacceptable, in which case you may wish to adjust
  * the constants below.
  */
-#define LDAP_NSS_TRIES 5 /* number of sleeping reconnect attempts */
-#define LDAP_NSS_SLEEPTIME 4 /* seconds to sleep; doubled until max */
-#define LDAP_NSS_MAXSLEEPTIME 64 /* maximum seconds to sleep */
+#define LDAP_NSS_TRIES 1 /* number of sleeping reconnect attempts */
+#define LDAP_NSS_SLEEPTIME 1 /* seconds to sleep; doubled until max */
+#define LDAP_NSS_MAXSLEEPTIME 8 /* maximum seconds to sleep */
 #define LDAP_NSS_MAXCONNTRIES 2 /* reconnect attempts before sleeping */

 #if defined(HAVE_NSSWITCH_H) || defined(HAVE_IRS_H)
@@ -691,6 +691,9 @@
 void _nss_ldap_block_sigpipe (void);
 void _nss_ldap_unblock_sigpipe (void);

+void _nss_ldap_block_sigpipe (void);
+void _nss_ldap_unblock_sigpipe (void);
+
 /*
  * Acquire global nss_ldap lock and blocks SIGPIPE.
  * Generally this should only be done within ldap-nss.c.