# openldap configuration woes

## pilla

I am trying to configure an LDAP server for authentication. After some previous attempts with little method, I have followed the Gentoo openLDAP Howto to the letter, only changing dc=domain,dc=com to dc=lups,dc=br. I've verified that all references have been properly changed.

Using the base.ldif configuration stated in the OpenLDAP Gentoo Wiki, I've added a single test user. 

If I do a "getent passwd", I do not get the test user. However, if I comment out the ACL in /etc/openldap/slapd.conf (thus allowing anything), it works. I can even login with that user (I am still testing it in the same machine as slapd is running on).

The ACL from the Howto is as follows:

```
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
   by self write
   by users read
   by anonymous auth
```

What am I doing wrong?

edit: I've tried another ACL, from openldap.org:

```
access to attr=userPassword
        by self =xw
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none
```

The log is like:

```
Apr 16 10:51:28 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:51:28 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:51:28 localhost slapd[11673]: conn=1000 op=2 SRCH base="ou=People,dc=lups,dc=br" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=teste))"
Apr 16 10:51:28 localhost slapd[11673]: conn=1000 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 16 10:51:28 localhost slapd[11673]: conn=1000 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Apr 16 10:51:28 localhost login[11712]: pam_tally2(login:auth): pam_get_uid; no such user
Apr 16 10:51:29 localhost login[11712]: pam_unix(login:auth): check pass; user unknown
Apr 16 10:51:29 localhost login[11712]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost= 
Apr 16 10:51:29 localhost slapd[11673]: conn=1002 fd=15 ACCEPT from IP=127.0.0.1:36678 (IP=0.0.0.0:389)
Apr 16 10:51:29 localhost slapd[11673]: conn=1002 op=0 BIND dn="" method=128
Apr 16 10:51:29 localhost slapd[11673]: conn=1002 op=0 RESULT tag=97 err=0 text=
Apr 16 10:51:29 localhost slapd[11673]: conn=1002 op=1 SRCH base="ou=People,dc=lups,dc=br" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=teste))"
Apr 16 10:51:29 localhost slapd[11673]: conn=1002 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
Apr 16 10:51:29 localhost slapd[11673]: conn=1002 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Apr 16 10:51:29 localhost login[11712]: pam_ldap: ldap_search_s No such object
Apr 16 10:51:29 localhost login[11712]: gkr-pam: error looking up user information for: teste
Apr 16 10:51:30 localhost acpid: client 10497[0:1002] has disconnected
Apr 16 10:51:30 localhost acpid: client connected from 10497[0:1002]
Apr 16 10:51:30 localhost acpid: 1 client rule loaded
Apr 16 10:51:32 localhost login[11712]: FAILED LOGIN (1) on '/dev/tty2' FOR 'UNKNOWN', Authentication failure
Apr 16 10:52:28 localhost slapd[11673]: conn=1002 fd=15 closed (connection lost)
Apr 16 10:53:13 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:53:13 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:53:13 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:53:13 localhost slapd[11673]: conn=1000 op=3 SRCH base="ou=People,dc=lups,dc=br" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=portage))"
Apr 16 10:53:13 localhost slapd[11673]: conn=1000 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
Apr 16 10:53:13 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:53:13 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:53:13 localhost slapd[11673]: conn=1000 op=4 SRCH base="ou=Group,dc=lups,dc=br" scope=1 deref=0 filter="(&(objectClass=posixGroup)(memberUid=portage))"
Apr 16 10:53:13 localhost slapd[11673]: conn=1000 op=4 SRCH attr=gidNumber
Apr 16 10:53:13 localhost slapd[11673]: conn=1000 op=4 SEARCH RESULT tag=101 err=32 nentries=0 text=
Apr 16 10:53:13 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
```

edit2: log for the howto ACL:

```
Apr 16 10:58:14 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:58:14 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:58:14 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:58:14 localhost nscd: nss_ldap: closing connection 0xb8ffa1e8 fd 11
Apr 16 10:58:14 localhost nscd: nss_ldap: __session.ls_state=-1, __session.ls_conn=(nil), __euid=0, euid=0
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 fd=14 ACCEPT from IP=127.0.0.1:56995 (IP=0.0.0.0:389)
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=0 BIND dn="" method=128
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=0 RESULT tag=97 err=0 text=
Apr 16 10:58:14 localhost slapd[12021]: connection_input: conn=1000 deferring operation: binding
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=1 SRCH base="ou=People,dc=lups,dc=br" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=teste))"
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 16 10:58:14 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=2 SRCH base="ou=People,dc=lups,dc=br" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=teste))"
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 16 10:58:14 localhost nscd: nss_ldap: closing connection 0xb8ffa1e8 fd 11
Apr 16 10:58:14 localhost nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=2 SEARCH RESULT tag=101 err=50 nentries=0 text=
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 op=3 UNBIND
Apr 16 10:58:14 localhost slapd[12021]: conn=1000 fd=14 closed
Apr 16 10:58:15 localhost nscd: nss_ldap: __session.ls_state=-1, __session.ls_conn=(nil), __euid=0, euid=0
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 fd=14 ACCEPT from IP=127.0.0.1:56996 (IP=0.0.0.0:389)
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=0 BIND dn="" method=128
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=0 RESULT tag=97 err=0 text=
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=1 SRCH base="ou=People,dc=lups,dc=br" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=teste))"
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=
Apr 16 10:58:15 localhost nscd: nss_ldap: __session.ls_state=1, __session.ls_conn=0xb8ffa1e8, __euid=0, euid=0
Apr 16 10:58:15 localhost nscd: nss_ldap: closing connection 0xb8ffa1e8 fd 11
Apr 16 10:58:15 localhost nscd: nss_ldap: reconnecting to LDAP server (sleeping 2 seconds)...
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=2 SRCH base="ou=People,dc=lups,dc=br" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=teste))"
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=2 SEARCH RESULT tag=101 err=50 nentries=0 text=
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 op=3 UNBIND
Apr 16 10:58:15 localhost slapd[12021]: conn=1001 fd=14 closed
...........
```

----------

## nativemad

Hi,

I think your problem is with nss/pam!

Either allow anonymous read to the user attributes or create a special account with higher read privileges for nss/pam and set it as binddn in /etc/ldap.conf.

The third option would be a complete shell login through ldap with a user with enough rights.... But honestly, I wouldn't give the "Manager" uid 0!

HTH, Cheers

----------

## pilla

Hi nativemad

I thought it should be allowing anonymous auth by the ACL. 

```
access to attr=userPassword
        by self =xw
        by anonymous auth
        by * none
```

Am I missing something here?

Thanks.

----------

## nativemad

*pilla wrote:*

> Hi nativemad
>
> I thought it should be allowing anonymous auth by the ACL.

"auth" is just for the internal auth mechanism itself.

You can test it with your first example by replacing "by anonymous auth" with "by anonymous read".

On the second example it would be "by * read" instead of "by * none" (on the second part).

Actually you only need that functionality to chown something with the username, to get proper uid/gid resolution within for example "ls", or to get a user list like you did as root. A normal login should work anyway via ldap and there, these things should work that way... just the unix user root has no access!

----------

## pilla

Changing the ACL to your specs didn't work either... I can't login with that ACL.

----------

## pilla

Following your directions and the Howto, I tried 

```
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attr=userPassword
        by self =xw
        by anonymous read
        by * none
access to *
        by self write
        by users read
        by anonymous read
        by * read
```

...and it seems to be working now! Thank you very much.

----------

## nativemad

One thing:

You absolutely should not allow any read access to the attr=userPassword besides "self"! Just give anonymous "auth" and you're fine.

----------

## newtonian

Thanks guys, I was able to get pam_ldap logins working by putting together both guides, as the site admin points out at the top of this post.

I should put together an updated howto in the new wiki to help keep people from banging their heads against the wall when setting up pam_ldap in gentoo.

The current howto lists a padl make_master.sh file that doesn't exist and there is a nsswitch.conf issue that needs to be documented.

*nativemad wrote:*

> One thing:
>
> You absolutely should not allow any read access to the attr=userPassword besides "self"! -Just give anonymous "auth" and you're fine.

This worked for me:

```
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
        by self =xw
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous read
        by * read
```

Notice the "by anonymous auth" in the userPassword section and the "by anonymous read" for *.

I'm guessing the anonymous read for * is required because searching is required for anonymous.

The OpenLDAP permissions section in the official howto didn't work for me because the "access to *" section didn't contain an anonymous read value. TODO: find out why anonymous needs read for auth to work.

NOTE: attr has changed to attrs. If you used attr you'll get a nasty deprecated warning when you restart slapd.

Cheers,

----------
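As an added illustration of nativemad's point that "auth" is not "read" and of newtonian's TODO (a constructed model written for this page, not OpenLDAP code and not anything the thread's authors posted), the following first-match evaluator replays the three ACLs from the thread and reproduces the err=50, err=32 and working outcomes seen in the logs. It assumes OpenLDAP's documented privilege ordering (each level implies the lower ones) and that a search needs "search" access to the base entry, with "disclose" deciding whether a denial is reported as 50 or 32; the dn.base="" rules are left out because they do not cover entries under ou=People.

```python
# Constructed model of slapd ACL evaluation (not OpenLDAP's own code) that
# reproduces the thread's outcomes: err=32, err=50 and a working lookup/login.
# Modelled: "*"/"attrs=" targets, self|users|anonymous|* clauses, "=xw" privileges.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
LETTERS = {"0": "none", "d": "disclose", "x": "auth", "c": "compare",
           "s": "search", "r": "read", "w": "write"}
ANON = {"anonymous", "*"}          # identities an unauthenticated requester has

def parse_acl(text):
    """Return [(target, [(who, level), ...]), ...] in directive order."""
    rules = []
    for directive in " ".join(text.split()).split("access to ")[1:]:
        target, *clauses = directive.strip().split(" by ")
        parsed = []
        for clause in clauses:
            who, level = clause.split()
            if level.startswith("="):      # explicit privileges, e.g. =xw
                level = max((LETTERS[c] for c in level[1:]), key=LEVELS.index)
            parsed.append((who, level))
        rules.append((target.strip(), parsed))
    return rules

def allows(level, needed):
    """Each level implies every lower one: auth < compare < search < read."""
    return LEVELS.index(level) >= LEVELS.index(needed)

def granted(rules, attr, who):
    """First matching directive wins, then its first matching by-clause;
    every directive ends with an implicit 'by * none'."""
    for target, clauses in rules:
        if target == "*" or (target.startswith(("attrs=", "attr=")) and
                             attr in target.split("=", 1)[1].split(",")):
            return next((lvl for w, lvl in clauses if w in who), "none")
    return "none"                      # nothing matched: denied (simplified)

def search_result(rules, who=ANON):
    """Result code of nss_ldap's search under ou=People: 'search' is needed on
    the base entry; without 'disclose' slapd hides its existence (err=32)."""
    lvl = granted(rules, "entry", who)
    return 0 if allows(lvl, "search") else (50 if allows(lvl, "disclose") else 32)

def simple_bind_ok(rules):
    """A simple bind is evaluated as anonymous and needs 'auth' on userPassword."""
    return allows(granted(rules, "userPassword", ANON), "auth")

PW = "access to attrs=userPassword by self =xw by anonymous auth by * none "
HOWTO = parse_acl("access to * by self write by users read by anonymous auth")
ORG = parse_acl(PW + "access to * by self write by users read by * none")
FINAL = parse_acl(PW + "access to * by self write by users read by anonymous read by * read")
```

With the final ACL, anonymous can bind against userPassword but cannot read it, and an authenticated user other than the entry's owner gets no access to it at all, which is exactly the property nativemad's warning asks for.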

