
nslcd use ldap_sasl_bind and fail to bind #55

Open
IlGab78 opened this issue Oct 25, 2022 · 2 comments

Comments

@IlGab78

IlGab78 commented Oct 25, 2022

How can I disable ldap_sasl_bind for user credential verification?
The simple LDAP bind works correctly, but when nslcd tries to check the user credentials, it uses ldap_sasl_bind and fails even if the user credentials are ok.

nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_initialize(ldap://ldapserver)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_simple_bind_s("CN=LdapBind_user,OU=ServiceAccounts,DC=domain,DC=net","") (uri="ldap://ldapserver")
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_result(): CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net
nslcd: [8b4567] <authc="xxxxx"> DEBUG: myldap_search(base="CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net", filter="(objectClass=*)")
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_initialize(ldap://ldapserver)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","***") (uri="ldap://ldapserver") (ppolicy=yes)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] <authc="xxxxx"> DEBUG: failed to bind to LDAP server ldap://ldapserver: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="xxxxx"> CN=CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net: Invalid credentials
nslcd: [8b4567] <authc="xxxxx"> DEBUG: myldap_search(base="dc=domain,dc=net", filter="(&(objectClass=user)(saMAccountName=xxxxx))")
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_result(): CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net

@arthurdejong
Owner

The

ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","")* (uri="ldap://ldapserver") (ppolicy=yes)

log indicates that an authentication attempt was made with a blank password (otherwise the second argument would have been "***").

The current code uses ldap_sasl_bind() for user authentication because normally password policy controls are passed. If the LDAP server has issues with the requested password controls you could try to set pam_authc_ppolicy no in nslcd.conf. That still uses ldap_sasl_bind() in combination with LDAP_SASL_SIMPLE though but might resolve the issue.
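To read the two nslcd traces in this thread side by side, here is an added Python example (not part of nslcd or of this issue) that parses the nslcd debug lines, pairs each bind call with the result that follows it, tells a blank password argument from the "***" mask, and maps the Active Directory "data 52e" sub-code; the sample lines are constructed from the logs above with the "***" mask restored.

```python
import re

# Constructed sample: the nslcd debug lines from the issue, with the "***"
# password mask restored (the issue tracker's markdown had swallowed the asterisks).
SAMPLE_LOG = """\
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_simple_bind_s("CN=LdapBind_user,OU=ServiceAccounts,DC=domain,DC=net","") (uri="ldap://ldapserver")
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","***") (uri="ldap://ldapserver") (ppolicy=yes)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","***") (uri="ldap://ldapserver") (ppolicy=no)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_parse_result() result: Unknown error
"""

BIND_RE = re.compile(r'(ldap_simple_bind_s|ldap_sasl_bind)\("([^"]*)","([^"]*)"\)'
                     r'(?: \(uri="([^"]*)"\))?(?: \(ppolicy=(yes|no)\))?')
RESULT_RE = re.compile(r'ldap_parse_result\(\) result: (.*)')
AD_DATA_RE = re.compile(r'AcceptSecurityContext error, data ([0-9a-f]+)')

# Standard Active Directory sub-codes carried in the "data NNN" field of an
# AcceptSecurityContext error (subset of the well-known list).
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials",
               "532": "password expired", "533": "account disabled",
               "775": "account locked out"}

def parse_binds(log):
    """Return one dict per bind call, each paired with the result line that follows it."""
    binds = []
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            call, dn, pw, uri, ppolicy = m.groups()
            binds.append({"call": call, "dn": dn, "password_arg": pw, "uri": uri,
                          "ppolicy": ppolicy, "result": None, "ad_subcode": None})
        elif binds and (m := RESULT_RE.search(line)):
            binds[-1]["result"] = m.group(1)
            d = AD_DATA_RE.search(m.group(1))
            binds[-1]["ad_subcode"] = d.group(1) if d else None
    return binds

def diagnose(bind):
    """Explain one bind attempt the way the maintainer reads the trace above."""
    if bind["call"] == "ldap_sasl_bind" and bind["password_arg"] == "":
        return "user bind sent an empty password (nslcd logs a real password as ***)"
    if bind["ad_subcode"] in AD_SUBCODES:
        return "AD rejected the bind: " + AD_SUBCODES[bind["ad_subcode"]]
    if bind["result"] is None:
        return "bind succeeded (no error result logged)"
    return "bind failed: " + bind["result"]
```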

@IlGab78
Author

IlGab78 commented Oct 26, 2022

Thank you for your reply.
I think the "***" has been removed during the copy/paste in the form box, because the form uses the double * for bold.
I repeated the test with and without "pam_authc_ppolicy no"; in both cases I have the triple * in the ldap_sasl_bind.

With pam_authc_ppolicy no

ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","***") (uri="ldap://ldapserver") (ppolicy=no)
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_parse_result() result: Unknown error
nslcd: [8b4567] <authc="xxxxx"> DEBUG: failed to bind to LDAP server ldap://ldapserver: Unknown error
nslcd: [8b4567] <authc="xxxxx"> DEBUG: ldap_unbind()

The system is an Ubuntu 20.4 LTS with nslcd 0.9.11.

I made the exact same configuration on a Rocky Linux 8.6 with nslcd 0.9.9 (without setting pam_authc_ppolicy to no), and it works perfectly.
