
How do I check the LDAP connection from a client to the server? I'm working on LDAP authentication, and this client desktop needs to authenticate via an LDAP server. I can SSH to the LDAP server using an LDAP user, but at the desktop login prompt I can't log in. It says "Authentication failure".

The client machine runs CentOS 6.3 and the LDAP server runs CentOS 5.5.

The LDAP software is OpenLDAP.

The LDAP server's logs don't show any messages at all.

So, how do I test whether the client can successfully connect to LDAP or not?

voretaq7
FELDAP
  • As a minor note to this old post, you can do a search (i.e. ldapsearch) without PAM being set up, but to get users to authenticate via LDAP you will need PAM set up for LDAP. A basic ldapsearch just shows you have the LDAP library and client tools packages installed (i.e. yum install openldap openldap-clients) and can reach the LDAP directory server(s). It's a good step in the setup or troubleshooting process. – Ernie Oct 13 '17 at 00:39

3 Answers

Use ldapsearch. It will return an error if you cannot query the LDAP server.

The syntax for using ldapsearch:

ldapsearch -x -LLL -h [host] -D [user] -w [password] -b [base DN] -s sub "([filter])" [attribute list]

A simple example:

$ ldapsearch -x -LLL -h host.example.com -D user -w password -b "dc=ad,dc=example,dc=com" -s sub "(objectClass=user)" givenName

Please see this link: http://randomerror.wordpress.com/2009/10/16/quick-tip-how-to-search-in-windows-active-directory-from-linux-with-ldapsearch/

Edit: It seems you don't have PAM configured correctly for gdm/xdm; here is an example of how to do it: http://pastebin.com/TDK4KWRV

Sacx
  • I'm using this command: ldapsearch -h hostname -x -b "dc=example,dc=com" 'uid=user' and it returns that user's info from the LDAP database. But I'm not able to log in to the desktop via LDAP authentication. – FELDAP Nov 28 '12 at 10:46
  • If your server doesn't show any error, then the problem is probably on your client. Please take a look at auth.log and see what is there related to LDAP. – Sacx Nov 28 '12 at 10:48
  • Yes, I guess it's the client. It's not even searching for the LDAP server. What should be done to make the client look up the LDAP server for authentication? I have edited /etc/pam.d/system-auth. You can check it here: pastebin.com/jQjN7cYU – FELDAP Nov 28 '12 at 11:14
  • Use ldapwhoami with the correct parameters and try to authenticate with your user. – Sacx Nov 28 '12 at 11:16
  • Did you follow a tutorial to prepare the client for gdm/xdm authentication? – Sacx Nov 28 '12 at 11:21
  • When I use ldapwhoami -h xxx.xxx.xxx.xxx -U username, it returns the error: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Cannot determine realm for numeric host address). I used this documentation to configure the client: http://www.server-world.info/en/note?os=CentOS_5&p=ldap&f=2 – FELDAP Nov 28 '12 at 11:42
  • Did you check TLS? Try to remove TLS from the configuration. Does authentication work from the console? – Sacx Nov 28 '12 at 11:44
  • No, I did not check TLS. I didn't configure TLS. But when I try to log in to the LDAP server via SSH, it works. The LDAP user gets logged in to that LDAP server. – FELDAP Nov 28 '12 at 11:51
  • OK. That means you don't have authentication configured for xdm. Compare /etc/pam.d/sshd and /etc/pam.d/xdm. xdm can be gdm, kdm, lightdm etc. – Sacx Nov 28 '12 at 12:00
  • Here is some LDAP configuration for GDM for PAM: http://ldots.org/ldap/ – Sacx Nov 28 '12 at 12:04
  • Here is the gdm: http://pastebin.com/XtVDRfbi and here is the sshd: http://pastebin.com/MLL8s5xe. They're different; how do I configure it to make it work? Any helpful links? – FELDAP Nov 28 '12 at 12:10
  • Test this configuration: http://pastebin.com/TDK4KWRV – Sacx Nov 28 '12 at 12:25
  • OK. At least I got LDAP working in console mode using this tutorial: http://www.server-world.info/en/note...x_6&p=ldap&f=2 . Nice tutorial, exact steps. Now I need to work on GDM LDAP. – FELDAP Dec 03 '12 at 10:55
  • Your URL is broken ... – Sacx Dec 03 '12 at 11:33
  • Sorry. I think the URL was suppressed when I posted here. The URL is: http://www.server-world.info/en/note?os=Scientific_Linux_6&p=ldap&f=2 – FELDAP Dec 03 '12 at 13:10
  • An update. Now I rebooted the client machine, and when it came to the login prompt (GDM) I pressed F1 to go to console mode. Then I typed getent passwd and no LDAP users were returned, so it hadn't connected to the LDAP server up to that point. Then I went back to the GDM login prompt and logged in as a local user. Then I opened a terminal and typed getent passwd and the LDAP accounts were returned. Then I thought I'd try one trick: I clicked "switch user", and when I came back to the GDM login prompt I typed the LDAP username and password and WOW, I was able to log in to the desktop via LDAP authentication. – FELDAP Dec 04 '12 at 09:14
  • So now the issue is: for the LDAP authentication to work, I need to first log in to the local account, then switch user, and then log in as the LDAP user. – FELDAP Dec 04 '12 at 09:15
  • Why does it work when I log in to a local account and then switch user, and why doesn't it work if I do not log in as a local user? – FELDAP Dec 04 '12 at 09:15

To know if my server and client settings are correct I use this:

ldapsearch -x -b "uid=username,ou=people,dc=example,dc=com"

The answer will be something like this on success:

# extended LDIF
#
# LDAPv3
# base <uid=username,ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# username, people, example.com
dn: uid=username,ou=people,dc=example,dc=com
cn: User Name
uid: username
uidNumber: 1050
loginShell: /bin/bash
homeDirectory: /home/webminder
gidNumber: 1030
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
gecos: User Name
sn: User Name

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

You can use different filters. I only have one server on my network.

MeduZa
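A worked version of the checks in Sacx's and MeduZa's answers, added here as an example (it is not code from either answer). It probes the directory in the order a login client needs it to work: reach the server and confirm the suffix, bind as the user with a simple bind, then fetch the posixAccount attributes the NSS/PAM stack needs, and it parses ldapsearch output of the shape shown in the second answer instead of eyeballing it. The host, base DN and user name are placeholders; the two ldapsearch outputs it carries are constructed to match that answer's example, so the parsing can be exercised without a server. It uses -H ldap://host, the URI form of the -h option the answers use, which the same OpenLDAP tools accept.

```shell
#!/bin/sh
# Added example, not code from the answers above: a step-by-step probe of an
# OpenLDAP server from a client. Host, base DN and user are placeholders
# (assumptions); override them in the environment before running.
LDAP_URI=${LDAP_URI:-ldap://host.example.com}   # -H URI form of the answers' "-h host"
BASE_DN=${BASE_DN:-dc=example,dc=com}
LDAP_USER=${LDAP_USER:-username}
BIND_DN=${BIND_DN:-uid=$LDAP_USER,ou=people,dc=example,dc=com}

# OpenLDAP command-line tools exit with the LDAP result code; the "Can't
# contact LDAP server" error is -1, which the shell reports as 255.
ldap_explain_status() {
    case "$1" in
        0)   echo "success" ;;
        32)  echo "noSuchObject: the base DN does not exist on this server" ;;
        34)  echo "invalidDNSyntax: check the -b / -D values" ;;
        49)  echo "invalidCredentials: bind DN or password rejected" ;;
        255) echo "can't contact LDAP server: wrong host/port, firewall, or slapd down" ;;
        *)   echo "LDAP result code $1" ;;
    esac
}

# Read ldapsearch output on stdin, print the number of entries, and exit 0 only
# if the server reported success and at least one entry came back. Works with
# or without -LLL (the "result:" line is only printed without it).
ldap_count_entries() {
    awk '
        /^dn: /     { n++ }
        /^result: / { code = $2 }
        END {
            print n + 0
            if (code != "" && code != "0") exit 1
            if (n > 0) exit 0
            exit 1
        }'
}

ldap_probe() {
    # 1. Reachability and suffix: anonymous base-scope read, no attributes (1.1).
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" -s base '(objectClass=*)' 1.1 >/dev/null 2>&1
    st=$?; echo "reach $LDAP_URI, suffix $BASE_DN: $(ldap_explain_status $st)"
    [ "$st" -eq 0 ] || return "$st"

    # 2. Does slapd accept this user's password? -x forces a simple bind (without
    #    it the tools try SASL first); -W prompts instead of -w so the password
    #    does not land in ps output and shell history.
    ldapwhoami -x -H "$LDAP_URI" -D "$BIND_DN" -W
    st=$?; echo "bind as $BIND_DN: $(ldap_explain_status $st)"
    [ "$st" -eq 0 ] || return "$st"

    # 3. Does the entry carry what nss_ldap/nslcd need to build a passwd line?
    out=$(ldapsearch -x -H "$LDAP_URI" -b "$BASE_DN" \
          "(&(objectClass=posixAccount)(uid=$LDAP_USER))" \
          uid uidNumber gidNumber homeDirectory loginShell)
    printf '%s\n' "$out"
    printf '%s\n' "$out" | ldap_count_entries >/dev/null
}

# Constructed ldapsearch output (no -LLL), modelled on the second answer, so
# ldap_count_entries can be exercised without a directory server.
sample_ldif_found() {
    cat <<'EOF'
# extended LDIF
# base <uid=username,ou=people,dc=example,dc=com> with scope subtree

dn: uid=username,ou=people,dc=example,dc=com
uid: username
uidNumber: 1050
gidNumber: 1030
homeDirectory: /home/username
loginShell: /bin/bash
objectClass: posixAccount

# search result
search: 2
result: 0 Success

# numEntries: 1
EOF
}

# Constructed output for a search under a base DN that does not exist.
sample_ldif_nosuchobject() {
    cat <<'EOF'
# extended LDIF
# base <ou=users,dc=example,dc=com> with scope subtree

# search result
search: 2
result: 32 No such object
matchedDN: dc=example,dc=com
EOF
}

if [ "${1:-}" = probe ]; then ldap_probe; fi
```

Run it on the client as sh ldap-probe.sh probe. The exit status of the first two steps is the useful part: 255 means the client never reached slapd at all (a server that is never contacted also has nothing to log), 32 means it reached slapd but the configured base DN is wrong, and 49 means the server is fine and the password or bind DN is not. If all three steps pass and the desktop login still fails, the directory is not the problem and the PAM stack of the display manager is the next thing to look at.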

Your problem is not LDAP, it's PAM.

As noted in the comments on Sacx's answer, you probably do not have the console login application (usually the PAM system, xdm, gdm, etc. service(s)) configured to consult LDAP for authenticating users.

You should review the PAM documentation for more information on how to set this up.

voretaq7
  • I have already configured those files, yet it's not working. You can check the files I posted in the above comments. LDAP really lacks documentation. – FELDAP Dec 02 '12 at 07:25
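The comparison this answer points at (sshd's PAM service against the display manager's), written out as an added example. It is not the answer's own code and is not based on the pastebin contents, which are not on this page. It resolves the auth stack of a PAM service, following include and substack lines the way PAM does, and reports whether the stack ever reaches pam_ldap.so or pam_sss.so. The pam.d directory is a parameter so the same functions run against the live /etc/pam.d or against a copy; the sample tree the script builds is constructed for illustration, with a gdm file deliberately written so that it never includes the file carrying the LDAP module.

```shell
#!/bin/sh
# Added example, not from the answer above. Resolves the "auth" stack of a PAM
# service, following include/substack directives, so you can see whether gdm
# ever reaches pam_ldap.so/pam_sss.so the way sshd does. The pam.d directory
# is a parameter so the check can be run against a constructed copy.

# Print the resolved auth modules of service $2 under pam.d directory $1.
pam_auth_modules() {
    [ -f "$1/$2" ] || return 1
    awk -v dir="$1" -v svc="$2" '
        function resolve(file, depth,    line, n, i) {
            if (depth > 8) return                       # guard against include loops
            while ((getline line < file) > 0) {
                sub(/#.*/, "", line)                    # strip comments
                n = split(line, a)                      # type control module [args]
                if (n < 3 || a[1] != "auth") continue
                if (a[2] == "include" || a[2] == "substack") {
                    resolve(dir "/" a[3], depth + 1)    # PAM resolves these in the same dir
                    continue
                }
                i = 3                                   # a [bracketed] control may span fields
                if (a[2] ~ /^\[/) while (i <= n && a[i-1] !~ /\]$/) i++
                if (i <= n) print a[i]
            }
            close(file)
        }
        BEGIN { resolve(dir "/" svc, 0) }'
}

# Exit 0 if the service's auth stack contains an LDAP-capable module.
pam_service_uses_ldap() {
    pam_auth_modules "$1" "$2" | grep -q -E '(^|/)pam_(ldap|sss)\.so$'
}

# One line per service for the two services compared in the comments above.
pam_compare() {
    for svc in sshd gdm; do
        if pam_service_uses_ldap "$1" "$svc"; then
            echo "$svc: auth stack reaches pam_ldap/pam_sss"
        else
            echo "$svc: auth stack never consults LDAP (compare: diff $1/sshd $1/gdm)"
        fi
    done
}

# Constructed CentOS 6 style pam.d tree: sshd includes password-auth (which
# carries pam_ldap.so), while this gdm is deliberately written so it never does.
make_sample_pamd() {
    d=$(mktemp -d)
    cat > "$d/password-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
EOF
    cat > "$d/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    include      password-auth
EOF
    cat > "$d/gdm" <<'EOF'
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
EOF
    echo "$d"
}

if [ -n "${1:-}" ]; then pam_compare "$1"; fi
```

Run as sh pam-check.sh /etc/pam.d on the client. A service whose resolved stack stops at pam_unix.so and pam_deny.so can only ever authenticate local accounts, whatever ldapsearch says; on CentOS 6 the supported way to put pam_ldap.so into system-auth and password-auth is authconfig --enableldap --enableldapauth --update, and the display manager's own file then has to include or substack one of those files, which diff /etc/pam.d/sshd /etc/pam.d/gdm makes visible.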