
I've installed LDAP with PAM/NSS. So I've installed libnss-ldap, libpam-ldap and nscd on my Debian 9:

apt-get install libnss-ldap libpam-ldap nscd

I configured it and all was working right. I decided to disable anonymous access. I used this ldif:

dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

Now I can't access the users in LDAP. Logs:

su iron
cat /var/log/auth.log
May  7 06:39:52 DebianMM nscd: nss_ldap: failed to bind to LDAP server ldap://my-server.local: Inappropriate authentication
May  7 06:39:52 DebianMM nscd: nss_ldap: reconnecting to LDAP server...
May  7 06:39:52 DebianMM nscd: nss_ldap: failed to bind to LDAP server ldap://my-server.local: Inappropriate authentication
May  7 06:39:52 DebianMM nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
May  7 06:39:53 DebianMM nscd: nss_ldap: failed to bind to LDAP server ldap://my-server.local: Inappropriate authentication
May  7 06:39:53 DebianMM nscd: nss_ldap: could not search LDAP server - Server is unavailable
May  7 06:39:53 DebianMM su[702]: No passwd entry for user 'iron'
May  7 06:39:53 DebianMM su[702]: FAILED su for iron by root
May  7 06:39:53 DebianMM su[702]: - /dev/pts/0 root:iron

This is my /etc/ldap/ldap.conf:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my-server,dc=local
URI     ldap://my-server.local:389

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
binddn cn=admin,dc=my-server,dc=local
bindpw password_clear

I need the login to work again. Thank you.

  • Maybe you should check if the binddn/bindpw you are using is correct. – Diamond May 07 '19 at 13:20
  • I was wrong. Have a look here: https://serverfault.com/questions/805441/openldap-as-proxy-to-active-directory-does-not-bind-with-binddn-from-slapd-conf. Maybe you need to add the binddn/password in nslcd.conf or pam_ldap.conf. – Diamond May 07 '19 at 13:41

1 Answer


Adding binddn in ldap.conf doesn't work. Please ignore my previous answer.

You can try adding binddn in the following files:

/etc/libnss-ldap.conf

/etc/pam_ldap.conf 

And password here:

/etc/ldap.secret
Diamond
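An added check, not code from the question or the answer, for the client side of this fix: it confirms that a libnss-ldap/pam_ldap style config names a binddn or rootbinddn and that the secret file is not world readable. It assumes Debian's libnss-ldap/libpam-ldap layout, where rootbinddn reads its password from /etc/ldap.secret (mode 0600) while a bindpw line sits in the world-readable config itself; the file paths are arguments and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: sanity-check an nss_ldap/pam_ldap client config once the
# server disallows anonymous bind. Assumed layout (Debian libnss-ldap and
# libpam-ldap): /etc/libnss-ldap.conf and /etc/pam_ldap.conf carry binddn or
# rootbinddn; /etc/ldap.secret (mode 0600) holds the rootbinddn password.
# Paths are arguments so constructed copies can be checked without touching /etc.

# check_ldap_client_conf CONF SECRET -> 0 if CONF names a bind DN and SECRET
# exists with mode 600 or 400; 1 otherwise (findings are printed).
check_ldap_client_conf() {
    conf=$1; secret=$2; rc=0
    if ! grep -Eq '^[[:space:]]*(root)?binddn[[:space:]]+' "$conf"; then
        echo "FAIL: $conf names no binddn/rootbinddn; lookups will try an anonymous bind"
        rc=1
    fi
    # The NSS config must stay world-readable for every process using NSS,
    # so a bindpw line in it is readable by every local user.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$conf"; then
        echo "WARN: $conf carries bindpw in a world-readable file; use rootbinddn and $secret"
        rc=1
    fi
    if [ ! -f "$secret" ]; then
        echo "FAIL: $secret missing"; rc=1
    else
        mode=$(stat -c '%a' "$secret")
        case "$mode" in
            600|400) ;;
            *) echo "FAIL: $secret has mode $mode, expected 600"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# make_samples -> prints a temp dir holding constructed sample files.
make_samples() {
    d=$(mktemp -d)
    printf 'base dc=my-server,dc=local\nuri ldap://my-server.local:389\nrootbinddn cn=admin,dc=my-server,dc=local\n' > "$d/good.conf"
    printf 'base dc=my-server,dc=local\nuri ldap://my-server.local:389\n' > "$d/nobind.conf"
    printf 'base dc=my-server,dc=local\nbinddn cn=admin,dc=my-server,dc=local\nbindpw password_clear\n' > "$d/inline.conf"
    printf 'password_clear\n' > "$d/ldap.secret";  chmod 600 "$d/ldap.secret"
    printf 'password_clear\n' > "$d/loose.secret"; chmod 644 "$d/loose.secret"
    echo "$d"
}

# Stand-alone run over the constructed samples.
d=$(make_samples)
for c in good nobind inline; do
    check_ldap_client_conf "$d/$c.conf" "$d/ldap.secret" && echo "OK: $c.conf" || true
done
check_ldap_client_conf "$d/good.conf" "$d/loose.secret" || true
```

Run it as root against the real files (for example `check_ldap_client_conf /etc/libnss-ldap.conf /etc/ldap.secret`) after applying the answer above.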