Open IlGab78 opened 1 year ago
The ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","") (uri="ldap://ldapserver") (ppolicy=yes) log line indicates that an authentication attempt was made with a blank password (otherwise the second argument would have been "***").
The current code uses ldap_sasl_bind() for user authentication because normally password policy controls are passed. If the LDAP server has issues with the requested password controls you could try to set pam_authc_ppolicy no in nslcd.conf. That still uses ldap_sasl_bind() in combination with LDAP_SASL_SIMPLE, though, but it might resolve the issue.
Thank you for your reply. I think the "**" has been removed during the copy/paste into the form box, because the form uses double asterisks for bold. I repeated the test with and without "pam_authc_ppolicy no"; in both cases I have the triple * in the ldap_sasl_bind.
With pam_authc_ppolicy no
The system is an Ubuntu 20.4 LTS with nslcd 0.9.11.
I made the same exact configuration on a Rocky Linux 8.6 with nslcd 0.9.9 (without setting pam_authc_ppolicy to no), and it works perfectly.
How can I disable ldap_sasl_bind for user credential verification? The simple LDAP bind works correctly, but when nslcd tries to check the user credentials, it uses ldap_sasl_bind and fails even if the user credentials are ok.
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldapserver)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=LdapBind_user,OU=ServiceAccounts,DC=domain,DC=net","") (uri="ldap://ldapserver")
nslcd: [8b4567] DEBUG: ldap_result(): CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net
nslcd: [8b4567] DEBUG: myldap_search(base="CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net", filter="(objectClass= )")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldapserver)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","*") (uri="ldap://ldapserver") (ppolicy=yes)
nslcd: [8b4567] DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] DEBUG: failed to bind to LDAP server ldap://ldapserver: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [8b4567] CN=CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net: Invalid credentials
nslcd: [8b4567] DEBUG: myldap_search(base="dc=domain,dc=net", filter="(&(objectClass=user)(saMAccountName=xxxxx))")
nslcd: [8b4567] DEBUG: ldap_result(): CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net
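The maintainer's point above is that the second argument of the bind call in nslcd's debug output tells you whether a password was actually sent ("***") or whether the bind was attempted with an empty password (""), and the follow-up log shows how the bind result line carries the server's reason for a failure. The script below is an added example (not part of nslcd or of this thread) that reads nslcd debug output in the format shown here, pairs each ldap_sasl_bind()/ldap_simple_bind_s() call with the ldap_parse_result() line of the same request id, and flags two things a defender would want to see when reviewing such a log: binds sent with an empty password (which LDAP treats as an unauthenticated bind rather than a proof of identity, RFC 4513 section 5.1.2), and the Active Directory "data NNN" sub-code in an AcceptSecurityContext error, which tells you why the server rejected the credentials. The sample log is constructed for the example and the AD sub-code table holds well-known documented values, neither of which comes from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the nslcd debug format seen in the thread (not a real capture).
SAMPLE_LOG = """\
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldapserver)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=LdapBind_user,OU=ServiceAccounts,DC=domain,DC=net","") (uri="ldap://ldapserver")
nslcd: [8b4567] DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","***") (uri="ldap://ldapserver") (ppolicy=yes)
nslcd: [8b4567] DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [a1b2c3] DEBUG: ldap_sasl_bind("CN=Other,OU=xxx,DC=domain,DC=net","") (uri="ldap://ldapserver") (ppolicy=no)
nslcd: [a1b2c3] DEBUG: ldap_parse_result() result: Success
"""

# Bind call as logged by nslcd: function, DN, masked or empty password, uri, optional ppolicy flag.
BIND_RE = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] DEBUG: '
    r'(?P<func>ldap_sasl_bind|ldap_simple_bind_s)\("(?P<dn>[^"]*)","(?P<pw>[^"]*)"\)'
    r'(?: \(uri="(?P<uri>[^"]*)"\))?(?: \(ppolicy=(?P<ppolicy>yes|no)\))?'
)
# Result line for the same request id.
RESULT_RE = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] DEBUG: ldap_parse_result\(\) result: (?P<msg>.*)$'
)
# AD puts the NT status sub-code after "data " in the AcceptSecurityContext comment.
AD_DATA_RE = re.compile(r'\bdata (?P<code>[0-9a-f]{3})\b')

# Well-known AD AcceptSecurityContext sub-codes (documented values, not taken from the thread).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


@dataclass
class BindAttempt:
    request_id: str
    func: str
    dn: str
    empty_password: bool
    ppolicy: Optional[str]
    result: Optional[str] = None
    ad_subcode: Optional[str] = None

    def findings(self) -> List[str]:
        """Reviewer-facing observations about this bind attempt."""
        out = []
        if self.empty_password:
            out.append("empty password: unauthenticated bind (RFC 4513 5.1.2), "
                       "server may treat it as anonymous, not as proof of identity")
        if self.ad_subcode in AD_SUBCODES:
            out.append(f"AD data {self.ad_subcode}: {AD_SUBCODES[self.ad_subcode]}")
        return out


def parse_nslcd_log(text: str) -> List[BindAttempt]:
    """Return every bind call in the log, each paired with its result line if one follows."""
    attempts: List[BindAttempt] = []
    pending: Dict[str, BindAttempt] = {}  # request id -> last bind awaiting a result
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            a = BindAttempt(request_id=m["req"], func=m["func"], dn=m["dn"],
                            empty_password=(m["pw"] == ""), ppolicy=m["ppolicy"])
            attempts.append(a)
            pending[a.request_id] = a
            continue
        m = RESULT_RE.match(line)
        if m and m["req"] in pending:
            a = pending.pop(m["req"])
            a.result = m["msg"]
            sub = AD_DATA_RE.search(m["msg"])
            a.ad_subcode = sub["code"] if sub else None
    return attempts


def report(text: str) -> List[str]:
    """One line per bind attempt: which call, which DN, ppolicy flag, result, findings."""
    lines = []
    for a in parse_nslcd_log(text):
        status = "no result logged" if a.result is None else a.result.split(":")[0]
        extra = "; ".join(a.findings())
        lines.append(f"[{a.request_id}] {a.func} dn={a.dn} ppolicy={a.ppolicy} -> {status}"
                     + (f" | {extra}" if extra else ""))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

In the thread's own log the service-account bind (ldap_simple_bind_s with "") would be flagged the same way as a user bind with an empty password: whether that is intended depends on whether nslcd.conf has a bindpw at all, which is worth checking before chasing the user bind failure.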