arthurdejong / nss-pam-ldapd

NSS and PAM modules for lookups using LDAP
https://arthurdejong.org/nss-pam-ldapd/
GNU Lesser General Public License v2.1

nslcd use ldap_sasl_bind and fail to bind #55

Open IlGab78 opened 1 year ago

IlGab78 commented 1 year ago

How can I disable ldap_sasl_bind for user credential verification? The simple LDAP bind works correctly, but when nslcd tries to check the user credentials, it uses ldap_sasl_bind and fails even if the user credentials are OK.

nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldapserver)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=LdapBind_user,OU=ServiceAccounts,DC=domain,DC=net","") (uri="ldap://ldapserver")
nslcd: [8b4567] DEBUG: ldap_result(): CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net
nslcd: [8b4567] DEBUG: myldap_search(base="CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net", filter="(objectClass=)")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldapserver)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","*") (uri="ldap://ldapserver") (ppolicy=yes)
nslcd: [8b4567] DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] DEBUG: failed to bind to LDAP server ldap://ldapserver: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [8b4567] CN=CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net: Invalid credentials
nslcd: [8b4567] DEBUG: myldap_search(base="dc=domain,dc=net", filter="(&(objectClass=user)(saMAccountName=xxxxx))")
nslcd: [8b4567] DEBUG: ldap_result(): CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net

arthurdejong commented 1 year ago

The

ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","")* (uri="ldap://ldapserver") (ppolicy=yes)

log indicates that an authentication attempt was made with a blank password (otherwise the second argument would have been "***").

The current code uses ldap_sasl_bind() for user authentication because normally password policy controls are passed. If the LDAP server has issues with the requested password controls you could try to set pam_authc_ppolicy no in nslcd.conf. That still uses ldap_sasl_bind() in combination with LDAP_SASL_SIMPLE though but might resolve the issue.
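As an added example (not code from nss-pam-ldapd or from anyone in this thread), here is a small Python triage script for nslcd debug output of the kind pasted above. It pairs each ldap_simple_bind_s()/ldap_sasl_bind() call with the ldap_parse_result() failure that follows it, flags any bind made with an empty password (an LDAPv3 simple bind with a DN and an empty password is an "unauthenticated" bind under RFC 4513 section 5.1.2, which a server may answer with success as anonymous, so it must never be read as a verified credential), and decodes the Active Directory AcceptSecurityContext subcode ("data 52e" and friends) that AD appends to "Invalid credentials". The sample log is constructed; the password field is written the way the maintainer describes nslcd printing it, "***" when a password was supplied and "" when it was empty.

```python
"""Triage helper for nslcd debug output (added example, not nss-pam-ldapd code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Well-known Active Directory AcceptSecurityContext subcodes, i.e. the
# "data NNN" field AD appends to "Invalid credentials".
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed sample in the shape of the thread's log.  The password field is
# "***" when a password was supplied and "" when it was empty.
SAMPLE_LOG = """\
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://ldapserver)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s("CN=LdapBind_user,OU=ServiceAccounts,DC=domain,DC=net","***") (uri="ldap://ldapserver")
nslcd: [8b4567] DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","") (uri="ldap://ldapserver") (ppolicy=yes)
nslcd: [8b4567] DEBUG: ldap_parse_result() result: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] DEBUG: failed to bind to LDAP server ldap://ldapserver: Invalid credentials: 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839
nslcd: [8b4567] DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","***") (uri="ldap://ldapserver") (ppolicy=no)
nslcd: [8b4567] DEBUG: ldap_parse_result() result: Unknown error
"""

BIND_RE = re.compile(
    r'(ldap_simple_bind_s|ldap_sasl_bind)\("([^"]*)","([^"]*)"\)'
    r'(?: \(uri="([^"]*)"\))?(?: \(ppolicy=(yes|no)\))?'
)
RESULT_RE = re.compile(r'ldap_parse_result\(\) result: (.*)$')
SUBCODE_RE = re.compile(r'AcceptSecurityContext error, data ([0-9A-Fa-f]{3})')


@dataclass
class BindAttempt:
    func: str                     # ldap_simple_bind_s or ldap_sasl_bind
    dn: str
    blank_password: bool          # second argument was logged as ""
    uri: Optional[str]
    ppolicy: Optional[str]        # "yes"/"no" when nslcd logs it
    result: Optional[str] = None  # failure text from ldap_parse_result(), if any
    ad_subcode: Optional[str] = None

    @property
    def failed(self) -> bool:
        return self.result is not None

    @property
    def ad_reason(self) -> Optional[str]:
        if self.ad_subcode is None:
            return None
        return AD_SUBCODES.get(self.ad_subcode, "unrecognised subcode " + self.ad_subcode)


def parse_binds(log: str) -> List[BindAttempt]:
    """Pair every bind call with the ldap_parse_result() failure that follows it."""
    attempts: List[BindAttempt] = []
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            func, dn, password, uri, ppolicy = m.groups()
            attempts.append(BindAttempt(func, dn, password == "", uri, ppolicy))
            continue
        m = RESULT_RE.search(line)
        if m and attempts and attempts[-1].result is None:
            current = attempts[-1]
            current.result = m.group(1).strip()
            sub = SUBCODE_RE.search(current.result)
            current.ad_subcode = sub.group(1).lower() if sub else None
    return attempts


def triage(log: str) -> List[str]:
    """One finding per noteworthy bind: empty password, decoded AD subcode, or opaque failure."""
    notes: List[str] = []
    for a in parse_binds(log):
        if a.blank_password:
            # RFC 4513 5.1.2: DN plus empty password is an *unauthenticated* bind.
            # A server may answer it with success as anonymous, which is never
            # a verified credential, so flag it regardless of the outcome.
            notes.append(f"BLANK_PASSWORD {a.func} {a.dn}")
        if a.failed and a.ad_subcode is not None:
            notes.append(f"AD_{a.ad_subcode} {a.dn}: {a.ad_reason}")
        elif a.failed:
            notes.append(f"BIND_FAILED {a.dn}: {a.result}")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```

Run against the second log in this thread (ppolicy=no, "Unknown error") the script can only report BIND_FAILED with nothing to decode, which is the cue to look at the server side rather than at nslcd: "Unknown error" carries no AD subcode, so the client log alone cannot say whether the password or the request itself was rejected.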

IlGab78 commented 1 year ago

Thank you for your reply. I think the "**" was removed during the copy/paste into the form box, because the form uses the double asterisk for bold. I repeated the test with and without "pam_authc_ppolicy no"; in both cases I have the triple * in the ldap_sasl_bind.

With pam_authc_ppolicy no

nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_sasl_bind("CN=MyUser,OU=xxx,OU=yyy,DC=domain,DC=net","***") (uri="ldap://ldapserver") (ppolicy=no)
nslcd: [8b4567] DEBUG: ldap_parse_result() result: Unknown error
nslcd: [8b4567] DEBUG: failed to bind to LDAP server ldap://ldapserver: Unknown error
nslcd: [8b4567] DEBUG: ldap_unbind()

The system is an Ubuntu 20.04 LTS with nslcd 0.9.11.

I made the exact same configuration on a Rocky Linux 8.6 with nslcd 0.9.9 (without setting pam_authc_ppolicy to no), and it works perfectly.