BigIP: Ldap Authentication
Hi all,
We use LDAP for user authentication. The problem is that I need to grant access to users who are located in different OUs.
User1 is located on OU=ADM,DC=company,DC=int and user2 in OU=OPER,DC=company,DC=int
If I set Remote Directory Tree (System->Users->Authentication) to DC=company,DC=int, no user is able to log in. If I set it to
OU=ADM,DC=company,DC=int
user1 is able to log in, and if I set it to
OU=OPER,DC=company,DC=int
user2 is able to log in.
If I modify /etc/nslcd.conf directly and add two base lines
base OU=ADM,DC=company,DC=int
base OU=OPER,DC=company,DC=int
login is possible. But direct modification is not acceptable as a solution, since the file will be overwritten.
Any suggestions?
3 Replies
- Beaker
This might be possible using Remote Role Groups, as they use different attribute strings than the base Authentication settings for local users.
- Thomas_Keller
We use Remote Role Groups; the question is not related to local user authentication.
Debug trace when login fails (note that it ends at the shadowAccount search against base DC=company,DC=int with no result line following):
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] DEBUG: connection from pid=30353 uid=48 gid=48
nslcd: [8b4567] <authc="adm_user"> DEBUG: nslcd_pam_authc("adm_user","httpd","***")
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int", filter="(objectClass=*)")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(15,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
- Thomas_Keller
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: [8b4567] <authc="adm_user"> DEBUG: nslcd_pam_authc("adm_user","httpd","***")
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int", filter="(objectClass=*)")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(15,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [7b23c6] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: nslcd_pam_get_attributes("adm_user","httpd","","10.10.10.10","","***")
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [3c9869] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [3c9869] <authz="adm_user"> DEBUG: nslcd_pam_authz("adm_user","httpd","","10.10.10.10","")
nslcd: [3c9869] <authz="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [3c9869] <authz="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [3c9869] <authz="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
nslcd: [3c9869] <authz="adm_user"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable