BigIP: LDAP Authentication

Thomas_Keller
Nimbostratus

Hi all,

We use LDAP for user authentication. The problem is that I need to grant access for some users in different OUs.

User1 is located in OU=ADM,DC=company,DC=int and user2 in OU=OPER,DC=company,DC=int.

If I set Remote Directory Tree (System -> Users -> Authentication) to DC=company,DC=int, no user is able to log in. If I set it to

OU=ADM,DC=company,DC=int

user1 is able to log in, and if I set it to

OU=OPER,DC=company,DC=int

user2 is able to log in.

If I modify /etc/nslcd.conf directly and add two base lines

base OU=ADM,DC=company,DC=int
base OU=OPER,DC=company,DC=int

login is possible. But direct modification is not acceptable as a solution, as the file will be overwritten.

Any suggestions?

3 REPLIES

Beaker
Cirrus

This might be possible using Remote Role Groups, as they have different attribute strings than base Authentication for local users.

Thomas_Keller
Nimbostratus

We use Remote Role Groups; the question is not related to local user authentication.

Debug trace if login fails:

nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] DEBUG: connection from pid=30353 uid=48 gid=48
nslcd: [8b4567] <authc="adm_user"> DEBUG: nslcd_pam_authc("adm_user","httpd","***")
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int", filter="(objectClass=*)")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(15,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")

Thomas_Keller
Nimbostratus

And this is the trace if login is fine.

nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: [8b4567] <authc="adm_user"> DEBUG: nslcd_pam_authc("adm_user","httpd","***")
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int", filter="(objectClass=*)")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(15,0)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [7b23c6] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: nslcd_pam_get_attributes("adm_user","httpd","","10.10.10.10","","***")
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: set_socket_timeout(30,500000)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [3c9869] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [3c9869] <authz="adm_user"> DEBUG: nslcd_pam_authz("adm_user","httpd","","10.10.10.10","")
nslcd: [3c9869] <authz="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [3c9869] <authz="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [3c9869] <authz="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
nslcd: [3c9869] <authz="adm_user"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [334873] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
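As an added example (not code from the thread or from F5), a small Python parser for nslcd debug traces like the two posted above: it groups lines by connection id and pulls out the PAM stage, the search bases and filters, the ldap_result() lines and the bind outcome, so a failing and a working run can be compared on the configured base DN and on which stages (authc, get_attributes, authz) actually ran, instead of reading the traces line by line. The sample lines are a constructed subset of the traces in this thread.

```python
import re

# Constructed sample, condensed from the two nslcd traces posted in this thread.
FAIL_TRACE = r"""
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
"""
OK_TRACE = r"""
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: nslcd_pam_get_attributes("adm_user","httpd","","10.10.10.10","","***")
nslcd: [3c9869] <authz="adm_user"> DEBUG: nslcd_pam_authz("adm_user","httpd","","10.10.10.10","")
"""

# One nslcd line: connection id in [..], optional <stage="user"> tag, then the DEBUG message.
LINE_RE = re.compile(r'^nslcd: \[(?P<conn>[0-9a-f]+)\] (?:<(?P<op>\w+)="[^"]*"> )?DEBUG: (?P<msg>.*)$')
SEARCH_RE = re.compile(r'myldap_search\(base="(?P<base>[^"]*)", filter="(?P<filter>[^"]*)"\)')
RESULT_RE = re.compile(r'ldap_result\(\): (?P<res>.*)')

def parse_trace(text):
    """Group an nslcd debug trace by connection id: PAM stage, searches, results, bind state."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accept() noise and blank lines carry no connection id
        c = conns.setdefault(m['conn'], {'op': None, 'searches': [], 'results': [], 'bound': False})
        if m['op']:
            c['op'] = m['op']
        msg = m['msg']
        if s := SEARCH_RE.search(msg):
            c['searches'].append((s['base'], s['filter']))
        elif r := RESULT_RE.search(msg):
            c['results'].append(r['res'])
        elif msg == 'bind successful':
            c['bound'] = True
    return conns

def stages(conns):
    """PAM stages that ran, in order, e.g. ['authc', 'get_attributes', 'authz']."""
    return [c['op'] for c in conns.values() if c['op']]

def search_bases(conns):
    """Distinct search bases used, in order of first use."""
    return list(dict.fromkeys(b for c in conns.values() for b, _ in c['searches']))
```

In the thread's traces the only difference in the authc stage is the base DN; the failing run stops after the shadowAccount search, while the working run goes on to get_attributes and authz.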