Forum Discussion

Thomas_Keller
Feb 26, 2020

BigIP: LDAP Authentication

Hi all,

We use LDAP for user authentication. The problem is that I need to grant access for some users in different OUs.

User1 is located in OU=ADM,DC=company,DC=int and user2 in OU=OPER,DC=company,DC=int.

If I set Remote Directory Tree (System->Users->Authentication) to DC=company,DC=int, no user is able to log in. If I set it to

OU=ADM,DC=company,DC=int

user1 is able to log in, and if I set it to

OU=OPER,DC=company,DC=int

user2 is able to log in.

If I modify /etc/nslcd.conf directly and add two base lines

base OU=ADM,DC=company,DC=int
base OU=OPER,DC=company,DC=int

login is possible. But direct modification is not acceptable as a solution, as the file will be overwritten.

Any suggestions?


3 Replies

  • This might be possible using Remote Role Groups, as they have different attribute strings than base authentication for local users.

  • We use Remote Role Groups; the question is not related to local user authentication.

    Debug trace if login fails:

    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: [8b4567] DEBUG: connection from pid=30353 uid=48 gid=48
    nslcd: [8b4567] <authc="adm_user"> DEBUG: nslcd_pam_authc("adm_user","httpd","***")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
    nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int", filter="(objectClass=*)")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
    nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(15,0)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_unbind()
    nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
    nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")

  • And this is the trace if login is fine.

    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: [8b4567] DEBUG: connection from pid=20294 uid=48 gid=48
    nslcd: [8b4567] <authc="adm_user"> DEBUG: nslcd_pam_authc("adm_user","httpd","***")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
    nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int", filter="(objectClass=*)")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_rebind_proc()
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(30,500000)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
    nslcd: [8b4567] <authc="adm_user"> DEBUG: set_socket_timeout(15,0)
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_unbind()
    nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
    nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
    nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): end of results (0 total)
    nslcd: [7b23c6] DEBUG: connection from pid=20294 uid=48 gid=48
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: nslcd_pam_get_attributes("adm_user","httpd","","10.10.10.10","","***")
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_rebind_proc()
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,OU=Benutzer,OU=company,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: set_socket_timeout(30,500000)
    nslcd: [7b23c6] <get_attributes="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
    nslcd: [3c9869] DEBUG: connection from pid=20294 uid=48 gid=48
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: [3c9869] <authz="adm_user"> DEBUG: nslcd_pam_authz("adm_user","httpd","","10.10.10.10","")
    nslcd: [3c9869] <authz="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
    nslcd: [3c9869] <authz="adm_user"> DEBUG: ldap_result(): CN=XXXX\, YYYYYY (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
    nslcd: [3c9869] <authz="adm_user"> DEBUG: myldap_search(base="OU=ADM,DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
    nslcd: [3c9869] <authz="adm_user"> DEBUG: ldap_result(): end of results (0 total)
    nslcd: [334873] DEBUG: connection from pid=20294 uid=48 gid=48
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
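A small parser for the nslcd debug format used in the two traces above, added here as an illustration; it is not part of this thread, of F5's tooling, or of nslcd itself. It groups the lines by connection id, records each myldap_search base and filter together with the ldap_result() lines logged for it, and reports searches that never produced a result and authc connections that never reached "bind successful", so a failing and a working trace can be diffed mechanically instead of by eye. The sample trace, the connection ids and the DNs in it are constructed for this example.

```python
import re

# Constructed sample in the shape of the nslcd debug traces above. Connection ids,
# the user and the DNs are made up for this example; only the line format is nslcd's.
SAMPLE_TRACE = r"""
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: [8b4567] <authc="adm_user"> DEBUG: nslcd_pam_authc("adm_user","httpd","***")
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_initialize(ldaps://ldap.company.int:636)
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=ldap,OU=Orga_User,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=Some\, User (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="CN=Some\, User (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int", filter="(objectClass=*)")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_simple_bind_s("CN=Some\, User (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int","***") (uri="ldaps://ldap.company.int:636")
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_result(): CN=Some\, User (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [8b4567] <authc="adm_user"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="adm_user"> DEBUG: bind successful
nslcd: [8b4567] <authc="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
nslcd: [3c9869] DEBUG: connection from pid=20294 uid=48 gid=48
nslcd: [3c9869] <authz="adm_user"> DEBUG: nslcd_pam_authz("adm_user","httpd","","10.10.10.10","")
nslcd: [3c9869] <authz="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(sAMAccountName=*)(sAMAccountName=adm_user))")
nslcd: [3c9869] <authz="adm_user"> DEBUG: ldap_result(): CN=Some\, User (ADM),OU=Benutzer,OU=ADM,DC=company,DC=int
nslcd: [3c9869] <authz="adm_user"> DEBUG: myldap_search(base="DC=company,DC=int", filter="(&(objectClass=shadowAccount)(uid=adm_user))")
nslcd: [3c9869] <authz="adm_user"> DEBUG: ldap_result(): end of results (0 total)
"""

# One regex per line shape we care about; everything else (accept() noise, option setting) is skipped.
LINE_RE = re.compile(r'^nslcd: \[([0-9a-f]+)\](?: <(\w+)="([^"]*)">)? DEBUG: (.*)$')
SEARCH_RE = re.compile(r'myldap_search\(base="([^"]*)", filter="([^"]*)"\)')
BIND_RE = re.compile(r'ldap_simple_bind_s\("([^"]*)",')
RESULT_RE = re.compile(r'ldap_result\(\): (.*)$')


def parse_trace(text):
    """Group an nslcd debug trace by connection id.

    Returns {conn_id: {"op", "user", "searches", "binds", "bind_ok"}} where each
    search is {"base", "filter", "results"} and results holds the ldap_result()
    lines nslcd logged for that search (entry DNs or "end of results (N total)").
    """
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # no connection id on this line
        conn_id, op, user, rest = m.groups()
        c = conns.setdefault(conn_id, {"op": None, "user": None, "searches": [], "binds": [], "bind_ok": False})
        if op:
            c["op"], c["user"] = op, user  # authc / get_attributes / authz
        s = SEARCH_RE.search(rest)
        if s:
            c["searches"].append({"base": s.group(1), "filter": s.group(2), "results": []})
            continue
        b = BIND_RE.search(rest)
        if b:
            c["binds"].append(b.group(1))  # bind DN; the password is masked as *** by nslcd
            continue
        r = RESULT_RE.search(rest)
        if r and c["searches"]:
            c["searches"][-1]["results"].append(r.group(1))  # result belongs to the most recent search
        elif rest == "bind successful":
            c["bind_ok"] = True
    return conns


def search_bases(conns):
    """Distinct search bases used across the trace, in first-seen order."""
    seen = []
    for c in conns.values():
        for s in c["searches"]:
            if s["base"] not in seen:
                seen.append(s["base"])
    return seen


def findings(conns):
    """Points to check first when comparing a failing and a working trace."""
    out = []
    for cid, c in conns.items():
        if c["op"] is None:
            continue
        for s in c["searches"]:
            if not s["results"]:
                out.append((cid, c["op"], "search base=%s filter=%s has no ldap_result() line" % (s["base"], s["filter"])))
        if c["op"] == "authc" and not c["bind_ok"]:
            out.append((cid, c["op"], "no 'bind successful' line: the user bind did not complete"))
    return out


if __name__ == "__main__":
    conns = parse_trace(SAMPLE_TRACE)
    print("search bases:", search_bases(conns))
    for cid, c in conns.items():
        print(cid, c["op"], c["user"], "bind_ok=%s" % c["bind_ok"], "binds=%s" % c["binds"])
        for s in c["searches"]:
            print("   ", s["base"], s["filter"], "->", s["results"] or "(no result logged)")
    for cid, op, msg in findings(conns):
        print("CHECK", cid, op, msg)
```

Run over the two traces posted above, the output lines up with what can be seen by eye: both runs reach "bind successful", but the failing run searches with base DC=company,DC=int and its posted trace stops after the shadowAccount search, while the working run uses OU=ADM,DC=company,DC=int, gets "end of results (0 total)" for shadowAccount, and continues through get_attributes and authz on further connections. The parser only reports what the log shows; it does not guess why a search got no answer.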