05-Mar-2020 04:03 - last edited on 21-Nov-2022 16:23 by JimmyPackets
Greetings,
After updating from BIG-IP 14.0.0.3, remote LDAP authentication fails from time to time using the same correct credentials (i.e. 3 negative responses and the following 2 are positive). I've tried to change the idle timeout with no luck. ldapsearch responds with a 0 Success code. Sometimes it takes 5 attempts before I am logged in.
/var/log/secure:
Mar 5 13:30:13 mybigip.com err httpd[31489]: pam_ldap(httpd:auth): error reading from nslcd: Connection reset by peer
Mar 5 13:30:13 mybigip.com warning httpd[31489]: pam_unix(httpd:auth): check pass; user unknown
Mar 5 13:30:13 mybigip.com notice httpd[31489]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=192.168.5.10
Mar 5 13:30:16 mybigip.com err httpd[31489]: [auth_pam:error] [pid 31489] [client 192.168.5.10:53225] AUTHCACHE PAM: user 'f5' (fallback: false) - not authenticated: Authentication failure, referer: https://192.168.5.5/tmui/login.jsp
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").
Mar 5 13:30:16 mybigip.com info httpd(pam_audit)[31489]: 01070417:6: AUDIT - user f5 - RAW: httpd(pam_audit): User=f5 tty=(unknown) host=192.168.5.10 failed to login after 1 attempts (start="Thu Mar 5 13:30:13 2020" end="Thu Mar 5 13:30:16 2020").
nslcd in debug mode:
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [43a858] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: [43a858] <authc="f5"> DEBUG: nslcd_pam_authc("f5","httpd","***")
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=f5))")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): CN=f5,OU=admins,DC=mydomain,DC=com
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="CN=f5,OU=admins,DC=mydomain,DC=com", filter="(objectClass=*)")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_initialize(ldap://mydomain.com:389)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_rebind_proc()
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,30)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_simple_bind_s("CN=f5,OU=admins,DC=mydomain,DC=com","***") (uri="ldap://mydomain.com:389")
nslcd: [43a858] <authc="f5"> DEBUG: set_socket_timeout(30,500000)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): CN=f5,OU=admins,DC=mydomain,DC=com
nslcd: [43a858] <authc="f5"> DEBUG: set_socket_timeout(15,0)
nslcd: [43a858] <authc="f5"> DEBUG: ldap_unbind()
nslcd: [43a858] <authc="f5"> DEBUG: bind successful
nslcd: [43a858] <authc="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(objectClass=shadowAccount)(uid=f5))")
nslcd: [43a858] <authc="f5"> DEBUG: ldap_result(): end of results (0 total)
nslcd: [1d5ae9] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: nslcd_pam_get_attributes("f5","httpd","","192.168.5.10","","***")
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: myldap_search(base="OU=admins,DC=mydomain,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=f5))")
nslcd: [1d5ae9] <get_attributes="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: set_socket_timeout(15,0)
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: ldap_unbind()
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: "f5": user not found: Can't contact LDAP server
/var/log/httpd/httpd_errors
Mar 5 13:13:34 mybigip.com err httpd[31490]: [auth_pam:error] [pid 31490] [client 192.168.5.10:52914] AUTHCACHE PAM: user 'f5' (fallback: false) - not authenticated: Authentication failure, referer: https://192.168.5.5/tmui/login.jsp?msgcode=1&
/var/log/daemon.log
Mar 5 13:13:33 mybigip.com warning nslcd[3968]: [a2a8d4] <authc="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer
Thank you in advance for your help =)
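As an added triage aid (not from the post or from F5), the script below groups nslcd debug output by session id and separates sessions that failed on a transport error, like the connection reset above, from sessions that bound successfully; the sample is a trimmed copy of the nslcd lines quoted in the post.

```python
import re
from collections import OrderedDict

# Trimmed copy of the nslcd debug lines quoted in the post.
SAMPLE_NSLCD_LOG = """\
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [43a858] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: [43a858] <authc="f5"> DEBUG: ldap_simple_bind_s("CN=f5,OU=admins,DC=mydomain,DC=com","***") (uri="ldap://mydomain.com:389")
nslcd: [43a858] <authc="f5"> DEBUG: bind successful
nslcd: [1d5ae9] DEBUG: connection from pid=31489 uid=48 gid=48
nslcd: [1d5ae9] <get_attributes="f5"> ldap_search_ext() failed: Can't contact LDAP server: Connection reset by peer
nslcd: [1d5ae9] <get_attributes="f5"> DEBUG: "f5": user not found: Can't contact LDAP server
"""

# nslcd prefixes each per-request line with a hex session id and, once the
# request is known, an <operation="user"> tag.
SESSION_RE = re.compile(
    r'^nslcd: \[(?P<sid>[0-9a-f]+)\](?: <(?P<op>\w+)="(?P<user>[^"]*)">)? (?P<msg>.*)$'
)

# Substrings that mark a transport problem rather than a credential rejection.
TRANSPORT_ERRORS = ("Can't contact LDAP server", "Connection reset by peer")


def triage_nslcd(text):
    """Group nslcd debug lines by session id and record each session's outcome."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # daemon-level lines (e.g. accept() notices) carry no session id
        s = sessions.setdefault(m['sid'], {'user': None, 'op': None,
                                           'outcome': 'unknown', 'reason': None})
        if m['user']:
            s['user'], s['op'] = m['user'], m['op']
        msg = m['msg']
        if msg.endswith('bind successful'):
            s['outcome'] = 'ok'
        elif 'failed: ' in msg:
            # e.g. "ldap_search_ext() failed: Can't contact LDAP server: ..."
            s['outcome'] = 'fail'
            s['reason'] = msg.split('failed: ', 1)[1]
        elif 'user not found' in msg:
            s['outcome'] = 'fail'
    return sessions


def transient_failures(sessions):
    """Session ids that failed on a transport error; a burst of these for a
    user who also binds fine points at connection handling, not credentials."""
    return [sid for sid, s in sessions.items()
            if s['outcome'] == 'fail' and s['reason']
            and any(e in s['reason'] for e in TRANSPORT_ERRORS)]
```

Run it over `nslcd -d` output to see whether the failed logins line up with transport errors on a reused connection (the pattern in the post) or with genuine bind rejections.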
04-Nov-2020 06:06
The problem was hidden in empty LDAP user attributes: you need to fill each LDIF schema user attribute with an appropriate value to get authentication working again. You should not leave any single attribute empty. https://cdn.f5.com/product/bugtracker/ID950153.html
05-Mar-2020 04:21
I don't have a solution, but can confirm that we have the same problem, and our logs look a lot like yours. I've noticed there are many open bugs related to LDAP login, so hopefully this will be fixed soon.
22-Jul-2020 08:30 - last edited on 04-Jun-2023 21:22 by JimmyPackets
We had the same issue but following this article we are no longer seeing the problem:
https://support.f5.com/csp/article/K72830550
tmsh modify auth ldap system-auth idle-timeout 295