arthurdejong / nss-pam-ldapd

NSS and PAM modules for lookups using LDAP

Home Page: https://arthurdejong.org/nss-pam-ldapd/

Support building a user DN from a template

f-b-e opened this issue · comments

commented

Hi,

I am trying to use the simple bind method for authentication of users.
To illustrate my need, please have a look at https://help.fortinet.com/fadc/4-8-0/olh/Content/FortiADC/handbook/remote_ldap_server.htm.

I cannot figure out how to do it and, from my understanding of the code and the debug log I get from my trials, I think this is not supported.

Is it possible to add the support?

Thanks for your future answers.

The nslcd daemon will use a simple BIND request by default for user authentication when the PAM module is used. The debug log should contain something like:

nslcd: [efd79f] <authc="arthur"> DEBUG: nslcd_pam_authc("arthur","gdm-password","***")
nslcd: [efd79f] <authc="arthur"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=arthur))")
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_result(): uid=arthur,ou=people,dc=example,dc=com
nslcd: [efd79f] <authc="arthur"> DEBUG: myldap_search(base="uid=arthur,ou=people,dc=example,dc=com", filter="(objectClass=*)")
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_initialize(ldaps://192.168.1.1/)
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_sasl_bind("uid=arthur,ou=people,dc=example,dc=com","***") (uri="ldaps://192.168.12.1/") (ppolicy=yes)
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_unbind()
nslcd: [efd79f] <authc="arthur"> DEBUG: bind successful
nslcd: [efd79f] <authc="arthur"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=shadowAccount)(uid=arthur))")
nslcd: [efd79f] <authc="arthur"> DEBUG: ldap_result(): uid=arthur,ou=people,dc=example,dc=com

While it uses the ldap_sasl_bind() function, the BIND operation to the server should be a simple bind with just a DN and a password.

Please provide more details.

commented

Hi, thanks for your reply.

Below is my configuration file.

log /var/log/nslcd.log debug

uid nslcd
gid nslcd

uri ldap://10.1.1.254
base dc=example,dc=local
ldap_version 3
nss_uid_offset 1000
nss_gid_offset 1000

base passwd ou=Accounts,dc=example,dc=local
filter passwd (objectClass=user)
map passwd uid sAMAccountName
map passwd gecos displayName
map passwd loginShell "/bin/bash"
map passwd homeDirectory "/home/${sAMAccountName}"
map passwd uidNumber objectSid:<...>
map passwd gidNumber objectSid:<...>

base shadow ou=Accounts,dc=example,dc=local
filter passwd (objectClass=user)
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet

base group ou=Groups,dc=example,dc=local
filter group (objectClass=group)
map group userPassword ""
map group cn sAMAccountName
map group gidNumber objectSid:<...>

Below is the log:

nslcd: [8b4567] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [8b4567] <passwd="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=com", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_initialize(ldap://10.1.1.254)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="jsnow"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.1.1.254")
nslcd: [8b4567] <passwd="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [7b23c6] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=local", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_initialize(ldap://10.1.1.254)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="jsnow"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://10.1.1.254")
nslcd: [7b23c6] <passwd="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [3c9869] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [3c9869] <passwd="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=local", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [3c9869] <passwd="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [334873] DEBUG: connection from pid=7580 uid=0 gid=0
nslcd: [334873] <authc="jsnow"> DEBUG: nslcd_pam_authc("jsnow","sshd","***")
nslcd: [334873] <authc="jsnow"> DEBUG: myldap_search(base="ou=Accounts,dc=example,dc=local", filter="(&(objectClass=user)(sAMAccountName=jsnow))")
nslcd: [334873] <authc="jsnow"> ldap_result() failed: Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
nslcd: [334873] <authc="jsnow"> DEBUG: "jsnow": user not found: Operations error

If I add the binddn and bindpw to my configuration this works properly.
With the simple bind method, I removed binddn and bindpw from the configuration, as it should use those of the user trying to connect.

Maybe I am mistaken with the configuration.

The binddn and bindpw options are needed for your LDAP server for name lookups to work. This is what the "Operations error: 000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580" error is about. You probably need to add a role account to your LDAP server that will be used for all name lookups.

These name lookups are not tied to any particular system user because they are carried out before authentication. The first search that is done in the authc request is also a name lookup to translate the username into a user DN that can be used in the subsequent BIND operation.

commented

You confirm what I understood from the source code:

  • bind with binddn and bindpw from the configuration
  • search the user and get its DN from user name (validate_user + myldap_get_dn)
  • bind simple with the user DN, username and password (try_bind)

Tell me if I am wrong, but from my understanding this behavior corresponds to the regular bind method:

Will it be possible to make the first bind with the credentials of the user who is trying to log in?
To do it, we would need the ability to build the DN from the username. It implies that all users are located in the same branch.

Will it be possible to make the first bind with the credentials of the user who is trying to log in?
To do it, we would need the ability to build the DN from the username.

While in theory this could be implemented, I don't think this will work for normal system account authentication because almost every PAM stack will look up the user (the <passwd="jsnow"> requests) before attempting authentication. This means that user information needs to be retrieved from the LDAP server before the password is sent to the PAM module.

One scenario where this perhaps could work is when the LDAP users already exist in /etc/passwd.
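The two flows discussed in this thread, as an added example that is not nss-pam-ldapd code: the search-then-bind sequence the maintainer describes (role-account bind, lookup of the user's DN, simple bind as that DN) beside the requested template-DN bind that skips the lookup. It runs against a constructed in-memory directory (the DIRECTORY table, the cn=nslcd role account, the passwords and the "%s" template placeholder are all assumptions made for the example) whose search refuses unbound connections the way the Active Directory "Operations error" in the log does. Since the login name embedded in the filter or DN arrives from the PAM conversation, both paths escape it per RFC 4515 (filters) and RFC 4514 (DNs); the escaping helpers are the part worth reusing.

```python
"""Added example (not nss-pam-ldapd code). It models, against a constructed
in-memory directory, the two ways of turning a login name into a bind DN:

  1. search-then-bind (what nslcd does): bind as a role account, search for the
     user by attribute, take the DN from the entry, then bind as that DN;
  2. template DN (what the issue asks for): build "uid=<name>,ou=people,..."
     from the login name and bind straight away, with no lookup.

Both paths escape the user-supplied name before it is embedded in a search
filter (RFC 4515) or a DN (RFC 4514), since that name is untrusted input.
"""

# Constructed directory: DN -> attributes. The two users sit in different OUs,
# which is exactly the case a single DN template cannot cover.
DIRECTORY = {
    "uid=arthur,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["arthur"], "userPassword": ["s3cret"]},
    "uid=jsnow,ou=contractors,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["jsnow"], "userPassword": ["winter"]},
    "cn=nslcd,ou=roles,dc=example,dc=com": {   # assumed role account for lookups
        "objectClass": ["simpleSecurityObject"], "userPassword": ["role-pw"]},
}


def escape_filter_value(value):
    """RFC 4515: escape the characters that are special inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514: escape the characters that are special in a DN attribute value."""
    out = []
    for i, c in enumerate(value):
        if c == "\x00":
            out.append("\\00")
        elif c in ',+"\\<>;' or (i == 0 and c in " #") or (i == len(value) - 1 and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def build_search_filter(username):
    """The filter seen in nslcd's debug log, with the username safely escaped."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)


def build_template_dn(template, username):
    """Hypothetical 'binddn template' as requested in the issue; %s is the login name."""
    return template.replace("%s", escape_dn_value(username))


def simple_bind(dn, password):
    """Simulated LDAP simple BIND: the DN must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def search_uid(bound, base, username):
    """Simulated subtree search for build_search_filter(username) under base.
    Like the AD server in the thread it refuses searches on a connection that
    has not completed a bind. The toy server matches on attribute values
    directly rather than parsing the filter string."""
    if not bound:
        raise PermissionError("Operations error: a successful bind must be "
                              "completed on the connection")
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base)
            and "posixAccount" in attrs["objectClass"]
            and username in attrs.get("uid", [])]


def authenticate_search_then_bind(username, password, role_dn, role_pw, base):
    """nslcd's flow: role bind -> look up DN -> bind as user. Returns the DN or None."""
    if not simple_bind(role_dn, role_pw):
        return None
    dns = search_uid(True, base, username)
    if len(dns) != 1:            # no match or an ambiguous match: refuse
        return None
    return dns[0] if simple_bind(dns[0], password) else None


def authenticate_template_dn(username, password, template):
    """Requested flow: no lookup, bind as the templated DN. Users outside the
    template's branch can never authenticate this way."""
    dn = build_template_dn(template, username)
    return dn if simple_bind(dn, password) else None


if __name__ == "__main__":
    role = ("cn=nslcd,ou=roles,dc=example,dc=com", "role-pw")
    base = "dc=example,dc=com"
    tmpl = "uid=%s,ou=people,dc=example,dc=com"
    for user, pw in (("arthur", "s3cret"), ("jsnow", "winter")):
        print(user, "search+bind:", authenticate_search_then_bind(user, pw, *role, base))
        print(user, "template:   ", authenticate_template_dn(user, pw, tmpl))
    print("escaped filter:", build_search_filter("*)(uid=*"))
```

Running it shows arthur authenticating through both paths while jsnow, who lives under ou=contractors, only gets through the search-then-bind path; the last line shows the wildcard and parentheses in a hostile login name rendered harmless as `\2a`, `\29` and `\28` before they reach the filter.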