# openldap problems authenticating



## bluethundr (Feb 23, 2011)

Hello FreeBSD!!

I am running an openldap 2.4 server under FreeBSD that was working well until the config was tweaked by someone on the team without properly documenting their work x(


If I grep 'getent passwd' for an ldap account it will show that ldap account on the ldap server itself:

```
[root@LBSD2:~] #getent passwd | grep bluethundr
bluethundr:$1$jN/xxdx5$gPtH1R.2A6K3wsbNNMTBY/:1001:1002:Timothy P. Dunphy:/home/bluethundr:/usr/local/bin/bash
[root@LBSD2:~] #grep bluethundr /etc/passwd
[root@LBSD2:~] #
```

However, if I grep 'getent passwd' for an ldap account on the client side, nothing turns up after a long pause.


```
[root@LCENT01:~] #getent passwd | grep bluethundr
[root@LCENT01:~] #
```


This is the /usr/local/etc/ldap.conf on the ldap server (FreeBSD 8.1) and is apparently doing its job:



```
host LBSD.summitnjhome.com
base dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw {SSHA}secret
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
```


This is how I have the /etc/ldap.conf on the ldap client (CentOS 5.5) which for some reason is not working:


```
host LBSD2.summitnjhome.com
base ou=staff,ou=Group,dc=summitnjhome,dc=com
sudoers_base ou=staff,ou=Group,dc=summitnjhome,dc=com
binddn cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
bindpw secret # <- password is in plaintext in this file
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
```

This is the nsswitch on the CentOS 5.5 client:



```
passwd:     files ldap
shadow:     files ldap
group:      files ldap
sudoers:    ldap
#hosts:     db files nisplus nis dns
hosts:      files dns
```

This is what's going on in the logs on the ldap server during the getent passwd from the client:

```
Feb 23 02:26:54 LBSD2 slapd[52517]: conn=2472 op=1 SRCH base="ou=staff,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(objectClass=posixAccount)"
Feb 23 02:26:54 LBSD2 slapd[52517]: conn=2472 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 23 02:26:54 LBSD2 slapd[52517]: conn=2472 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 23 02:26:54 LBSD2 slapd[52517]: daemon: activity on 1 descriptor
Feb 23 02:26:54 LBSD2 slapd[52517]: daemon: activity on:
Feb 23 02:26:54 LBSD2 slapd[52517]:  12r
Feb 23 02:26:54 LBSD2 slapd[52517]: 
Feb 23 02:26:54 LBSD2 slapd[52517]: daemon: read activity on 12
```

ldapsearch from the client as the pam_ldap service account is able to locate the ldap user info:


```
ldapsearch -xH 'ldap://LBSD2.summitnjhome.com' -D 'cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com' -w 'secret' -b 'dc=summitnjhome,dc=com' '(uid=bluethundr)'
```


```
43 uid=bluethundr,cn=summitnjops,ou=staff,ou=Group,dc=summitnjhome,dc=com
uid: bluethundr
cn: Timothy P. 
givenName: Timothy P.
sn: Dunphy
mail: bluethundr@gmail.com
mailRoutingAddress: bluethundr@mail.summitnjhome.com
mailHost: mail.summitnjhome.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: ldapPublicKey
uidNumber: 1001
gidNumber: 10000
homeDirectory: /home/bluethundr
gecos: Timothy Dunphy
loginShell: /bin/bash
sshPublicKey: ssh-rsa
AAAAB3NzaC1yc2EAAFAKE-DATA-com
sshPublicKey: ssh-rsa
AAAABFAKE-DATA-FAKE_DATAxxgvmqQfKyS8i26+IelHcqRT5cgCSU
bFlPR3ouVu8eAgIE6gwKTuElIaTwJQ4QjBlaGaohEQRei0FWsfb7EzH1ikE34gJTdoaSnozU9MWc+f
tim@dunphy
userPassword: {CRYPT}secret
```

It's only the getent requests from the clients that are failing, so it seems that there _has_ to be something off in the /etc/ldap.conf file.

One thing I would like to be clear about is that the pam_ldap account that I am using to search the directory is an inetOrgPerson account and the user accounts that I am looking for are posixAccounts.

This is the ldap software I have on the FreeBSD server:


```
LBSD2# pkg_info | grep -i ldap
ldapvi-1.7_2        A tool to update LDAP entries with a text editor
openldap-sasl-client-2.4.23 Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.23 Open source LDAP server implementation
pam_ldap-1.8.5      A pam module for authenticating with LDAP
```

And this is what I am using on the CentOS 5.5 client:


```
[root@LCENT01:~] #rpm -qa | grep -i ldap
python-ldap-2.2.0-2.1
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
ldapvi-1.7-10.el5
php-ldap-5.1.6-27.el5
openldap-clients-2.3.43-12.el5_5.3
openldap-2.3.43-12.el5_5.3
nss_ldap-253-25.el5
```

Some advice is sorely needed here. Thank you very kindly in advance!


----------
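A diagnostic check for the symptom in the post above (an added example in Python; it is not part of the original thread and is not code from nss_ldap or OpenLDAP). It parses the client's ldap.conf, correlates the SRCH and SEARCH RESULT lines in the quoted slapd log by conn/op, flags results with err=32 (LDAP noSuchObject), and tests whether each configured nss_base_* is actually an ancestor of the DN that ldapsearch returned. The config, log and DN embedded below are constructed from values quoted in the post.

```python
import re

# Constructed excerpts, taken from the post: client /etc/ldap.conf, slapd log
# lines for the failing getent, and the DN ldapsearch returned for the user.
CLIENT_LDAP_CONF = """\
host LBSD2.summitnjhome.com
base ou=staff,ou=Group,dc=summitnjhome,dc=com
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
"""
SLAPD_LOG = """\
Feb 23 02:26:54 LBSD2 slapd[52517]: conn=2472 op=1 SRCH base="ou=staff,dc=summitnjhome,dc=com" scope=2 deref=0 filter="(objectClass=posixAccount)"
Feb 23 02:26:54 LBSD2 slapd[52517]: conn=2472 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""
USER_DN = "uid=bluethundr,cn=summitnjops,ou=staff,ou=Group,dc=summitnjhome,dc=com"
LDAP_NO_SUCH_OBJECT = 32  # resultCode noSuchObject: the search base does not exist

def parse_ldap_conf(text):
    """Return {keyword: value} for 'keyword value' lines, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip()
    return conf

def failed_searches(log):
    """Pair SRCH lines with their SEARCH RESULT by conn/op; return (base, err, nentries)."""
    bases, results = {}, []
    for line in log.splitlines():
        m = re.search(r'(conn=\d+ op=\d+) SRCH base="([^"]*)"', line)
        if m:
            bases[m.group(1)] = m.group(2)
            continue
        m = re.search(r'(conn=\d+ op=\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)', line)
        if m and m.group(1) in bases:
            results.append((bases[m.group(1)], int(m.group(2)), int(m.group(3))))
    return results

def base_covers_dn(base, dn):
    """True if dn sits at or beneath base, i.e. base's RDNs are a suffix of dn's RDNs."""
    b = [c.strip().lower() for c in base.split(",")]
    d = [c.strip().lower() for c in dn.split(",")]
    return len(b) <= len(d) and d[-len(b):] == b

def diagnose(conf_text, log, user_dn):
    """List reasons why getent could miss user_dn with this ldap.conf and log."""
    conf, findings = parse_ldap_conf(conf_text), []
    for key in ("nss_base_passwd", "nss_base_shadow"):
        base = conf.get(key, conf.get("base", "")).split("?")[0]  # drop ?scope?filter suffix
        if not base_covers_dn(base, user_dn):
            findings.append(f"{key}={base} is not an ancestor of {user_dn}")
    for base, err, _ in failed_searches(log):
        if err == LDAP_NO_SUCH_OBJECT:
            findings.append(f"slapd returned noSuchObject (err=32) for base {base}")
    return findings
```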

