LinuxQuestions.org

nss_ldap: failed to bind to LDAP server (https://www.linuxquestions.org/questions/linux-newbie-8/nss_ldap-failed-to-bind-to-ldap-server-916145/)

pitccorp01 11-29-2011 02:59 AM

nss_ldap: failed to bind to LDAP server
 
Hi,

I am trying to configure an openldap 2.4.23 client running on an openSuSE 11.4 64-bit server with the modules pam 1.1.3, nss_ldap 265-9.3 and krb5 1.8.3, but I am receiving the following error message when the server connects to the ldap server (Windows Server 2008).

Quote:

Unable to find a suitable server for domain POWELLITC

My /etc/ldap.conf settings are:
Code:

base    dc=server,dc=com
binddn  cn=Administrator,cn=Users,dc=server,dc=com
bindpw  password
port    389
bind_policy    soft
pam_lookup_policy      yes
pam_password    exop
nss_initgroups_ignoreusers      root,ldap
nss_schema      rfc2307bis
nss_map_attribute      uniqueMember member
ssl    no
uri    ldap://x.x.x.x
ldap_version    3
pam_filter      objectClass=posixAccount

my /etc/nscd.conf
Code:

        enable-cache            passwd          yes
        positive-time-to-live  passwd          600
        negative-time-to-live  passwd          20
        suggested-size          passwd          211
        check-files            passwd          yes

        enable-cache            group          yes
        positive-time-to-live  group          3600
        negative-time-to-live  group          60
        suggested-size          group          211
        check-files            group          yes

        enable-cache            hosts          yes
        positive-time-to-live  hosts          600
        negative-time-to-live  hosts          0
        suggested-size          hosts          211
        check-files            hosts          yes

my /etc/krb5.conf settings are:
Code:

[libdefaults]
        default_realm = POWELLITC.COM
        clockskew = 300

[realms]
POWELLITC = {
        kdc = x.x.x.x
        default_domain = POWELLITC
        admin_server = x.x.x.x
}
POWELLITC.COM = {
        kdc = x.x.x.x
        default_domain = powellitc.com
        admin_server = x.x.x.x
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .powellitc.com = POWELLITC.COM
        .powellitc = POWELLITC
        .POWELLITC = POWELLITC.COM
[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd
}

I have successfully connected from the linux server to the ldap server using the command
Quote:

ldapsearch -x -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -W "sAMAccountName"
with the password from /etc/ldap.conf
Code:

# search result
search: 2
result: 0 Success

# numResponses: 246
# numEntries: 242
# numReferences: 3

I do not receive any errors executing the command using the password from /etc/ldap.conf.

I am also able to browse the ldap server using the yast ldap browser GUI. So, I am thinking there is something that I have overlooked in a configuration setting. Please help!

Thanks.

kbscores 11-29-2011 09:10 AM

First, I am by no means an ldap expert; however, there are a lot of things here that are troublesome.

The primary issues are binddn, base, and ldapsearch.

Think of binddn and base as backwards paths: base is your root node to your ldap directory; in this case it would be your domain:

Code:

base dc=powellitc,dc=com
Your binddn would be considered your root login, and in order for ldap to recall information it needs a path to get to it, so it would look like this:

Code:

binddn  cn=Administrator,cn=Users,dc=powellitc,dc=com
Keep in mind this information MUST match the slapd.conf file on the ldap server.
Also, I'm assuming all directory information has been loaded into the server correctly;
if it has not, you will continue to get no results.

OK, so a couple of things about ldapsearch:
When using certificates, simple authentication isn't required (-x, -W). You may still use simple authentication if it is set up within the slapd.conf file on the ldap server. Listed below are a few examples of ldapsearch calls with explanations:

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W *
This will use simple authentication (no certificate) and will return all attributes listed within server with their values.

Note: ldapsearch by default uses sub as its scope, meaning it will search all directories including subdirectories. You can change the scope with -s and one of three values (base, sub, children).

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W uid=myID
The example listed above uses simple authentication and will return all attributes for objects associated with uid=myID.

To list only attributes stored in directory structure use:

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W -A
To list specific information about a directory structure search use:

Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powellitc,dc=com" -x -W uid=myID sn cn shadowMin
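
The base/binddn relationship kbscores describes above can be checked mechanically. The script below is an added example, not code from the thread or from nss_ldap: it parses an nss_ldap-style ldap.conf and reports a binddn that is not under base (the posted base dc=server,dc=com against the dc=powellitc,dc=com DN that worked in ldapsearch) and a bindpw that would be sent without TLS (the posted ssl no with a plain ldap:// uri). The sample config is constructed from those posted values.

```python
"""Added example (not from the thread): lint an nss_ldap/pam_ldap style
/etc/ldap.conf for a binddn outside the configured base and for a bindpw
that would be sent over an unencrypted connection."""
from typing import Dict, List

# Constructed sample: the base from the posted ldap.conf combined with the
# binddn that actually worked in the poster's ldapsearch command.
SAMPLE = """\
base    dc=server,dc=com
binddn  cn=Administrator,cn=Users,dc=powellitc,dc=com
bindpw  password
uri     ldap://x.x.x.x
ssl     no
"""
# Same file with the base corrected and STARTTLS turned on.
FIXED = SAMPLE.replace("dc=server", "dc=powellitc").replace("ssl     no", "ssl     start_tls")

def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Parse 'key <whitespace> value' lines; '#' starts a comment, later keys win."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                conf[parts[0].lower()] = parts[1].strip()
    return conf

def dn_rdns(dn: str) -> List[str]:
    # Lower-cased RDN list so the suffix test ignores case and spacing.
    return [rdn.strip().lower() for rdn in dn.split(",")]

def lint_ldap_conf(conf: Dict[str, str]) -> List[str]:
    problems: List[str] = []
    base, binddn = conf.get("base"), conf.get("binddn")
    if base and binddn:
        b, d = dn_rdns(base), dn_rdns(binddn)
        if len(d) < len(b) or d[-len(b):] != b:
            problems.append(f"binddn {binddn} is not under base {base}")
    if "bindpw" in conf:
        # nss_ldap takes ssl yes|no|start_tls; 'yes' means LDAPS on the socket.
        encrypted = conf.get("ssl", "no").lower() in ("yes", "on", "start_tls")
        if not encrypted and not conf.get("uri", "").lower().startswith("ldaps://"):
            problems.append("bindpw is set but ssl is off and uri is not ldaps://, "
                            "so the bind password crosses the network in clear text")
    return problems

if __name__ == "__main__":
    for name, text in (("posted", SAMPLE), ("fixed", FIXED)):
        print(name, lint_ldap_conf(parse_ldap_conf(text)) or ["ok"])
```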

pitccorp01 11-29-2011 12:47 PM

Thanks for the tips and pointers. I have updated the /etc/openldap/slapd.conf and /etc/ldap.conf files and restarted the ldap service. Here are the returned messages:
Quote:

Nov 29 12:31:12 localhost slapd[29376]: @(#) $OpenLDAP: slapd 2.4.23 $#012#011opensuse-buildservice@opensuse.org
Nov 29 12:31:13 localhost slapd[29380]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Nov 29 12:31:13 localhost slapd[29380]: slapd starting
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 fd=13 ACCEPT from IP=[::1]:60872 (IP=[::]:389)
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=0 BIND dn="" method=128
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=0 RESULT tag=97 err=0 text=
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 op=2 UNBIND
Nov 29 12:31:13 localhost slapd[29380]: conn=1000 fd=13 closed
Any suggestions? Thanks.

kbscores 12-01-2011 10:35 AM

Are you familiar with LDAP? If not, I recommend starting off with a simpler configuration until you get the concepts. It can get fairly complicated when you start throwing in extensions, especially if you haven't set up a basic server before.

There are several variables here that make it difficult to troubleshoot. Just from that output, which I guess is from -d 0 when starting slapd?

I'd say start with a basic configuration and slowly add elements into the conf files. When slapd doesn't start, that is an error. Also, here is a fairly extensive guide for openLDAP that might be able to shed more light on configurations: http://tldp.org/HOWTO/LDAP-HOWTO/index.html

pitccorp01 12-14-2011 12:37 PM

Fixed It!
 
I resolved the issue using the following procedure starting from scratch:

1. Install openldap and openldap tools
2. Generate encrypted password using
Code:

slappasswd
Quote:

{SSHA}PsJPbrbirXGB+IHq8m7M++BBZO6MvXE+
3. Edit configuration file /etc/openldap/slapd.conf for
Code:

suffix          "dc=powell,dc=com"
rootdn          "cn=Administrator,cn=Users,dc=powell,dc=com"
rootpw          {SSHA}PsJPbrbirXGB+IHq8m7M++BBZO6MvXE+

4. Start service rcldap start
5. Test connection with
Code:

ldapsearch -D "cn=Administrator,cn=Users,dc=powell,dc=com" -x -W uid=myuserid
Expected output:
Quote:

# extended LDIF
#
# LDAPv3
# base <DC=powell,DC=com> (default) with scope subtree
# filter: uid=myuserid
# requesting: ALL
#
# search reference

ref: ldap://ForestDnsZones.powell.com/DC=ForestDnsZones,DC=powell,DC=com
# search reference
ref: ldap://DomainDnsZones.powell.com/DC=DomainDnsZones,DC=powell,DC=com
# search reference
ref: ldap://powell.com/CN=Configuration,DC=powell,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 4
# numReferences: 3
6. grep slapd /var/log/messages to see results when slapd started
Quote:

Dec 10 14:29:11 serverA slapd[4710]: @(#) $OpenLDAP: slapd 2.4.17 (Mar 3 2011 09:39:43) $#012#011abuild@build21:/usr/src/packages/BUILD/openldap-2.4.17/servers/slapd

Dec 10 14:29:11 serverA slapd[4714]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Dec 10 14:29:11 serverA slapd[4714]: slapd starting
Dec 10 14:29:12 serverA slapd[4714]: conn=0 fd=13 ACCEPT from IP=[::1]:44389 (IP=[::]:389)
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=0 BIND dn="" method=128
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=0 RESULT tag=97 err=0 text=
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 10 14:29:12 serverA slapd[4714]: conn=0 op=2 UNBIND
Dec 10 14:29:12 serverA slapd[4714]: conn=0 fd=13 closed
7. Install clamav, clamdb, ldapsmb, bind
8. Add
Quote:

1.1.1.1 domain-ctrl.powell.com windctrl01
to the /etc/hosts file
9. Edit file /etc/samba/smb.conf with the settings:
Code:

[global]
        workgroup = POWELL
        netbios name = serverA
        realm = POWELL.COM
        password server = domain-ctrl.powell.com
        encrypt passwords = yes
        log level = 1
        syslog = 0
        domain master = no
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        security = ADS
        wins support = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

10. Edit /etc/krb5.conf with the settings below:
Code:

[libdefaults]

        default_realm = POWELL.COM
        clockskew = 300
[realms]

POWELL.COM = {
        kdc = domain-ctrl.powell.com
        default_domain = powell.com
        admin_server = domain-ctrl.powell.com
}

powell.com = {
        kdc = domain-ctrl.powell.com
        default_domain = powell.com
        admin_server = domain-ctrl.powell.com
}

POWELL  = {
        kdc = domain-ctrl.powell.com
        default_domain = POWELL
        admin_server = domain-ctrl.powell.com
}

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

[domain_realm]
        .powell.com = POWELL.COM
        .POWELL = POWELL

[appdefaults]

pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 0
        try_first_pass = true
}

11. Execute command
Code:

/usr/bin/kinit Administrator@POWELL.COM
to create kerberos ticket
12. Execute command
Code:

klist
to view the ticket information
Expected Output:
Quote:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@POWELL.COM

Valid starting Expires Service principal
12/10/11 15:07:12 12/11/11 01:07:22 krbtgt/POWELL.COM@POWELL.COM
renew until 12/11/11 15:07:12
13. Execute command
Code:

net ads join -S domain-ctrl.powell.com -U Administrator
to join the Windows domain powell.com

Expected Output:
Quote:

Enter Administrator's password:

Using short domain name -- POWELL
Joined 'serverA' to realm 'powell.com'
14. Start
Code:

rcwinbind start
to start winbind service
15. Execute
Code:

wbinfo -u
to list users in the domain powell.com
Quote:

POWELL\user1
POWELL\user2
POWELL\user3
16. Logon to Windows DC server to verify the machine has been added

I hope this post was helpful to someone who has the same issue as I did!

Thanks
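
The realm blocks and domain_realm mappings in the posted krb5.conf files are easy to let drift apart (the first post maps .POWELLITC to POWELLITC.COM while also defining a separate POWELLITC realm; the final one defines both POWELL.COM and a lower-case powell.com). The checker below is an added example, not code from the thread or from MIT Kerberos: it parses [libdefaults], [realms] and [domain_realm] offline and reports realms that are referenced but never defined, and realm names that differ only by case. The sample is constructed, and its undefined POWELL realm is deliberate.

```python
# Added example (not from the thread): offline checks for a krb5.conf's [libdefaults], [realms] and [domain_realm].

# Constructed sample modelled on the final post's krb5.conf: a lower-case
# 'powell.com' realm beside POWELL.COM, and the POWELL realm left undefined.
SAMPLE = """\
[libdefaults]
        default_realm = POWELL.COM
[realms]
POWELL.COM = {
        kdc = domain-ctrl.powell.com
}
powell.com = {
        kdc = domain-ctrl.powell.com
}
[domain_realm]
        .powell.com = POWELL.COM
        .POWELL = POWELL
"""

def parse_krb5_conf(text: str) -> dict:
    """{section: {key: value or {subkey: value}}}; one level of '{ }' nesting, last duplicate key wins."""
    sections, current, block = {}, {}, None  # block: the 'NAME = {' dict we are inside, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif line == "}":
            block = None
        elif line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = current.setdefault(key, {})
            else:
                (block if block is not None else current)[key] = value
    return sections

def check_krb5_conf(conf: dict) -> list:
    """Realms referenced but never defined, plus names that are a second realm differing only by case."""
    problems, realms = [], conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for name in realms:
        if name != name.upper():  # realm names are case-sensitive; lower-case is a distinct realm, not an alias
            problems.append(f"realm {name} is a different realm from {name.upper()}")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"domain_realm maps {domain} to undefined realm {realm}")
    return problems
```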
