Old 02-10-2017, 12:00 PM   #1
PastulioLive
Member
 
Registered: Nov 2014
Posts: 39

Rep: Reputation: Disabled
Problem authenticating with OpenLDAP server, ldap-client tools work


Hi everybody,

I am having some problems getting LDAP authentication to work using OpenLDAP 2.4 on Scientific Linux/CentOS 7.
The new server has an imported database from an old OpenLDAP 2.3 server.

The new OpenLDAP server seems to be working, for the moment without TLS and just a simple bind.
I can query and modify the directory for our dc=example,dc=com DIT using the openldap-client tools without a problem.

The problem arises when I try to authenticate to this server from intranet websites (like bugzilla) or our Fedora workstations using SSSD.


On our Bugzilla server, I get this message when logging in:
Code:
An error occurred while trying to search LDAP for "myuser": No such object

Traceback:

 at Bugzilla/Auth.pm line 165, <DATA> line 755.
	Bugzilla::Auth::_handle_login_result(...) called at Bugzilla/Auth.pm line 61
	Bugzilla::Auth::login(...) called at Bugzilla.pm line 328
	Bugzilla::login(...) called at /opt/bugzilla/index.cgi line 21
On the bugzilla instance, I have set up the correct server and the correct BaseDN (ou=People,dc=example,dc=com).
The bugzilla BaseDN has not changed since the database was imported.
The old server also uses simple bind without TLS.
Only the server url has changed.


When I try to log in on our Fedora machines using this server I simply get an "Authentication Failure".
EDIT: This was solved by adding FORCELEGACY=yes instead of FORCELEGACY=no in /etc/sysconfig/authconfig.
I figured this out by stopping sssd and running it manually in interactive debug mode: sssd -i -d 4
I find it strange because our old LDAP server also does not use TLS, and it was working fine with just the --disableldaptls flag.

Code:
authconfig --enableldap \
           --enableldapauth \
           --disableldaptls \
           --ldapserver=ldap1.example.com \
           --ldapbasedn="dc=example,dc=com" \
           --enablemkhomedir \
           --enablesssd \
           --enablecachecreds \
           --update

I am however getting the correct information from the LDAP server.
The command below returns the correct directory information:
Code:
$ getent passwd myuser
myuser:*:1001:1001:My User:/home/myuser:/bin/bash

I have tried to change the user's password in LDAP a couple of times using both CRYPT and SSHA to make sure it was not a password issue.

I setup a jenkinsci server using a docker container, and this appears to be authenticating to the server correctly.
Bugzilla is a problem.

I have also run a packet capture while authenticating on bugzilla.
Here you can find an obfuscated screenshot of the wireshark transaction for Bugzilla:

I can't post the pcap file unfortunately.


Using the GQ LDAP browser I can see all of the entries.

There is one domainComponent in the DIT:

I can also see the object:
Code:
dn: dc=example,dc=com
objectClass: top
objectClass: domain
domainComponent: example
The ou's required for authentication are also there:
Code:
dn: ou=Group,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Group

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
I have also checked if the LDAP version being used could be a problem.
The olcAllow: bind_v2 configuration setting is present.

I would almost think it is a client issue, but this would not explain why bugzilla has problems too, and that it does work on our old server.

Any help is greatly appreciated, I am really stuck here!

Thanks in advance,
Pascal

Last edited by PastulioLive; 02-11-2017 at 01:10 PM.
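An added illustration of the Bugzilla error above (not code from this thread, from Bugzilla, or from OpenLDAP): an LDAP server answers a search with resultCode 32 (noSuchObject) only when the search base itself does not exist, whereas a filter that matches nothing returns success with zero entries. So "No such object" points at the configured base DN, not at the user. The small emulation below uses constructed LDIF modelled on the entries shown in the post plus a hypothetical uid=myuser entry, and compares DNs case-insensitively so that a base typed with different case is still found.

```python
# Constructed LDIF modelled on the post's entries; uid=myuser is hypothetical.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
domainComponent: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=myuser,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: myuser
uidNumber: 1001
"""

NO_SUCH_OBJECT = 32  # LDAP resultCode returned when the search base is missing
SUCCESS = 0          # returned even when the filter matches no entry

def normalize_dn(dn):
    """Fold case and strip spaces around RDN separators so DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF parser (no folding/base64): {normalized dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {}
            entries[normalize_dn(value)] = current
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def search(entries, base_dn, attr, value):
    """Emulate a subtree search: returns (resultCode, list of matching DNs)."""
    base = normalize_dn(base_dn)
    if base not in entries:
        return NO_SUCH_OBJECT, []   # base DN absent: "No such object"
    hits = [dn for dn, attrs in entries.items()
            if (dn == base or dn.endswith("," + base))
            and value in attrs.get(attr.lower(), [])]
    return SUCCESS, hits            # success, possibly with zero entries
```

A real server can be checked the same way with ldapsearch -b &lt;base&gt;: an exit status of 32 means the base is wrong, while an empty result with exit status 0 means the base exists but no entry matched.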
 
Old 02-11-2017, 07:31 AM   #2
PastulioLive
Member
 
Registered: Nov 2014
Posts: 39

Original Poster
Rep: Reputation: Disabled
I have condensed the content of this post to the original post, please delete this post.

Last edited by PastulioLive; 02-11-2017 at 01:09 PM.