Cannot login as newly created LDAP user



Hello.

I'm using LDAP for authentication purposes even for the normal Unix
accounts. The LDAP server is OpenLDAP 2.3.35, built by Blastwave:

,----[ pkginfo -l CSWoldap ]
| PKGINST: CSWoldap
| NAME: openldap - OpenLDAP standalone server and update replication daemons (oldap)
| CATEGORY: application
| ARCH: sparc
| VERSION: 2.3.35,REV=2007.04.14
| BASEDIR: /
| VENDOR: http://www.openldap.org/ packaged for CSW by Alex Moore
| PSTAMP: ra20070414174122
| INSTDATE: Jul 17 2007 11:25
| HOTLINE: http://www.blastwave.org/bugtrack/
| EMAIL: asmoore@xxxxxxxxxxxxx
| STATUS: completely installed
| FILES: 146 installed pathnames
| 7 shared pathnames
| 15 directories
| 53 executables
| 6923 blocks used (approx)
`----

With "old" accounts, I'm able to telnet login to every machine. I just
now created a new account, and with that account, I cannot login on one
server (winds05). I'm using LDAP client stuff from Sun on that machine.

,----[ /var/ldap/ldap_client_file ]
| #
| # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
| #
| NS_LDAP_FILE_VERSION= 2.0
| NS_LDAP_SERVERS= 10.0.1.26
| NS_LDAP_SEARCH_BASEDN= ou=RACE,o=Example
| NS_LDAP_AUTH= simple
| NS_LDAP_SEARCH_SCOPE= sub
| NS_LDAP_CACHETTL= 3600
| NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,ou=RACE,o=Example?one
| NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,ou=RACE,o=Example?one
| NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,ou=RACE,o=Example?one
| NS_LDAP_SERVICE_SEARCH_DESC= hosts:ou=Hosts,ou=RACE,o=Example?one
| NS_LDAP_SERVICE_SEARCH_DESC= services:ou=Services,ou=RACE,o=Example?one
| NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
`----

In LDAP, the newly created account looks like this:

,----[ LDIF Export of newly created account ]
| version: 1
|
| # LDIF Export for: uid=testme,ou=People,ou=RACE,o=Example
| # Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on August 14, 2007 11:27 am
| # Server: RACE LDAP Server (winds06)
| # Search Scope: base
| # Search Filter: (objectClass=*)
| # Total Entries: 1
|
| dn: uid=testme,ou=People,ou=RACE,o=Example
| gidNumber: 10
| host: winnb000488
| host: winnb000488.win.ch.da.rtr
| host: winds06
| host: winds06.win.ch.da.rtr
| host: winds05
| host: winds05.win.ch.da.rtr
| loginShell: /opt/csw/bin/bash
| mailHost: mail1.Exampleauto.com
| objectClass: inetLocalMailRecipient
| objectClass: person
| objectClass: organizationalPerson
| objectClass: inetOrgPerson
| objectClass: posixAccount
| objectClass: top
| objectClass: shadowAccount
| objectClass: hostObject
| shadowLastChange: 13503
| uid: testme
| cn: Test User
| gecos: Test Me User,testme@xxxxxx
| givenName: Test
| homeDirectory: /tmp/testme
| mail: testme@xxxxxxx
| mailRoutingAddress: testme@xxxxxxx
| roomNumber: testme@xxxxxxx
| sn: User
| uidNumber: 12345
| userPassword: {CRYPT}Io0.0TeGweGNU
`----

To be on the safe side, I copied the entry from a working entry
and modified required bits (userPassword, uidNumber, uid, dn, ...).
The system CAN resolve the newly created account:

,----[ getent passwd testme ]
| testme::12345:10:Test Me User,testme@xxxxxx:/tmp/testme:/opt/csw/bin/bash
`----

$HOME directory and login shell exist:

,----[ ls -lad /tmp/testme /opt/csw/bin/bash ]
| -rwxr-xr-x 1 root bin 1041448 Mar 10 00:52 /opt/csw/bin/bash
| drwxr-xr-x 2 testme staff 117 Aug 14 11:13 /tmp/testme
`----

I'm using this login shell for other accounts as well.

I haven't provided any logs, as I don't find any that seem to
relate to this :( Maybe I'm looking in the wrong places - I looked
in syslog (independent of level/facility). The only thing I find is
this for the LDAP server:

,----[ Log message ]
| Aug 14 11:37:54 winds06 slapd[11227]: [ID 925615 local4.debug] <= bdb_equality_candidates: (uid) index_param failed (18)
| Aug 14 11:37:54 winds06 slapd[11227]: [ID 580335 local4.debug] conn=2014 op=0 ENTRY dn="uid=testme,ou=people,ou=race,o=example"
`----

But that's it :( I now started slapd with a loglevel of 256, but this
also doesn't provide ME with helpful messages. You can find the output
at <http://askwar.pastebin.ca/656696>.

,----[ /etc/pam.conf ]
| login auth requisite pam_authtok_get.so.1
| login auth required pam_dhkeys.so.1
| login auth required pam_unix_auth.so.1
| login auth required pam_dial_auth.so.1
| rlogin auth sufficient pam_rhosts_auth.so.1
| rlogin auth requisite pam_authtok_get.so.1
| rlogin auth required pam_dhkeys.so.1
| rlogin auth required pam_unix_auth.so.1
| rsh auth sufficient pam_rhosts_auth.so.1
| rsh auth required pam_unix_auth.so.1
| ppp auth requisite pam_authtok_get.so.1
| ppp auth required pam_dhkeys.so.1
| ppp auth required pam_unix_auth.so.1
| ppp auth required pam_dial_auth.so.1
| other auth requisite pam_authtok_get.so.1
| other auth required pam_dhkeys.so.1
| other auth required pam_unix_auth.so.1
| passwd auth required pam_passwd_auth.so.1
| cron account required pam_projects.so.1
| cron account required pam_unix_account.so.1
| other account requisite pam_roles.so.1
| other account required pam_projects.so.1
| other account required pam_unix_account.so.1
| other session required pam_unix_session.so.1
| other password required pam_dhkeys.so.1
| other password requisite pam_authtok_get.so.1
| other password requisite pam_authtok_check.so.1
| other password required pam_authtok_store.so.1
`----

,----[ /etc/nsswitch.conf ]
| passwd: files ldap
| group: files ldap
| hosts: ldap files dns
| ipnodes: ldap files
| networks: ldap [NOTFOUND=return] files
| protocols: ldap [NOTFOUND=return] files
| rpc: ldap [NOTFOUND=return] files
| ethers: ldap [NOTFOUND=return] files
| netmasks: ldap [NOTFOUND=return] files
| bootparams: ldap [NOTFOUND=return] files
| publickey: ldap [NOTFOUND=return] files
| netgroup: ldap
| automount: files ldap
| aliases: files ldap
| services: files ldap
| printers: user files ldap
| auth_attr: files ldap
| prof_attr: files ldap
| project: files ldap
`----

Why am I unable to telnet login with this newly created account?

Thanks a lot,

Alexander Skwar
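An added check, not part of the original post: it parses an LDIF entry like the one above and reports the conditions that commonly stop a Unix login for such an account (missing posixAccount/shadowAccount data, a userPassword scheme the client can't verify, and, because the entry carries hostObject, a host attribute that does not list the machine being logged into). The host check assumes the client enforces pam_check_host_attr; the sample entry is a constructed, trimmed copy of the post's LDIF.

```python
import re

# Constructed sample: the post's entry, trimmed to the attributes the checks use.
SAMPLE_LDIF = """dn: uid=testme,ou=People,ou=RACE,o=Example
gidNumber: 10
host: winds05
loginShell: /opt/csw/bin/bash
objectClass: posixAccount
objectClass: shadowAccount
objectClass: hostObject
uid: testme
homeDirectory: /tmp/testme
uidNumber: 12345
userPassword: {CRYPT}Io0.0TeGweGNU
"""

REQUIRED_CLASSES = {"posixAccount", "shadowAccount"}
REQUIRED_ATTRS = {"uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell", "userPassword"}
# Assumption: hash schemes the client-side PAM stack can verify from a fetched userPassword.
KNOWN_SCHEMES = {"CRYPT", "SSHA", "SHA", "MD5", "SMD5"}

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; attribute names are lower-cased because
    LDAP treats them case-insensitively. Comments/version lines skipped; base64 (::) not handled."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_login_entry(entry, hostname):
    """Return the list of problems that would block a Unix login with this entry on hostname."""
    problems = []
    classes = set(entry.get("objectclass", []))
    for oc in sorted(REQUIRED_CLASSES - classes):
        problems.append(f"missing objectClass {oc}")
    for attr in sorted(REQUIRED_ATTRS):
        if attr.lower() not in entry:
            problems.append(f"missing attribute {attr}")
    # hostObject: with pam_check_host_attr enabled (assumption), a host list that omits this
    # machine is a silent login denial even though getent resolves the account fine.
    hosts = entry.get("host", [])
    if hosts and hostname not in hosts:
        problems.append(f"host attribute does not list {hostname}")
    for pw in entry.get("userpassword", []):
        m = re.match(r"\{([A-Za-z0-9-]+)\}", pw)
        if not m or m.group(1).upper() not in KNOWN_SCHEMES:
            problems.append(f"userPassword scheme not recognised: {pw[:12]}")
    return problems
```

Run it against a real export with the target host's name (exactly as pam_ldap sees it, short or fully qualified) to separate a directory-side cause from a PAM/nsswitch one.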