ldap SASL(-13): user not found: no secret in database



ecanmaster
28-Oct-2014, 11:21
hi,

Been already 2 days busy with this.
I am configuring ldap on yast and now I have an issue regarding the authentication.
My password is not being accepted even though I fill the correct password.
I have setup ldap using yast and here are some errors:

# ldapwhoami
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database

/var/log/messages:

:[rw] authid: "uid=root,cn=digest-md5,cn=auth" -> "uid=root,cn=digest-md5,cn=auth"
: slap_parseURI: parsing uid=root,cn=digest-md5,cn=auth
: >>> dnNormalize: <uid=root,cn=digest-md5,cn=auth>
: <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
: <==slap_sasl2dn: Converted SASL name to uid=root,cn=digest-md5,cn=auth
: slap_sasl_getdn: dn:id converted to uid=root,cn=digest-md5,cn=auth
: SASL Canonicalize [conn=1006]: slapAuthcDN="uid=root,cn=digest-md5,cn=auth"
: SASL Canonicalize [conn=1006]: authzid="root"
: SASL [conn=1006] Failure: no secret in database
: send_ldap_result: conn=1006 op=2 p=3
: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
: send_ldap_response: msgid=3 tag=97 err=49
: conn=1006 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database

Let me know if you need more info; because of this issue I can't create users or do any other tasks in openldap.

# cat /etc/openldap/slapd.conf
#
# Note: The OpenLDAP configuration has been created by YaST. YaST does not
# use /etc/openldap/slapd.conf to store the OpenLDAP configuration anymore.
# YaST uses OpenLDAP's dynamic configuration database (back-config) to
# store the LDAP server's configuration.
# For details about the dynamic configuration backend please see the
# slapd-config(5) manpage or the OpenLDAP Software 2.4 Administrator's Guide
# located at /usr/share/doc/packages/openldap2/guide/admin/guide.html
# on this system.

ab
28-Oct-2014, 12:03
Try adding the '-x' option to use Simple (password) authentication. See
the manpage for details if interested.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

ecanmaster
28-Oct-2014, 12:29
i tried:

# ldapwhoami
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database

# ldapwhoami -x
anonymous


This is interesting, but I still have the problem in the yast user interface.
Is there an option within the yast - ldap server to change the authentication mode?

ecanmaster
28-Oct-2014, 13:13
I think this is the problem:

The error usually occurs when the credentials (password) provided do not match the userPassword held in the entry you are binding to.

The error can also occur when the bind DN specified is not known to the server.

but how can I change this or even troubleshoot this, because yast is running ldap and there are no log files

ab
28-Oct-2014, 13:56
I am going to guess you are new-ish to LDAP on the command line. Please
confirm one way or another, so we can help with appropriate levels of
verbosity.

What does the following show:



ldapsearch -x


Which users have you defined in yast? Perhaps post the output from this:



getent passwd


Have you ever set up the LDAP client on a Linux box? On SLED specifically?
Do you see the slapd (as I recall) process running, which would be the
LDAP service itself?



ps aux | grep -i slapd


--
Good luck.


ecanmaster
28-Oct-2014, 14:21
Here are the commands:

# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=server-world,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# server-world.com
dn: dc=server-world,dc=com
dc: server-world
o: server-world
objectClass: organization
objectClass: dcObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# getent passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:102:104:User for haldaemon:/var/run/hald:/bin/false
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:102:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:106:MySQL database admin:/var/lib/mysql:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:108:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:101:103:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
puppet:x:104:107:Puppet daemon:/var/lib/puppet:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:105:109:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
uuidd:x:103:105:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false


# ps aux | grep -i slapd
ldap 13066 0.0 0.8 203368 14864 ? Ssl Oct27 0:00 /usr/lib/openldap/slapd -h ldap:/// ldapi:/// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off


I haven't set up any LDAP clients on Linux and this is the first time.
Instead of manual configuration/installation, I used the Yast ldap interface.
And I can't create any users, because of authentication errors.
Let me know if you need more info.

jmozdzen
28-Oct-2014, 17:44
Hi ecanmaster,

I haven't set up any LDAP clients on Linux and this is the first time.
Instead of manual configuration/installation, I used the Yast ldap interface.
And I can't create any users, because of authentication errors.
Let me know if you need more info.

I haven't done this on SLED yet (just SLES), but that shouldn't make much of a difference: during LDAP client setup, you're asked for admin credentials to be used to bind to the LDAP backend. Have you entered anything there (i.e. "uid=root,cn=digest-md5,cn=auth"), or did you select "anonymous mode" instead?

When you set up the openLDAP server, you create some way to get write access to the server. Let's call that the "LDAP root account", and you'll have set up a password to go with that.

When you use YaST, configured as an LDAP client, you'll have to have write access to the LDAP tree, which is why you'd need to specify the "dn" to use to bind to the LDAP server. You'll probably use the above "LDAP root account" for that (since I doubt you have created some different account in LDAP with the required permissions). Had you only wanted to use that SLED client to *validate* accounts, not to add them, you might configure it to bind to the LDAP server anonymously in general (and for account password verification, the client would bind to the LDAP server using the current user's credentials).

So what you probably are asked for, with your "ldapwhoami" invocation, is the password of the "*LDAP* root user", with hopefully a different password than your *Linux* root user.

On the other hand, having had separately managed LDAP servers for ages, and only adding SLES client systems with anonymous bind since then, my above statements may be all nonsense.

Regards,
Jens

ecanmaster
28-Oct-2014, 18:12
Hello Jens,

I don't think your statement could be nonsense; you probably/definitely know more than me.
First I installed OpenLDAP manually and I could configure all the settings in slapd.conf, but that system got corrupted, so I have a new machine.
I didn't want to make any mistakes so I used the yast installation (Ldap - server).
Followed all the settings correctly and yes even put the password in.
I didn't select anonymous mode.
Just to be sure I even changed the ldap password with slappasswd.
I only want to install the ldap server, and once it's set up, I need to use it for authentication with openvpn.
Here is a screenshot of my configuration.
Thx

jmozdzen
28-Oct-2014, 18:34
Hi ecanmaster,

that's the *server* side of the game (the OpenLDAP server), how about the LDAP client configuration? (And it's that LDAP client setup where you may configure to contact the server anonymously, or will have to provide the "Administrator DN" from your screen shot and the password you set.)

On SLES and OpenSUSE, YaST offers me "Network Services" - "LDAP Client" (right next to "LDAP Server"). I hope it's the same on SLED, or at least sufficiently similar.

Regards,
Jens

ecanmaster
28-Oct-2014, 18:45
Hi Jens,

Excuse me for my ignorance, but do I need ldap client also?
I checked the manual for suse, but that wasn't mentioned...

Cheers

jmozdzen
28-Oct-2014, 18:49
Hi ecanmaster,

Hi Jens,

Excuse me for my ignorance, but do I need ldap client also?

yes, you do. Basically that YaST module takes care of the configuration of your SLE* system, pointing it at your LDAP server to fetch user/group information, and downloads any additionally required modules.

You need at least one running LDAP server, somewhere in your network.
You can point any SLE* host at that LDAP server, using the LDAP client configuration.

Regards,
Jens

ecanmaster
28-Oct-2014, 19:16
I just checked and (Yast) ldap client is already enabled with correct information.
What do I need to do to get debug logs for this issue?

jmozdzen
29-Oct-2014, 11:40
Hi ecanmaster,

I just checked and (Yast) ldap client is already enabled with correct information.
What do I need to do to get debug logs for this issue?

First of all, you should see messages in syslog about failed login attempts - including error messages if LDAP access failed during those checks.

Then I'd recommend trying to access the LDAP server "manually": use "ldapsearch -Wx -b 'dc=server-world,dc=com' -D 'cn=Administrator' " and the password you set as the LDAP admin pw. You should see the proper entries then.

What's in /etc/ldap.conf (strip all comments, please), in /etc/pam.d/common-auth and /etc/nsswitch.conf? ldap.conf contains the configuration used by the "LDAP Client" components - and those components are set up in the other files I asked for.

When I look at one of my test machines (no SLED, sorry), I see

> grep -v "^#" /etc/ldap.conf
uri ldap://firstLDAPserver.company.de ldap://secondLDAPserver.company.de
base ou=ourfolks,o=company,c=de
nss_map_attribute uniqueMember member
ssl no
pam_password exop
pam_filter objectClass=posixAccount
which tells the LDAP client to use the mentioned servers (two for redundancy), to search below "ou=ourfolks,o=company,c=de" (which is where we placed user accounts), to use no ssl (because we often do network traces for debugging) and to only look at account entries that have at least the "posixAccount" objectClass.

In common-auth you might find a reference to a "pam_ldap" module, or maybe "pam_sss" (I don't know if SLED uses this - "ab", are you willing to jump in here with details?), and in nsswitch.conf this should be reflected by either referencing ldap or sss for passwd and group.

Does your ldap.conf reflect the way you set up your LDAP server?

Regards,
Jens

ecanmaster
29-Oct-2014, 12:02
Hello Jens,

I don't have syslog file on my system (syslog service is running though)

Manual access to the server:
# ldapsearch -Wx -b 'dc=server-world,dc=com' -D 'cn=Administrator'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Here is my output:
# grep -vE '^#|^;|^$' /etc/ldap.conf
base dc=server-world,dc=com
bind_policy soft
pam_lookup_policy yes
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
uri ldap://127.0.0.1
ldap_version 3
pam_filter objectClass=posixAccount

# grep -vE '^#|^;|^$' /etc/pam.d/common-auth
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass

# grep -vE '^#|^;|^$' /etc/nsswitch.conf
passwd: compat
group: files ldap
hosts: files dns
networks: files dns
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap


The ldap.conf file looks fine and I think the problem lies in SASL.
This is what the log files say:
[conn=1012]: slapAuthcDN="uid=root,cn=digest-md5,cn=auth"
slapd[1006]: SASL Canonicalize [conn=1012]: authzid="root"
slapd[1006]: SASL [conn=1012] Failure: no secret in database
slapd[1006]: send_ldap_result: conn=1012 op=2 p=3
slapd[1006]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
slapd[1006]: send_ldap_response: msgid=3 tag=97 err=49
slapd[1006]: conn=1012 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database

Maybe I should start from scratch.
Is there a way to start over again, but without YAST openldap?
I want to configure it manually this time, so I can edit the files like slapd.conf etc.
With yast that's not possible.
I don't want to remove the software, because of dependencies and it will definitely break the system.

cheers

ecanmaster
29-Oct-2014, 14:54
Hello Jens,

I have disabled the yast ldap configuration and now doing it manually, but again have the same problem.
I don't have syslog file on my suse 11 sp2 (64 bit)

# ldapsearch -Wx -b 'dc=server-world,dc=com' -D 'cn=Administrator'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

# grep -vE '^#|^;|^$' /etc/ldap.conf
base dc=server-world,dc=com
bind_policy soft
pam_lookup_policy yes
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
ssl no
uri ldap://127.0.0.1
ldap_version 3
pam_filter objectClass=posixAccount

# grep -vE '^#|^;|^$' /etc/pam.d/common-auth
auth required pam_env.so
auth required pam_unix2.so


# grep -vE '^#|^;|^$' /etc/nsswitch.conf
passwd: compat
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files

# ldapsearch
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database

# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=server-world,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hwidc.com
dn: dc=hwidc,dc=com
dc: hwidc
o: hwidc
objectClass: organization
objectClass: dcObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

jmozdzen
29-Oct-2014, 18:55
Hi ecanmaster,

I'm unsure how much impact the selected DNs have - your database uses a base DN of "dc=server-world,dc=com", while the entry is on "dc=hwidc,dc=com". I'd have expected the entry's DN to have a suffix of "dc=server-world,dc=com"...

Any specific reason you created it that way? If not, I'd suggest keeping the LDAP entries in the same tree you created the database for.

Another issue that is still present is the login failure on ldapsearch - I read it that you created the slapd (openldap server) configuration using slapd.conf. When you look there, in the database section, are there rootdn and rootpw entries and are those the values you tried to use for your ldapsearch invocation?

Fixing the access to your LDAP database is the first issue... only then should you proceed to the system authentication setup.

Regards,
Jens

ecanmaster
30-Oct-2014, 11:27
I checked and all the DNs are the same now.

The issue is that there are no log files to troubleshoot this issue.
Anyway, here is what I found; maybe somebody can read this debug log:

# ldapsearch -x -W -D 'cn=Manager,dc=hwidc,dc=com' -b "" -s base -d 255
ldap_create
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x7f43c35845c0 ptr=0x7f43c35845c0 end=0x7f43c35845ee len=46
0000: 30 2c 02 01 01 60 27 02 01 03 04 1a 63 6e 3d 4d 0,...`'.....cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 68 77 69 64 63 2c anager,dc=hwidc,
0020: 64 63 3d 63 6f 6d 80 06 68 75 61 77 65 69 dc=com..huawei
ber_scanf fmt ({i) ber:
ber_dump: buf=0x7f43c35845c0 ptr=0x7f43c35845c5 end=0x7f43c35845ee len=41
0000: 60 27 02 01 03 04 1a 63 6e 3d 4d 61 6e 61 67 65 `'.....cn=Manage
0010: 72 2c 64 63 3d 68 77 69 64 63 2c 64 63 3d 63 6f r,dc=hwidc,dc=co
0020: 6d 80 06 68 75 61 77 65 69 m..huawei
ber_flush2: 46 bytes to sd 3
0000: 30 2c 02 01 01 60 27 02 01 03 04 1a 63 6e 3d 4d 0,...`'.....cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 68 77 69 64 63 2c anager,dc=hwidc,
0020: 64 63 3d 63 6f 6d 80 06 68 75 61 77 65 69 dc=com..huawei
ldap_write: want=46, written=46
0000: 30 2c 02 01 01 60 27 02 01 03 04 1a 63 6e 3d 4d 0,...`'.....cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 68 77 69 64 63 2c anager,dc=hwidc,
0020: 64 63 3d 63 6f 6d 80 06 68 75 61 77 65 69 dc=com..huawei
ldap_result ld 0x7f43c357c1e0 msgid 1
wait4msg ld 0x7f43c357c1e0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f43c357c1e0 msgid 1 all 1
** ld 0x7f43c357c1e0 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Oct 30 10:22:09 2014


** ld 0x7f43c357c1e0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f43c357c1e0 request count 1 (abandoned 0)
** ld 0x7f43c357c1e0 Response Queue:
Empty
ld 0x7f43c357c1e0 response count 0
ldap_chkResponseList ld 0x7f43c357c1e0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f43c357c1e0 NULL
ldap_int_select
read1msg: ld 0x7f43c357c1e0 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 31 04 00 04 00 .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x7f43c3585640 ptr=0x7f43c3585640 end=0x7f43c358564c len=12
0000: 02 01 01 61 07 0a 01 31 04 00 04 00 ...a...1....
read1msg: ld 0x7f43c357c1e0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x7f43c3585640 ptr=0x7f43c3585643 end=0x7f43c358564c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
read1msg: ld 0x7f43c357c1e0 0 new referrals
read1msg: mark request completed, ld 0x7f43c357c1e0 msgid 1
request done: ld 0x7f43c357c1e0 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x7f43c3585640 ptr=0x7f43c3585643 end=0x7f43c358564c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x7f43c3585640 ptr=0x7f43c358564c end=0x7f43c358564c len=0

ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
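
Reading the BER bytes in that trace, as an added example that is not part of the original thread: a small Python decoder for the 46-byte LDAP BindRequest and the 14-byte BindResponse dumped above. It shows that a simple bind over plain ldap:// carries the bind DN and password as an unencrypted OCTET STRING (which is why the password is readable in the hex dump) and that the server answered resultCode 49 (invalidCredentials). The byte strings are copied from the trace; the decoder itself is mine, not part of OpenLDAP.

```python
# Added example (not from the thread): decode the LDAP PDUs that
# "ldapsearch -d 255" dumped above. Bytes are copied from that trace.
RESULT_CODES = {0: "success", 49: "invalidCredentials"}  # codes seen in this thread

def read_tlv(buf, pos=0):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_bind_request(pdu):
    """LDAPMessage { messageID, BindRequest { version, name, AuthenticationChoice } } (RFC 4511)."""
    tag, body, _ = read_tlv(pdu)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    tag, msgid, pos = read_tlv(body)
    assert tag == 0x02, "messageID must be an INTEGER"
    tag, req, _ = read_tlv(body, pos)
    assert tag == 0x60, "expected [APPLICATION 0] BindRequest"
    _, version, pos = read_tlv(req)
    _, name, pos = read_tlv(req, pos)
    tag, cred, _ = read_tlv(req, pos)
    # Tag 0x80 is the [0] "simple" choice: the password travels as a plain
    # OCTET STRING, so anyone who sees the unencrypted ldap:// stream sees it.
    auth = "simple" if tag == 0x80 else "sasl"
    return {"msgid": int.from_bytes(msgid, "big"), "version": int.from_bytes(version, "big"),
            "name": name.decode(), "auth": auth,
            "credentials": cred.decode(errors="replace") if auth == "simple" else None}

def decode_bind_response(pdu):
    """LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    _, body, _ = read_tlv(pdu)
    _, msgid, pos = read_tlv(body)
    tag, resp, _ = read_tlv(body, pos)
    assert tag == 0x61, "expected [APPLICATION 1] BindResponse"
    _, code, pos = read_tlv(resp)          # ENUMERATED resultCode
    _, matched, pos = read_tlv(resp, pos)  # LDAPDN matchedDN
    _, diag, _ = read_tlv(resp, pos)       # LDAPString diagnosticMessage
    code = int.from_bytes(code, "big")
    return {"msgid": int.from_bytes(msgid, "big"), "resultCode": code,
            "resultName": RESULT_CODES.get(code, "other"),
            "matchedDN": matched.decode(), "diagnosticMessage": diag.decode()}

# 46-byte request and 14-byte response, copied from the ber_dump / ldap_read lines above.
REQUEST = bytes.fromhex(
    "302c0201016027020103041a636e3d4d"
    "616e616765722c64633d68776964632c"
    "64633d636f6d8006687561776569")
RESPONSE = bytes.fromhex("300c02010161070a013104000400")

if __name__ == "__main__":
    print(decode_bind_request(REQUEST))
    print(decode_bind_response(RESPONSE))
```

With -ZZ (StartTLS) or an ldaps:// URI the same PDU would travel inside TLS, but a client-side -d 255 dump would still print it, so a trace like this one should be shared with the credential redacted.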

ecanmaster
31-Oct-2014, 14:10
A colleague of mine had a look at the server and it's working now (I don't know what he did, waiting for his reply).
This thread can be closed.