LDAP authentication failure


#1

How can I effectively test so as to correct the ldap configuration? I’m accustomed to using ldapsearch within the cluster, and am learning some things about ldap through the local configuration in the cpu.conf and the sssd.conf.

I have followed the prescription to configure, as below:

auth:
  - 'AuthType Basic'
  - 'AuthName "Case SSO"'
  - 'AuthBasicProvider ldap'
  - 'AuthLDAPURL "ldap://<internal-ip>:389/ou=People,dc=cwru,dc=cloh,dc=osc,dc=edu?uid"'
  - 'AuthLDAPGroupAttribute memberUid'
  - 'AuthLDAPGroupAttributeIsDN off'
  - 'RequestHeader unset Authorization'
  - 'Require valid-user'

When prompted to authenticate, I enter my ldap credentials, which are rejected, and the login prompt window appears again. I’m not finding local logging of how the authentication is failing. The ‘dc’ values are taken from my standard usage of ldapsearch, to look up info about our cluster user accounts.

Is the structure of the ldap call to the server adequate? How do I know what value needs to be returned, and whether the necessary value is satisfied? For example, my ldapsearch will not return a field ‘memberUid’, so is the ‘AuthLDAPGroupAttribute memberUid’ inappropriate in this case?

Source: Originally posted by E.M. Dragowsky in the ood-users mailing list.


#2

The logs will be in /var/log/httpd24. If there is nothing useful you can try increasing the logging from mod_ldap. If there is nothing sensitive in your sssd.conf, could you share that or maybe an example command you use with ldapsearch? The examples in our documentation and your auth lines assume plain text LDAP over port 389 that is doing unauthenticated binds.
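As an added example (not part of the thread above), the script below reproduces outside Apache the two steps mod_authnz_ldap performs for `AuthBasicProvider ldap` with `Require valid-user`: it parses the `AuthLDAPURL` from post #1 into base DN, attribute, scope and filter (applying the module's documented defaults), prints the `ldapsearch` that looks up the user's DN the way Apache does, and prints the second `ldapsearch` that binds as that DN to check the password. It also flags the two weak settings post #2 points at: plaintext `ldap://` and the absence of `AuthLDAPBindDN`, which makes the DN lookup an anonymous bind. The host is left as the page's own `<internal-ip>` placeholder, and the username `jdoe` is a constructed sample.

```python
"""Derive ldapsearch test commands from an Apache AuthLDAPURL and flag weak
settings.  Added example; hostname is the page's <internal-ip> placeholder."""
import re
import shlex

_URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<hostport>[^/]+)(?:/(?P<rest>.*))?$")
_DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_authldapurl(url: str) -> dict:
    """Split 'ldap://host:port/basedn?attribute?scope?filter' into its parts,
    using mod_authnz_ldap's defaults (attribute uid, scope sub, filter objectClass=*)."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not an AuthLDAPURL: {url!r}")
    scheme = m.group("scheme")
    host, sep, port = m.group("hostport").rpartition(":")
    if not sep:                      # no ':' at all -> everything is the host
        host, port = port, ""
    parts = (m.group("rest") or "").split("?", 3) + [""] * 4
    basedn, attribute, scope, filt = parts[:4]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else _DEFAULT_PORT[scheme],
        "basedn": basedn,
        "attribute": attribute or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so filter metacharacters in a login name are literal."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def _server_url(p: dict) -> str:
    return f"{p['scheme']}://{p['host']}:{p['port']}"


def user_search_command(p: dict, username: str) -> list:
    """Apache's first step: find the DN whose <attribute> equals the login name.
    Apache combines the URL filter and the attribute as (&(filter)(attr=user))."""
    combined = f"(&{p['filter']}({p['attribute']}={escape_filter_value(username)}))"
    return ["ldapsearch", "-x", "-LLL", "-H", _server_url(p), "-b", p["basedn"],
            "-s", p["scope"], combined, "dn", p["attribute"]]


def user_bind_command(p: dict, user_dn: str) -> list:
    """Apache's second step: bind as the found DN with the user's password.
    -W prompts for it, so the password never lands in argv or shell history."""
    return ["ldapsearch", "-x", "-LLL", "-H", _server_url(p), "-D", user_dn, "-W",
            "-b", user_dn, "-s", "base", "(objectClass=*)", "dn"]


def lint(p: dict, bind_dn: str = "") -> list:
    """Warn about the weak transport / bind settings the reply describes."""
    warnings = []
    if p["scheme"] == "ldap":
        warnings.append("plaintext ldap:// transport: each user bind sends the password "
                        "in the clear unless LDAPTrustedMode STARTTLS is set; prefer ldaps://")
    if not bind_dn:
        warnings.append("no AuthLDAPBindDN: the DN lookup is an anonymous bind, which many "
                        "directories refuse or answer with an empty result")
    return warnings


if __name__ == "__main__":
    # URL from post #1; the host is the page's placeholder, not a real address.
    url = "ldap://<internal-ip>:389/ou=People,dc=cwru,dc=cloh,dc=osc,dc=edu?uid"
    parsed = parse_authldapurl(url)
    for w in lint(parsed):
        print("WARNING:", w)
    print("# step 1: does the search return exactly one DN for the login name?")
    print(shlex.join(user_search_command(parsed, "jdoe")))        # jdoe is a sample
    print("# step 2: paste that DN here; a successful bind means the password is accepted")
    print(shlex.join(user_bind_command(parsed, "uid=jdoe,ou=People,dc=cwru,dc=cloh,dc=osc,dc=edu")))
```

Run step 1 from the OnDemand host itself, since the firewall path and the anonymous-bind policy seen by Apache are what matter; an empty result or a "confidentiality required" style refusal there explains a silent re-prompt better than a browser does. On the `memberUid` question: with `Require valid-user`, mod_authnz_ldap never consults `AuthLDAPGroupAttribute`; that directive is only used by `Require ldap-group`, so it is harmless but irrelevant to this failure.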