[OOD-users] LDAP authentication failure

Dockendorf, Trey tdockendorf at osc.edu
Wed Aug 1 13:37:57 EDT 2018

The logs will be in /var/log/httpd24.  If there is nothing useful you can try increasing the logging from mod_ldap [1].  If there is nothing sensitive in your sssd.conf, could you share that or maybe an example command you use with ldapsearch?  Feel free to send to me off-list if prefer to not publicly expose some information.  The examples in our documentation and your auth lines assume plain text LDAP over port 389 that is doing unauthenticated binds.

- Trey

[1]: https://httpd.apache.org/docs/2.4/mod/mod_ldap.html#ldaplibrarydebug

Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center

From: OOD-users <ood-users-bounces+tdockendorf=osc.edu at lists.osc.edu> on behalf of "E.M. Dragowsky" <dragowsky at case.edu>
Reply-To: User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Date: Wednesday, August 1, 2018 at 1:03 PM
To: User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Subject: [OOD-users] LDAP authentication failure

Hi, all --
ow can I effectively test so as to correct the ldap configuration?
I'm accustomed to using ldapsearch within the cluster, and am learning some things about ldap through the local configuration in the cpu.conf and the sssd.conf.

I have followed the prescription to configure, as below:
  - 'AuthType Basic'
  - 'AuthName "Case SSO"'
  - 'AuthBasicProvider ldap'
  - 'AuthLDAPURL "ldap://<internal-ip>:389/ou=People,dc=cwru,dc=cloh,dc=osc,dc=edu?uid"'
  - 'AuthLDAPGroupAttribute memberUid'
  - 'AuthLDAPGroupAttributeIsDN off'
  - 'RequestHeader unset Authorization'
  - 'Require valid-user'

When prompted to authenticate, I enter my ldap credentials, which is rejected, and the login prompt window appears again. I'm not finding local logging of how the authentication is failing. The 'dc' values are taken from my standard usage of ldapsearch, to lookup info about our cluster user accounts.
Is the structure of the ldap call to the server adequate? How do I know what value needs to be returned, and whether the necessary value is satisfied? For example, my ldapsearch will not return a field 'memberUid', so is the 'AuthLDAPGroupAttribute memberUid' inappropriate in this case?

E.M. Dragowsky, Ph.D.
Research Computing -- UTech
Case Western Reserve University
(216) 368-0082
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osu.edu/pipermail/ood-users/attachments/20180801/76040f00/attachment-0001.html>

More information about the OOD-users mailing list