Community Forum

Resolved
0 votes
I'm new to ClearOS but comfortable with Linux, macOS, Windows. I have a ClearOS VM running on an ESXi host. Everything for internet, gateway, and firewall are working nicely. I'm connected through it right now.

I cannot get authentication to work. I have OpenLDAP and OpenVPN setup but I cannot get any user I create to work. The common error is that ldap shows failed: no such object. even though the user exists...

[root@robocop ~]# getent passwd | grep ahachenberg
ahachenberg:x:2000:63000:Aaron Hachenberg:/home/ahachenberg:/bin/bash
[root@robocop ~]#

Scenario1
CentOS server VM (xgator.foo.bar) is configured to auth to openLDAP (robocop.foo.bar) on ClearOS but fails with:
Dec 5 15:57:49 xgator nslcd[1065]: [51b9f3] <authc="ahachenberg"> ldap_result() failed: No such object
Dec 5 15:57:49 xgator nslcd[1065]: [51b9f3] <authc="ahachenberg"> cn=Aaron Hachenberg,ou=Users,ou=Accounts,dc=foo,dc=bar: lookup failed: No such object

Scenario2
macOS laptop with VPN client cannot connect to ClearOS OpenVPN. fails with:

Dec 5 20:24:05 robocop nslcd[1704]: [86d60e] <authc="ahachenberg"> ldap_result() failed: No such object
Dec 5 20:24:05 robocop nslcd[1704]: [86d60e] <authc="ahachenberg"> cn=Aaron Hachenberg,ou=Users,ou=Accounts,dc=foo,dc=bar: lookup failed: No such object
Dec 5 20:24:07 robocop openvpn: AUTH-PAM: BACKGROUND: user 'ahachenberg' failed to authenticate: Authentication failure
Wednesday, December 06 2017, 02:45 AM
Share this post:
Responses (6)
  • Accepted Answer

    Thursday, December 07 2017, 02:19 PM - #Permalink
    Resolved
    0 votes
    Thanks, Nick!

    I'm not sure what I did, but after fixing auth from the CentOS VM, VPN started working as well, from my MacBook. The only thing i can think of is that i toggled the publish setting on the Directory server.

    Thank you for your help! I am making progress with this setup now.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, December 06 2017, 07:58 PM - #Permalink
    Resolved
    0 votes
    I remembered the wrong file. To get OpenVPN to work when you have an LDAP password, you will need to edit /etc/openldap/slapd.conf. Down near the bottom, with the password access enabled, there is a line:
    include /etc/openldap/clearos_password_protected.conf
    This needs to be moved to the end of the file. I don't think you need to restart slapd afterwards.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, December 06 2017, 02:10 PM - #Permalink
    Resolved
    0 votes
    Thanks for your continued help! I'm not sure what two blocks of information you are referring to in nslcd.conf.

    But, that prompted me to take a look at the ClearOS server's nslcd.conf. I compared that to my Centos nslcd.conf and found some differences. Auth to the Centos machine is working now!!

    I added this to the Centos machine:
    # Customize certain database lookups.
    base group ou=Groups,ou=Accounts,dc=foo,dc=bar
    base passwd ou=Users,ou=Accounts,dc=foo,dc=bar
    base passwd ou=Computers,ou=Accounts,dc=foo,dc=bar
    base shadow ou=Users,ou=Accounts,dc=foo,dc=bar
    #base group ou=Groups,dc=example,dc=com
    #base passwd ou=People,dc=example,dc=com
    #base shadow ou=People,dc=example,dc=com
    #scope group onelevel
    #scope hosts sub

    and at the bottom
    pagesize 20000
    nss_initgroups_ignoreusers root,ldap
    ssl no
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, December 06 2017, 12:55 PM - #Permalink
    Resolved
    0 votes
    For scenario 2, if you set the Password on the Directory server, I believe the file you need to change is nslcd.conf where you have to reverse the order of last two blocks of parameters. I can't check until tonight, but you could try it.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, December 06 2017, 12:11 PM - #Permalink
    Resolved
    0 votes
    Thanks Nick!

    Scenario 1
    Yes, I am trying to access ClearOS LDAP from a Centos7 VM. I just checked and the directory server is set to publish to local network. I have /etc/nslcd.conf and /etc/openldap/ldap.conf configured with URI ldaps://robocop.foo.bar:636

    Scenario 2
    If the password is set on Directory > Directory Server > Policies, then no. Picture attached for ref.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, December 06 2017, 08:52 AM - #Permalink
    Resolved
    0 votes
    In Scenario 1, are you trying to access ClearOS LDAP from Centos? If you are, in the Directory Server you need to set the Publish Policy to Local Network or All Networks. Once you do that, you need to use ldaps on port 636 and not ldap on 389. If you have to use ldap on 389, the slapd startup file needs to be hacked a little.

    In Scenario 2, have you by any chance enabled a Directory Server password? If so, please can you try removing it? If this is the cause, there is a minor edit needed to a file to fix it but I can't remember the fix for the moment. I can check this evening when back on my system.
    The reply is currently minimized Show
Your Reply