pam_ldap works, but login fails

Okay - I am hoping someone here can see what I may have missed, as I have a feeling it's something trivial but I seem to be blind. Please forgive the long post, but I know that more information than "it doesn't work" can be helpful ;) If you don't want all the config files etc., skip to #5 where I describe the problem itself.

1. I am running Gentoo, and have installed both pam_ldap and nss_ldap
2. I have an ldap server running OpenLDAP, the user I want to authenticate looks like this in ldap (note that a local /etc/passwd user with the same username does *not* exist):
dn: cn=Test U One, o=Test-Org
cn: Test U One
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: person
objectClass: top
objectClass: shadowAccount
login: test1
givenName: Test
initials: U
sn: One
mail: test1
display-name: Test User One
userPassword: [encrypted password]
gidNumber: 100
homeDirectory: /home/test1
uid: test1
uidNumber: 505
loginShell: /bin/bash


3. I set up /etc/ldap.conf and pointed passwd and shadow to ldap in nsswitch.conf with "files ldap". My /etc/ldap.conf is as follows:
host [my host ip]
uri ldap://[my host ip]/
ldap_version 3
suffix ""
pam_filter objectclass=posixAccount
pam_login_attribute uid


4. I added the last 5 lines to this to make my /etc/pam.d/system-auth file (which the other /etc/pam.d/* files use):
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok nodelay
auth required /lib/security/pam_deny.so


account required /lib/security/pam_unix.so

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so


session required /lib/security/pam_limits.so
session optional /lib/security/pam_unix.so

auth sufficient /lib/security/pam_ldap.so use_first_pass
account sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_ldap.so use_authtok
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional /lib/security/pam_ldap.so


5. So, onto the testing and description of the problem.
- The command "getent passwd | grep test1" shows: test1:x:505:100:Test U One:/home/test1:/bin/bash - GOOD
- The command "getent shadow | grep test1" shows: test1:x:::::::0 GOOD?
- If I attempt to login (at the console) with username: test1 and a *bad* password I get the following in my logs:


Dec 3 08:09:43 [login(pam_unix)] check pass; user unknown
Dec 3 08:09:43 [login(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=/dev/vc/1 ruser= rhost=
Dec 3 08:09:43 [login] pam_ldap: error trying to bind as user "cn=Test U One, o=Test-Org" (Invalid credentials)
Dec 3 08:09:43 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR test1, Authentication failure


- If I attempt to login again but with the correct password I get the following:

Dec 3 08:11:25 [login(pam_unix)] check pass; user unknown
Dec 3 08:11:25 [login(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=/dev/vc/1 ruser= rhost=
Dec 3 08:11:25 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR test1, Authentication failure


This tells me that the pam_ldap module is getting called, and is binding correctly/successfully (as the error when given a bad password does not occur when using the correct password). So the question is: why am I still failing authentication? I have tried moving things around in /etc/pam.d/system-auth with no luck. Have I missed an attribute that is necessary in ldap, maybe one of the shadow* attributes? Something in the PAM stack itself?

Thank you for your time, and for looking over things.
Nate Yocom
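As an added illustration of how Linux-PAM evaluates the required/sufficient control flags in the auth stack quoted in the post (this is not code from the post and not Linux-PAM's own implementation), the following toy evaluator walks the four auth modules in the order they appear in the posted system-auth and, for contrast, in an order where pam_ldap is consulted before pam_deny. The module outcomes are constructed to mirror the quoted log lines: pam_unix reports "user unknown", pam_deny always fails, and pam_ldap's bind succeeds only with the correct password. The function returns both the stack result and the list of modules that actually ran, which is what the "error trying to bind" line in the bad-password log reflects.

```python
"""Toy evaluator for a Linux-PAM 'auth' stack using the legacy control
keywords required / requisite / sufficient / optional.

Added illustration only: not code from the post and not Linux-PAM's own
implementation. The module outcomes below are constructed to mirror the
log lines in the post; the real modules consult /etc/shadow and LDAP.
"""

from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (control flag, module name)


def run_auth_stack(stack: List[Entry], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (authenticated, modules that actually ran).

    Semantics of the legacy keywords (see pam.conf(5)):
      required   - a failure is remembered but the rest of the stack still runs
      requisite  - a failure ends the stack immediately
      sufficient - a success ends the stack with success, unless an earlier
                   required/requisite module already failed, in which case the
                   stack ends with that failure; a failure is simply ignored
      optional   - ignored unless it is the only module in the stack
    Simplification: at the end of the stack the result is success iff no
    required module failed (the optional-only corner case is not modelled).
    """
    failed_required = False
    ran: List[str] = []
    for control, module in stack:
        ok = outcomes[module]
        ran.append(module)
        if control == "required":
            if not ok:
                failed_required = True
        elif control == "requisite":
            if not ok:
                return False, ran
        elif control == "sufficient":
            if ok:
                return (not failed_required), ran
        elif control == "optional":
            continue
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (not failed_required), ran


# The 'auth' lines of the posted system-auth, in the order they appear there
# (pam_ldap was appended after pam_deny).
AUTH_AS_POSTED: List[Entry] = [
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("required", "pam_deny"),
    ("sufficient", "pam_ldap"),
]

# The same four modules with pam_ldap consulted before pam_deny; an
# alternative ordering used here purely to contrast the semantics.
AUTH_LDAP_BEFORE_DENY: List[Entry] = [
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_deny"),
]


def outcomes_for(password_correct: bool) -> Dict[str, bool]:
    """Constructed outcomes: pam_env always succeeds, pam_unix fails because
    the account has no local shadow hash ('check pass; user unknown'),
    pam_deny always fails, pam_ldap succeeds only if the LDAP bind with the
    supplied password succeeds."""
    return {
        "pam_env": True,
        "pam_unix": False,
        "pam_deny": False,
        "pam_ldap": password_correct,
    }


def evaluate(stack: List[Entry], password_correct: bool) -> Tuple[bool, List[str]]:
    """Run one stack against the constructed outcomes for a given password."""
    return run_auth_stack(stack, outcomes_for(password_correct))


if __name__ == "__main__":
    for name, stack in (("as posted", AUTH_AS_POSTED),
                        ("pam_ldap before pam_deny", AUTH_LDAP_BEFORE_DENY)):
        for correct in (False, True):
            ok, ran = evaluate(stack, correct)
            print(f"{name:26s} correct_password={str(correct):5s} "
                  f"result={'PASS' if ok else 'FAIL'} ran={ran}")
```

In the posted order every module runs (so pam_ldap's bind attempt is logged on a bad password), but because the required pam_deny has already failed before pam_ldap succeeds, the stack returns failure even with the correct password. With pam_ldap ahead of pam_deny, a successful bind ends the stack with success before pam_deny is reached, while a failed bind still falls through to pam_deny.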


_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
