Re: pam + ldap: pulling my hair out



James Moore wrote:


Have you tried using OpenLDAP's ldapsearch to run a query manually from
the LDAP client system?

Like this:
ldapsearch -x -W -D cn=admin,dc=seiner,dc=lan -b dc=seiner,dc=lan -d 3 -H ldap:// "(cn=yan)"

I'm assuming a lot about your configs; if the commandline switches given
here match your nss_ldap configuration the debug output might help
isolate the problem.
If this doesn't help, you can always run tcpdump on the LDAP client or
server to capture the traffic passing between them and use wireshark to
analyze it.  Had to do this when troubleshooting Linux<->Active
Directory LDAP interoperability problems.  Saved me a lot of time.

Jim Moore

Thanks Jim, I've made lots of headway... pam now connects to ldap; I'm not sure what the exact problem was, as I've tweaked the various files too often to keep track.

The problem now is that logins work only for users in local /etc/passwd. ldap always fails with 49 - invalid credentials:

conn=21 op=4 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>
<<< dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>, <uid=yan2,ou=people,dc=seiner,dc=lan>
do_bind: version=3 dn="uid=yan2,ou=People,dc=seiner,dc=lan" method=128
send_ldap_result: conn=21 op=4 p=3
send_ldap_response: msgid=5 tag=97 err=49

My current hypothesis is that it has to do with encryption of the password...

For pam authentication, should the password stored in ldap be clear, crypt, md5, something else? I remember coming across this earlier but for the life of me I can't find the docs.

selene:/etc/pam.d# grep -v ^# common-auth | grep -v '^ *$'
auth  sufficient debug
auth  required use_first_pass nullok_secure
selene:/etc/pam.d# grep -v ^# common-password | grep -v '^ *$'
password required min=disabled,12,8,7,6 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password    sufficient crypt debug
password sufficient nullok use_authtok md5 shadow use_first_pass
password    required


Yan Seiner
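Added example, not part of the thread above: a small Python model of how an RFC 2307 style LDAP server (OpenLDAP's slapd, for instance) stores and checks userPassword values in the {SSHA}, {SHA}, {SMD5}, {MD5} and cleartext schemes, plus a simulated simple bind that returns result code 49 (invalidCredentials) the way the slapd log in the message shows. The point it illustrates: pam_ldap never sees the stored hash. It binds as the user's DN with the cleartext password the user typed, and the server does the comparison below, so the scheme is chosen on the server side and err=49 means that comparison (or the DN lookup) failed. The directory contents, DN and passwords in the block are constructed for the example; {CRYPT} is deliberately left out because its handling depends on the server's libc.

```python
"""Model of RFC 2307 userPassword storage and of an LDAP simple bind.

This is an added illustration, not code from pam_ldap or OpenLDAP.
Schemes handled: {SSHA}, {SHA}, {SMD5}, {MD5} and cleartext (no prefix).
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# scheme -> (hashlib algorithm, salted?)
_SCHEMES = {
    "SSHA": ("sha1", True),
    "SHA": ("sha1", False),
    "SMD5": ("md5", True),
    "MD5": ("md5", False),
}


def make_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the given scheme.

    scheme is one of SSHA, SHA, SMD5, MD5 or CLEARTEXT.  For the salted
    schemes the salt is appended to the digest before base64 encoding,
    which is the layout OpenLDAP and most clients expect.
    """
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return password
    algo, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_userpassword(stored: str, candidate: str) -> bool:
    """Compare a candidate cleartext password against a stored value.

    Mirrors what the server does on a simple bind: parse the scheme
    prefix, split digest and salt, rehash the candidate and compare in
    constant time.  A value with no prefix is treated as cleartext.
    """
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"),
                                   candidate.encode("utf-8"))
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        return False  # unsupported scheme (e.g. {CRYPT}) in this model
    algo, salted = _SCHEMES[scheme]
    try:
        blob = base64.b64decode(b64)
    except ValueError:
        return False
    dlen = hashlib.new(algo).digest_size
    digest, salt = blob[:dlen], blob[dlen:]
    if len(digest) != dlen or (salt and not salted):
        return False
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def simulate_bind(directory: Dict[str, str], dn: str, password: str) -> int:
    """Return the LDAP result code a simple bind would produce.

    0 = success, 49 = invalidCredentials.  An unknown DN also yields 49,
    as a real server does, so a client cannot tell "no such user" from
    "wrong password" and enumerate accounts.  DN matching is simplified
    to a case-insensitive string compare; a real server normalises DNs.
    """
    for entry_dn, stored in directory.items():
        if entry_dn.lower() == dn.lower():
            return 0 if check_userpassword(stored, password) else 49
    return 49


# Constructed sample directory: one entry per storage scheme.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=lan": make_userpassword("s3cret", "SSHA"),
    "uid=bob,ou=People,dc=example,dc=lan": make_userpassword("s3cret", "MD5"),
    "uid=carol,ou=People,dc=example,dc=lan": make_userpassword("s3cret", "CLEARTEXT"),
}

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        dn = "uid=%s,ou=People,dc=example,dc=lan" % who
        print(dn, "good:", simulate_bind(SAMPLE_DIRECTORY, dn, "s3cret"),
              "bad:", simulate_bind(SAMPLE_DIRECTORY, dn, "wrong"))
```

Usage note: whatever scheme you pick, the bind from the client carries the cleartext password, so the connection from the PAM host to the server should be protected (ldaps:// or STARTTLS) or the password is on the wire for anyone running the tcpdump Jim suggested. {SSHA} is the usual default; cleartext or unsalted {MD5} only make sense when the server itself is the one you are protecting least.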

Pam-list mailing list
