James Moore wrote:
Yan,
Have you tried using OpenLDAP's ldapsearch to run a query manually from
the LDAP client system?
Like this:
ldapsearch -x -W -D cn=admin,dc=seiner,dc=lan -b dc=seiner,dc=lan -d 3 -H ldap://192.168.128.6 "(cn=yan)"
I'm assuming a lot about your configs; if the commandline switches given
here match your nss_ldap configuration the debug output might help
isolate the problem.
If this doesn't help, you can always run tcpdump on the LDAP client or
server to capture the traffic passing between them and use wireshark to
analyze it. Had to do this when troubleshooting Linux<->Active
Directory LDAP interoperability problems. Saved me a lot of time.
Jim Moore
Thanks Jim, I've made lots of headway... pam now connects to ldap; I'm
not sure what the exact problem was as I've tweaked the various files
too often to keep track.
The problem now is that logins work only for users in local
/etc/passwd. ldap always fails with 49 - invalid credentials:
conn=21 op=4 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>
<<< dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>,
<uid=yan2,ou=people,dc=seiner,dc=lan>
do_bind: version=3 dn="uid=yan2,ou=People,dc=seiner,dc=lan" method=128
bdb_dn2entry("uid=yan2,ou=people,dc=seiner,dc=lan")
send_ldap_result: conn=21 op=4 p=3
send_ldap_response: msgid=5 tag=97 err=49
My current hypothesis is that it has to do with encryption of the
password...
For pam authentication, should the password stored in ldap be clear,
crypt, md5, something else? I remember coming across this earlier but
for the life of me I can't find the docs.
selene:/etc/pam.d# grep -v ^# common-auth | grep -v '^ *$'
auth sufficient pam_ldap.so debug
auth required pam_unix.so use_first_pass nullok_secure
selene:/etc/pam.d# grep -v ^# common-password | grep -v '^ *$'
password required pam_passwdqc.so min=disabled,12,8,7,6 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password sufficient pam_ldap.so crypt debug
password sufficient pam_unix.so nullok use_authtok md5 shadow use_first_pass
password required pam_deny.so
--Yan
--
Yan Seiner
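On the question of which hash to store: in a simple bind, pam_ldap sends the cleartext password and slapd itself hashes it with whatever scheme prefix the stored userPassword carries ({SSHA}, {SHA}, {MD5}, {SMD5}, {CRYPT}, or none for cleartext), so the scheme is invisible to the client, and a stored value that is malformed or was hashed from a different password is what comes back as err=49. The following Python is an added illustration, not code from this thread; it reproduces the server-side comparison for the RFC 2307 style prefixes slapd uses (the {CRYPT} scheme is left out because it depends on the platform's crypt(3)), using constructed sample passwords.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> hash constructor, as used in OpenLDAP userPassword values.
# Salted variants store base64(digest(password + salt) + salt); slapd uses a 4-byte salt.
_SCHEMES = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1, "MD5": hashlib.md5, "SMD5": hashlib.md5}
_SALTED = {"SSHA", "SMD5"}


def make_userpassword(password: str, scheme: str = "SSHA", salt=None) -> str:
    """Build a userPassword value in the form slapd stores it, e.g. {SSHA}base64...
    This is what slappasswd -h {SSHA} would produce (salt is random unless given)."""
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme {%s}" % scheme)
    salt = (os.urandom(4) if salt is None else salt) if scheme in _SALTED else b""
    digest = _SCHEMES[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Mimic slapd's check of a simple-bind password against a stored userPassword.
    Returns False exactly where slapd would answer err=49 (invalidCredentials)."""
    cand = candidate.encode()
    if not stored.startswith("{") or "}" not in stored:
        # No scheme prefix: slapd treats the stored value as cleartext.
        return hmac.compare_digest(stored.encode(), cand)
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode(), cand)
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme {%s}" % scheme)
    try:
        raw = base64.b64decode(data, validate=True)
    except (ValueError, TypeError):
        return False  # undecodable value: every bind against it fails
    digest_len = _SCHEMES[scheme]().digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len or (scheme not in _SALTED and salt):
        return False  # truncated or wrongly shaped hash: also a bind failure
    return hmac.compare_digest(_SCHEMES[scheme](cand + salt).digest(), digest)


if __name__ == "__main__":
    # Constructed sample: the value you would put in userPassword for uid=yan2,
    # and the two outcomes a simple bind can have against it.
    stored = make_userpassword("s3cret-example", "SSHA")
    print(stored, verify_userpassword(stored, "s3cret-example"), verify_userpassword(stored, "wrong"))
```

The same check run against a value copied out of the directory (ldapsearch with the rootdn can read userPassword) tells you whether the stored hash matches the password being typed, independently of any PAM configuration.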
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list