pam + ldap: pulling my hair out
Yan Seiner
yan at seiner.com
Fri Jun 5 03:35:22 UTC 2009
James Moore wrote:
>
> Yan,
>
> Have you tried using OpenLDAP's ldapsearch to run a query manually from
> the LDAP client system?
>
> Like this:
> ldapsearch -x -W -D cn=admin,dc=seiner,dc=lan -b dc=seiner,dc=lan -d 3
> -H ldap://192.168.128.6 "(cn=yan)"
>
> I'm assuming a lot about your configs; if the commandline switches given
> here match your nss_ldap configuration the debug output might help
> isolate the problem.
>
> If this doesn't help, you can always run tcpdump on the LDAP client or
> server to capture the traffic passing between them and use wireshark to
> analyze it. Had to do this when troubleshooting Linux<->Active
> Directory LDAP interoperability problems. Saved me a lot of time.
>
> Jim Moore
>
Thanks Jim, I've made lots of headway.... pam now connects to ldap; I'm
not sure what the exact problem was as I've tweaked the various files
too often to keep track.
The problem now is that logins work only for users in local
/etc/passwd. ldap always fails with 49 - invalid credentials:
conn=21 op=4 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>
<<< dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>, <uid=yan2,ou=people,dc=seiner,dc=lan>
do_bind: version=3 dn="uid=yan2,ou=People,dc=seiner,dc=lan" method=128
bdb_dn2entry("uid=yan2,ou=people,dc=seiner,dc=lan")
send_ldap_result: conn=21 op=4 p=3
send_ldap_response: msgid=5 tag=97 err=49
My current hypothesis is that it has to do with encryption of the
password...
For pam authentication, should the password stored in ldap be clear,
crypt, md5, something else? I remember coming across this earlier but
for the life of me I can't find the docs.
selene:/etc/pam.d# grep -v ^# common-auth | grep -v '^ *$'
auth sufficient pam_ldap.so debug
auth required pam_unix.so use_first_pass nullok_secure
selene:/etc/pam.d# grep -v ^# common-password | grep -v '^ *$'
password required pam_passwdqc.so min=disabled,12,8,7,6 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password sufficient pam_ldap.so crypt debug
password sufficient pam_unix.so nullok use_authtok md5 shadow use_first_pass
password required pam_deny.so
--Yan
--
Yan Seiner
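An added example, not from this thread and not pam_ldap or OpenLDAP code: the err=49 in the slapd trace above is the outcome of slapd comparing the password sent in the simple bind with the entry's userPassword attribute. In OpenLDAP that attribute is stored in RFC 2307 form, a scheme prefix such as {SSHA}, {MD5} or {CRYPT} followed by base64 (or no prefix at all for a cleartext value), so the question of "clear, crypt, md5" is really about which prefix the stored value carries. The Python below builds and checks values in that form offline, so a userPassword copied out of the directory can be tested against what the user is typing without PAM in the loop. It covers {SHA}, {SSHA}, {MD5}, {SMD5} and cleartext; {CRYPT} is deliberately left out. The sample values and the fixed salt used in the test are constructed for this example.

```python
# Added example (not from the Pam-list thread): offline check of an LDAP
# userPassword value in RFC 2307 "{SCHEME}base64" form, which is what slapd
# compares a simple-bind password against before answering err=49.
# Supports {SHA}, {SSHA}, {MD5}, {SMD5}, {CLEARTEXT} and unprefixed cleartext.
# {CRYPT} is intentionally not handled here (Python's crypt module is
# deprecated); verify_userpassword raises for it instead of returning False.
import base64
import hashlib
import hmac
import os
import re

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)

# scheme -> (hashlib algorithm, salted?). Salted schemes append the salt
# (any length, slappasswd uses 4 bytes) after the digest inside the blob.
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def make_userpassword(scheme, password, salt=None):
    """Build a userPassword value the way `slappasswd -h {SCHEME}` would.

    scheme: "SHA", "SSHA", "MD5", "SMD5" or "CLEARTEXT"; password: bytes;
    salt: bytes for salted schemes (random 4 bytes when omitted).
    """
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return password.decode()
    algo, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.new(algo, password + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())
    digest = hashlib.new(algo, password).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode())


def verify_userpassword(stored, candidate):
    """Return True if candidate (bytes) matches the stored userPassword value.

    Raises ValueError for a scheme this example does not implement, such as
    {CRYPT}, so an unsupported hash is never silently reported as a mismatch.
    """
    m = _SCHEME_RE.match(stored)
    if m is None:
        # No scheme prefix: slapd treats the whole value as a cleartext password.
        return hmac.compare_digest(stored.encode(), candidate)
    scheme, blob = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(blob.encode(), candidate)
    if scheme not in _SCHEMES:
        raise ValueError("unsupported userPassword scheme {%s}" % scheme)
    algo, salted = _SCHEMES[scheme]
    raw = base64.b64decode(blob)
    dlen = hashlib.new(algo).digest_size
    if salted:
        digest, salt = raw[:dlen], raw[dlen:]   # salt is whatever follows the digest
    else:
        digest, salt = raw, b""
    expected = hashlib.new(algo, candidate + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample: the well-known {MD5} encoding of "password".
    sample = "{MD5}X03MO1qnZdYdgyfeuILPmQ=="
    print(sample, "matches 'password':", verify_userpassword(sample, b"password"))
    ssha = make_userpassword("SSHA", b"hunter2")
    print(ssha, "matches 'hunter2':", verify_userpassword(ssha, b"hunter2"))
```

To take PAM out of the picture entirely, bind as the user with the same tool Jim suggested, assuming the DN printed in the slapd log is the right one: `ldapsearch -x -H ldap://192.168.128.6 -D uid=yan2,ou=People,dc=seiner,dc=lan -W -b dc=seiner,dc=lan '(uid=yan2)'`. If that bind also returns err=49, the stored userPassword value (or the password being typed) is the problem, not the PAM stack.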