pam + ldap: pulling my hair out

Yan Seiner yan at seiner.com
Fri Jun 5 03:35:22 UTC 2009


James Moore wrote:
>
> Yan,
>
> Have you tried using OpenLDAP's ldapsearch to run a query manually from
> the LDAP client system?
>
> Like this:
> ldapsearch -x -W -D cn=admin,dc=seiner,dc=lan -b dc=seiner,dc=lan -d 3
> -H ldap://192.168.128.6 "(cn=yan)"
>
> I'm assuming a lot about your configs; if the commandline switches given
> here match your nss_ldap configuration the debug output might help
> isolate the problem.  
>
> If this doesn't help, you can always run tcpdump on the LDAP client or
> server to capture the traffic passing between them and use wireshark to
> analyze it.  Had to do this when troubleshooting Linux<->Active
> Directory LDAP interoperability problems.  Saved me a lot of time.
>
> Jim Moore
>   

Thanks Jim, I've made lots of headway... PAM now connects to LDAP; I'm 
not sure what the exact problem was as I've tweaked the various files 
too often to keep track.

The problem now is that logins work only for users in local 
/etc/passwd.  LDAP always fails with 49 - invalid credentials:

conn=21 op=4 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
 >>> dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>
<<< dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>, 
<uid=yan2,ou=people,dc=seiner,dc=lan>
do_bind: version=3 dn="uid=yan2,ou=People,dc=seiner,dc=lan" method=128
bdb_dn2entry("uid=yan2,ou=people,dc=seiner,dc=lan")
send_ldap_result: conn=21 op=4 p=3
send_ldap_response: msgid=5 tag=97 err=49

My current hypothesis is that it has to do with encryption of the 
password...

For PAM authentication, should the password stored in LDAP be clear, 
crypt, md5, something else?  I remember coming across this earlier but 
for the life of me I can't find the docs.

selene:/etc/pam.d# grep -v ^# common-auth | grep -v '^ *$'
auth  sufficient  pam_ldap.so debug
auth  required    pam_unix.so use_first_pass nullok_secure
selene:/etc/pam.d# grep -v ^# common-password | grep -v '^ *$'
password  required    pam_passwdqc.so min=disabled,12,8,7,6 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password  sufficient  pam_ldap.so crypt debug
password  sufficient  pam_unix.so nullok use_authtok md5 shadow use_first_pass
password  required    pam_deny.so


--Yan

-- 
Yan Seiner 
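Added example, not part of Yan's message and not pam_ldap or OpenLDAP code: the slapd trace above shows a simple bind (method=128), in which the client sends the password in the clear and slapd compares it with the entry's userPassword. That attribute may hold cleartext or a {SCHEME}-prefixed hash in RFC 2307 form ({SSHA}, {SHA}, {SMD5}, {MD5}, and {CRYPT} where slapd was built with crypt(3)); the stored scheme, not the PAM stack, decides how the comparison is done. The Python below re-implements that comparison and a toy bind against a constructed directory that reuses the DN from the log, so the err=49 outcomes can be reproduced offline: wrong password, unknown DN, and a stored value that is a bare hex digest, which slapd treats as cleartext. The DN normalisation is a deliberate simplification of slapd's dnNormalize, and the {CRYPT} branch depends on Python's crypt module, which is absent from Python 3.13 onward.

```python
"""Added example (not from the original message): re-implement the check slapd
performs on a simple bind (method=128 in the log) against a userPassword value.

The DN reuses the one from the log; the entries, salt and passwords are constructed.
"""
import base64
import hashlib
import hmac
import os

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # the err=49 in the slapd trace

# RFC 2307 scheme name -> hashlib digest used by slapd for that scheme
_DIGEST = {"SSHA": "sha1", "SHA": "sha1", "SMD5": "md5", "MD5": "md5"}


def hash_userpassword(password, scheme="SSHA", salt=None):
    """Build a userPassword value in RFC 2307 form, like `slappasswd -h {SCHEME}`.
    Salted schemes append the salt to the digest before base64 encoding."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return password  # stored verbatim, no prefix
    if scheme not in _DIGEST:
        raise ValueError("unsupported scheme " + scheme)
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.new(_DIGEST[scheme], pw + salt).digest() + salt
    else:
        digest = hashlib.new(_DIGEST[scheme], pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def check_userpassword(stored, password):
    """True if `password` matches one stored userPassword value.
    A value without a {SCHEME} prefix is cleartext and compared byte for byte."""
    pw = password.encode("utf-8")
    if not stored.startswith("{") or "}" not in stored:
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, data = stored[1:].partition("}")
    scheme = scheme.upper()  # slapd matches scheme names case-insensitively
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(data.encode("utf-8"), pw)
    if scheme == "CRYPT":
        try:
            import crypt  # deprecated in Python 3.11, removed in 3.13
        except ImportError:
            return False  # cannot verify {CRYPT} here (slapd needs crypt(3) support too)
        result = crypt.crypt(password, data)
        return result is not None and hmac.compare_digest(result, data)
    if scheme not in _DIGEST:
        return False
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return False
    algo = _DIGEST[scheme]
    if scheme in ("SSHA", "SMD5"):
        n = hashlib.new(algo).digest_size
        digest, salt = raw[:n], raw[n:]  # digest first, salt appended
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    return hmac.compare_digest(hashlib.new(algo, pw).digest(), raw)


def normalize_dn(dn):
    """Simplified stand-in for slapd's dnNormalize (cf. the dnPrettyNormal lines in
    the log): these attribute types and values match case-insensitively, and
    whitespace around the commas is ignored."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def simple_bind(directory, dn, password):
    """Result code of a simple bind against a toy directory {normalized DN: entry}.
    As in slapd, an unknown DN and a wrong password both yield invalidCredentials (49),
    so the bind result alone does not say which.  slapd treats a DN with an empty
    password as an unauthenticated bind instead of comparing; it is just rejected here."""
    entry = directory.get(normalize_dn(dn))
    if entry is None or not password:
        return LDAP_INVALID_CREDENTIALS
    if any(check_userpassword(v, password) for v in entry.get("userPassword", [])):
        return LDAP_SUCCESS
    return LDAP_INVALID_CREDENTIALS


FIXED_SALT = b"\x01\x02\x03\x04"  # constructed; slappasswd picks a random salt

# Constructed directory.  The first DN is the one from the slapd log.
DIRECTORY = {
    normalize_dn("uid=yan2,ou=People,dc=seiner,dc=lan"): {
        "userPassword": [hash_userpassword("correct horse", "SSHA", FIXED_SALT)],
    },
    normalize_dn("uid=cleartext,ou=People,dc=seiner,dc=lan"): {
        "userPassword": ["correct horse"],
    },
    normalize_dn("uid=hexmd5,ou=People,dc=seiner,dc=lan"): {
        # Common mistake: a bare hex digest has no scheme prefix, so slapd compares
        # it as cleartext and every bind fails with 49.
        "userPassword": [hashlib.md5(b"correct horse").hexdigest()],
    },
}


if __name__ == "__main__":
    for uid in ("yan2", "cleartext", "hexmd5"):
        dn = "uid=%s,ou=People,dc=seiner,dc=lan" % uid
        print(dn, "->", simple_bind(DIRECTORY, dn, "correct horse"))
    print("{MD5} of 'secret':", hash_userpassword("secret", "MD5"))
```

To run the same check against the real server, bind as the user instead of as cn=admin in Jim's ldapsearch command, e.g. `ldapsearch -x -D uid=yan2,ou=People,dc=seiner,dc=lan -W -b dc=seiner,dc=lan -H ldap://192.168.128.6 "(uid=yan2)"`. If that also comes back with 49, the stored userPassword value or the password typed is the problem, not the PAM stack; if it succeeds, the fault is between pam_ldap and the server.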

More information about the Pam-list mailing list