[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam + ldap: pulling my hair out



James Moore wrote:

Yan,

Have you tried using OpenLDAP's ldapsearch to run a query manually from
the LDAP client system?

Like this:
ldapsearch -x -W -D cn=admin,dc=seiner,dc=lan -b dc=seiner,dc=lan -d 3
-H ldap://192.168.128.6 "(cn=yan)"

I'm assuming a lot about your configs; if the commandline switches given
here match your nss_ldap configuration the debug output might help
isolate the problem.
If this doesn't help, you can always run tcpdump on the LDAP client or
server to capture the traffic passing between them and use wireshark to
analyze it.  Had to do this when troubleshooting Linux<->Active
Directory LDAP interoperability problems.  Saved me a lot of time.

Jim Moore

Thanks Jim, I've made lots of headway.... pam now connects to ldap; I'm not sure what the exact problem was as I've tweaked the various files too often to keep track.

The problem now is that logins work only for users in local /etc/passwd. ldap always fails with 49 - invalid credentials:

conn=21 op=4 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>
<<< dnPrettyNormal: <uid=yan2,ou=People,dc=seiner,dc=lan>, <uid=yan2,ou=people,dc=seiner,dc=lan>
do_bind: version=3 dn="uid=yan2,ou=People,dc=seiner,dc=lan" method=128
bdb_dn2entry("uid=yan2,ou=people,dc=seiner,dc=lan")
send_ldap_result: conn=21 op=4 p=3
send_ldap_response: msgid=5 tag=97 err=49

My current hypothesis is that it has to do with encryption of the password...

For pam authentication, should the password stored in ldap be clear, crypt, md5, something else? I remember coming across this earlier but for the life of me I can't find the docs.

selene:/etc/pam.d# grep -v ^# common-auth | grep -v '^ *$'
auth  sufficient  pam_ldap.so debug
auth  required    pam_unix.so use_first_pass nullok_secure
selene:/etc/pam.d# grep -v ^# common-password | grep -v '^ *$'
password required pam_passwdqc.so min=disabled,12,8,7,6 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password    sufficient    pam_ldap.so crypt debug
password sufficient pam_unix.so nullok use_authtok md5 shadow use_first_pass
password    required      pam_deny.so


--Yan

--
Yan Seiner


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]