Re: odd pam_ldap configuration issues
> > Thanks for this. I forgot to point out, however, that this problem
> > is definitely not related to pam configuration. [...]
> W e l l , all I can say is, that I had your problem, I adopted the
> above and my problem went away. Don't forget that you didn't quote the
> whole config file above, so no-one knows what yours looks like.
I admit that this was my fault. When you dig long enough at a problem
(and I did for two days here) you tend to forget the caveats you solved
at the very beginning. I should have mentioned it here, but it seemed too
obvious.
Doesn't matter.
In the meantime I played with the source code of all modules (openldap,
nss_ldap and pam_ldap), inserted debug statements at various points and
found out: the first bind via tls always fails (for a reason I still
don't know), but if I insert a second statement immediately afterwards,
everything goes fine.
This means for pam_ldap.c:
| rc = _connect_anonymously (session);
| if (rc != PAM_SUCCESS) {
| rc = _connect_anonymously (session);
| if (rc != PAM_SUCCESS) return rc;
| }
and a similar hack for nss_ldap.c
This is extremely ugly, but it works for me here and now. As I don't
have any deeper knowledge of the matter, I will not further investigate
it, but perhaps someone else is interested in it.
I'll post the same thing on the appropriate padl-mailinglists (as I am
still not sure whether this is related to openldap or to the padl
modules).
Ciao,
Stefan
--
Stowed away? More stowed away than Stefan!? That would be a hit!
http://www.sloganizer.de/