
Re: Invalid credentials



Thanks for the response.  That makes a little more sense now.  But isn't
it possible to have pam_ldap attempt to authenticate the same way the
ldap search does (forcing sasl external auth)?

Basically I am replacing NIS with an ldap directory so all account info,
uids, gids are stored in LDAP, however the authentication is made by
(LDAP->SASL->PAM->RADIUS) which worked in my first case.  Is there a way
to have pam_ldap behave the same way?  Is there some way to forcefully
allow anonymous binds for pam_ldap to allow this to happen? I have the
following ACL in my slapd.conf

access to attr=userPassword
        by self write
        by * auth
access to *
        by * read


thanks
adam




On Fri, 2003-11-14 at 02:45, Stephan Siano wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Adam Denenberg schrieb:
> | Ok, sorry for the long post but i want to post as much complete
> | information as possible. My configuration is that i have an openldap
> | server (2.1.23 on redhat 8) running using TLS for communication.  I use
> | SASL for authentication which uses pam authentication via radius.
> |
> | When i try and authenticate via ldapsearch it works just fine.  However
> | when i try to ssh in using pam_ldap, authentication fails for some
> | reason (invalid credentials in messages file).  can someone try and shed
> | some light as to what is happening here?  Here are my log output for
> | both the ldapsearch (successful) and the ssh attempt (failure).
> |
> |
> | LDAPSEARCH ATTEMPT
> | ************************************************************
> | #ldapsearch -H ldap://ldap.ops.testdomain.com/ -Uadenenberg  -b
> | "dc=testdomain,dc=com" -YPLAIN  -LLL -ZZ "(uid=adenenberg)"
> |
> 
> Hi,
> 
> Your result isn't too surprising: in the LDAP case you don't authenticate
> to the LDAP server at all, but you are using a SASL mechanism to
> authenticate to an external source.
> 
> pam_ldap, in contrast, tries to authenticate to the LDAP directory (it
> performs a simple bind, which is actually the same as if you were doing a
> ldapsearch with the -x -D and -W parameters instead of -U and -Y). If
> you want to authenticate your ssh-connection against the radius server
> you would need some pam_radius or the like (if this exists).
> 
> Yours
> Stephan Siano
> 
> - --
> - ----------------------------------------------------------------------
> Dr. Stephan Siano, Consultant
> SUSE LINUX AG, Mergenthalerallee 45-47, D-65760 Eschborn
> T: +49 (0) 6196 5095131
> F: +49 (0) 6196 409607    - stephan.siano@suse.com
> - ----------------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQE/tIgMyNxjFYe4G+cRAhy7AKCJyane+UpVrPg1uWaJ2s7eZsD1mACdHutk
> 6r0a50MXe7E/rgKYHih4HWU=
> =nXDo
> -----END PGP SIGNATURE-----
>
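The two slapd.conf ACL clauses Adam posted, and Stephan's point that pam_ldap performs a simple bind against the directory, can be checked with a small model of how slapd evaluates access. This is an added example, not code from the thread or from OpenLDAP itself: it simplifies slapd's first-match evaluation, assumes the 2.1-era privilege ordering none < auth < compare < search < read < write, treats "no matching clause" as deny once explicit ACLs exist, and the user DN below is constructed for illustration.

```python
"""Toy model of the two ACL clauses from the post (constructed example,
not slapd's own evaluator):

    access to attr=userPassword
            by self write
            by * auth
    access to *
            by * read
"""

# Privilege levels in slapd's ordering (OpenLDAP 2.1 era: no disclose/manage).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The posted ACL, kept in file order because the first matching
# "access to" clause decides, and within it the first matching "by" clause.
ACL = [
    {"attr": "userPassword", "by": [("self", "write"), ("*", "auth")]},
    {"attr": "*",            "by": [("*", "read")]},
]

# Constructed DN for the user in the thread (not given on the page).
USER_DN = "uid=adenenberg,ou=People,dc=testdomain,dc=com"


def who_matches(who, bind_dn, target_dn):
    """Match a <who> selector against the requester.
    '*' matches everyone (anonymous included), 'anonymous' an
    unauthenticated session, 'users' any authenticated one, and 'self'
    a requester whose bind DN is the entry being accessed."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return False


def granted_level(acl, bind_dn, target_dn, attr):
    """First 'access to' clause whose attribute selector matches decides;
    within it the first matching 'by' clause sets the level.  If the clause
    matched but no 'by' fits, or nothing matched at all, the result is
    'none' (assumed default-deny)."""
    for clause in acl:
        if clause["attr"] != "*" and clause["attr"].lower() != attr.lower():
            continue
        for who, level in clause["by"]:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"


def allowed(acl, bind_dn, target_dn, attr, need):
    """The granted level must be at least the needed one."""
    return LEVELS.index(granted_level(acl, bind_dn, target_dn, attr)) \
        >= LEVELS.index(need)


def pam_ldap_bind_permitted(acl, user_dn):
    """pam_ldap's simple bind (ldapsearch -x -D -W style): the session is
    still anonymous when slapd checks whether the entry's userPassword may
    be used for authentication, which needs the 'auth' privilege."""
    return allowed(acl, None, user_dn, "userPassword", "auth")


if __name__ == "__main__":
    other = "uid=someoneelse,ou=People,dc=testdomain,dc=com"
    print("simple bind as user allowed by ACL:",
          pam_ldap_bind_permitted(ACL, USER_DN))
    print("anonymous may read userPassword:  ",
          allowed(ACL, None, USER_DN, "userPassword", "read"))
    print("user may change own password:     ",
          allowed(ACL, USER_DN, USER_DN, "userPassword", "write"))
    print("another user may change it:       ",
          allowed(ACL, other, USER_DN, "userPassword", "write"))
    print("anonymous may read uidNumber:     ",
          allowed(ACL, None, USER_DN, "uidNumber", "read"))
```

Under this model the posted ACL already grants the `auth` privilege on userPassword to an anonymous session, so the ACL is not what blocks pam_ldap's simple bind, while keeping the hash unreadable to anyone but the owner and leaving the NIS-style attributes (uidNumber, gidNumber) readable for lookups. Whether the bind then succeeds depends on what slapd can verify the supplied password against, which is the distinction Stephan draws between a simple bind and a SASL mechanism that authenticates elsewhere.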