Re: Invalid credentials
Thanks for the response. That makes a little more sense now. But isn't
it possible to have pam_ldap attempt to authenticate the same way the
ldap search does (forcing sasl external auth)?
Basically I am replacing NIS with an ldap directory so all account info,
uids, gids are stored in LDAP, however the authentication is made by
(LDAP->SASL->PAM->RADIUS) which worked in my first case. Is there a way
to have pam_ldap behave the same way? Is there some way to forcefully
allow anonymous binds for pam_ldap to allow this to happen? I have the
following ACL in my slapd.conf:
access to attr=userPassword
        by self write
        by * auth
access to *
        by * read
thanks
adam
On Fri, 2003-11-14 at 02:45, Stephan Siano wrote:
>
> Adam Denenberg schrieb:
> | Ok, sorry for the long post but i want to post as much complete
> | information as possible. My configuration is that i have an openldap
> | server (2.1.23 on redhat 8) running using TLS for communication. I use
> | SASL for authentication which uses pam authentication via radius.
> |
> | When i try and authenticate via ldapsearch it works just fine. However
> | when i try to ssh in using pam_ldap, authentication fails for some
> | reason (invalid credentials in messages file). can someone try and shed
> | some light as to what is happening here? Here are my log output for
> | both the ldapsearch (successful) and the ssh attempt (failure).
> |
> |
> | LDAPSEARCH ATTEMPT
> | ************************************************************
> | #ldapsearch -H ldap://ldap.ops.testdomain.com/ -Uadenenberg -b
> | "dc=testdomain,dc=com" -YPLAIN -LLL -ZZ "(uid=adenenberg)"
> |
>
> Hi,
>
> your result isn't too surprising: in the LDAP case you don't authenticate
> to the LDAP server at all, but you are using a SASL mechanism to
> authenticate to an external source.
>
> pam_ldap, in contrast, tries to authenticate to the LDAP directory (it
> performs a simple bind, which is actually the same as if you were doing an
> ldapsearch with the -x -D and -W parameters instead of -U and -Y). If
> you want to authenticate your ssh connection against the radius server
> you would need some pam_radius or the like (if this exists).
>
> Yours
> Stephan Siano
>
> --
> ----------------------------------------------------------------------
> Dr. Stephan Siano, Consultant
> SUSE LINUX AG, Mergenthalerallee 45-47, D-65760 Eschborn
> T: +49 (0) 6196 5095131
> F: +49 (0) 6196 409607 - stephan.siano@suse.com
> ----------------------------------------------------------------------
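The distinction Stephan draws is visible on the wire. As an added illustration (not code from either poster), this encodes, per RFC 4511, the two BindRequest shapes being compared: the simple bind that pam_ldap sends (DN plus password, which slapd checks against userPassword, the attribute the "by * auth" ACL governs), and the SASL PLAIN bind that "ldapsearch -Y PLAIN" sends, whose credentials slapd hands to saslauthd (the LDAP->SASL->PAM->RADIUS path). The DN layout with ou=People and the password are constructed sample values.

```python
# Added example: hand-rolled BER encoding of LDAPv3 BindRequest (RFC 4511).
# Not part of the thread; sample DN/password below are constructed.

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_len(len(value)) + value

def ldap_message(msg_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }  (msg_id 1..127)."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """What pam_ldap (or ldapsearch -x -D -W) sends: AuthenticationChoice.simple [0].
    slapd compares the password against the entry's userPassword attribute."""
    op = (tlv(0x02, b"\x03")                      # version 3
          + tlv(0x04, dn.encode())                 # name = bind DN
          + tlv(0x80, password.encode()))          # [0] simple OCTET STRING
    return ldap_message(msg_id, tlv(0x60, op))     # [APPLICATION 0] BindRequest

def sasl_plain_bind(msg_id: int, authcid: str, password: str, authzid: str = "") -> bytes:
    """What ldapsearch -Y PLAIN sends: AuthenticationChoice.sasl [3] carrying
    SaslCredentials { mechanism "PLAIN", credentials authzid\\0authcid\\0passwd }.
    slapd does not consult userPassword here; the credentials go to saslauthd."""
    creds = f"{authzid}\0{authcid}\0{password}".encode()    # RFC 4616 layout
    sasl = tlv(0x04, b"PLAIN") + tlv(0x04, creds)
    op = (tlv(0x02, b"\x03")
          + tlv(0x04, b"")                         # empty name: identity comes from SASL
          + tlv(0xA3, sasl))                       # [3] SaslCredentials (constructed)
    return ldap_message(msg_id, tlv(0x60, op))

def auth_choice(msg: bytes) -> str:
    """Classify an encoded BindRequest by its AuthenticationChoice tag.
    Assumes short-form lengths, i.e. each element is shorter than 128 bytes."""
    assert msg[0] == 0x30 and msg[2] == 0x02 and msg[5] == 0x60, "not a BindRequest"
    i = 7                                  # first element inside the BindRequest
    i += 2 + msg[i + 1]                    # skip version INTEGER
    i += 2 + msg[i + 1]                    # skip name OCTET STRING
    return {0x80: "simple", 0xA3: "sasl"}[msg[i]]

if __name__ == "__main__":
    dn = "uid=adenenberg,ou=People,dc=testdomain,dc=com"   # constructed DN
    print(auth_choice(simple_bind(1, dn, "s3cret")))        # simple
    print(auth_choice(sasl_plain_bind(1, "adenenberg", "s3cret")))   # sasl
```

Because the ACL "by * auth" only matters for the simple path, which compares userPassword inside slapd, it cannot redirect a pam_ldap bind through saslauthd; that is why the reply points at pam_radius rather than at an ACL change.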