[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam_ldap error

To: openldap-software@OpenLDAP.org
Subject: Re: pam_ldap error
From: Jeff Gamsby <JFGamsby@lbl.gov>
Date: Mon, 01 Dec 2003 13:41:25 -0800
In-reply-to: <Pine.GSO.4.30L2.0312011532050.19878-100000@qmail>
Organization: Lawrence Berkeley National Laboratory
References: <Pine.GSO.4.30L2.0312011532050.19878-100000@qmail>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624

This may be silly, but can you "su" to the ldap user? If you can, then you know it's an authentication problem. Change the password, see what that does. I use {SSHA} for my passwords. Is crypt a default password method? I think that I had to say --enable-crypt when I built openldap.

Asif Iqbal wrote:

I found the problem. I started as slapd -h ldap:///
ldaps:/// but port 636 was not open. I changed it and running as slapd -h
ldaps:/// and now it does not complain about connection problem but now it says

error: PAM: No account present for user

I do have an account for the user. To check I searched for the user and found
the user's password does not show {CRYPT}

the ldif for userPassword was {CRYPT}IIGHcSnVKzrZA but when I search the user it
shows userPassword:: e0NSWVBUfUlJR0hjU25WS3pyWkE=


Any suggestion/explanation would be greatly appreciated

On Mon, 1 Dec 2003, Csillag [iso-8859-2] Tam?s wrote:

Hi,

On Mon, Dec 01, 2003 at 02:24:16PM -0500, Asif Iqbal wrote:

On Mon, 1 Dec 2003, Jeff Gamsby wrote:

 Does ldapsearch -x work? If on Linux, how about getent passwd?

ldapsearch -x works just fine. genent passwd works fine too

pam_ldap is independent from getent passwd (it uses libnss_ldap)
and it's config file is: /etc/nsswitch.conf and /etc/{.,ldap}/ldap.conf
(the second is debian specific I think)
(But it is good to test wheather your database is available)

pam_ldap's config file is: /etc/pam_ldap.conf

If the problem is not the pam_ldap.conf file, you can try to debug it
in the following way:
tcpdump
or
(backup first!!) cp /etc/pam.d/ssh /etc/pam.d/su
strace su someuser (do this as root but remove, rootok pam module from
the list, so it will ask for password)

Asif Iqbal wrote:

Hi All

I am trying to ssh auth against the ldap server using pam_ldap and getting the
following error

Dec  1 13:03:44 scrub sshd[11979]: [ID 280705 auth.error] pam_ldap:
ldap_simple_bind Can't contact LDAP server
Dec  1 13:03:44 scrub sshd[11977]: [ID 800047 auth.error] error: PAM: Can not
retrieve authentication info

sshd auth --> pam_ldap.so (in pam.conf)

Thanks

References:
- Re: pam_ldap error
  - From: Asif Iqbal <iqbala@qwestip.net>

Prev by Date: Re: pam_ldap error
Next by Date: Re: pam_ldap error
Index(es):
- Chronological
- Thread