#1, 01-30-2008, 08:28 AM
LQ Newbie, Registered: Jan 2008, Location: Bangalore, India, Distribution: CentOS
ldap authentication problem


I have installed an OpenLDAP server on one machine ( It is CentOS 4.4.
I created an LDAP user named 'ramesh' on this machine.

The OpenLDAP client is installed on another machine ( It is CentOS 5.
To enable LDAP authentication, I modified three files on this machine:
1) /etc/ldap.conf
2) /etc/openldap/ldap.conf
3) /etc/nsswitch.conf
I wish to log in using the LDAP user ramesh,
but I am unable to do so.

The details are as follows:

The output of the "getent passwd ramesh" command on the client machine ( is:
ramesh:x:701:700:Ramesh Patil:/home/ramesh:/bin/bash

The output of the "finger ramesh" command is:
Login: ramesh Name: Ramesh Patil
Directory: /home/ramesh Shell: /bin/bash
Never logged in.
No mail.
No Plan.

The output of the ldapsearch command is as follows:
dn: uid=ramesh,dc=mwm,dc=com
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
cn: Ramesh Patil
uid: ramesh
uidNumber: 701
gidNumber: 700
loginShell: /bin/bash
homeDirectory: /home/ramesh
shadowLastChange: 13908
shadowMin: 0
shadowMax: 99999
shadowInactive: -1
shadowWarning: 7
shadowFlag: 0
shadowExpire: -1
userPassword:: cmFtZXNo


On the client machine (, the files are as follows:
(PS: I have omitted the comment lines in all files)
1) /etc/ldap.conf
base dc=mwm,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600

2) /etc/openldap/ldap.conf
BASE dc=mwm,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

3) /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: nisplus ldap
publickey: nisplus
automount: files ldap
aliases: files

On the LDAP server machine (, /etc/openldap/slapd.conf is as follows:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

pidfile /var/run/
argsfile /var/run/slapd.args

database bdb
suffix "dc=mwm,dc=com"
rootdn "cn=Manager,dc=mwm,dc=com"
rootpw {SSHA}ZU7FCC7Y+RDeMnC6Y4q2YPa6KOd5TyTS

directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub


I have read many how-tos and manuals regarding LDAP authentication,
still with no success in solving this problem.

Kindly tell me if I am missing something.
Thanks in advance.

#2, 01-30-2008, 08:38 AM
Registered: Sep 2006, Location: Munich, Germany, Distribution: Debian / Ubuntu
You are missing libpam-ldap or just haven't configured it yet.
#3, 01-31-2008, 12:19 AM
LQ Newbie (Original Poster), Registered: Jan 2008, Location: Bangalore, India, Distribution: CentOS
problem solved


Thanks rupertwh for your advice.

On the client machine ( I ran the following command:
# authconfig-tui

It displayed a menu as shown below.
I selected the options indicated by an asterisk (*).

───────────────┤ Authentication Configuration ├────────────────

User Information            Authentication
[ ] Cache Information       [*] Use MD5 Passwords
[ ] Use Hesiod              [*] Use Shadow Passwords
[*] Use LDAP                [*] Use LDAP Authentication
[ ] Use NIS                 [ ] Use Kerberos
[ ] Use Winbind             [ ] Use SMB Authentication
                            [ ] Use Winbind Authentication
                            [*] Local authorization is sufficient

┌──────┐ ┌────┐
│Cancel│ │Next│
└──────┘ └────┘

On clicking "Next", the following menu was displayed.
I entered the Server and Base DN as shown below:
(Note: is the machine where the LDAP server is installed.)

────────────────┤ LDAP Settings ├───────────────

[ ] Use TLS
Server:  ldap://
Base DN: dc=mwm,dc=com

┌────┐ ┌──┐
│Back│ │Ok│
└────┘ └──┘

This solved the problem.
Now I am able to log in on the client machine ( using the LDAP user.
#4, 02-27-2008, 12:57 AM
LQ Newbie, Registered: Feb 2008
RHEL 5 - LDAP user authentication

The task is to have the server use the corporate LDAP server for user authentication.

I have spent several days but am unable to move any further, except for the following:

1) I have installed....

2) Configured the LDAP client; I can reach the LDAP server and get the following response:

[root@poc-mcs-004 etc]# ldapsearch -x -LLL uid=muhshaik
dn: uid=muhshaik,ou=active,ou=employees,ou=people,
voicemail: XXX XXXX
telephoneNumber: +1 XXX XXX XXXX
ciscoITInternalPhoneNumber: XXXXXXX
site: San Jose Site 4
roomNumber: G5-9
registeredAddress: 3550 Cisco Way
postOfficeBox: SJC19/4/4
postalCode: 95134
locationtype: TRADITIONAL
floor: 4
country: United States
city: San Jose
building: SJ-19
groupmembership: allusers
groupmembership: c2cusers
groupmembership: c2users
groupmembership: cdo_all
groupmembership: csg-codedrop
groupmembership: dpt21633
groupmembership: engall
groupmembership: engonly
groupmembership: fit-users
groupmembership: guido
groupmembership: ibsgit
groupmembership: owt370-r
groupmembership: owtallusers
groupmembership: relops-website
groupmembership: rlspreview-eng
groupmembership: solpmt
groupmembership: tsbu
manageruid: XXXXX
vendorname: XXX Software Services Inc
status: Active
publishpager: n
title: System Engineer
employeeNumber: XXXXXX
cn: Mxxxxxxx Sxxxxx
employeeType: Vendor
uid: muhshaik
epage: n
publishmobile: n
description: TXBU Engineering
supportorganization: n
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ciscoPerson
publishpicture: y
manager: Gxxxx Hxxx (gxxxxx)
sn: Shaikh
givenName: Mxxxxxxx
departmentNumber: XXXXXXXXX

Also see the configuration for PAM:
[root@poc-mcs-004 pam.d]# cat system-auth-ac
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth sufficient use_first_pass
auth required

account required broken_shadow
account sufficient
account sufficient uid < 500 quiet
account [default=bad success=ok user_unknown=ignore]
account required

password requisite try_first_pass retry=3
password sufficient md5 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional

But when I try to log in as muhshaik, it fails with "Access denied". I grep the logs as follows:
login as: muhshaik
muhshaik@poc-mcs-004's password:
Access denied
muhshaik@poc-mcs-004's password:

See the messages in the log files:
tail -f /var/log/messages

Feb 26 22:54:01 poc-mcs-004 snmpd[12320]: error on subcontainer '' insert (-1)
Feb 26 22:54:22 poc-mcs-004 nscd: nss_ldap: reconnected to LDAP server ldap:// after 1 attempt
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer 'ia_addr' insert (-1)
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer 'ia_addr' insert (-1)
Feb 26 22:54:31 poc-mcs-004 snmpd[12320]: error on subcontainer '' insert (-1)

tail -f /var/log/secure
Feb 26 22:54:22 poc-mcs-004 sshd[25721]: Invalid user muhshaik from
Feb 26 22:54:22 poc-mcs-004 sshd[25722]: input_userauth_request: invalid user muhshaik
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_unix(sshd:auth): check pass; user unknown
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_succeed_if(sshd:auth): error retrieving information about user muhshaik
Feb 26 22:54:28 poc-mcs-004 sshd[25721]: Failed password for invalid user muhshaik from port 2718 ssh2

Could someone please let me know what is wrong here, whether I am missing something, and why my login is not working.

Last edited by muhshaik; 02-27-2008 at 02:25 AM.
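Added example, not code from the post or its author: a small Python triage of the /var/log/secure lines above. It separates failures where sshd never obtained a passwd entry for the login name (the NSS layer, i.e. the files/ldap sources in nsswitch.conf) from failures where the account resolved and the password check itself failed (the PAM auth stack, pam_unix/pam_ldap). sshd logs "Invalid user" only when getpwnam() fails, and pam_succeed_if logs "error retrieving information about user" for the same reason, so those lines point at nss_ldap or the directory entry rather than at the password. The sample log is constructed from the excerpt, with the stripped remote address left out and two extra lines showing a known user typing a wrong password; the `next_check` strings are commands to type by hand on the client, not anything run here.

```python
import re

# Constructed sample modelled on the /var/log/secure excerpt in the post above. The remote
# address was stripped from the original; the two "ramesh" lines are added to show what a
# user that NSS does know, but who typed a wrong password, looks like in the same log.
SAMPLE_SECURE_LOG = """\
Feb 26 22:54:22 poc-mcs-004 sshd[25721]: Invalid user muhshaik from
Feb 26 22:54:22 poc-mcs-004 sshd[25722]: input_userauth_request: invalid user muhshaik
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_unix(sshd:auth): check pass; user unknown
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
Feb 26 22:54:27 poc-mcs-004 sshd[25721]: pam_succeed_if(sshd:auth): error retrieving information about user muhshaik
Feb 26 22:54:28 poc-mcs-004 sshd[25721]: Failed password for invalid user muhshaik from port 2718 ssh2
Feb 26 22:55:10 poc-mcs-004 sshd[25730]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=ramesh
Feb 26 22:55:10 poc-mcs-004 sshd[25730]: Failed password for ramesh from 192.0.2.10 port 2719 ssh2
"""

# sshd writes "Invalid user X" when getpwnam(X) fails, before PAM ever sees a password.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+)")
# pam_succeed_if needs the passwd entry for its "uid >= 500" test and logs this when it is missing.
PAM_NO_PASSWD_RE = re.compile(r"pam_succeed_if\(sshd:auth\): error retrieving information about user (\S+)")
# "Failed password for [invalid user ]X from ..." - the optional prefix carries the NSS verdict.
FAILED_PW_RE = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from")


def triage_ssh_failures(log_text):
    """Map each failing login name to the layer where the failure sits.

    'unknown_to_nss': no passwd entry came back for the name, so nss_ldap or the directory
                      entry is the problem and PAM configuration is not yet the question.
    'bad_password':   the account resolved; look at the credential, the LDAP bind, or the
                      PAM stack (pam_unix / pam_ldap ordering and use_first_pass).
    """
    verdict = {}
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line) or PAM_NO_PASSWD_RE.search(line)
        if m:
            verdict[m.group(1)] = "unknown_to_nss"
            continue
        m = FAILED_PW_RE.search(line)
        if m:
            prefix, user = m.groups()
            if prefix:
                verdict[user] = "unknown_to_nss"
            else:
                # never downgrade an NSS failure already recorded for this user
                verdict.setdefault(user, "bad_password")
    return verdict


def next_check(user, verdict):
    """First command to type on the client for a verdict (returned as text, not executed)."""
    if verdict == "unknown_to_nss":
        return f"getent passwd {user}"  # empty output confirms the NSS lookup is what fails
    # pam_ldap authenticates with a simple bind as the user; reproduce exactly that bind
    return f"ldapwhoami -x -D 'uid={user},<base dn>' -W"


if __name__ == "__main__":
    for user, verdict in sorted(triage_ssh_failures(SAMPLE_SECURE_LOG).items()):
        print(f"{user:10s} {verdict:15s} -> {next_check(user, verdict)}")
```

For the excerpt above the verdict for muhshaik is unknown_to_nss: `getent passwd muhshaik` on the client is the check that matters, and the PAM file shown is not where the failure originates.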
#5, 02-27-2008, 01:46 AM
LQ Guru, Registered: Mar 2006, Location: Sydney, Australia, Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Am I blind? I can't see a password in the user entry.

Here's what I have in a trial LDAP entry (just a play directory); a different schema, by the looks of it:

dn: uid=elsie,ou=People,dc=example,dc=com
structuralObjectClass: account
entryUUID: d60c0ede-69a9-102c-8dc3-8b8e30ae185f
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20080207092141Z
uid: ###
cn: ####
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: (hashed password was here)
shadowLastChange: 13889
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: #
gidNumber: #
homeDirectory: /home/###
gecos: ###
entryCSN: 20080208070548Z#000004#00#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20080208070548Z
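Added example, not code from any poster in this thread: a Python check of what nss_ldap can make of a directory entry, covering both the first post's entry and the corporate entry in post #4. It parses LDIF (including the `attr::` base64 form used for userPassword), builds the passwd(5) line that `getent passwd` would return from an RFC 2307 posixAccount entry, and classifies how userPassword is stored. Run on the first post's entry it reproduces the `getent passwd ramesh` line shown there, and it shows that `userPassword:: cmFtZXNo` is plain base64 of the string ramesh, i.e. the password is stored unhashed (and equals the login name), unlike the `{SSHA}` value used for rootpw in that slapd.conf. Run on a shortened version of the post #4 entry (the base DN was truncated in the post, so dc=example,dc=com is an assumption) it reports that the entry has no posixAccount class at all: there is nothing for getpwnam() to return, which is why sshd logs "Invalid user" before any password is checked. One caveat on the "I can't see a password" observation above: an anonymous `ldapsearch -x` is normally not allowed to read userPassword, so its absence from that output does not by itself prove the attribute is unset.

```python
import base64

# RFC 2307 posixAccount MUST attributes (cn is also MUST; here it only feeds the gecos field).
POSIX_MUST = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Shortened copy of the entry shown in post #1 of this thread.
RAMESH_LDIF = """\
dn: uid=ramesh,dc=mwm,dc=com
objectClass: top
objectClass: posixAccount
objectClass: account
objectClass: shadowAccount
cn: Ramesh Patil
uid: ramesh
uidNumber: 701
gidNumber: 700
loginShell: /bin/bash
homeDirectory: /home/ramesh
userPassword:: cmFtZXNo
"""

# Shortened copy of the corporate entry in post #4. The base DN was cut off in the post;
# dc=example,dc=com is an assumption made for this example only.
MUHSHAIK_LDIF = """\
dn: uid=muhshaik,ou=active,ou=employees,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ciscoPerson
uid: muhshaik
cn: Mxxxxxxx Sxxxxx
sn: Shaikh
title: System Engineer
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Handles 'attr:: <base64>' values and RFC 2849 folded lines (continuations start
    with a space). Names are lower-cased because LDAP attribute types are case-insensitive.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def nss_passwd_line(entry):
    """Return (passwd_line, []) as nss_ldap hands it to getent, or (None, missing) when the
    entry cannot be mapped; in that case getpwnam() fails and sshd logs 'Invalid user'."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        return None, ["objectClass: posixAccount"]
    missing = [a for a in POSIX_MUST if a.lower() not in entry]
    if missing:
        return None, missing

    def first(attr):
        return entry[attr.lower()][0]

    gecos = (entry.get("gecos") or entry.get("cn") or [""])[0]
    shell = (entry.get("loginshell") or [""])[0]  # blank shell field: login(1) falls back to /bin/sh
    fields = [first("uid"), "x", first("uidNumber"), first("gidNumber"),
              gecos, first("homeDirectory"), shell]
    return ":".join(fields), []


def password_storage(entry):
    """Classify userPassword: 'cleartext', a scheme tag such as '{SSHA}' or '{CRYPT}', or None
    when the attribute is not in the output (never set, or the server ACL hid it from this bind)."""
    values = entry.get("userpassword")
    if not values:
        return None
    pw = values[0]
    if pw.startswith("{") and "}" in pw:
        return pw[: pw.index("}") + 1].upper()
    return "cleartext"


if __name__ == "__main__":
    for label, ldif in (("ramesh", RAMESH_LDIF), ("muhshaik", MUHSHAIK_LDIF)):
        entry = parse_ldif_entry(ldif)
        line, missing = nss_passwd_line(entry)
        print(f"{label}: getent -> {line!r}, missing={missing}, userPassword={password_storage(entry)}")
```

Two practical consequences: a cleartext userPassword is readable by anyone the ACLs let read the attribute (the rootdn included), so have slapd hash it with its password-hash setting and a pam_password exop/md5 change, and an inetOrgPerson-only corporate directory needs the posixAccount attributes added (or a local mapping scheme) before nss_ldap can serve it.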
#6, 04-01-2008, 10:34 AM
LQ Newbie, Registered: Oct 2007, Location: Newport News, VA, Distribution: Solaris, Redhat, FC5.6.7.8
In the world of the LDAP turns, LOL.
I have FDS running. It runs well (IMHO).
I have SSL/TLS, or is that TLS/SSL, not sure.

I have three computers.

If I turn off TLS on the client, authentication and AUTOMOUNT work great!!
Turn on TLS and I get

gdm-binary[2393]: nss_ldap: reconnecting to LDAP server (sleeping * seconds)

gdmgreeter[2393]: nss_ldap: reconnecting to LDAP server (sleeping * seconds)

I have entries for fdstest, home, & client in /etc/hosts.

I have entries in /etc/openldap/ldap.conf for URI, BASE, HOST, TLS_CACERTDIR, and TLS_REQCERT on the and

I have copies of the cert on the client and home (did a diff on them to verify they are the same, JUST in case they were bad or something). is able to authenticate with TLS but client is not able to.

Any thoughts on troubleshooting to solve this issue?

I am able to ping via FQDN (from client) home & fdstest.
I am able to ssh via FQDN (from client) home & fdstest.

I will continue to post what I find.

Last edited by robert.forster; 04-01-2008 at 10:37 AM.
#7, 04-01-2008, 03:21 PM
LQ Newbie, Registered: Oct 2007, Location: Newport News, VA, Distribution: Solaris, Redhat, FC5.6.7.8
Here is a cut and paste (modified for public viewing) of /var/log/dirsrv/slapd-instance/access:
[01/Apr/2008:16:13:15 -0400] conn=59 op=1 fd=64 closed - U1
[01/Apr/2008:16:14:19 -0400] conn=60 fd=64 slot=64 connection from to
[01/Apr/2008:16:14:19 -0400] conn=60 op=0 EXT oid="" name="startTLS"
[01/Apr/2008:16:14:19 -0400] conn=60 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:19 -0400] conn=60 SSL 256-bit AES
[01/Apr/2008:16:14:19 -0400] conn=60 op=1 UNBIND
[01/Apr/2008:16:14:19 -0400] conn=60 op=1 fd=64 closed - U1
[01/Apr/2008:16:14:19 -0400] conn=61 fd=65 slot=65 connection from to
[01/Apr/2008:16:14:19 -0400] conn=61 op=0 EXT oid="" name="startTLS"
[01/Apr/2008:16:14:19 -0400] conn=61 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Apr/2008:16:14:19 -0400] conn=61 SSL 256-bit AES
[01/Apr/2008:15:58:51 -0400] - Fedora-Directory/1.1.0 B2008.03.27 starting up
[01/Apr/2008:15:58:52 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Apr/2008:15:58:52 -0400] - Listening on All Interfaces port 636 for LDAPS requests

It takes a long, long time before the computer boots, and then it still won't authenticate a user.

Last edited by robert.forster; 04-01-2008 at 03:35 PM.
#8, 04-07-2008, 01:19 AM
LQ Newbie, Registered: May 2007, Location: Bucharest, Romania, Distribution: Debian

I have the same problem, please tell me if you find a solution to it.

#9, 04-08-2008, 06:32 AM
LQ Newbie, Registered: Oct 2007, Location: Newport News, VA, Distribution: Solaris, Redhat, FC5.6.7.8
I am sorry I did not post my solution. Sometimes I have so many threads going in different areas that I lose track.

Solutions I have found for several different issues. Please excuse and check spelling, typos and so forth, because I am not a typist, LOL.

In /etc/openldap/ldap.conf you will need to verify:
uri ldap://    **ldap server's IP address
base dc=examplehost, dc=exampledomain, dc=edu
TLS_CACERTDIR /etc/openldap/cacerts/    **verify this is the path to the cacert
TLS_REQCERT allow    ***this is something you will more than likely need to add


/etc/ldap.conf: same here, verify the info is here too
base dc=examplehost, dc=exampledomain, dc=edu

*****this is the one that got me**********
#OpenLDAP SSL options
#Require and verify server certificate (yes/no)
#Default is to use libldap's default behavior, which can be configured in
#/etc/openldap/ldap.conf using the TLS_REQCERT setting. the default for
#OpenLDAP 2.0 and earlier is"no", for 2.1 and later is "yes"
tls_checkpeer no    *must uncomment and change to no, as you can see above

uri ldap://    *the IP address for your ldap server
ssl start_tls    *verify this; it is supposed to change when you change system-config-authentication
tls_cacertdir /etc/openldap/cacerts    *the path to the cacert
pam_password md5

These are some of the things I look for when troubleshooting LDAP issues.

Usually what I do is ssh in two terminal windows to the LDAP server (from the client PC that is logged in with a local account) as root:
tail -f /var/log/messages in one terminal
tail -f /var/dirsrv/slapd-*instance*/access in the other terminal
then I su - *username*
and see what happens in the log files.

Hope that didn't sound too newbie, LOL.

Now if there are other things going on, let me know... I might have run across it, and if I didn't I probably will in time.

Last edited by robert.forster; 04-08-2008 at 06:33 AM.
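Added example, not code from the post or its author: the client-side TLS settings from the two files above, as constructed weak and hardened pairs, with a small Python audit that flags the settings an attacker on the network benefits from. `tls_checkpeer no` (pam_ldap/nss_ldap) and `TLS_REQCERT allow` (libldap) both make the client accept any server certificate, so a host that can redirect traffic to port 389 can present its own certificate, complete the STARTTLS handshake, and receive every user's password as pam_ldap binds with it, or hand back a forged passwd entry with uidNumber 0. A plain `ldap://` URI without `ssl start_tls`, which is what the unticked "Use TLS" box in post #3 produces, sends those binds in the clear. Host names and base DNs in the samples are placeholders, not the posters' (their addresses were stripped from the page).

```python
# Constructed configurations for this example. Host names and base DNs are placeholders;
# the posters' addresses were stripped from the page.

# The pair post #9 ends up with: encrypted, but certificate checks are off on both layers.
WEAK_NSS_LDAP_CONF = """\
uri ldap://ldap.example.edu
base dc=examplehost,dc=exampledomain,dc=edu
ssl start_tls
tls_checkpeer no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""
WEAK_OPENLDAP_CONF = """\
URI ldap://ldap.example.edu
BASE dc=examplehost,dc=exampledomain,dc=edu
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
"""

# What the unticked "Use TLS" box in post #3 produces: binds cross the wire in the clear.
PLAINTEXT_NSS_LDAP_CONF = """\
uri ldap://ldap.example.edu
base dc=mwm,dc=com
"""
PLAINTEXT_OPENLDAP_CONF = """\
BASE dc=mwm,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
"""

# The same two files with verification left at its default and the CA directory supplied.
HARDENED_NSS_LDAP_CONF = """\
uri ldap://ldap.example.edu
base dc=examplehost,dc=exampledomain,dc=edu
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
pam_password exop
"""
HARDENED_OPENLDAP_CONF = """\
URI ldap://ldap.example.edu
BASE dc=examplehost,dc=exampledomain,dc=edu
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """'key value' lines with '#' comments; keys are case-insensitive, values keep inner spaces."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_client(nss_conf_text, openldap_conf_text):
    """Findings for /etc/ldap.conf (pam_ldap/nss_ldap) plus /etc/openldap/ldap.conf (libldap)."""
    nss = parse_ldap_conf(nss_conf_text)
    lib = parse_ldap_conf(openldap_conf_text)
    findings = []

    uri = nss.get("uri", lib.get("uri", "")).lower()
    ssl_mode = nss.get("ssl", "no").lower()  # nss_ldap values: no | on | start_tls
    encrypted = uri.startswith("ldaps://") or ssl_mode in ("on", "yes", "start_tls")
    if not encrypted:
        findings.append("cleartext LDAP: add 'ssl start_tls' to /etc/ldap.conf or use an ldaps:// URI")

    if nss.get("tls_checkpeer", "yes").lower() == "no":
        findings.append("tls_checkpeer no: nss_ldap/pam_ldap accept any server certificate, so a host "
                        "on the path can impersonate the directory and receive every bind password")

    reqcert = lib.get("tls_reqcert", "demand").lower()  # libldap default since OpenLDAP 2.1
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: libldap proceeds without a valid server certificate")

    ca_keys = ("tls_cacertdir", "tls_cacertfile", "tls_cacert")
    if encrypted and not any(k in nss or k in lib for k in ca_keys):
        findings.append("no CA configured (TLS_CACERTDIR/TLS_CACERT): nothing to verify the server against")
    return findings
```

With verification left on, the CA certificate in TLS_CACERTDIR has to be present under its hash name (cacertdir_rehash on RHEL/CentOS, or OpenSSL's c_rehash); a directory that holds the PEM file under its plain name only is a common reason "demand" fails where "allow" works, and the fix is to rehash the directory (or point TLS_CACERT at the file), not to lower the check. `pam_password exop` uses the Password Modify extended operation, so slapd hashes the stored value according to its password-hash setting instead of storing whatever the client sends.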

