Debian pam_ldap
Hi
Read the bold for a quick view. I asked this question also over at the Networking forum but didn't get a reply. I googled all over, read a million howtos and forum posts; I am out of ideas. Been on this now for over 3 days, hope someone will be kind enough to help.

pam_ldap was working before I installed postfix, cyrus & sasl; now it doesn't anymore. I have added a test file with the uid and gid of the LDAP-User to a dir but it doesn't resolve, and su LDAP-User doesn't work either. In syslog I can see that ldap gets searched when I do 'ls -l' on the folder with the test file but nothing gets returned. "finger LDAP-User" & "getent passwd|grep LDAP-User" return the user data via nss_ldap just fine. (The username has been changed, it isn't LDAP-User.) (Running on Debian Sarge - new install.)

Trying a ssh login gives me the following error:

sshd[5077]: Illegal user LDAP-User from ::ffff:70.118.xxx.xxx
sshd[5077]: (pam_unix) check pass; user unknown
sshd[5077]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.118.70.cfl.res.rr.com
sshd[5077]: error: PAM: Authentication service cannot retrieve authentication info. for illegal user LDAP-User from xxx.xxx.118.70.cfl.res.rr.com
sshd[5077]: Failed keyboard-interactive/pam for illegal user LDAP-User from ::ffff:70.118.xxx.xxx port 34721 ssh2

As you can see, according to auth.log it doesn't even seem to try pam_ldap, but when I look into syslog I can see slapd being searched for the user.
My setup is real basic at this point:

#/etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure try_first_pass

# /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

# /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

#/etc/pam_ldap.conf
host 127.0.0.1
base dc=pzzazz,dc=com
ldap_version 3
#I have added following to avoid LDAP acl conflicts
binddn cn=admin,dc=pzzazz,dc=com
bindpw secretPass
rootbinddn cn=admin,dc=pzzazz,dc=com
pam_password md5

Thank you for even reading this far.
Dennis Kaplan
I'm wondering if the addition of SASL broke things. slapd supports SASL binds, and maybe it no longer likes the simple binds (username and password) that pam_ldap is using?
What's your slapd.conf look like? And is there any funny-looking output in slapd's logfile?
I actually figured it out. 4 days on this. Well you know how it is.
I created a new user with phpldapadmin and that one was working. Then I exported and compared the two users' ldif files. The difference was that the user which didn't work didn't have the objectClass as last entry. So I cut and pasted the following from somewhere 3rd or 4th place from the bottom all the way down to the end and it worked.

objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: mailAccount
objectClass: amavisAccount
objectClass: PureFTPdUser

Thank you anyway. Hope one with the same problem finds this before spending 4 days on it.
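Added example, not from the thread or any of its posters: a small Python check for an exported user LDIF that reports missing objectClasses and attributes, so a mismatch like the one above shows up without diffing two exports by hand. The required class/attribute sets are assumptions about a typical nss_ldap/pam_ldap setup, and the sample entries are constructed.

```python
import base64

# Assumed requirements for a POSIX login account served by nss_ldap/pam_ldap
# (not taken from the thread): classes and attributes the entry must carry.
REQUIRED_CLASSES = {"posixAccount", "shadowAccount"}
REQUIRED_ATTRS = {"uid", "uidNumber", "gidNumber", "homeDirectory", "userPassword"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, folding RFC 2849
    continuation lines and decoding base64 ('attr:: ...') values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def check_posix_entry(attrs):
    """Return sorted problem strings; an empty list means the entry has
    everything nss_ldap and pam_ldap need to resolve and authenticate it."""
    classes = set(attrs.get("objectClass", []))
    problems = [f"missing objectClass: {c}" for c in sorted(REQUIRED_CLASSES - classes)]
    problems += [f"missing attribute: {a}" for a in sorted(REQUIRED_ATTRS - set(attrs))]
    return problems

# Constructed sample (not a real account). BROKEN lacks the posixAccount and
# shadowAccount objectClass lines, similar to the thread's broken user; FIXED restores them.
BROKEN_LDIF = """dn: uid=ldapuser,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: ldapuser
cn:: TERBUCBVc2Vy
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/
 ldapuser
userPassword: {MD5}placeholder-hash-not-real
"""
FIXED_LDIF = BROKEN_LDIF.replace(
    "objectClass: inetOrgPerson\n",
    "objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n")
```

Run `check_posix_entry(parse_ldif_entry(...))` on an `ldapsearch -LLL` or phpldapadmin export of the failing user; the returned list names exactly what to add.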