LinuxQuestions.org
Old 04-20-2006, 02:49 PM   #1
gruessle
Member
 
Registered: Dec 2003
Location: USA
Distribution: Debian
Posts: 40

Rep: Reputation: 15
Debian pam_ldap


Hi
Read the bold for a quick view.
I asked this question also over at the Networking forum but didn't get a reply. I googled all over, read a million howtos, and forum posts - I am out of ideas. Been on this now for over 3 days; hope someone will be kind enough to help.

pam_ldap was working before I installed postfix, cyrus & sasl; now it doesn't anymore.
I have added a test file with uid and gid of the LDAP-User to a dir but it doesn't resolve, and su LDAP-User doesn't work either.
In syslog I can see that ldap gets searched when I do 'ls -l' on the folder with the test file but nothing gets returned.

"finger LDAP-User" & "getent passwd|grep LDAP-User" return the user data via nss_ldap just fine.

(The username has been changed it isn't LDAP-User)
(Running on Debian Sarge - new install)

Trying a ssh login gives me following error:
sshd[5077]: Illegal user LDAP-User from ::ffff:70.118.xxx.xxx
sshd[5077]: (pam_unix) check pass; user unknown
sshd[5077]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.118.70.cfl.res.rr.com
sshd[5077]: error: PAM: Authentication service cannot retrieve authentication info. for illegal user LDAP-User from xxx.xxx.118.70.cfl.res.rr.com
sshd[5077]: Failed keyboard-interactive/pam for illegal user LDAP-User from ::ffff:70.118.xxx.xxx port 34721 ssh2

As you can see, according to auth.log it doesn't even seem to try pam_ldap, but when I look into syslog I can see slapd being searched for the user.

My setup is real basic at this point:
#/etc/pam.d/common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure try_first_pass

# /etc/pam.d/common-account
account sufficient pam_ldap.so
account required pam_unix.so try_first_pass

# /etc/pam.d/common-password
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8 md5

#/etc/pam_ldap.conf
host 127.0.0.1
base dc=pzzazz,dc=com
ldap_version 3
#I have added following to avoid LDAP acl conflicts
binddn cn=admin,dc=pzzazz,dc=com
bindpw secretPass
rootbinddn cn=admin,dc=pzzazz,dc=com
pam_password md5

Thank you for even reading this far.

Dennis Kaplan
 
Old 04-20-2006, 06:43 PM   #2
ataraxia
Member
 
Registered: Apr 2006
Location: Pittsburgh
Distribution: Debian Sid AMD64
Posts: 296

Rep: Reputation: 30
I'm wondering if the addition of SASL broke things. slapd supports SASL binds, and maybe it no longer likes the simple binds (username and password) that pam_ldap is using?

What's your slapd.conf look like? And is there any funny-looking output in slapd's logfile?
 
Old 04-20-2006, 07:22 PM   #3
gruessle
Member
 
Registered: Dec 2003
Location: USA
Distribution: Debian
Posts: 40

Original Poster
Rep: Reputation: 15
I actually figured it out. 4 days on this. Well you know how it is.

I created a new user with phpldapadmin and that one was working.
Then I exported and compared the two users ldif files.
The difference was that the user which didn't work didn't have the objectClass as last entry.
So I cut and pasted following from somewhere 3rd or 4th place from bottom all the way down to the end and it worked.

objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: mailAccount
objectClass: amavisAccount
objectClass: PureFTPdUser

Thank you anyway. Hope one with the same problem finds this before spending 4 days on it.

Last edited by gruessle; 04-20-2006 at 07:23 PM.
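
The export-and-compare step from the last post, as an added example that is not part of the original thread: a small LDIF parser that reports where two user entries differ in attributes, objectClass values, and whether the objectClass lines come last. The two sample entries are constructed, dc=example,dc=com is a placeholder, and the function names are hypothetical.

```python
import base64

# Constructed sample exports (not from the thread); dc=example,dc=com is a placeholder.
WORKING = """dn: uid=newuser,ou=people,dc=example,dc=com
uidNumber: 1001
homeDirectory: /home/newuser
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
"""
BROKEN = """dn: uid=olduser,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uidNumber: 1002
homeDirectory:: L2hvbWUvb2xkdXNlcg==
"""

def parse_ldif_entry(text):
    """Return [(attr, value), ...] in file order for a single LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # RFC 2849 folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    pairs = []
    for line in lines:
        if line.startswith("#"):            # comment (possibly folded), skip
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: value" is base64-encoded
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        pairs.append((attr.strip(), rest.strip()))
    return pairs

def compare_entries(a_text, b_text):
    def summary(text):
        pairs = parse_ldif_entry(text)
        names = [n.lower() for n, _ in pairs]
        classes = {v.lower() for n, v in pairs if n.lower() == "objectclass"}
        # Third item: True when no other attribute follows the objectClass lines.
        return set(names), classes, names[-1:] == ["objectclass"]
    (an, ac, al), (bn, bc, bl) = summary(a_text), summary(b_text)
    return {
        "attrs_only_in_a": sorted(an - bn),
        "attrs_only_in_b": sorted(bn - an),
        "classes_only_in_a": sorted(ac - bc),
        "classes_only_in_b": sorted(bc - ac),
        "objectclass_last": (al, bl),
    }
print(compare_entries(WORKING, BROKEN))
```

Identity attributes such as uid and uidNumber are expected to differ between two users, so only attribute names and objectClass values are compared.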