Old 04-20-2006, 01:49 PM   #1
Registered: Dec 2003
Location: USA
Distribution: Debian
Posts: 40

Rep: Reputation: 15
Debian pam_ldap

Read the bold for a quick view.
I also asked this question over at the Networking forum but didn't get a reply. I googled all over, read a million howtos and forum posts - I am out of ideas. Been on this now for over 3 days; hope someone will be kind enough to help.

pam_ldap was working before I installed postfix, cyrus & sasl; now it doesn't anymore.
I have added a test file with uid and gid of the LDAP-User to a dir but it doesn't resolve, and su LDAP-User doesn't work either.
In syslog I can see that ldap gets searched when I do 'ls -l' on the folder with the test file but nothing gets returned.

"finger LDAP-User" & "getent passwd|grep LDAP-User" return the user data via nss_ldap just fine.

(The username has been changed it isn't LDAP-User)
(Running on Debian Sarge - new install)

Trying an ssh login gives me the following error:
sshd[5077]: Illegal user LDAP-User from
sshd[5077]: (pam_unix) check pass; user unknown
sshd[5077]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
sshd[5077]: error: PAM: Authentication service cannot retrieve authentication info. for illegal user LDAP-User from
sshd[5077]: Failed keyboard-interactive/pam for illegal user LDAP-User from port 34721 ssh2

As you can see, according to auth.log it doesn't even seem to try pam_ldap, but when I look into syslog I can see slapd being searched for the user.

My setup is real basic at this point:
auth sufficient
auth required nullok_secure try_first_pass

# /etc/pam.d/common-account
account sufficient
account required try_first_pass

# /etc/pam.d/common-password
password sufficient
password required nullok obscure min=4 max=8 md5

base dc=pzzazz,dc=com
ldap_version 3
# I have added the following to avoid LDAP ACL conflicts
binddn cn=admin,dc=pzzazz,dc=com
bindpw secretPass
rootbinddn cn=admin,dc=pzzazz,dc=com
pam_password md5

Thank you for even reading this far.

Dennis Kaplan
Old 04-20-2006, 05:43 PM   #2
Registered: Apr 2006
Location: Pittsburgh
Distribution: Debian Sid AMD64
Posts: 296

Rep: Reputation: 30
I'm wondering if the addition of SASL broke things. slapd supports SASL binds, and maybe it no longer likes the simple binds (username and password) that pam_ldap is using?

What's your slapd.conf look like? And is there any funny-looking output in slapd's logfile?
Old 04-20-2006, 06:22 PM   #3
Registered: Dec 2003
Location: USA
Distribution: Debian
Posts: 40

Original Poster
Rep: Reputation: 15
I actually figured it out. 4 days on this. Well you know how it is.

I created a new user with phpldapadmin and that one was working.
Then I exported and compared the two users' LDIF files.
The difference was that the user which didn't work didn't have the objectClass as last entry.
So I cut and pasted the following from somewhere 3rd or 4th place from the bottom all the way down to the end and it worked.

objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: mailAccount
objectClass: amavisAccount
objectClass: PureFTPdUser

Thank you anyway. Hope one with the same problem finds this before spending 4 days on it.

Last edited by gruessle; 04-20-2006 at 06:23 PM.
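
The comparison from post #3 (export the working and the failing user as LDIF and see what differs), as an added example that is not part of the original thread. It goes slightly beyond a plain diff by unfolding continuation lines and decoding base64 values first; both entries are constructed samples and the function names are hypothetical.

```python
import base64

def parse_ldif_entry(text):
    """Parse one LDIF entry into ordered (attribute, value) pairs."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # folded line: join to previous
        elif line.strip():
            unfolded.append(line)
    pairs = []
    for line in (l for l in unfolded if not l.startswith("#")):  # skip comments
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64 value>"
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        pairs.append((attr.lower(), rest.strip()))
    return pairs

def compare_entries(working, broken):
    """Summarise structural differences between two parsed entries."""
    def order(pairs):                     # attribute names by first appearance
        return list(dict.fromkeys(a for a, _ in pairs if a != "dn"))
    def classes(pairs):                   # objectClass values, case-insensitive
        return {v.lower() for a, v in pairs if a == "objectclass"}
    ow, ob = order(working), order(broken)
    return {
        "attrs_only_in_working": sorted(set(ow) - set(ob)),
        "attrs_only_in_broken": sorted(set(ob) - set(ow)),
        "classes_only_in_working": sorted(classes(working) - classes(broken)),
        "classes_only_in_broken": sorted(classes(broken) - classes(working)),
        "attr_order": (ow, ob),
    }

# Constructed sample exports (not the poster's data).
WORKING = """dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
homeDirectory: /home/alice
objectClass: top
objectClass: posixAccount"""
BROKEN = """dn: uid=bob,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: bob
cn:: Qm9iIEV4YW1wbGU=
homeDirectory: /home/
 bob"""
REPORT = compare_entries(parse_ldif_entry(WORKING), parse_ldif_entry(BROKEN))
print(REPORT)
```
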


