Hi am trying to validate a user against a ldap directory with a small pam
enabled application.

If I use "pam_unix.so" in the pam config file for the app
the users authenticates fine.On the other hand if I use
"pam_ldap.so" the authentication fails.

The pam log file records :

pam_ldap: error trying to bind as user "uid=abrb220,ou=People,dc=ldap268"
(Insufficient access)

I think I have set up the ldap directory correctly but are really unsure
about how to put the passwords in.
Here is a the entry of a user in the ldif file used to add it.

----------------------------------------------------------------

dn: uid=abrb220,ou=People,dc=ldap268
uid: abrb220
cn: Rodney
sn: Rodney
mail: abrb220@ldap268.com
mailRoutingAddress: abrb220@ldap268.com
mailHost: ldap268.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/abrb220
gecos: Rodney

---------------------------------------------------------------


The other config files :


/etc/ldap.conf :

------------------------------------------------------------------
# Your LDAP server. Must be resolvable without using LDAP.

# The distinguished name of the search base.
HOST 127.0.0.1
BASE dc=ldap268

pam_login_attribute uid
ldap_version 3
rootbinddn cn=admin,dc=ldap268

------------------------------------------------------------------
/etc/openldap/slapd.conf

------------------------------------------------------------------

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema

database ldbm
suffix "dc=ldap268"
rootdn "cn=admin, dc=ldap268"
rootpw {MD5}X03MO1qnZdYdgyfeuILPmQ==
#rootpw secret
directory /var/lib/ldap
loglevel 296
password-hash {md5}

access to * by *
------------------------------------------------------------------

The apps pam file in /etc/pam.d :

------------------------------------------------------------------
#%PAM-1.0
auth required pam_warn.so
auth required pam_ldap.so

------------------------------------------------------------------


thanks

Hi,

first try the following command to verify you can potentially access your server: ldapsearch -x -b "dc=ldap268" "(objectclass=*)"
If you see some output, i.e. your directory-objects the client to server connection is ok. What concerns me more is you pam.conf file. Does it really look like this or are that only the first two lines? You have to edit it in any case if you want to login:
* forget pam.conf, there hasn't to be anything in it
* your pam_ldap.conf should at least consist of these lines:

host [YOUR SERVERS IP]
base dc=ldap268
uri ldap://[YOUR SERVERS IP]/
ldap_version 3
scope sub
timelimit 30
pam_login_attribute uid
pam_member_attribute memberUid
pam_password exop
sslno

more information about that syntax at www.padl.com

To successfully login edit the files in /etc/pam.d (example passwd) like this

password sufficient pam_ldap.so obscure min=4
password required pam_unix.so nullok obscure min=4

you should now be able to login at the console.

If you don't know how to create passwords by hand:
perl -e 'print crypt('YOUR_PASS','TWO_CHARACTER_SALT'),"\n"'

cut and paste it like {crypt}YOUR_PASS_HASH into your ldif.

Just wondering, I am having the same problem authenticating with Fedora Directory Server.