Old 08-23-2005, 12:30 PM   #1
Why can't my user authenticate from RH Linux to Sun ONE DS using LDAP?

I apologize for being a complete moron, but I have spent 3 days on this and it still doesn't work.
I set up a Sun ONE Directory Server 5.2. It has one user, Troy, and is running on my Solaris 10 machine. Using Telnet, Troy can login just fine and be authenticated. Additionally, from my other Solaris machine, Troy can log in just fine. Setting up the LDAP client in Solaris was fairly easy.

On my RH 4 AS machine, I have two users locally, root and sqa. I want Troy to be able to log in using LDAP authentication, but when I try to log in from the Linux machine, I get nowhere. The login dialog just gives me an error message saying the user or password is invalid. If I try to log in as sqa now, I get "authentication failed", which means that only root can log on to the Linux machine. The /var/log/messages contains:

9:27:43 redhat4asclean gdm(pam_unix)[2905]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Aug 23 09:27:43 redhat4asclean gdm-binary[2905]: pam_ldap: error trying to bind (No such object)
Aug 23 09:27:46 redhat4asclean gdm-binary[2905]: Couldn't authenticate user
Aug 23 09:27:56 redhat4asclean gdm(pam_unix)[2905]: check pass; user unknown
Aug 23 09:27:56 redhat4asclean gdm(pam_unix)[2905]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Aug 23 09:27:56 redhat4asclean gdm-binary[2905]: pam_ldap: error trying to bind (No such object)
Aug 23 09:28:00 redhat4asclean gdm-binary[2905]: Couldn't authenticate user
Aug 23 09:28:06 redhat4asclean gdm[2905]: pam_ldap: error trying to bind (No such object)
Aug 23 09:28:06 redhat4asclean gdm[2905]: Couldn't set acct. mgmt for sqa
Aug 23 09:28:13 redhat4asclean gdm(pam_unix)[2905]: session opened for user root by (uid=0)
Aug 23 09:28:14 redhat4asclean gconfd (root-3113): starting (version 2.8.1), pid 3113 user 'root'

The first one, "no such object," is Troy (he exists in Sun ONE DS only). The second one is sqa (he is local Linux machine user). The one that finally works is root.

I have modified many .conf files, to no avail! Is there some basic setting that I just don't have set properly? Here are contents of other files:

/etc/ldap.conf is trying to bind to the LDAP server with name of the default Sun user. Was I supposed to use that proxy agent guy instead? I'm confused here:

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Directory Manager,dc=mydomain,dc=com

# The credentials to bind with.
# Optional: default is no credential.
bindpw thepassword

What is this for?
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount

I am using "crypt" in Solaris for the unix authentication. Am I supposed to uncomment this line:
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

As is obvious, I am incredibly confused by all the different user and binding and such (There is Directory Manager in Sun, and some posixAccount user, whose purpose I have no idea about). Hopefully, someone can help me here! Thanks in advance for any help!
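The log excerpt above distinguishes two different failure layers, and reading them apart is the fastest way to narrow a PAM/LDAP problem down. "pam_ldap: error trying to bind (No such object)" is the LDAP server's noSuchObject result returned at bind time, i.e. the DN the client binds as (binddn in /etc/ldap.conf) is not held by the server; it is raised before any user is looked up, which is why it appears for Troy and for the local user sqa alike. "check pass; user unknown" from pam_unix is a per-user lookup miss. The script below is an added example, not code from the poster or from the pam_ldap/nss_ldap projects: it parses syslog-style lines (the posted lines are embedded as constructed sample input, with the first line's truncated timestamp left out) and classifies each into a service-level bind failure or a user-level failure so a repeated bind error is not mistaken for a bad password.

```python
import re
from collections import Counter

# Constructed sample input: the gdm/PAM lines from the post, as a syslog excerpt.
# Hostname and pid are as posted; this is not live data.
SAMPLE_LOG = """\
Aug 23 09:27:43 redhat4asclean gdm(pam_unix)[2905]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Aug 23 09:27:43 redhat4asclean gdm-binary[2905]: pam_ldap: error trying to bind (No such object)
Aug 23 09:27:46 redhat4asclean gdm-binary[2905]: Couldn't authenticate user
Aug 23 09:27:56 redhat4asclean gdm(pam_unix)[2905]: check pass; user unknown
Aug 23 09:27:56 redhat4asclean gdm(pam_unix)[2905]: authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Aug 23 09:27:56 redhat4asclean gdm-binary[2905]: pam_ldap: error trying to bind (No such object)
Aug 23 09:28:00 redhat4asclean gdm-binary[2905]: Couldn't authenticate user
Aug 23 09:28:06 redhat4asclean gdm[2905]: pam_ldap: error trying to bind (No such object)
Aug 23 09:28:06 redhat4asclean gdm[2905]: Couldn't set acct. mgmt for sqa
Aug 23 09:28:13 redhat4asclean gdm(pam_unix)[2905]: session opened for user root by (uid=0)
"""

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Ordered rules, first match wins. The LDAP bind error is checked first because
# it is a failure of the client's own service bind, not of the user logging in.
RULES = [
    (re.compile(r"pam_ldap: error trying to bind \((?P<reason>[^)]*)\)"), "ldap_bind_failed"),
    (re.compile(r"check pass; user unknown"), "user_unknown"),
    (re.compile(r"authentication failure"), "auth_failure"),
    (re.compile(r"Couldn't set acct\. mgmt for (?P<user>\S+)"), "acct_mgmt_failed"),
    (re.compile(r"Couldn't authenticate user"), "auth_failed_summary"),
    (re.compile(r"session opened for user (?P<user>\S+)"), "session_opened"),
]


def parse_line(line):
    """Return a dict with the syslog fields plus a 'category', or None if the
    line is not in syslog format. Named groups from the matching rule
    (e.g. 'reason', 'user') are merged into the dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = "other"
    for pattern, category in RULES:
        hit = pattern.search(rec["msg"])
        if hit:
            rec["category"] = category
            rec.update(hit.groupdict())
            break
    return rec


def triage(log_text):
    """Count categories and collect distinct bind-failure reasons.

    A service-level bind error repeated across different users means pam_ldap
    cannot authenticate *itself* with binddn/bindpw; until that is fixed no
    per-user result (user unknown, authentication failure) is meaningful."""
    counts = Counter()
    bind_reasons = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["category"]] += 1
        if rec["category"] == "ldap_bind_failed":
            bind_reasons.add(rec["reason"])
    if counts["ldap_bind_failed"]:
        verdict = "service_bind_failure"
    elif counts["user_unknown"] or counts["auth_failure"]:
        verdict = "user_level_failure"
    else:
        verdict = "ok"
    return {"counts": dict(counts), "bind_reasons": sorted(bind_reasons), "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("verdict:", result["verdict"])
    print("bind reasons:", result["bind_reasons"])
    for category, n in sorted(result["counts"].items()):
        print("  %-20s %d" % (category, n))
```

Run against the sample it reports service_bind_failure with the single reason "No such object", three bind failures, one "user unknown" and one successful root session, which matches the poster's reading of the three attempts. Pointing it at the real /var/log/messages (`triage(open("/var/log/messages").read())`) gives the same split for a live box.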

Old 08-24-2005, 11:53 PM   #2
Alright, real quick.
You are unable to bind to the LDAP server. That is the PAM error. Now, I'm not sure if "Directory Manager" is just what you stuck in there because this is a public forum, or if that actually is your DN. If it is the DN, try Directory\ Manager (use the slash)

I assume that you have PAM set up to use the PADL nss_ldap module, and that you have configured NIS?

One quick thing that you can do is use the command getent passwd (or group, or shadow). This will show you all of the users, groups, or shadow entries that PAM has access to, via local files or LDAP. Great way to test after config changes without logging in/out.

The other thing that you can do, is configure not just /etc/ldap.conf, but also /etc/openldap/ldap.conf. /etc/openldap/ldap.conf is the file that is used by the openldap suite of tools, such as ldapsearch. Try running an ldapsearch against your machine, and see what you come up with.

The other question that you had, is what is the pam_filter object_class=POSIXAccount entry?
When you do an LDAP query (you'll figure this out by using ldapsearch), one of the parameters that you can search by is an object class. This will return all of the entries of a given type from that LDAP server, provided it is a valid class in the schema.
In this case, it is telling the LDAP that all PAM cares about is the username (POSIXAccount) entries in the schema, so when you query for a user - look in all of the POSIXAccount entries.

The password encryption setting tells LDAP whether or not to use the standard password hashing used with /etc/shadow on the LDAP passwords, if you are configured to use LDAP for authentication as well. If you didn't create the passwords using the hash, or you aren't using LDAP for authentication - don't worry about this one.

Try a couple of these things, and let me know what happens.
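To make the pam_filter explanation concrete: the comment in /etc/ldap.conf ("Filter to AND with uid=%s") describes how the login name is combined with pam_filter into one search filter, so the user lookup only matches entries of the posixAccount class. The following is an added example, not code from the reply's author or from the PADL nss_ldap/pam_ldap projects: a small parser for the key/value style of that config file (a constructed excerpt with placeholder values is embedded) and a filter builder that ANDs the login-attribute term with pam_filter. The builder escapes the login name per RFC 4515 before placing it in the filter, the check any code that turns user input into an LDAP filter needs so that a crafted name cannot widen the search; the default login attribute `uid` and the key name `pam_login_attribute` are assumptions taken from the config comment and nss_ldap's documented option names.

```python
# Constructed excerpt in the PADL /etc/ldap.conf style. Values are placeholders
# from the post, not a real site's configuration.
SAMPLE_LDAP_CONF = """\
# The distinguished name to bind to the server with.
binddn cn=Directory Manager,dc=mydomain,dc=com
# The credentials to bind with.
bindpw thepassword
base dc=mydomain,dc=com
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
pam_login_attribute uid
"""


def parse_ldap_conf(text):
    """Toy parser for the nss_ldap/pam_ldap config style: the first word of a
    line is the key and the remainder of the line is the value, so a DN that
    contains a space is kept intact. Comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


# RFC 4515 escapes for a value placed inside a search filter. These characters
# are the ones that would otherwise change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a single attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, conf):
    """Return the filter a pam_ldap-style user lookup sends: the login
    attribute match ANDed with pam_filter, i.e. (&(uid=<user>)(<pam_filter>)).
    If pam_filter is unset, only the login attribute term is used."""
    attr = conf.get("pam_login_attribute", "uid")   # assumed default: uid
    user_term = "(%s=%s)" % (attr, escape_filter_value(username))
    extra = conf.get("pam_filter")
    if not extra:
        return user_term
    if not extra.startswith("("):          # allow "objectclass=posixAccount" as written
        extra = "(%s)" % extra
    return "(&%s%s)" % (user_term, extra)


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print("bind as   :", conf["binddn"])
    print("search base:", conf["base"])
    # Normal login name from the post.
    print("filter     :", build_user_filter("troy", conf))
    # A name containing filter metacharacters is neutralised by escaping,
    # so it still matches at most one literal uid value.
    print("escaped    :", build_user_filter("*)(uid=*", conf))
```

The first filter printed is `(&(uid=troy)(objectclass=posixAccount))`, which is also what you can paste into ldapsearch (`ldapsearch -x -b "dc=mydomain,dc=com" "(&(uid=troy)(objectclass=posixAccount))"`) to confirm by hand that the server returns Troy's entry under the configured base. Note that the bind with binddn/bindpw happens before this search is ever sent, so a bind error in the log has to be resolved first; once the bind works, `getent passwd troy` exercises exactly this filter through nss_ldap.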
