Old 01-21-2009, 01:43 PM   #1
LQ Newbie
Registered: Jan 2009
Posts: 20

Rep: Reputation: Disabled
pam ldap authentication

I've been reading everything I can find on how to get this working with no luck. I am trying to get pam authentication to use ldap and with su and ssh the following errors are logged to /var/log/messages:

Jan 21 13:30:29 sshd[9562]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 21 13:31:10 su: pam_ldap: ldap_simple_bind Can't contact LDAP server

If I do an ldapsearch from this same machine it works:

ldapsearch -x -b "dc=bar,dc=com" cn=brandon

I'm not clear on if /etc/pam_ldap.conf needs to exist or if /etc/ldap.conf is sufficient for pam. This is on a

# cat /etc/fedora-release
Fedora Core release 5 (Bordeaux)

machine. Thanks for any help.
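
The question above hinges on which configuration file each client reads: pam_ldap and nss_ldap read their own `key value` file (/etc/ldap.conf or /etc/pam_ldap.conf), while ldapsearch reads the OpenLDAP tools' /etc/openldap/ldap.conf with uppercase keys. The following Python check is an added example, not from this thread or from the pam_ldap project; it parses both styles and reports where the two clients would be sent to different servers. The sample file contents are constructed.

```python
"""Compare pam_ldap/nss_ldap client settings with the OpenLDAP tools' settings,
so a working ldapsearch and a failing pam_ldap can be explained side by side."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_ldap_conf(text):
    """Parse 'key value' lines of either file style into a dict with lower-cased keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def endpoints(settings):
    """Return the (scheme, host, port) tuples a client would try, from 'uri' or 'host'/'port'."""
    found = []
    if "uri" in settings:  # 'uri' takes precedence over 'host' in both clients
        for uri in settings["uri"].split():
            u = urlsplit(uri)
            # libldap treats a URI with no host part, e.g. "ldap://", as localhost
            found.append((u.scheme, u.hostname or "localhost", u.port or DEFAULT_PORTS.get(u.scheme)))
    elif "host" in settings:
        port = int(settings.get("port", 389))
        for host in settings["host"].split():
            found.append(("ldap", host, port))
    return found

def compare_clients(pam_text, tools_text):
    """List the differences that would make pam_ldap and ldapsearch talk to different places."""
    pam, tools = parse_ldap_conf(pam_text), parse_ldap_conf(tools_text)
    findings = []
    pam_ep, tools_ep = endpoints(pam), endpoints(tools)
    if not pam_ep:
        findings.append("pam_ldap config names no server (no uri/host line)")
    elif pam_ep != tools_ep:
        findings.append("different servers: pam_ldap %s vs tools %s" % (pam_ep, tools_ep))
    norm = lambda dn: dn.replace(" ", "").lower()
    if norm(pam.get("base", "")) != norm(tools.get("base", "")):
        findings.append("different search bases: %r vs %r" % (pam.get("base"), tools.get("base")))
    return findings

# Constructed sample: the tools file points at the local slapd, the pam_ldap file at a hostname.
TOOLS_CONF = "BASE dc=bar,dc=com\nURI ldap://localhost\n"
PAM_CONF = "# pam_ldap / nss_ldap settings\nhost ldap.bar.com\nbase dc=bar,dc=com\nldap_version 3\n"

if __name__ == "__main__":
    for finding in compare_clients(PAM_CONF, TOOLS_CONF):
        print(finding)
```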

Old 01-21-2009, 04:54 PM   #2
Senior Member
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 164Reputation: 164
Originally Posted by:
I've been reading everything...<SNIP>...Thanks for any help. Brandon
This isn't a direct help since it's debian and not fedora, but I do know all the steps are included and that was the problem I ran into when I was attempting to implement this. YMMV but this DOES include everything necessary to get ldap pam and libnss stuff to work if you have the right packages installed.

Replace /etc/ldap/slapd.conf with the following:


include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/misc.schema

pidfile         /var/run/slapd/
argsfile        /var/run/slapd/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1
backend         bdb
checkpoint 512 30

database        bdb
suffix          "dc=fakedom,dc=dom"
rootdn          "cn=admin,dc=fakedom,dc=dom"
rootpw          (run slappasswd and paste output here)
directory       "/var/lib/ldap"
lastmod         on

access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=fakedom,dc=dom" write
by anonymous auth
by self write
by * none

access to *
by dn="cn=admin,dc=fakedom,dc=dom" write
by * read

Replace /etc/nsswitch.conf with the following:

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Replace /etc/libnss-ldap.conf with the following:


base dc=fakedom,dc=dom
uri ldap://
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom

Replace  /etc/pam_ldap.conf with the following:


base dc=fakedom,dc=dom
uri ldap://
ldap_version 3
rootbinddn cn=admin,dc=fakedom,dc=dom
pam_password exop

Replace /etc/ldap/ldap.conf with the following:


BASE    dc=fakedom,dc=dom
URI     ldap://

Create a base.ldif file in /tmp to import into the directory to test against:


dn: dc=fakedom,dc=dom
objectClass: top
objectClass: dcObject
objectClass: organization
o: fakedom.dom
dc: fakedom

dn: cn=admin,dc=fakedom,dc=dom
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: (Paste output from slappasswd)

dn: ou=People,dc=fakedom,dc=dom
ou: People
objectClass: organizationalUnit
objectClass: top

dn: uid=testy,ou=People,dc=fakedom,dc=dom
uid: testy
cn: testy
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/testy
gecos: Testy,,,,
userPassword: (Paste output from slappasswd)


# /etc/init.d/slapd restart

# ldapadd -x -W -D 'cn=admin,dc=fakedom,dc=dom' -f /tmp/base.ldif  (enter password when prompted)

# /etc/init.d/slapd restart

# getent passwd | grep testy (should return testy's entry)

# /etc/init.d/openbsd-inetd start

# telnet localhost and use testy's login credentials, if it works you're set... if not reread and try again.

Old 01-22-2009, 07:58 AM   #3
LQ Newbie
Registered: Jan 2009
Posts: 20

Original Poster
Rep: Reputation: Disabled
Thanks for the reply. I'll give your suggestions a try.

Something I failed to mention which is probably very relevant is that I can't get local accounts in /etc/passwd to work either. Even with local accounts, I get the same error in /var/log/messages about not being able to contact the LDAP server. Maybe this means something more fundamental is wrong.
