LinuxQuestions.org
Old 10-04-2009, 06:11 AM   #1
gxw
LQ Newbie
 
Registered: Apr 2007
Posts: 6

Rep: Reputation: 0
Can't log in despite ldappasswd returning success


Hi,

I'm trying to set up LDAP server & client operating between two VMs. All seems to have gone OK and ldapsearches work but I still can't ssh into the client machine using a uid defined on the server.

I tried changing the password as follows:

[root@server openldap]# ldappasswd -x -D "cn=root,dc=example,dc=com" -w secret -s newpass "uid=testuser1,ou=People,dc=example,dc=com"
Result: Success (0)
[root@server openldap]#

But when I ssh I get

[root@client ~]# ssh testuser1@server.example.com
testuser1@server.example.com's password:
Permission denied, please try again.
testuser1@server.example.com's password:

I am typing in newpass as the password but as you can see, not getting in.

What else do I need to do other than the ldappasswd?

I restarted the ldap service but no joy there.

Ideas please? Is it something to do with encryption?
 
Old 10-04-2009, 08:38 PM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
I'm guessing that user has no ssh access on the client, and it probably has nothing to do with LDAP at all. Take a look here: https://help.ubuntu.com/9.04/serverg...sh-server.html, you might find something interesting.
 
Old 10-04-2009, 08:40 PM   #3
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
Just spotted this:
Code:
[root@client ~]# ssh testuser1@server.example.com
You should realise you are going the wrong way around. I doubt you have set up the machine running the LDAP server to be a client also, have you?
 
Old 10-05-2009, 01:28 PM   #4
gxw
LQ Newbie
 
Registered: Apr 2007
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks Irishbitte.

It's not ssh that's stopping me - as I'm also trying to log in from the console and that fails too.

And yes, I have actually set up the server as a client but I realise that my test was overly complex. Subsequent tests to ssh to testuser@client from client still prove unsuccessful.
However, I have now noticed some error messages in /var/log/secure.

It seems the logins are being rejected by PAM! How do I get PAM to interface with LDAP or vice-versa?
 
Old 10-05-2009, 01:45 PM   #5
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
The pam_ldap module is what should be the case. Depends on your distro! What are you running?
 
Old 10-05-2009, 09:07 PM   #6
hexahost
LQ Newbie
 
Registered: Oct 2008
Location: Chennai - INDIA
Distribution: CentOS
Posts: 10

Rep: Reputation: 0
Quote:
Originally Posted by irishbitte View Post
The pam_ldap module is what should be the case. Depends on your distro! What are you running?

Run authconfig or system-config-authentication to use LDAP authentication in your client.
 
Old 10-08-2009, 02:45 AM   #7
gxw
LQ Newbie
 
Registered: Apr 2007
Posts: 6

Original Poster
Rep: Reputation: 0

Irishbitte, I'm running RHEL5.
Hexahost, I did use system-config-authentication to configure both clients.

Actually I managed to get it working now. The breakthrough was finding this link below, ironically while looking for PAM info, but the PAM errors were a red herring, and the key was following the syntax carefully in the LDIF files included in this guy's openldap section:

http://www.openldap.org/lists/openld.../msg00097.html

I had been trying to use Posix parameters in the LDIF to identify my test user but ldapadd had been moaning about schemas which I thought were OK.
I think the key parameter was the following:

objectClass: posixAccount

That seems to allow the gidNumber and uidNumber parms to stick.

The PADL.com website also had some useful migration tools which take users from your passwd file and create LDIFs for you, although I was only setting this up to test so didn't use the tools.

I also think that forgetting the Group construct from my LDIF file probably didn't help either.

I'm glad I can move on now. I think I've learned way more about LDAP than I needed to, and I know I've only just scratched the surface!
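
One way to catch the LDIF mistakes described in the post above before running ldapadd, as an added example that is not part of the original thread: it checks for the RFC 2307 required attributes of posixAccount and posixGroup and that each account's gidNumber has a group entry. The numeric IDs, home directory and ou=Group container in the sample are constructed assumptions.

```python
REQUIRED = {"posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
            "posixgroup": {"cn", "gidnumber"}}  # each class's MUST attributes (RFC 2307)

def parse_ldif(text):
    """Parse unfolded LDIF text into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.strip() and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.lstrip(":").strip())
        entries.append(entry)
    return [e for e in entries if e]

def classes_of(entry):
    return {c.lower() for c in entry.get("objectclass", [])}

def lint(text):
    """Return a list of problems that would stop an entry working as a login."""
    entries, problems = parse_ldif(text), []
    group_gids = {g for e in entries if "posixgroup" in classes_of(e) for g in e.get("gidnumber", [])}
    for e in entries:
        dn, classes = e.get("dn", ["<no dn>"])[0], classes_of(e)
        for cls in sorted(classes & set(REQUIRED)):
            problems += [f"{dn}: {cls} requires {a}" for a in sorted(REQUIRED[cls] - set(e))]
        if {"uidnumber", "gidnumber"} & set(e) and not classes & set(REQUIRED):
            problems.append(f"{dn}: uidNumber/gidNumber without posixAccount/posixGroup")
        if "posixaccount" in classes and not set(e.get("gidnumber", [])) <= group_gids:
            problems.append(f"{dn}: gidNumber has no matching posixGroup entry")
    return problems

# Constructed sample: numeric IDs, home directory and ou=Group are assumptions.
FIXED = """\
dn: uid=testuser1,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: testuser1
uid: testuser1
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/testuser1

dn: cn=testuser1,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: testuser1
gidNumber: 1001
"""
BROKEN = FIXED.replace("objectClass: posixAccount\n", "")
```

`lint(FIXED)` returns an empty list, while `lint(BROKEN)` flags the user entry whose uidNumber and gidNumber have no posixAccount class to belong to.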
 
Old 10-08-2009, 04:46 AM   #8
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
Yup, LDAP is incredibly powerful, great tool for managing user data on a website for example. As a basis for a directory server, it's excellent. I struggled with this a couple of years ago setting up an OpenLDAP authentication server. Great fun!
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration