Mailinglist Archive: opensuse (1126 mails)

Re: [opensuse] ldap authentication to Novell eDirectory
  • From: Ralf Haferkamp <rhafer@xxxxxxx>
  • Date: Wed, 1 Sep 2010 14:33:36 +0200
  • Message-id: <201009011433.36477.rhafer@xxxxxxx>
On Wednesday 01 September 2010 14:08:51 James Pifer wrote:
> On Wed, 2010-09-01 at 10:12 +0200, Ralf Haferkamp wrote:
> > Hi James,
> >
> > On Tuesday 31 August 2010 21:18:15 James Pifer wrote:
> > > I'm trying to set up ldap authentication to eDirectory. I'm
> > > actually doing it on SLES11, but hoping someone here can give me
> > > a hand. I'm getting an error when I try to ssh as a user that
> > > only exists in ldap, not locally. I've found a lot of references
> > > to this error, but have not found a solution that works for my
> > > situation.
> > >
> > > First, the error I see in the log is:
> > > pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root"
> > > (Invalid credentials)
> > >
> > > I can successfully bind to ldap using ldapsearch and ldapbrowser
> > > from sles11, so I know my credentials are correct.
> > >
> > > Connection to ldap is not encrypted so I've captured all three
> > > logins using wireshark. The authentication value for the simple
> > > bind matches for ldapsearch and ldapbrowser, but is different
> > > coming from pam_ldap. So it seems like pam_ldap is sending the
> > > password differently, maybe it's encrypting or something, don't
> > > know.
> >
> > No. pam_ldap is not touching the password sent in the LDAP Bind
> > Request. But sshd does in some situation overwrite the password
> > that it sends to the PAM stack. IIRC it sets it to a value
> > containing the string "INCORRECT" (plus some additional
> > non-printable chars). Is that what you see in your LDAP capture? If
> > yes then something is still wrong with either your
> > nss_ldap/pam_ldap configuration or with your sshd config. AFAIK one
> > situation when sshd does this overwriting is when it is not able to
> > resolve the username correctly. Does the following work on the
> > server you are trying to log into?
> >
> > getent passwd <your-user-id>
>
> No, getent doesn't work. The user doesn't need to exist in the local
> passwd does it?
Yes, it does not need to exist in /etc/passwd. But you have to set up your
system so that it resolves the users from LDAP then. I.e. you have to
configure nss_ldap. Setting up pam_ldap is not enough. Please check your
/etc/nsswitch.conf and enable LDAP lookups there, if you haven't already.

--
Ralf
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
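The NSS side of the problem Ralf describes, as an added example that is not part of the thread and not code from the poster's system: a POSIX sh check that tells you whether the passwd, group and shadow databases in an nsswitch.conf actually route through LDAP, which is the condition under which "getent passwd <user>" can resolve an LDAP-only user. The three nsswitch.conf files it inspects are constructed samples written to a temp directory; the acceptance of "compat" plus a passwd_compat/group_compat/shadow_compat line relies on the glibc compat scheme documented in nsswitch.conf(5), and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether /etc/nsswitch.conf
# lists "ldap" as a source for passwd, group and shadow, either directly
# or via the glibc "compat" scheme (passwd_compat: ldap, etc.). Without
# this, pam_ldap alone cannot make an LDAP-only user resolvable, which is
# the getent failure James reports.

# sources_for FILE DB: print the source list of database DB from FILE,
# ignoring commented lines and trailing comments. Empty if DB is absent.
sources_for() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/#.*//' | tail -n 1
}

# db_uses_ldap FILE DB: succeed if DB resolves through ldap, either as
# "DB: ... ldap ..." or as "DB: compat" plus "DB_compat: ... ldap ...".
db_uses_ldap() {
    srcs=" $(sources_for "$1" "$2") "
    case "$srcs" in
        *" ldap "*) return 0 ;;
    esac
    case "$srcs" in
        *" compat "*)
            compat=" $(sources_for "$1" "${2}_compat") "
            case "$compat" in *" ldap "*) return 0 ;; esac ;;
    esac
    return 1
}

# nsswitch_missing_ldap FILE: print the names of the passwd, group and
# shadow databases that do not route through ldap, space-separated.
# Empty output means NSS is set up and getent can reach LDAP users.
nsswitch_missing_ldap() {
    missing=""
    for db in passwd group shadow; do
        db_uses_ldap "$1" "$db" || missing="$missing $db"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample files (assumed content, not the poster's real config).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# 1. pam_ldap configured but nsswitch.conf untouched: James's situation.
cat > "$TMP/nsswitch.files-only" <<'EOF'
passwd: compat
group:  compat
shadow: compat   # no ldap anywhere
hosts:  files dns
EOF

# 2. NSS routed through LDAP directly.
cat > "$TMP/nsswitch.direct" <<'EOF'
passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
EOF

# 3. NSS routed through LDAP via the compat scheme.
cat > "$TMP/nsswitch.compat" <<'EOF'
passwd:        compat
group:         compat
shadow:        compat
passwd_compat: ldap
group_compat:  ldap
shadow_compat: ldap
EOF

for f in files-only direct compat; do
    m=$(nsswitch_missing_ldap "$TMP/nsswitch.$f")
    if [ -z "$m" ]; then
        echo "$f: ok, getent can resolve LDAP users"
    else
        echo "$f: databases without ldap: $m"
    fi
done
```

Run it against the real file with `nsswitch_missing_ldap /etc/nsswitch.conf`; a non-empty result is the NSS gap Ralf is pointing at, and fixing it comes before looking any further at pam_ldap or sshd.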
