Mailinglist Archive: opensuse (1126 mails)

< Previous Next >
Re: [opensuse] ldap authentication to Novell eDirectory
  • From: Ralf Haferkamp <rhafer@xxxxxxx>
  • Date: Wed, 1 Sep 2010 10:12:20 +0200
  • Message-id: <201009011012.20761.rhafer@xxxxxxx>
Hi James,

On Tuesday 31 August 2010 21:18:15 James Pifer wrote:
I'm trying to setup ldap authentication to eDirectory. I'm actually
doing it on SLES11, but hoping someone here can give me a hand. I'm
getting an error when I try to ssh as a user that only exists in ldap,
not locally. I've found a lot of references to this error, but have
not found a solution that works for my situation.

First, the error I see in the log is:
pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root"
(Invalid credentials)

I can successfully bind to ldap using ldapsearch and ldapbrowser from
sles11, so I know my credentials are correct.

Connection to ldap is not encrypted so I've captured all three logins
using wireshark. The authentication value for the simple bind matches
for ldapsearch and ldapbrowser, but is different coming from pam_ldap.
So it seems like pam_ldap is sending the password different, maybe
it's encrypting or something, don't know.
No. pam_ldap is not touching the password sent in the LDAP Bind Request.
But sshd does in some situation overwrite the password that it sends to
the PAM stack. IIRC it sets it to a value containing the string
"INCORRECT" (plus some addtional non-printable chars). Is that what you
see in your LDAP capture? If yes then something is still wrong with
either your nss_ldap/pam_ldap configuration or with your sshd config.
AFAIK one situation when sshd does this overwriting is when it is not
able to resolve the username correctly. Does the following work on the
server you are trying to log into?

getent passwd <your-user-id>

In /etc/ldap.conf I've set:

base o=root
bind_policy soft
pam_lookup_policy yes
pam_password nds
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis

I also tried pam_password clear.

Anyone have any suggestions? Maybe I'm just overlooking something very

The complete output from the log is:
Aug 31 13:48:32 sles11 sshd[19756]: Invalid user myid from
This line indicates, that sshd could not correctly resolve the user
"myid". Please check your nss_ldap setup.

Aug 31 13:48:39 sles11 sshd[19761]: pam_ldap: error
trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid

To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups