On Tue, 2010-08-31 at 15:18 -0400, James Pifer wrote:
> I'm trying to setup ldap authentication to eDirectory. I'm actually doing it
> on SLES11, but hoping someone here can give me a hand. I'm getting an error
> when I try to ssh as a user that only exists in ldap, not locally. I've found
> a lot of references to this error, but have not found a solution that works
> for my situation. First, the error I see in the log is:
>
> pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
Is this an DN you've specified anywhere?
> I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11,
> so I know my credentials are correct. Connection to ldap is not encrypted so
> I've captured all three logins using wireshark. The authentication value for
> the simple bind matches for ldapsearch and ldapbrowser, but is different
> coming from pam_ldap. So it seems like pam_ldap is sending the password
> different, maybe it's encrypting or something, don't know.
PAM doesn't typically bind as "the user" but looks up information using some generic credentials. Is NSS working? Specified in /etc/ldap.conf (for example):
---------------------------------------------------
binddn uid=nss,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
bindpw *************
---------------------------------------------------
> In /etc/ldap.conf I've set:
>
> host 192.168.100.21
> base o=root
"o=root" Really?
> bind_policy soft
> pam_lookup_policy yes
> pam_password nds
> nss_initgroups_ignoreusers root,ldap
> nss_schema rfc2307bis
>
> I also tried pam_password clear.
That only has to do with *changing* the passwords. PAM doesn't need to know what crypts the DSA does/doesn't use in order to authenticate. I assume you'd use "nds" here.
> Anyone have any suggestions? Maybe I'm just overlooking something very basic.
> The complete output from the log is:
>
> Aug 31 13:48:32 sles11 sshd[19756]: Invalid user myid from 192.168.100.24
> Aug 31 13:48:39 sles11 sshd[19761]: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
> Aug 31 13:48:39 sles11 sshd[19761]: pam_unix(sshd:auth): check pass; user unknown
> Aug 31 13:48:39 sles11 sshd[19761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.100.24
> Aug 31 13:48:41 sles11 sshd[19756]: error: PAM: User not known to the underlying authentication module for illegal user myid from 192.168.100.24
> Aug 31 13:48:41 sles11 sshd[19756]: Failed keyboard-interactive/pam for invalid user myid from 192.168.100.24 port 38256 ssh2
> Aug 31 13:50:32 sles11 sshd[19762]: error: ssh_msg_send: write
> Aug 31 13:50:32 sles11 sshd[19762]: pam_unix(sshd:auth): conversation failed
> Aug 31 13:50:32 sles11 sshd[19762]: pam_unix(sshd:auth): auth could not identify password for [myid]
> Aug 31 13:50:32 sles11 sshd[19762]: error: ssh_msg_send: write
--
Adam Tauno Williams <awilliam@whitemice.org> LPIC-1, Novell CLA
<http://www.whitemiceconsulting.com>
OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba
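The two stages the reply separates, NSS resolving the account for sshd and pam_ldap then binding as the resolved DN, can be told apart from the sshd log alone: "Invalid user" means getpwnam() failed before any password was checked, while the pam_ldap bind error means a DN was found but the simple bind with the typed password was rejected. The script below is an added example, not code from the thread; the log excerpt is constructed from the lines quoted above, and the finding codes are my own names.

```python
import re

# Constructed excerpt modelled on the sshd log quoted in the thread (not the full original log)
SAMPLE_LOG = """\
Aug 31 13:48:32 sles11 sshd[19756]: Invalid user myid from 192.168.100.24
Aug 31 13:48:39 sles11 sshd[19761]: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
Aug 31 13:48:39 sles11 sshd[19761]: pam_unix(sshd:auth): check pass; user unknown
Aug 31 13:48:41 sles11 sshd[19756]: error: PAM: User not known to the underlying authentication module for illegal user myid from 192.168.100.24
"""

# sshd logs "Invalid user" when getpwnam() fails, i.e. NSS could not resolve the account
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
# pam_ldap found a DN for the login name but the simple bind with the typed password failed
BIND_FAIL = re.compile(r'pam_ldap: error trying to bind as user "([^"]+)" \((.+)\)')
# value of the first RDN, e.g. "myid" from "cn=myid,ou=my ou,o=root"
FIRST_RDN = re.compile(r"^\s*(?:cn|uid)=([^,]+)", re.IGNORECASE)

def diagnose(log_text):
    """Split an sshd/pam_ldap login failure into its NSS stage and its bind stage.

    Returns the users sshd could not resolve, the DNs pam_ldap failed to bind
    as, and a list of finding codes (names chosen for this example).
    """
    unknown, bind_failures = set(), []
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            unknown.add(m.group(1))
        m = BIND_FAIL.search(line)
        if m:
            bind_failures.append({"dn": m.group(1), "reason": m.group(2)})
    findings = []
    if unknown:
        # NSS stage: nsswitch.conf lacks "ldap" for passwd/group, or the nss_* settings
        # do not match the tree. Check with: getent passwd <user>
        findings.append("NSS_LOOKUP_FAILED")
    for bf in bind_failures:
        rdn = FIRST_RDN.match(bf["dn"])
        user = rdn.group(1).strip() if rdn else ""
        if user in unknown:
            # pam_ldap's own search did resolve a DN, so only the NSS lookup is missing
            findings.append("DN_RESOLVED_BUT_NSS_MISSING")
        if bf["reason"] == "Invalid credentials":
            # Bind stage: reproduce outside PAM with: ldapwhoami -x -H ldap://HOST -D '<dn>' -W
            findings.append("USER_BIND_REJECTED")
    return {"unknown_users": sorted(unknown), "bind_failures": bind_failures, "findings": findings}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(key, value)
```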