On Wednesday 01 September 2010 14:08:51 James Pifer wrote:
On Wed, 2010-09-01 at 10:12 +0200, Ralf Haferkamp wrote:
Hi James,
On Tuesday 31 August 2010 21:18:15 James Pifer wrote:
I'm trying to setup ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation.
First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct.
Connection to ldap is not encrypted so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password different, maybe it's encrypting or something, don't know.
No. pam_ldap is not touching the password sent in the LDAP Bind Request. But sshd does in some situation overwrite the password that it sends to the PAM stack. IIRC it sets it to a value containing the string "INCORRECT" (plus some additional non-printable chars). Is that what you see in your LDAP capture? If yes then something is still wrong with either your nss_ldap/pam_ldap configuration or with your sshd config. AFAIK one situation when sshd does this overwriting is when it is not able to resolve the username correctly. Does the following work on the server you are trying to log into?
getent passwd <your-user-id>
No, getent doesn't work. The user doesn't need to exist in the local passwd does it?

Yes, it does not need to exist in /etc/passwd. But you have to set up your system so that it resolves the users from LDAP then. I.e. you have to configure nss_ldap. Setting up pam_ldap is not enough. Please check your /etc/nsswitch.conf and enable LDAP lookups there, if you haven't already.
-- Ralf
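The check Ralf suggests, written out as a small POSIX shell script. This is an added example and not code from the thread or from the nss_ldap/pam_ldap projects: it parses an nsswitch.conf for the passwd, group and shadow databases and reports which of them lack an "ldap" source, then (on a real host) asks NSS for the user with getent, which is the lookup that has to succeed before sshd hands the real password to pam_ldap. The two nsswitch.conf fragments embedded below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example for the thread above (not from the original posts).
# Checks whether nsswitch.conf routes user lookups to LDAP, which is what
# pam_ldap alone does not give you, then resolves the user via NSS.

# Constructed sample: SLES-style defaults, LDAP not enabled.
SAMPLE_NSSWITCH_BEFORE='passwd: compat
group:  compat
shadow: compat
hosts:  files dns'

# Constructed sample: the same file with LDAP lookups enabled.
SAMPLE_NSSWITCH_AFTER='passwd: compat ldap
group:  compat ldap
shadow: compat ldap
hosts:  files dns'

# nss_db_uses_ldap DB CONFIG_TEXT
# Returns 0 if the line for DB (e.g. "passwd:") lists "ldap" as a source,
# 1 otherwise. Comments and unrelated databases are ignored.
nss_db_uses_ldap() {
  db=$1
  printf '%s\n' "$2" | awk -v db="$db" '
    /^[[:space:]]*#/ { next }
    $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
    END { exit found ? 0 : 1 }'
}

# nss_missing_ldap CONFIG_TEXT
# Prints the space-separated names of passwd/group/shadow databases that
# do not list ldap (empty output means all three are covered).
nss_missing_ldap() {
  missing=""
  for db in passwd group shadow; do
    nss_db_uses_ldap "$db" "$1" || missing="$missing $db"
  done
  printf '%s\n' "${missing# }"
}

# check_ldap_user USER [NSSWITCH_PATH]
# For use on the real server: verifies nsswitch.conf first, then does the
# same NSS lookup sshd performs. If getent returns nothing, sshd never gets
# to a Bind with the user's real password, so fix NSS before touching PAM.
check_ldap_user() {
  user=$1
  conf=${2:-/etc/nsswitch.conf}
  missing=$(nss_missing_ldap "$(cat "$conf")")
  if [ -n "$missing" ]; then
    echo "$conf: no ldap source for: $missing"
    return 1
  fi
  if ! getent passwd "$user" >/dev/null 2>&1; then
    echo "NSS cannot resolve $user (nss_ldap not working yet)"
    return 2
  fi
  echo "NSS resolves $user:"
  getent passwd "$user"
}

# Demo on the constructed samples (no system access needed).
printf 'before: missing ldap for: [%s]\n' "$(nss_missing_ldap "$SAMPLE_NSSWITCH_BEFORE")"
printf 'after:  missing ldap for: [%s]\n' "$(nss_missing_ldap "$SAMPLE_NSSWITCH_AFTER")"
```

On the SLES11 box itself, run `check_ldap_user myid` after editing /etc/nsswitch.conf; only once it prints the passwd entry is it worth retrying the ssh login and re-reading the pam_ldap Bind in the capture.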