I'm trying to set up ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation.
First, the error I see in the log is: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct.
Connection to ldap is not encrypted so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password differently, maybe it's encrypting it or something, I don't know.

Hi James,

On Tuesday 31 August 2010 21:18:15 James Pifer wrote:

No. pam_ldap is not touching the password sent in the LDAP Bind Request. But sshd does in some situations overwrite the password that it sends to the PAM stack. IIRC it sets it to a value containing the string "INCORRECT" (plus some additional non-printable chars). Is that what you see in your LDAP capture? If yes then something is still wrong with either your nss_ldap/pam_ldap configuration or with your sshd config. AFAIK one situation when sshd does this overwriting is when it is not able to resolve the username correctly. Does the following work on the server you are trying to log into?

getent passwd <your-user-id>
In /etc/ldap.conf I've set:
host 192.168.100.21
base o=root
bind_policy soft
pam_lookup_policy yes
pam_password nds
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
I also tried pam_password clear.
Anyone have any suggestions? Maybe I'm just overlooking something very basic.
The complete output from the log is:

Aug 31 13:48:32 sles11 sshd[19756]: Invalid user myid from 192.168.100.24
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This line indicates that sshd could not correctly resolve the user "myid". Please check your nss_ldap setup.

Aug 31 13:48:39 sles11 sshd[19761]: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
[..]
--
Ralf
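The diagnosis in Ralf's reply can be turned into a small check script. The following is an added example, not code from the thread or from the pam_ldap/nss_ldap projects: it classifies an sshd log excerpt (an "Invalid user" line before the pam_ldap bind error points at NSS resolution, not at the password), checks that an nsswitch.conf body lists the ldap source for the passwd and group databases, and recognises the placeholder password OpenSSH hands to PAM for unknown users. The log lines, nsswitch.conf snippets and the captured password are constructed for the example; the literal "\b\n\r\177INCORRECT" is the value used in OpenSSH's auth-pam.c, and treating it as stable across versions is an assumption.

```shell
#!/bin/sh
# Added diagnostic for the sshd + pam_ldap/nss_ldap failure discussed above.
# Not from the original thread; all sample data below is constructed.
#
# Idea: an "Invalid credentials" bind error from pam_ldap is misleading when
# sshd has already decided the user is unknown ("Invalid user ..."). In that
# case OpenSSH feeds a dummy password containing "INCORRECT" to the PAM stack,
# so the user's real password never reaches the directory. The fix is NSS, not PAM.

# Constructed log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG_NSS='Aug 31 13:48:32 sles11 sshd[19756]: Invalid user myid from 192.168.100.24
Aug 31 13:48:39 sles11 sshd[19761]: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)'

# Constructed: same bind error, but sshd did resolve the user (a real bad password).
SAMPLE_LOG_CREDS='Aug 31 13:52:01 sles11 sshd[19801]: pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)'

# Constructed nsswitch.conf bodies: one that consults ldap, one that does not.
NSSWITCH_OK='passwd: files ldap
group:  files ldap
shadow: files ldap'
NSSWITCH_BAD='passwd: compat
group:  compat
shadow: compat'

# Classify an sshd log excerpt for a given user.
# Prints one of: nss-resolution | credentials | no-bind-error
diagnose_sshd_log() {
    log=$1; user=$2
    if ! printf '%s\n' "$log" | grep -q 'pam_ldap: error trying to bind'; then
        echo no-bind-error; return
    fi
    if printf '%s\n' "$log" | grep -q "sshd\[[0-9]*\]: Invalid user $user from"; then
        echo nss-resolution
    else
        echo credentials
    fi
}

# Return 0 if every named database in an nsswitch.conf body lists the ldap source.
nss_has_ldap() {
    conf=$1; shift
    for db in "$@"; do
        if ! printf '%s\n' "$conf" | grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)"; then
            return 1
        fi
    done
    return 0
}

# Return 0 if a password seen on the wire (e.g. in the LDAP BindRequest captured
# with wireshark) is OpenSSH's unknown-user placeholder rather than user input.
# OpenSSH auth-pam.c uses the literal "\b\n\r\177INCORRECT" (assumed stable here).
is_sshd_dummy_password() {
    case $1 in
        *INCORRECT*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on the target host: does NSS know the user at all?
# Not called below; it talks to the real nss_ldap like Ralf's suggested command.
live_nss_check() {
    getent passwd "$1" >/dev/null 2>&1
}

main() {
    echo "log A  -> $(diagnose_sshd_log "$SAMPLE_LOG_NSS" myid)"
    echo "log B  -> $(diagnose_sshd_log "$SAMPLE_LOG_CREDS" myid)"
    nss_has_ldap "$NSSWITCH_OK" passwd group && echo "nsswitch OK: ldap listed for passwd and group"
    nss_has_ldap "$NSSWITCH_BAD" passwd group || echo "nsswitch BAD: ldap missing from passwd or group"
    captured=$(printf '\b\n\r\177INCORRECT')
    is_sshd_dummy_password "$captured" && echo "captured bind password is the sshd placeholder"
}

main "$@"
```

On a real host, replace the constructed nsswitch.conf body with `$(cat /etc/nsswitch.conf)` and the log excerpt with the relevant lines from /var/log/messages; if `diagnose_sshd_log` reports nss-resolution, `live_nss_check myid` will normally fail too, and fixing nss_ldap (nsswitch.conf sources, base, host, schema) comes before touching pam_password.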