On Tue, 2010-08-31 at 16:04 -0400, Adam Tauno Williams wrote:
On Tue, 2010-08-31 at 15:18 -0400, James Pifer wrote:
I'm trying to set up ldap authentication to eDirectory. I'm actually doing it on SLES11, but hoping someone here can give me a hand. I'm getting an error when I try to ssh as a user that only exists in ldap, not locally. I've found a lot of references to this error, but have not found a solution that works for my situation. First, the error I see in the log is:

pam_ldap: error trying to bind as user "cn=myid,ou=my ou,o=root" (Invalid credentials)
Is this an DN you've specified anywhere?
No, it's doing an anonymous bind. I'm authenticating as myid with ssh, but it successfully finds the correct DN for myid. It then tries a simple bind to ldap with that DN, but looks like it's hosing the password.
I can successfully bind to ldap using ldapsearch and ldapbrowser from sles11, so I know my credentials are correct. The connection to ldap is not encrypted, so I've captured all three logins using wireshark. The authentication value for the simple bind matches for ldapsearch and ldapbrowser, but is different coming from pam_ldap. So it seems like pam_ldap is sending the password differently, maybe it's encrypting or something, don't know.
PAM doesn't typically bind as "the user" but looks up information using some generic credentials. Is NSS working?
It's doing an anonymous bind, which appears successful.
Specified in /etc/ldap.conf (for example):
---------------------------------------------------
binddn uid=nss,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
bindpw *************
In /etc/ldap.conf I've set:
host 192.168.100.21
base o=root
"o=root" Really?
No, private information posted has been changed, such as username, OUs and O.

Thanks,
James
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
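The diagnostic in this thread was to capture the three logins and compare the "authentication" value of each simple bind. The following is an added example, written for this page and not code from the thread or from pam_ldap, that encodes and decodes an LDAPv3 simple BindRequest (RFC 4511, BER on the wire) so the comparison can be done on pcap bytes rather than by eye. It shows the security-relevant fact behind the wireshark approach: a simple bind carries the DN and the password as plain OCTET STRINGs, so two binds with the same credentials are byte-identical in that field, and anyone on the path can read the password unless the session is protected by TLS (ldaps:// or STARTTLS). The sample "capture" bytes, the DN cn=myid,o=root and the password s3cret are constructed for the example.

```python
"""Minimal encoder/decoder for an LDAPv3 simple BindRequest (RFC 4511).

Added example, not from the thread. The message layout is:

  LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
  BindRequest ::= [APPLICATION 0] SEQUENCE {
      version INTEGER, name OCTET STRING (the DN),
      authentication [0] OCTET STRING (the cleartext password) }
"""

# BER tags used by a simple bind (universal / application / context classes)
TAG_SEQUENCE = 0x30       # UNIVERSAL 16, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] primitive: AuthenticationChoice.simple


def ber_length(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """Two's-complement INTEGER element (enough for messageID and version)."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))


def build_simple_bind(message_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """Build the bytes a client sends for a simple bind with the given DN/password."""
    bind_request = tlv(
        TAG_BIND_REQUEST,
        ber_integer(version)
        + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
        + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")),
    )
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + bind_request)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(packet: bytes) -> dict:
    """Decode a captured LDAPMessage and return its simple-bind fields."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = read_tlv(message, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(message, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, raw_version, pos = read_tlv(op, 0)
    _, raw_dn, pos = read_tlv(op, pos)
    tag, raw_auth, _ = read_tlv(op, pos)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("not a simple bind (SASL or other mechanism)")
    return {
        "message_id": int.from_bytes(raw_id, "big", signed=True),
        "version": int.from_bytes(raw_version, "big", signed=True),
        "dn": raw_dn.decode("utf-8"),
        "password": raw_auth.decode("utf-8", errors="replace"),
    }


def same_credentials(packet_a: bytes, packet_b: bytes) -> bool:
    """True when two captured bind requests carry the same DN and password."""
    a, b = parse_simple_bind(packet_a), parse_simple_bind(packet_b)
    return (a["dn"], a["password"]) == (b["dn"], b["password"])


# Constructed sample "capture" (not from the thread): messageID 1, LDAPv3,
# DN cn=myid,o=root, password s3cret, exactly as it would sit in a pcap.
CAPTURED_BIND = bytes.fromhex(
    "3020"                      # SEQUENCE, 32 bytes follow
    "020101"                    # messageID 1
    "601b"                      # [APPLICATION 0] BindRequest, 27 bytes follow
    "020103"                    # version 3
    "040e" + "cn=myid,o=root".encode().hex()   # name (the DN)
    + "8006" + "s3cret".encode().hex()         # simple authentication: the password, in the clear
)

if __name__ == "__main__":
    fields = parse_simple_bind(CAPTURED_BIND)
    print(fields)   # password readable as-is: simple bind without TLS is cleartext on the wire
    rebuilt = build_simple_bind(1, "cn=myid,o=root", "s3cret")
    print("byte-identical to capture:", rebuilt == CAPTURED_BIND)
```

To use this against a real capture, export the LDAP payload of each BindRequest from wireshark (Follow TCP Stream, or "Export Packet Bytes" on the LDAPMessage) and feed the bytes to parse_simple_bind; same_credentials then tells you whether two clients sent the same DN and password. Because the password is visible in every such capture, the same check is the argument for only running pam_ldap over TLS in production.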