pam_ldap
Craig White
craigwhite at azapple.com
Wed Apr 6 06:02:04 UTC 2005
On Tue, 2005-04-05 at 10:19 -0500, Thomas Cameron wrote:
> On Tue, 2005-04-05 at 10:30 -0400, Jon Thompson wrote:
> > > Ok: I have a RHEL 3.0 box and a Fedora Core 3. I am using pam_ldap
> > > for system authentication. They have the exact same configuration
> > > files and parameters. I copied the files from the working box to the
> > > malfunctioning system. I can execute getent passwd and see all of the
> > > user names that are available through ldap. However, when I try and
> > > login it fails. When I try and su to a valid user I get an 'incorrect
> > > password' error. I have tcpdumped the traffic and watched the logs on
> > > the ldap server, the system is connecting and there has been no
> > > failure due to acls. However, when I run debug with the pam module I
> > > get a pam_ldap: simple bind failure. Has anyone else come across
> > > anything like this?
> > >
> > > Thanks,
> > >
> > > Jon
> >
> > Yes, I am fighting an LDAP issue right now with RHEL 3. Can you give a
> > little more info? What LDAP server are you trying to authenticate against?
> >
> > Openldap 2.2.6
> >
> >
> > Also, what version of nss_ldap are you using?
> >
> > RHEL 3 nss_ldap 207-11
> > Fedora nss_ldap 220-3
> >
> >
> > The interesting thing is that it works without issue when I am not
> > using SSL. It will retrieve user information and authenticate against
> > LDAP while not utilizing SSL. Whenever I enable SSL the password
> > authentication portion dies while the getent still works.
>
> Be very careful - I tried to use the FC nss_ldap and was told by RH paid
> support that it was not compatible and could not be made compatible with
> RHEL 3.
>
> We've been fighting this issue with RHEL since January 31st and we just
> came to some sort of conclusion yesterday.
----
1 - are you sure you are using SSL and not TLS?
2 - logs? I suggest that you have a sufficient log level (256 is good but
I don't think that handles SSL routines); also, a local4 entry in
syslog.conf can direct OpenLDAP logs to a separate file.
Craig
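Craig's first question (SSL, meaning ldaps:// on port 636, versus TLS, meaning StartTLS on the plain port 389) can be checked against the client side before turning up slapd logging. The shell functions below are an added example, not code from this thread or from the nss_ldap/pam_ldap project: they read the `ssl`, `uri`, `host`, `port` and `binddn` keys as nss_ldap's /etc/ldap.conf uses them, classify the transport the client will use, and print the OpenLDAP `ldapsearch` command that performs the same bind by hand, so a transport problem (wrong port, certificate not validated) can be told apart from a credential problem. The two sample configurations are constructed, and the `uid=testuser,...` DN is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from nss_ldap/pam_ldap itself.
# Reads an nss_ldap/pam_ldap style /etc/ldap.conf (passed as text) and works
# out whether the client is configured for plain LDAP, SSL (ldaps://, default
# port 636) or TLS (StartTLS on the plain port, default 389), then prints the
# ldapsearch command that exercises the same transport and bind by hand.
# Keys handled: ssl, uri, host, port, binddn (as nss_ldap's ldap.conf uses them).

# conf_key CONFIG KEY -> last value set for KEY (empty if unset); keys are
# matched case-insensitively and '#' comment lines never match.
conf_key() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { v = $2 } END { print v }'
}

# ldap_mode CONFIG -> one of: plain, ssl, start_tls
ldap_mode() {
    ssl=$(conf_key "$1" ssl | tr 'A-Z' 'a-z')
    uri=$(conf_key "$1" uri)
    case "$ssl" in
        start_tls) echo start_tls ;;
        on|yes)    echo ssl ;;
        *)
            # no explicit ssl key: an ldaps:// URI still means SSL
            case "$uri" in
                ldaps://*) echo ssl ;;
                *)         echo plain ;;
            esac ;;
    esac
}

# ldap_server CONFIG -> host:port, from "uri" if present, else "host"/"port",
# filling in 636 for SSL and 389 otherwise when no port is given.
ldap_server() {
    uri=$(conf_key "$1" uri)
    if [ -n "$uri" ]; then
        hp=${uri#*://}      # strip scheme
        hp=${hp%%/*}        # strip any trailing path
        case "$hp" in
            *:*) echo "$hp" ;;
            *)   case "$uri" in
                     ldaps://*) echo "$hp:636" ;;
                     *)         echo "$hp:389" ;;
                 esac ;;
        esac
    else
        host=$(conf_key "$1" host)
        port=$(conf_key "$1" port)
        if [ -z "$port" ]; then
            if [ "$(ldap_mode "$1")" = ssl ]; then port=636; else port=389; fi
        fi
        echo "${host:-localhost}:$port"
    fi
}

# bind_check_cmd CONFIG -> ldapsearch invocation using the same transport
# pam_ldap would use, so a failing bind can be reproduced outside PAM.
# The DN used when no binddn is set is a placeholder; substitute a real user.
bind_check_cmd() {
    mode=$(ldap_mode "$1")
    server=$(ldap_server "$1")
    dn=$(conf_key "$1" binddn)
    dn=${dn:-uid=testuser,ou=People,dc=example,dc=com}
    case "$mode" in
        ssl)       echo "ldapsearch -x -H ldaps://$server -D '$dn' -W -b '' -s base" ;;
        start_tls) echo "ldapsearch -x -ZZ -H ldap://$server -D '$dn' -W -b '' -s base" ;;
        *)         echo "ldapsearch -x -H ldap://$server -D '$dn' -W -b '' -s base" ;;
    esac
}

# Constructed sample configurations (not taken from the thread).
CFG_SSL='host ldap.example.com
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem'

CFG_TLS='uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem'

for cfg in "$CFG_SSL" "$CFG_TLS"; do
    echo "mode=$(ldap_mode "$cfg") server=$(ldap_server "$cfg")"
    echo "  $(bind_check_cmd "$cfg")"
done
```

The printed mode has to match what slapd actually listens for: `ssl on` expects an ldaps:/// listener on 636, while `ssl start_tls` expects StartTLS on the ordinary ldap:/// listener, and a mismatch fails at the bind even though the server is reachable. Running the printed `ldapsearch` with `-d 1` added shows the TLS handshake and certificate checks, which is the part pam_ldap's "simple bind failure" message hides.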