pam_ldap

Craig White craigwhite at azapple.com
Wed Apr 6 06:02:04 UTC 2005


On Tue, 2005-04-05 at 10:19 -0500, Thomas Cameron wrote:
> On Tue, 2005-04-05 at 10:30 -0400, Jon Thompson wrote:
> > > Ok:  I have a RHEL 3.0 box and a Fedora Core 3.  I am using pam_ldap
> > > for system authentication.  They have the exact same configuration
> > > files and parameters.  I copied the files from the working box to the
> > > malfunctioning system.  I can execute getent passwd and see all of the
> > > user names that are available through ldap.  However, when I try and
> > > login it fails.  When I try and su to a valid user I get an 'incorrect
> > > password' error.  I have tcpdumped the traffic and watched the logs on
> > > the ldap server, the system is connecting and there has been no
> > > failure due to acls.  However, when I run debug with the pam module I
> > > get a pam_ldap: simple bind failure.  Has anyone else come across
> > > anything like this?
> > >
> > > Thanks,
> > >
> > > Jon
> > 
> > Yes, I am fighting an LDAP issue right now with RHEL 3.  Can you give a
> > little more info?  What LDAP server are you trying to authenticate against?
> > 
> > Openldap 2.2.6
> > 
> > 
> > Also, what version of nss_ldap are you using?
> > 
> > RHEL 3 nss_ldap 207-11
> > Fedora nss_ldap 220-3
> > 
> > 
> > The interesting thing is that it works without issue when I am not
> > using SSL.  It will retrieve user information and authenticate against
> > LDAP while not utilizing SSL. Whenever I enable SSL the password
> > authentication portion dies while the getent still works.
> 
> Be very careful - I tried to use the FC nss_ldap and was told by RH paid
> support that it was not compatible and could not be made compatible with
> RHEL 3.
> 
> We've been fighting this issue with RHEL since January 31st and we just
> came to some sort of conclusion yesterday.
----
1 - are you sure you are using SSL and not TLS?

2 - logs? I suggest that you have a sufficient log level (256 is good, but
I don't think that handles SSL routines). Also, a local4 entry in
syslog.conf can direct OpenLDAP logs to a separate file.

Craig
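A small lint for the client side of this problem, added here as an example and not code from anyone in the thread: it parses an ldap.conf-style file and flags the SSL-versus-STARTTLS mismatch Craig asks about, plus TLS settings that leave the server certificate unverified, and decodes a slapd loglevel into its named bits. The sample config is constructed; key names follow the nss_ldap/pam_ldap ldap.conf man page.

```python
"""Lint an nss_ldap/pam_ldap client config for SSL-vs-TLS mismatches.

Added example for this thread, not code from the original posts. The sample
config below is constructed; key names follow the ldap.conf man page.
"""

# Constructed /etc/ldap.conf modelled on the symptom in the thread:
# 'getent passwd' works, but pam_ldap simple binds fail once SSL is on.
CLIENT_CONF = """
host ldap.example.com
base dc=example,dc=com
ssl on
port 389
tls_checkpeer no
"""

# slapd.conf loglevel bits (values from the slapd.conf man page).
LOGLEVEL_BITS = {1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER",
                 32: "filter", 64: "config", 128: "ACL", 256: "stats",
                 512: "stats2", 1024: "shell", 2048: "parse"}


def parse_conf(text):
    """Return {lowercased key: value} for 'key value' lines; skip comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_transport(conf):
    """Flag settings that make 'ssl on' binds fail or weaken TLS.

    ssl on        -> LDAPS, TLS from the first byte, normally port 636
    ssl start_tls -> plain LDAP on 389, upgraded in-band with STARTTLS
    A client set to one against a server offering the other fails the
    handshake, which pam_ldap reports as a 'simple bind failure'.
    """
    findings = []
    mode = conf.get("ssl", "no").lower()
    uri = conf.get("uri", "").lower()
    port = conf.get("port")
    if mode == "on" and (port == "389" or uri.startswith("ldap://")):
        findings.append("ssl on, but port/uri point at the plaintext 389 endpoint")
    if mode == "start_tls" and (port == "636" or uri.startswith("ldaps://")):
        findings.append("ssl start_tls, but port/uri point at the ldaps 636 endpoint")
    if mode != "no" and conf.get("tls_checkpeer", "yes").lower() == "no":
        findings.append("tls_checkpeer no: the server certificate is not verified")
    if mode != "no" and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("no tls_cacertfile/tls_cacertdir: no CA to verify the server")
    return findings


def decode_loglevel(level):
    """Name the slapd loglevel bits set in an integer loglevel (256 -> stats)."""
    return [name for bit, name in sorted(LOGLEVEL_BITS.items()) if level & bit]


if __name__ == "__main__":
    for finding in check_transport(parse_conf(CLIENT_CONF)):
        print("finding:", finding)
    print("loglevel 256 enables:", decode_loglevel(256))
```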