Jürgen Starek skrev, on 16-02-2008 10:25:
> I am having trouble with authenticating users listed in an LDAP directory.
>
> On my network, I set up an LDAP server and a client that tries to
> authenticate using the server. Both machines run Debian Etch.
>
> Client and Server setup are done according to tutorials on the net, and
> where they contradicted themselves, O'Reilly's "LDAP System
> Administration".
>
> I have populated the database with a "users" group and a sample
> posixAccount. The server works fine: I can connect to it from the client
> using GQ and a simple bind for the rootdn. Also, calling ldapsearch -x
> on the client gives me the complete list of entries in the server's
> database.
>
> A "getent passwd" on the client shows my sample account on the LDAP
> directory as if it were in the local passwd file, just as it's supposed
> to do.
>
> However, I can't log in. My nsswitch.conf uses LDAP as a password data
> source, and I see network traffic at each login attempt. Passwords are
> stored as an MD5 hash in the LDAP database, but trying CRYPT or PLAIN
> did not change anything. As mentioned above, binding to the server using
> rootdn works fine. Only binding as a user does not seem to work...
>
> Here's a log extract from /var/log/auth.log:
>
> testbox login[3850]: pam_ldap: ldap_search_s No such object
> testbox login[3850]: pam_ldap: ldap_search_s No such object
> testbox login[3850]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost= user=testuser
> testbox login[3850]: FAILED LOGIN (1) auf "pts/0" FOR `testuser', Authentication failure
>
> Can anyone help me diagnose this problem further? Any help would be
> appreciated.
From what you describe above it'd seem you've got most simple bind
stuff working ok for OpenLDAP, as well as name service switch stuff for
nss_ldap. I'm a Red Hat person, not Debian; be that as it may, you need
a configuration file for pam_ldap. Googling tells me that for Debian
this should be /etc/pam_ldap.conf.
This in your log: "ldap_search_s No such object" (aka error 32) means it
can't find the directory suffix c.q. search base, which should be
configured (with a lot more things) in said pam_ldap.conf.
Again Googling, here's how Michael Hammer does it:
http://tugll.tugraz.at/88684/weblog/3682.html

Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
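As an added illustration (not part of the thread above), a minimal pam_ldap.conf of the kind Tony refers to; the server name, suffix and hashing scheme are assumed values to be replaced with the site's own. The point is that `base` must name a suffix that actually exists on the server, otherwise every pam_ldap lookup returns "No such object" (error 32) before any user bind is attempted.

```conf
# /etc/pam_ldap.conf (assumed values; adapt to the directory in use)

# Server to authenticate against. ldapi/ldaps URIs work here as well.
uri ldap://ldap.example.com/

# Search base: MUST match the suffix the server actually serves
# (compare with the DNs returned by "ldapsearch -x" on the client).
# A wrong or missing base is what produces ldap_search_s "No such object".
base dc=example,dc=com

# Search the whole subtree under the base for the posixAccount entry.
scope sub

# Use LDAPv3; v2 lacks features assumed by current clients.
ldap_version 3

# The user's own DN is found by searching on this attribute, then
# pam_ldap binds as that DN with the supplied password.
pam_login_attribute uid

# Password change method; md5 matches passwords stored as {MD5} hashes.
# Authentication itself is done by the bind, the scheme only matters
# when pam_ldap is asked to change a password.
pam_password md5
```

After editing the file, `ldapsearch -x -b "dc=example,dc=com" -s base` from the client should return the suffix entry rather than "No such object (32)"; if it does not, the base in pam_ldap.conf does not match the server.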