Re: SLES9 and pam_ldap (LDAP bind instead of search request)
Thanks, Ralf.
You asked: "How do you come to the conclusion that your current setup doesn't use bind?"
My answer: I'm not sure, but this is what the LDAP server log displays:
[2007-12-04 12:29:25,191] conn=3095 fd=0 slot=0 connection from 10.0.42.17 to 10.0.42.17
[2007-12-04 12:29:25,198] conn=3095 op=0 SRCH base="cn=schema" scope=0 filter="(cn=schema)"
[2007-12-04 12:29:25,400] conn=3095 op=0 RESULT err=0 tag=0 nentries=1 etime=202
[2007-12-04 12:29:25,400] conn=3095 op=1 UNBIND
[2007-12-04 12:29:25,403] conn=3095 op=1 fd=0 closed - U1
[2007-12-04 12:30:11,336] conn=3096 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-04 12:30:11,339] conn=3096 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:11,340] conn=3096 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:11,381] conn=3096 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=poc))"
[2007-12-04 12:30:11,413] conn=3096 op=1 RESULT err=0 tag=0 nentries=0 etime=33
[2007-12-04 12:30:11,453] conn=3096 op=2 UNBIND
[2007-12-04 12:30:11,453] conn=3096 op=2 fd=0 closed - U1
[2007-12-04 12:30:17,092] conn=3097 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-04 12:30:17,094] conn=3097 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:17,095] conn=3097 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:17,135] conn=3097 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-04 12:30:17,140] conn=3097 op=1 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-04 12:30:23,356] conn=3097 op=2 BIND dn="" method=0 version=3
[2007-12-04 12:30:23,356] conn=3097 op=2 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:23,397] conn=3097 op=3 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-04 12:30:23,401] conn=3097 op=3 RESULT err=0 tag=0 nentries=0 etime=5
[2007-12-04 12:30:26,742] conn=3098 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-04 12:30:26,745] conn=3098 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:26,746] conn=3098 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-04 12:30:26,786] conn=3098 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=xjc864))"
[2007-12-04 12:30:26,790] conn=3098 op=1 RESULT err=0 tag=0 nentries=0 etime=4
There is no BIND as the user; all of the BINDs are for dn="", so I'm wondering whether pam_ldap is able to do user binding instead of password searching.
Here is my /etc/pam.d/sshd file:
##############################################
# /etc/pam.d/sshd
##############################################
#%PAM-1.0
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session optional pam_resmgr.so fake_ttyname
auth sufficient pam_ldap.so
account sufficient pam_ldap.so
password required pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
Any suggestions would be greatly appreciated,
BJP
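A way to read the access log quoted above, added here as an example that is not part of the original post: pam_ldap normally binds anonymously (or as a configured binddn), searches for the uid, and then binds as the DN the search returned, so a search that ends with nentries=0 leaves it no DN to bind as. The sample log lines, the dc=example,dc=com base and the user alice are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the access-log format quoted in the post: conn=3096 mirrors the
# post (anonymous bind, uid search with nentries=0, no user bind); conn=3099 is a full round trip.
SAMPLE_LOG = """\
[2007-12-04 12:30:11,339] conn=3096 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:11,381] conn=3096 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=poc))"
[2007-12-04 12:30:11,413] conn=3096 op=1 RESULT err=0 tag=0 nentries=0 etime=33
[2007-12-04 12:30:12,001] conn=3099 op=0 BIND dn="" method=0 version=3
[2007-12-04 12:30:12,010] conn=3099 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectclass=posixAccount)(uid=alice))"
[2007-12-04 12:30:12,020] conn=3099 op=1 RESULT err=0 tag=0 nentries=1 etime=10
[2007-12-04 12:30:12,030] conn=3099 op=2 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[2007-12-04 12:30:12,040] conn=3099 op=2 RESULT err=0 tag=97 nentries=0 etime=10
"""

OP_RE = re.compile(r'\] conn=(\d+) op=(\d+) (BIND|SRCH|RESULT)\b(.*)$')

def parse_log(text):
    """Group BIND/SRCH/RESULT lines by connection and op; each RESULT is attached to its op."""
    conns = defaultdict(dict)
    for m in filter(None, map(OP_RE.search, text.splitlines())):
        conn, op, kind, rest = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        entry = conns[conn].setdefault(op, {})
        if kind == 'BIND':
            entry.update(kind=kind, dn=re.search(r'dn="([^"]*)"', rest).group(1))
        elif kind == 'SRCH':
            uid = re.search(r'\(uid=([^)]+)\)', rest)
            entry.update(kind=kind, uid=uid.group(1) if uid else None)
        else:  # RESULT line: outcome of the BIND or SRCH with the same op number
            entry.update(err=int(re.search(r'err=(\d+)', rest).group(1)),
                         nentries=int(re.search(r'nentries=(\d+)', rest).group(1)))
    return conns

def classify(conns):
    """Per connection: was a user searched for, was it found, and did a bind as that DN follow?"""
    report = {}
    for conn, ops in conns.items():
        uid, found, user_bind = None, False, None
        for e in (ops[op] for op in sorted(ops)):
            if e.get('kind') == 'SRCH' and e.get('uid'):
                uid, found = e['uid'], e.get('nentries', 0) > 0
            elif e.get('kind') == 'BIND' and e['dn'] and uid is not None:  # non-anonymous bind after the search
                user_bind = 'ok' if e.get('err') == 0 else 'failed (err=%s)' % e.get('err')
        status = ('no user search' if uid is None else
                  'user not found under search base: no DN to bind as' if not found else
                  'user bind ' + (user_bind or 'missing'))
        report[conn] = (uid, status)
    return report
```

Run against the post's own log, every uid search returns nentries=0, so the first thing to check is whether the users really live under the configured search base.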