odd pam_ldap configuration issues

Hello,

I have set up OpenLDAP, pam_ldap and nss_ldap from source on an
otherwise clean Debian installation. After some hassle (I'm really
new to LDAP) the basics work: I can add and delete entries, search
for them, etc.

The next step was pam_ldap - again, after some reading it worked, but
only almost. Whenever I log in, I have to enter the password _twice_
until it is accepted. I only realized that this is a problem when I
wanted to deploy nss_ldap. This simply did not work for me. For a
login, the logfiles tell me the following:

| Jul 17 10:28:49 slapd[18148]: daemon: conn=20 fd=15 connection from IP=10.10.0.6:33807 (IP=0.0.0.0:389) accepted. 
| Jul 17 10:28:58 slapd[18150]: conn=20 op=1 BIND dn="OU=SAMBA,DC=DOMAIN,DC=AT" method=128 
| Jul 17 10:28:58 slapd[18150]: conn=20 op=1 RESULT tag=97 err=0 text= 
| Jul 17 10:28:58 slapd[18150]: conn=20 op=2 SRCH base="ou=People,dc=domain,dc=at" scope=1 filter="(uid=sfroehli)" 
| Jul 17 10:28:58 slapd[18150]: conn=20 op=2 SEARCH RESULT tag=101 err=0 text= 
| Jul 17 10:28:58 slapd[18150]: conn=20 op=3 BIND dn="UID=SFROEHLI,OU=PEOPLE,DC=DOMAIN,DC=AT" method=128 
| Jul 17 10:28:58 slapd[18150]: conn=20 op=3 RESULT tag=97 err=0 text= 
| Jul 17 10:28:58 slapd[18150]: conn=20 op=4 BIND dn="OU=SAMBA,DC=DOMAIN,DC=AT" method=128 
| Jul 17 10:28:58 slapd[18150]: conn=20 op=4 RESULT tag=97 err=0 text= 
| Jul 17 10:28:58 slapd[18148]: daemon: conn=21 fd=16 connection from IP=10.10.0.6:33808 (IP=0.0.0.0:389) accepted. 
| Jul 17 10:28:58 slapd[18150]: conn=21 op=1 UNBIND 
| Jul 17 10:28:58 slapd[18150]: conn=-1 fd=16 closed 
| Jul 17 10:30:24 slapd[18150]: conn=20 op=5 UNBIND 
| Jul 17 10:30:24 slapd[18150]: conn=-1 fd=15 closed 

I waited for 10 seconds after the first password failure to
illustrate what happens until then (i.e. next to nothing, to my
knowledge). The procedure after the second login try looks perfectly
fine to me (so the LDAP configuration should be correct?) - but why
not at the first try as well?

Now, if I enable nss_ldap and try to execute a "getent group", I can
see the following:

| Jul 17 10:35:03 slapd[18148]: daemon: conn=27 fd=15 connection from IP=10.10.0.6:33815 (IP=0.0.0.0:389) accepted. 
| Jul 17 10:35:03 slapd[18150]: conn=27 op=1 UNBIND 
| Jul 17 10:35:03 slapd[18150]: conn=-1 fd=15 closed 

This seems to me to be quite similar to the problem above: one
try, but no success. Unlike during login, no retries are made
here, so there is no result. Exactly the same thing happens (of
course) if I write "group: ldap" in my nsswitch.conf and do an
"ls -l" afterwards.

I tried to increase the log level of slapd, but this gives me
_exhaustive_ results which I am not able to interpret. If you need a
special log level, please tell me. Also, if some of the
configuration files are of special interest for this kind of
problem, please tell.

Ciao,
  Stefan

-- 
Stefan - harmonious, indestructible in all storms!
http://www.sloganizer.de/
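As an added example (editor's code, not part of Stefan's post), the following script groups slapd log lines by their conn= id and flags connections that were accepted and then only sent UNBIND, which is exactly what conn=21 and conn=27 look like in the logs above: the client never issued a BIND or SRCH before giving up. The sample input is constructed from the post's own lines, with the "| " quote markers removed.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the slapd lines quoted in the post,
# with the leading "| " quote markers removed.
SAMPLE_LOG = """\
Jul 17 10:28:49 slapd[18148]: daemon: conn=20 fd=15 connection from IP=10.10.0.6:33807 (IP=0.0.0.0:389) accepted.
Jul 17 10:28:58 slapd[18150]: conn=20 op=1 BIND dn="OU=SAMBA,DC=DOMAIN,DC=AT" method=128
Jul 17 10:28:58 slapd[18150]: conn=20 op=1 RESULT tag=97 err=0 text=
Jul 17 10:28:58 slapd[18150]: conn=20 op=2 SRCH base="ou=People,dc=domain,dc=at" scope=1 filter="(uid=sfroehli)"
Jul 17 10:28:58 slapd[18150]: conn=20 op=3 BIND dn="UID=SFROEHLI,OU=PEOPLE,DC=DOMAIN,DC=AT" method=128
Jul 17 10:28:58 slapd[18148]: daemon: conn=21 fd=16 connection from IP=10.10.0.6:33808 (IP=0.0.0.0:389) accepted.
Jul 17 10:28:58 slapd[18150]: conn=21 op=1 UNBIND
Jul 17 10:28:58 slapd[18150]: conn=-1 fd=16 closed
Jul 17 10:30:24 slapd[18150]: conn=20 op=5 UNBIND
Jul 17 10:30:24 slapd[18150]: conn=-1 fd=15 closed
"""

ACCEPT_RE = re.compile(r"daemon: conn=(\d+) fd=(\d+) connection from IP=(\S+)")
OP_RE = re.compile(r"conn=(\d+) op=\d+ (BIND|SRCH|UNBIND)\b")
CLOSE_RE = re.compile(r"conn=-1 fd=(\d+) closed")


def summarize(log_text):
    """Group slapd lines by connection id.
    Returns {conn_id: {"peer": "ip:port", "ops": [...], "closed": bool}}.
    A "closed" line names only the fd, so each fd is mapped back to the
    connection that most recently accepted it.
    """
    conns = defaultdict(lambda: {"peer": None, "ops": [], "closed": False})
    fd_owner = {}
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m[1]]["peer"] = m[3]
            fd_owner[m[2]] = m[1]
        elif m := OP_RE.search(line):
            conns[m[1]]["ops"].append(m[2])
        elif m := CLOSE_RE.search(line):
            cid = fd_owner.pop(m[1], None)
            if cid is not None:
                conns[cid]["closed"] = True
    return dict(conns)


def silent_connections(summary):
    """Connections that were accepted and then sent nothing but UNBIND:
    no BIND and no SRCH reached the server, the pattern the post shows
    for conn=21 and conn=27 (the client gave up before asking anything)."""
    return sorted(cid for cid, info in summary.items()
                  if not any(op in ("BIND", "SRCH") for op in info["ops"]))
```

Running it over a full slapd log (e.g. `summarize(open("/var/log/syslog").read())`) lets you compare the silent connections' timestamps and source ports with the client's attempts instead of reading the raw lines.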