
Re: pam_ldap error



On Mon, Dec 01, 2003 at 01:27:03PM -0800, Jeff Gamsby wrote:
>    Are you running linux? If so, which distribution. I run RedHat 9, so when
>    I want LDAP authentication, I run authconfig, and that sets the correct
>    parameters in /etc/pam.d/sysauth (You do have to edit it after though),
>    then you restart sshd and things work. If you want TLS, you have to put
>    the client certificate path in /usr/local/etc/openldap/ldap.conf or
>    /etc/ldap.conf. Does regular login work with ldap, console login, or
>    telnet?
Huhh, sorry for a late reply.

I use Debian GNU/Linux Sarge.
I do not like automatic methods.
In most cases you won't know what the automatic method is doing,
but sure, it works.
The first time I made several mistakes (no nscd, missing
pam_ldap.conf entries, etc.)

Now it works correctly (since September).
I found the debugging via 'strace su' *very* effective.

I only tried to tell ideas.

But if you mentioned:
	How do you create certificates?
	I read several articles, but I do not dare to try it,
	because I use it in production....
	So if you have a script for generating keys whatsoever,
	(or an RH script ;-) (I will learn how to do it from...)


Thanks.
> 
>    Csillag Tamas wrote:
> 
>  Hi,
> 
>  On Mon, Dec 01, 2003 at 02:24:16PM -0500, Asif Iqbal wrote:
>   
> 
>  On Mon, 1 Dec 2003, Jeff Gamsby wrote:
> 
>     
> 
>   Does ldapsearch -x work? If on Linux, how about getent passwd?
>       
> 
>  ldapsearch -x works just fine. getent passwd works fine too
>     
> 
>  pam_ldap is independent from getent passwd (it uses libnss_ldap)
>  and its config file is: /etc/nsswitch.conf and /etc/{.,ldap}/ldap.conf
>  (the second is Debian specific I think)
>  (But it is good to test whether your database is available)
> 
>  pam_ldap's config file is: /etc/pam_ldap.conf
> 
>  If the problem is not the pam_ldap.conf file, you can try to debug it
>  in the following way:
>  tcpdump
>  or
>  (backup first!!) cp /etc/pam.d/ssh /etc/pam.d/su
>  strace su someuser (do this as root but remove the rootok pam module from
>  the list, so it will ask for password)
> 
>   
> 
>  Asif Iqbal wrote:
> 
>       
> 
>  Hi All
> 
>  I am trying to ssh auth against the ldap server using pam_ldap and getting the
>  following error
> 
>  Dec  1 13:03:44 scrub sshd[11979]: [ID 280705 auth.error] pam_ldap:
>  ldap_simple_bind Can't contact LDAP server
>  Dec  1 13:03:44 scrub sshd[11977]: [ID 800047 auth.error] error: PAM: Can not
>  retrieve authentication info
> 
>  sshd auth --> pam_ldap.so (in pam.conf)
> 
>  Thanks
> 
> 
> 
>         
> 
>
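
Added example, not part of the original thread and not code from pam_ldap: one way to check the "Can't contact LDAP server" case discussed above is to read the server settings out of a pam_ldap.conf-style file and test whether each endpoint accepts a TCP connection. The sample config is constructed; the handling of the host, uri, port and ssl keywords (uri taking precedence over host, port 636 when ssl is on) is an assumption about the PADL-style config format, and the host names are placeholders.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample in the keyword/value style of pam_ldap.conf (not from the thread).
SAMPLE_CONF = """\
# comments and blank lines are ignored
host ldap1.example.org ldap2.example.org:3890
port 389
ssl start_tls
base dc=example,dc=org
"""

def parse_conf(text):
    """Return {keyword: value} for 'keyword value' lines; a later line wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts[parts[0].lower()] = parts[1].strip()
    return opts

def endpoints(opts):
    """List the (host, port) pairs the client would try.
    Assumption: 'uri' entries, when present, are used instead of 'host'."""
    ldaps = opts.get("ssl", "off").lower() in ("on", "yes")
    default_port = int(opts.get("port", 636 if ldaps else 389))
    found = []
    for uri in opts.get("uri", "").split():
        u = urlsplit(uri)
        if u.hostname:  # skips ldapi:// and malformed entries
            found.append((u.hostname, u.port or (636 if u.scheme == "ldaps" else 389)))
    if found:
        return found
    for entry in opts.get("host", "").split():
        name, _, port = entry.partition(":")  # IPv6 literals are not handled
        found.append((name, int(port) if port else default_port))
    return found

def reachable(host, port, timeout=3.0):
    """TCP-level check only; says nothing about TLS or the bind itself."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for host, port in endpoints(parse_conf(SAMPLE_CONF)):
        print(f"{host}:{port} ->", "ok" if reachable(host, port) else "cannot connect")
```

An endpoint that fails here points at name resolution, routing or a firewall rather than at the PAM stack; one that succeeds moves the search on to TLS settings and the bind credentials.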