[Date Prev][Date Next]
Identical client/server configs, different server OS = different results (success/failure)
This has got me very perplexed, I would think identically configured
OpenLDAP servers would behave the same way irregardless of the underlying
operating system. I can reproduce the problem below 100% every time.
I have two servers, one NetBSD 1.5.2 on MIPS, and one Red Hat Linux 7.2 on
i386. Both have freshly compiled OpenLDAP 2.0.22. Both have an identical
slapd.conf config. Both used the PADL migration scripts to do an online
import of the exact same passwd/group/shadow/... (scripts modified
to look in specified directory instead of /etc). The only thing different
is the SSL/TSL cert has a different common name corresponding to the
different FQDN for each server.
Here are the ACLs used on both servers:
access to attr=userPassword
by self write
by anonymous auth
access to dn=() by * read
access to *
by users read
by anonymous none
I have two clients, one for each server. They are exactly identical
(software/hardware) except for hostname and what server they are pointed
at. They are both running Red Hat Linux 7.2 with all errata installed.
The /etc/ldap.conf on each, modulo the the "host" looks like:
Authentication failure using NetBSD hosted OpenLDAP server.
I can ssh into the client box pointed at the RHL 7.2 OpenLDAP 2.0.22
server. I can not ssh into the client pointed at the NetBSD 1.5.2
OpenLDAP 2.0.22 server. I need to use the NetBSD box as my production
On the client using the NetBSD OpenLDAP server, I see this in syslog:
Feb 5 00:49:13 station3 sshd: pam_ldap: error trying to bind as
user "uid=dkelson,ou=People,dc=example,dc=com" (Invalid credentials)
On the machine doing the ssh I see:
$ ssh firstname.lastname@example.org
Permission denied, please try again.
I launched both OpenLDAP servers with -d 128 and recorded the debug as I
tried to ssh into each client.
Debug for sucessfull ssh into client pointed at RHL7.2 hosted OpenLDAP:
Debug for failed ssh into client pointed at NetBSD hosted OpenLDAP:
A "diff -u" between the two:
I'll be extremely grateful for any and all assistance.