
Identical client/server configs, different server OS = different results (success/failure)



This has got me very perplexed; I would think identically configured 
OpenLDAP servers would behave the same way regardless of the underlying 
operating system.  I can reproduce the problem below 100% every time.


Servers:

I have two servers, one NetBSD 1.5.2 on MIPS, and one Red Hat Linux 7.2 on
i386. Both have freshly compiled OpenLDAP 2.0.22.  Both have an identical 
slapd.conf config.  Both used the PADL migration scripts to do an online 
import of the exact same passwd/group/shadow/... (scripts modified 
to look in specified directory instead of /etc).  The only thing different 
is the SSL/TLS cert has a different common name corresponding to the 
different FQDN for each server.

Here are the ACLs used on both servers:

access to attr=userPassword
        by self write
        by anonymous auth

access to dn=() by * read

access to *
        by users read
        by anonymous none

Client setup:

I have two clients, one for each server.  They are exactly identical
(software/hardware) except for hostname and what server they are pointed 
at. They are both running Red Hat Linux 7.2 with all errata installed.

The /etc/ldap.conf on each, modulo the "host" line, looks like:

host station1.example.com
base dc=example,dc=com
ssl start_tls
pam_password md5

Problem:

Authentication failure using NetBSD hosted OpenLDAP server.

I can ssh into the client box pointed at the RHL 7.2 OpenLDAP 2.0.22 
server.  I can not ssh into the client pointed at the NetBSD 1.5.2 
OpenLDAP 2.0.22 server.  I need to use the NetBSD box as my production 
box.

On the client using the NetBSD OpenLDAP server, I see this in syslog:

Feb  5 00:49:13 station3 sshd[27897]: pam_ldap: error trying to bind as 
user "uid=dkelson,ou=People,dc=example,dc=com" (Invalid credentials)

On the machine doing the ssh I see:

$ ssh dkelson@10.100.0.3
dkelson@10.100.0.3's password:
Permission denied, please try again.

Debug output:

I launched both OpenLDAP servers with -d 128 and recorded the debug as I 
tried to ssh into each client.

Debug for successful ssh into client pointed at RHL7.2 hosted OpenLDAP:

http://www.gurulabs.com/files/rhl-ldap-debug.txt

Debug for failed ssh into client pointed at NetBSD hosted OpenLDAP:

http://www.gurulabs.com/files/netbsd-ldap-debug.txt

A "diff -u" between the two:

http://www.gurulabs.com/files/netbsd-rhl-ldap-debug.diff

I'll be extremely grateful for any and all assistance.

Dax Kelson
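To make it easier to reason about what the posted ACLs actually grant to each identity that pam_ldap uses (anonymous for the lookup, the user's own DN for the bind), here is a small model of the slapd ACL evaluation rules run over those ACLs. This is an added illustration, not code from the original message or from OpenLDAP: it encodes the rules documented for slapd (first matching `access to` clause wins, then the first matching `by` clause wins, and a matched clause with no matching `by` ends in an implicit `by * none`). The `access to dn=() by * read` line is left out because it does not target entries under the base; the user and attribute names are constructed sample values.

```python
"""Model of slapd ACL evaluation for the ACLs posted on the list.

Rules implemented (as documented in slapd.access(5), not OpenLDAP code):
  * the first `access to` clause whose target matches is the only one used;
  * inside it, the first `by` clause whose subject matches decides the level;
  * if the target matched but no `by` clause did, access is `none`
    (every clause ends with an implicit `by * none`);
  * if no clause matched at all, access is `none`.
Privilege levels nest, so holding `read` implies `search`, `compare`, `auth`.
"""

# Ordered from weakest to strongest privilege.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two ACL clauses from the post that apply to entries under the base.
# attr=None stands for `access to *` (any entry, any attribute).
ACLS = [
    {"attr": "userPassword", "by": [("self", "write"), ("anonymous", "auth")]},
    {"attr": None, "by": [("users", "read"), ("anonymous", "none")]},
]


def _target_matches(acl, attr):
    """`access to attr=X` matches only attribute X; `access to *` matches all."""
    if acl["attr"] is None:
        return True
    return attr is not None and attr.lower() == acl["attr"].lower()


def _subject_matches(who, bind_dn, target_dn):
    """Evaluate the `by <who>` subjects used in the posted ACLs.

    bind_dn is None for an anonymous connection, otherwise the bound DN.
    """
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":          # any authenticated identity
        return bind_dn is not None
    if who == "self":           # bound DN is the entry being accessed
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported subject: {who}")


def granted_level(bind_dn, target_dn, attr):
    """Return the access level the ACLs grant bind_dn on target_dn/attr."""
    for acl in ACLS:
        if not _target_matches(acl, attr):
            continue
        for who, level in acl["by"]:
            if _subject_matches(who, bind_dn, target_dn):
                return level
        return "none"   # clause matched, no subject matched: implicit by * none
    return "none"       # nothing matched: implicit access to * by * none


def allowed(bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (levels nest)."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def access_table(user_dn, other_dn):
    """Summarise what each identity gets on a sample entry (constructed DNs)."""
    cases = {
        "anonymous -> userPassword (bind needs auth)": (None, user_dn, "userPassword"),
        "anonymous -> uid (lookup needs search/read)": (None, user_dn, "uid"),
        "self -> own userPassword": (user_dn, user_dn, "userPassword"),
        "other user -> userPassword": (other_dn, user_dn, "userPassword"),
        "other user -> uid": (other_dn, user_dn, "uid"),
    }
    return {label: granted_level(*args) for label, args in cases.items()}


if __name__ == "__main__":
    # Constructed sample DNs in the post's naming convention.
    me = "uid=dkelson,ou=People,dc=example,dc=com"
    someone = "uid=someone,ou=People,dc=example,dc=com"
    for label, level in access_table(me, someone).items():
        print(f"{label:48s} {level}")
```

The table makes the split visible: the anonymous identity is granted `auth` on userPassword (enough for a simple bind to be checked) but `none` on every other attribute, while authenticated users get `read` everywhere except other users' passwords. When comparing two servers that are supposed to be configured identically, this is the expected baseline to check each one against with an ordinary `ldapsearch` or `ldapwhoami` using the same credentials.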