
Re: Weird NSS/PAM Problem



>I have some trouble here to get OpenLDAP running correctly together with
>NSS/PAM Authentication. I tried everything I could imagine, looked
>through many mailing list archives and read all documentation I was able to find, but
>the problem still remains. ARGH ;)

Really is more of a PAM/NSS question than an OpenLDAP one, you might
get more/better help on one of PADL's lists.

>I migrated the Login Authentication on my system to OpenLDAP
>(2.0.23), /etc/shadow,passwd,groups were removed, all data is now stored
>in LDAP.
>The login is done with NSS_LDAP and PAM_LDAP and it works, the system
>reads the data correctly out of the LDAP database and every user is able
>to login on his account.
>But still, the openldap server writes some strange error messages to

No, PAM is writing this message to syslogd, not slapd.

>SYSLOG. For example, when user root logs in, the following message appears
>in the log:
>----------------------------------------------------------------------
>Mar 30 16:28:58 [login] pam_ldap: error trying to bind as user "cn=root,
>ou=sysusers, ou=sysaccounts, dc=hailstorm, dc=linuxgamer, c=de" (Invalid
>credentials)
>Mar 30 16:28:58 [login] ROOT LOGIN  on `tty2'
>----------------------------------------------------------------------
>As you can see, the login was successful, although pam_ldap reports an
>error...
>What could be the error?
>Are my ACLs wrong?
>############ /etc/ldap.conf ################
>host localhost>
>base dc=hailstorm,dc=linuxgamer,c=de
>ldap_version 3
>binddn cn=root,dc=hailstorm,dc=linuxgamer,c=de
>bindpw wonttellya ;) 	# it is the correct root password

You need to bind as cn=root to authenticate a user? It may work, but it
seems rather extreme and not particularly secure. Your ACLs say that
you can authenticate anonymously (which is OK), so try removing the
binddn directive from /etc/ldap.conf
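
As an added example, not part of this thread, here is a POSIX shell script that checks an ldap.conf for the configuration the reply questions (a directory-manager binddn plus a cleartext bindpw in a world-readable file) and then applies the suggested fix of dropping the binddn. The sample config it writes is constructed to mirror the poster's, and the DN prefixes it flags as "manager-like" are an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pam_ldap/nss_ldap ldap.conf for the
# pattern the reply warns about, a privileged binddn plus a cleartext bindpw that
# pam_ldap only uses to look up users, then strip those directives so lookups
# fall back to anonymous search. The sample config below is constructed.

# write_sample FILE MODE: constructed stand-in for the poster's /etc/ldap.conf
# (the bindpw is the directory manager's password, stored in cleartext).
write_sample() {
    cat > "$1" <<'EOF'
host localhost
base dc=hailstorm,dc=linuxgamer,c=de
ldap_version 3
binddn cn=root,dc=hailstorm,dc=linuxgamer,c=de
bindpw wonttellya
EOF
    chmod "$2" "$1"
}

# audit_ldap_conf FILE: prints one finding per line; exit status is the number
# of findings, so 0 means nothing to report.
audit_ldap_conf() {
    f=$1; n=0
    # Drop comments; pam_ldap directive names are case-insensitive.
    conf=$(sed 's/#.*//' "$f" | tr '[:upper:]' '[:lower:]')
    binddn=$(printf '%s\n' "$conf" | awk '$1=="binddn"{print $2; exit}')
    if [ -n "$binddn" ]; then
        n=$((n+1)); echo "binddn set ($binddn): only needed when anonymous search is denied"
        case "$binddn" in   # assumed manager-style DN prefixes
            cn=root,*|cn=manager,*|cn=admin,*)
                n=$((n+1)); echo "binddn is a directory-manager DN; use a read-only account" ;;
        esac
    fi
    if printf '%s\n' "$conf" | grep -q '^bindpw[[:space:]]'; then
        # ldap.conf is normally mode 644, so every local user can read the password.
        perm=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$perm" in
            *[1-7]) n=$((n+1)); echo "bindpw stored in world-readable file (mode $perm)" ;;
        esac
    fi
    return $n
}

# strip_bind_directives IN OUT: the reply's fix, remove binddn and bindpw lines.
strip_bind_directives() {
    grep -iv -e '^[[:space:]]*binddn[[:space:]]' -e '^[[:space:]]*bindpw[[:space:]]' "$1" > "$2"
}

tmp=${TMPDIR:-/tmp}/ldapconf.$$; write_sample "$tmp.orig" 644
audit_ldap_conf "$tmp.orig" || echo "$? finding(s); removing binddn/bindpw as suggested"
strip_bind_directives "$tmp.orig" "$tmp.fixed" && audit_ldap_conf "$tmp.fixed" && echo "clean"
rm -f "$tmp.orig" "$tmp.fixed"
```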