
Re: libpam libnss + ldap Authentication problem !



> I have set up a proxyuser (which can read userPassword). All user accounts
> have been loaded into the ldap directory but I cannot authenticate with
> it... It looks like sshd didn't search the ldap and
> just returned a Permission Denied.

FYI: OpenSSH 3.3.1/3.4 with UsePrivilegeSeparation doesn't work.  Disable
it, if you're using it.  I'm wagering that's the answer, but just in case,
here's some other info.

Run slapd in debug mode, and be sure the LDAP server *is* being
contacted when you try to log in.  If so, the logs (auth.log?) may be
useful.  If you have the patience to read the *full* logs (-d255), it is
possible to tell if the proxyuser actually has read access, though they're
quite long.

Also, try the same thing with /etc/pam.d/login.  If you can run 'login' and
have access, but ssh fails, that's a good indication it's a PAM issue, and
not an LDAP issue.

Finally, try 'getent passwd' and make sure libnss at least is properly
querying the LDAP server.

> /etc/pam_ldap.conf

Looks fine.

> /etc/libnss-ldap.conf

Looks good.

> /etc/pam.d/ssh

Looks good, though make sure you don't have an /etc/nologin file, or
pam_nologin will override your login ability.

> /etc/ldap/ldap.conf
> ----------------------------
> host 127.0.0.1
> base dc=dinovision,dc=net
> rootbinddn cn=proxyuser,dc=dinovision,dc=net
> scope one
> pam_filter objectclass=posixaccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_template_login_attribute uid
> pam_password md5
> nss_base_passwd         ou=People,dc=dinovision,dc=net?one
> nss_base_shadow         ou=People,dc=dinovision,dc=net?one
> nss_base_group          ou=Group,dc=dinovision,dc=net?one

I don't have the pam or nss stuff in my ldap.conf - I'm not sure it's
necessary.  Also, the 'pam_password md5' line may conflict with the
'pam_password crypt' line in pam_ldap.conf.
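The three configuration checks the reply suggests, as an added offline example that is not part of the original thread. It assumes the config files are passed in as paths (constructed sample files stand in for /etc), and it treats UsePrivilegeSeparation as enabled unless the line explicitly says "no".

```shell
#!/bin/sh
# Added example, not from the original thread: offline checks for the points the
# reply raises (pam_password conflict, /etc/nologin, UsePrivilegeSeparation).
# Every function takes paths as arguments so it can run on constructed files.

# Print the value of the pam_password directive in FILE (empty if absent).
pam_password_value() {
    awk '$1 == "pam_password" { print $2; exit }' "$1"
}

# Return 0 when ldap.conf and pam_ldap.conf agree on pam_password (or one is
# silent), 1 when they carry different values, as in the thread (md5 vs crypt).
check_pam_password() {
    a=$(pam_password_value "$1"); b=$(pam_password_value "$2")
    [ -z "$a" ] || [ -z "$b" ] || [ "$a" = "$b" ]
}

# Return 0 when ETC_DIR/nologin is absent; 1 when pam_nologin would refuse logins.
check_nologin() {
    ! [ -e "$1/nologin" ]
}

# Return 0 when sshd_config explicitly sets "UsePrivilegeSeparation no"; 1 otherwise
# (a missing or commented-out line is treated as enabled so the check errs loud).
check_privsep() {
    awk 'tolower($1) == "useprivilegeseparation" && tolower($2) == "no" { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed sample files mirroring the poster's setup; prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'host 127.0.0.1\nbase dc=example,dc=net\npam_password md5\n' > "$d/ldap.conf"
    printf 'host 127.0.0.1\npam_password crypt\n' > "$d/pam_ldap.conf"
    printf '# UsePrivilegeSeparation no\nPort 22\n' > "$d/sshd_config"
    : > "$d/nologin"          # simulate a stray /etc/nologin
    echo "$d"
}

# Run all checks against DIR, print one line per finding; return the finding count.
run_checks() {
    n=0
    check_pam_password "$1/ldap.conf" "$1/pam_ldap.conf" || { echo "pam_password differs between ldap.conf and pam_ldap.conf"; n=$((n+1)); }
    check_nologin "$1" || { echo "$1/nologin exists: pam_nologin will deny logins"; n=$((n+1)); }
    check_privsep "$1/sshd_config" || { echo "UsePrivilegeSeparation not disabled in sshd_config"; n=$((n+1)); }
    return $n
}

dir=$(make_samples); run_checks "$dir" || true; rm -rf "$dir"
```

Against the sample files all three findings are reported; point the functions at /etc/ldap/ldap.conf, /etc/pam_ldap.conf, /etc and /etc/ssh/sshd_config to check a real host.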