
Re: odd pam_ldap configuration issues



Make sure your 'auth' lines read:

auth       sufficient   pam_ldap.so
auth       required     pam_unix.so use_first_pass

Very important.  You're probably missing the use_first_pass.

> Next step was pam_ldap - again, after some reading it worked, but
> only almost. Whenever I login, I have to enter the password _twice_
> until it is accepted. I only realized that this is a problem, when I
> wanted to deploy nss_ldap. This simply did not work for me. For a
> login, the logfiles tell me the following:
>
> | Jul 17 10:28:49 slapd[18148]: daemon: conn=20 fd=15 connection from IP=10.10.0.6:33807 (IP=0.0.0.0:389) accepted.
> | Jul 17 10:28:58 slapd[18150]: conn=20 op=1 BIND dn="OU=SAMBA,DC=DOMAIN,DC=AT" method=128
> | Jul 17 10:28:58 slapd[18150]: conn=20 op=1 RESULT tag=97 err=0 text=
> | Jul 17 10:28:58 slapd[18150]: conn=20 op=2 SRCH base="ou=People,dc=domain,dc=at" scope=1 filter="(uid=sfroehli)"
> | Jul 17 10:28:58 slapd[18150]: conn=20 op=2 SEARCH RESULT tag=101 err=0 text=
> | Jul 17 10:28:58 slapd[18150]: conn=20 op=3 BIND dn="UID=SFROEHLI,OU=PEOPLE,DC=DOMAIN,DC=AT" method=128
> | Jul 17 10:28:58 slapd[18150]: conn=20 op=3 RESULT tag=97 err=0 text=
> | Jul 17 10:28:58 slapd[18150]: conn=20 op=4 BIND dn="OU=SAMBA,DC=DOMAIN,DC=AT" method=128
> | Jul 17 10:28:58 slapd[18150]: conn=20 op=4 RESULT tag=97 err=0 text=
> | Jul 17 10:28:58 slapd[18148]: daemon: conn=21 fd=16 connection from IP=10.10.0.6:33808 (IP=0.0.0.0:389) accepted.
> | Jul 17 10:28:58 slapd[18150]: conn=21 op=1 UNBIND
> | Jul 17 10:28:58 slapd[18150]: conn=-1 fd=16 closed
> | Jul 17 10:30:24 slapd[18150]: conn=20 op=5 UNBIND
> | Jul 17 10:30:24 slapd[18150]: conn=-1 fd=15 closed
>
> I waited for 10 seconds after the first password failure to
> illustrate what happens until then (i.e. next to nothing, to my
> knowledge). The procedure after the second login try looks perfectly
> fine to me (so the ldap configuration should be correct?) - but why
> not as well at the first try?
>
> Now, if I enable nss_ldap and try to execute a "getent group", I can
> see the following:
>
> | Jul 17 10:35:03 slapd[18148]: daemon: conn=27 fd=15 connection from IP=10.10.0.6:33815 (IP=0.0.0.0:389) accepted.
> | Jul 17 10:35:03 slapd[18150]: conn=27 op=1 UNBIND
> | Jul 17 10:35:03 slapd[18150]: conn=-1 fd=15 closed
>
> Which seems to me to be quite similar to the problem above: one
> try, but no success. Unlike during login, no retries are made
> here, so there is no result. Exactly the same thing happens (of
> course), if I write "group: ldap" in my nsswitch.conf and do an
> "ls -l" afterwards.
>
> I tried to increase the log level of slapd, but this gives me
> _exhaustive_ results which I am not able to interpret. If you need a
> special log level, please tell me. Also, if some of the
> configuration files are of special interest for this kind of
> problem, please tell.
>
> Ciao,
>   Stefan
>
>

-- 
Geoff Silver					<geoff at uslinux dot net>
"If Bill Gates had a nickel for every time Windows crashed...
	Oh wait, he does"
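As an added example that is not part of the original thread, the following POSIX shell snippet checks a PAM service file for the exact stacking mistake the reply points at: a pam_unix.so auth line placed after pam_ldap.so without use_first_pass (or try_first_pass), which makes pam_unix prompt for the password a second time whenever the pam_ldap attempt does not succeed. The function names, the temporary file names and the two sample service files are constructed for the demonstration; the check assumes the classic one-line "type control module options" syntax in a single file and does not follow @include or substack directives.

```shell
#!/bin/sh
# Added example (not from the original thread): lint the "auth" stack of a
# PAM service file for a pam_unix.so line stacked after pam_ldap.so without
# use_first_pass / try_first_pass.
#
# Assumptions: classic one-line "type control module [options]" syntax in a
# single file; "@include" / "substack" directives are not followed.

# Emit the auth lines of a PAM file with comments stripped and any
# "[success=1 default=ignore]"-style control field collapsed to a single
# token so that "read" can split the remaining fields on whitespace.
pam_auth_lines() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" \
        | sed -E 's/#.*$//; s/\[[^]]*\]/[control]/'
}

# Return 0 when the stack is sane:
#   - pam_ldap.so appears as an auth module, and
#   - every pam_unix.so auth line after it carries use_first_pass or
#     try_first_pass, so the password already collected for pam_ldap is
#     reused instead of prompting the user a second time.
# Return 1 (printing a diagnosis on stderr) otherwise.
check_pam_auth_stack() {
    file=$1
    seen_ldap=0
    rc=0
    while read -r ptype control module opts; do
        [ -z "$module" ] && continue
        case "$module" in
            pam_ldap.so)
                seen_ldap=1 ;;
            pam_unix.so)
                if [ "$seen_ldap" -eq 1 ]; then
                    case " $opts " in
                        *" use_first_pass "*|*" try_first_pass "*) ;;
                        *)
                            echo "$file: pam_unix.so ($control) after pam_ldap.so without use_first_pass: user is prompted twice" >&2
                            rc=1 ;;
                    esac
                fi ;;
        esac
    done <<EOF
$(pam_auth_lines "$file")
EOF
    if [ "$seen_ldap" -eq 0 ]; then
        echo "$file: no pam_ldap.so in the auth stack" >&2
        rc=1
    fi
    return "$rc"
}

# Demo on two constructed sample files: the stack implied by the question
# (no use_first_pass) and the one the reply recommends.
demo_dir=$(mktemp -d)
cat > "$demo_dir/login.bad" <<'EOF'
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so
EOF
cat > "$demo_dir/login.good" <<'EOF'
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so use_first_pass
EOF
for f in "$demo_dir/login.good" "$demo_dir/login.bad"; do
    if check_pam_auth_stack "$f"; then
        echo "$f: auth stack OK"
    else
        echo "$f: auth stack needs fixing"
    fi
done
rm -rf "$demo_dir"
```

On a real host you would run `check_pam_auth_stack` over each service file you use for interactive logins (for example /etc/pam.d/login, sshd and su); on distributions that factor the auth stack out into a shared file via @include, point it at that shared file instead, since the check does not follow includes.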