
Re: pam_ldap doesn't bind SIMPLE for anonymous auth?



On Jun 7, 2010, at 3:50 AM, Buchan Milne wrote:
> Sure, but are you sure ldapsearch and pam_ldap are using the same password? If 
> you *think* so, maybe you should check with a packet capture ...


I did, and found that pam_ldap had altered the password prior to submittal. It turns out that for what it perceives as invalid user ids, it changes the password hash to 'INCORECT', mis-spelling and all. There was a problem with nsswitch/nscd; once that was resolved, the userid was valid and ldap worked fine.

This is hardly useful behavior.  I fail to understand why this particular approach is taken.

Also on the other hand, comparing the logs I showed indicates that more logging would really help identify the problem.  The failed BIND attempt is not logged, even at debug level 9, which is part of what confuses a person trying to understand the problem.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness