[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pam_ldap doesn't bind SIMPLE for anonymous auth?

On Jun 7, 2010, at 3:50 AM, Buchan Milne wrote:
> Sure, but are you sure ldapsearch and pam_ldap are using the same password? If 
> you *think* so, maybe you should check with a packet capture ...

I did, and found that pam_ldap had altered the password prior to submittal.   It turns out that for what it perceives as invalid user ids, it changes the password hash to 'INCORECT', mis-spelling and all.  There was a problem with nsswitch/nscd which when resolved, the userid was valid and ldap worked fine.

This is hardly useful behavior.  I fail to understand why this particular approach is taken.

Also on the other hand, comparing the logs I showed indicates that more logging would really help identify the problem.  The failed BIND attempt is not logged, even at debug level 9, which is part of what confuses a person trying to understand the problem.

Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness