
Re: LDAP authentication of unregistered user at client side.

On Friday, 2 September 2011 03:35:24 vijay s sheelavantar wrote:
> Hi Friends,
> I have an OpenLDAP server running on one machine (fedora10) and pam_ldap.so
> and nss_ldap.so running on the other machine. I have added a new user to
> the LDAP server database; this user is not created on the client machine.
> 1. Can I log in to the client machine using this new user?

Yes, if your client configuration is correct.

> 2. Now if I try logging in with this new user I am getting error messages;
> the error messages are as follows at the client side:
>
> Sep  2 10:34:36 localhost sshd[8484]: Invalid user kim from 10.254.194.148
> Sep  2 10:34:36 localhost sshd[8485]: input_userauth_request: invalid user kim

This looks like you haven't configured nsswitch.conf correctly.

> Sep  2 10:35:16 localhost sshd[8484]: pam_ldap: error trying to bind as user
> "cn=min soo,ou=people,dc=samsung,dc=com" (Invalid credentials)

You entered the wrong password, or possibly your ACLs on the server don't 
allow anonymous auth access to the userPassword attribute. You may first want 
to test directly, e.g. with ldapwhoami, such as:

ldapwhoami -x -D cn=minsoo,ou=people,dc=samsung,dc=com -W

(if your /etc/openldap/ldap.conf is not appropriately configured, you may need 
to specify -h or -H options, see the ldapwhoami(1) and ldap.conf(5) man 
pages).

> Sep  2 10:35:16 localhost sshd[8484]: pam_succeed_if(sshd:auth): error retrieving
> information about user kim
> Sep  2 10:35:16 localhost sshd[8484]: Failed password for invalid user kim from
> 10.254.194.148 port 52652 ssh2
>
> Kindly let me know, is it a limitation with LDAP???

No, all our production servers run without any local accounts for real users, 
without problems for the last 6+ years.

Regards,
Buchan
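The triage in the reply above (sshd's "Invalid user" points at NSS lookup, so nsswitch.conf/nss_ldap; a pam_ldap bind failure points at the password or at an ACL that denies auth access to userPassword) can be applied to the quoted log mechanically. This is an added example and not part of the thread; the sample entries are reconstructed from the ones quoted above and deliberately run together with no newlines, as the mail shows them, so the splitter has to recover entry boundaries first. The DN follows Buchan's ldapwhoami command (cn=minsoo).

```python
import re
from collections import OrderedDict

# Constructed sample: the sshd/pam_ldap entries quoted in the thread, with the
# newlines between entries lost, exactly as they appear in the mail.
SAMPLE_LOG = (
    'Sep  2 10:34:36 localhost sshd[8484]: Invalid user kim from 10.254.194.148'
    'Sep  2 10:34:36 localhost sshd[8485]: input_userauth_request: invalid user kim'
    'Sep  2 10:35:16 localhost sshd[8484]: pam_ldap: error trying to bind as user '
    '"cn=minsoo,ou=people,dc=samsung,dc=com" (Invalid credentials)'
    'Sep  2 10:35:16 localhost sshd[8484]: pam_succeed_if(sshd:auth): error retrieving '
    'information about user kim'
    'Sep  2 10:35:16 localhost sshd[8484]: Failed password for invalid user kim '
    'from 10.254.194.148 port 52652 ssh2'
)

# A syslog entry starts with "Mon DD HH:MM:SS"; split wherever one begins.
ENTRY_START = re.compile(r'(?=[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d )')

# (pattern, diagnosis) pairs, in the order the login flow produces the messages.
RULES = [
    (re.compile(r'sshd\[\d+\]: Invalid user (\S+) from (\S+)'),
     'nss: user {0} unknown to NSS (check the passwd line in nsswitch.conf / nss_ldap)'),
    (re.compile(r'pam_succeed_if\(sshd:auth\): error retrieving information about user (\S+)'),
     'nss: user {0} lookup failed inside PAM (same NSS problem)'),
    (re.compile(r'pam_ldap: error trying to bind as user "([^"]+)" \(Invalid credentials\)'),
     'bind: simple bind as {0} rejected: wrong password, or ACL denies auth access to userPassword'),
]

def split_entries(text):
    """Recover individual syslog entries from text whose newlines were lost."""
    return [e.strip() for e in ENTRY_START.split(text) if e.strip()]

def diagnose(text):
    """Map each entry to its likely cause; returns (entries, {diagnosis: first matching line})."""
    entries = split_entries(text)
    findings = OrderedDict()
    for line in entries:
        for pat, msg in RULES:
            m = pat.search(line)
            if m:
                findings.setdefault(msg.format(*m.groups()), line)
                break
    return entries, findings

if __name__ == '__main__':
    for cause, line in diagnose(SAMPLE_LOG)[1].items():
        print(cause, '<-', line)
```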