[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unable to authenticate via pam_ldap



On 03/01/13 15:07 +0530, Meghanand Acharekar wrote:
I've LDAP production server running over last 1 years without any issues,
I'm suddently getting password fail error while authenticating via
pam_ldap.so its show following error message, I'm able to authenticate
using ldap client utilities like ldapsearch, also via some java application,

On client side I got following error message in /var/log/secure

Failed password for [username] from xx.xx.xx.xx port 38473 ssh2
fatal: Access denied for user [username] by PAM account configuration

That error could indicate some other problem. From wikipedia (for
Linux_PAM):

"Account modules check that the specified account is a valid authentication
target under current conditions. This may include conditions like account
expiration, time of day, and that the user has access to the requested
service."

Check that your libnss_ldap configuration is good, by running:

getent passwd <user>

and

getent shadow <user>

Verify that you don't have an expired account (see man shadow). Check that
your name caching daemon (e.g. nscd) is running, if you're using it.

On LDAP server logs.

=> access_allowed: read access denied by auth(=xd)
send_search_entry: conn 1711 access to attribute userPassword, value
#0 not allowed

ACL configuration on LDAP server

access to attrs=userPassword
       by self write
       by anonymous auth
       by dn.base="cn=Manager,dc=example,dc=com" write
       by * none
access to attrs=shadowLastChange
       by self write
       by * read
access to *
       by self write
       by dn.base="cn=Manager,dc=example,dc=com" write
       by * read

pam_ldap (/etc/pam.d/system-auth) configuration - client side

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_ldap.so try_first_pass
auth        sufficient    pam_unix.so nullok use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 debug
minclass=4 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

The strange thing is I haven't made any changes on server or client side
since a long time.

--
Dan White