Guillaume CHARDIN schreef:
> Thanks for your reply. Here are some details about what you asked.
>
> 2009/9/11 Sjoerd Hardeman <sjo...@lorentz.leidenuniv.nl>:
>> Can you add the option 'debug' in /etc/pam.d/common-auth to the line of pam_ldap? What do you see when you try to log in in /var/log/auth.log? And when you log in as root, does changing passwords work?
>> Sjoerd
>
> I activated the pam_ldap debug: the only line displayed in /var/log/auth.log when I connect with a password is:
>
>   * Sep 11 15:29:30 debiandev sshd[9231]: Failed password for gfustier from 192.168.22.6 port 10243 ssh2
>
> So ok, now I'm sure it failed :D But why....

Yes, that's indeed what we need to find out. Looking at the /etc/pam.d/common-auth you provided, I might see a problem (see below). If that doesn't work, can you check that, if you use the settings from /etc/pam_ldap.conf, ldapsearch -x -h your-ldap-server -b dc=searchbase,dc=org -D uid=yourname,ou=users,... works? It might be that somehow encryption or SASL has been enabled on the LDAP server, and that your Debian box is not aware.

> Next, when I tried to change my password once authenticated with my SSH private key, the error displayed is:
>
>   * Sep 11 15:30:25 debiandev passwd[9243]: pam_unix(passwd:chauthtok): user "gfustier " does not exist in /etc/passwd

That's expected for a login with a key. /etc/passwd is used to look up group info, but not found and then retrieved from the ldap server. As you provide a secret key, no password is used, as the key is used for authorization.

> But my user is stored on the ldap server so I think it's ok, maybe I have to use
>
> And if I try to change the root password it works:
>
>   * Sep 11 15:48:47 debiandev passwd[9265]: pam_unix(passwd:chauthtok): password changed for root

Yes, that's fine, but what happens if you change a user password from the root account?

> If it can help, here is the content of /etc/pam.d/common-auth & common-passwd:
>
> #common-passwd#
> password required pam_unix.so nullok obscure md5
> password sufficient pam_ldap.so
> ##

This is not used for authentication, only for changing passwords. Yet, to make that work, you should change this to

password sufficient pam_unix.so nullok obscure md5
password sufficient pam_ldap.so use_first_pass use_authtok
password required pam_deny.so

In your [config, the required pam_unix.so] might require presence of the user in /etc/passwd and /etc/shadow. You don't want that. Also, use_first_pass uses the password provided to pam_unix, which might return null instead of the provided pass (I think that's what is happening).

> #common-auth#
> auth required pam_unix.so nullok_secure
> auth sufficient pam_ldap.so use_first_pass debug
> ##

Again, you don't want to require users to pass pam_unix.so, so change this to

auth sufficient pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass

good luck!
Sjoerd
signature.asc
Description: OpenPGP digital signature
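The control-flag reasoning in the reply above (a "required" pam_unix.so failing for a user who only exists in LDAP, so that a later "sufficient" pam_ldap.so success no longer matters) can be checked without a test box. The following is an added example, not code from the thread or from Linux-PAM itself: a small simulator of the four simple PAM control flags, run over the two common-auth and common-password stacks as posted and as suggested. The per-user module results (gfustier only in LDAP, root only local, a hypothetical "mallory" giving a wrong LDAP password) are constructed assumptions; the token passing that use_first_pass/use_authtok do is not modelled, and only one pass over the password stack is simulated.

```python
# Added example, not part of the original mail: a simulator of Linux-PAM's
# simple control flags (required / requisite / sufficient / optional) run over
# the common-auth and common-password stacks from the thread. The per-user
# module results below are constructed assumptions, not output of a real
# system; any module not listed (pam_deny.so included) is taken to fail.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# The stacks as posted (original) and as suggested in the reply (fixed).
ORIGINAL_COMMON_AUTH = """
auth required   pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass debug
"""
FIXED_COMMON_AUTH = """
auth sufficient pam_unix.so nullok_secure
auth required   pam_ldap.so use_first_pass
"""
ORIGINAL_COMMON_PASSWORD = """
password required   pam_unix.so nullok obscure md5
password sufficient pam_ldap.so
"""
FIXED_COMMON_PASSWORD = """
password sufficient pam_unix.so nullok obscure md5
password sufficient pam_ldap.so use_first_pass use_authtok
password required   pam_deny.so
"""

# Constructed per-user results (assumption): gfustier exists only in LDAP and
# gives the right password; root exists only in /etc/passwd; "mallory" is a
# hypothetical LDAP user giving a wrong password.
USERS = {
    "gfustier": {"pam_unix.so": PAM_USER_UNKNOWN, "pam_ldap.so": PAM_SUCCESS},
    "root":     {"pam_unix.so": PAM_SUCCESS,      "pam_ldap.so": PAM_USER_UNKNOWN},
    "mallory":  {"pam_unix.so": PAM_USER_UNKNOWN, "pam_ldap.so": PAM_AUTH_ERR},
}


def parse_stack(text):
    """Turn 'type control module [options...]' lines into (control, module,
    options) tuples; blank lines and '#' comments are skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            _type, control, module, *opts = line.split()
            stack.append((control, module, opts))
    return stack


def run_stack(stack, module_results):
    """Evaluate one stack with Linux-PAM semantics for the simple flags: a
    failing 'required' module is remembered and reported once the whole stack
    has run, and a later 'sufficient' success cannot override it; a failing
    'requisite' returns at once; a successful 'sufficient' returns at once
    unless a required module already failed; a stack that decides nothing
    is denied."""
    impression = None        # None: undecided, True: success so far, False: a required module failed
    first_failure = None
    for control, module, _opts in stack:
        rc = module_results.get(module, PAM_AUTH_ERR)  # unknown modules fail closed
        ok = rc == PAM_SUCCESS
        if control == "requisite":
            if not ok:
                return rc
            if impression is None:
                impression = True
        elif control == "required":
            if ok:
                if impression is None:
                    impression = True
            elif impression is not False:
                impression, first_failure = False, rc
        elif control == "sufficient":
            if ok and impression is not False:
                return PAM_SUCCESS
            # a failing sufficient module is simply ignored
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unsupported control flag: {control}")
    if impression is False:
        return first_failure
    return PAM_SUCCESS if impression else PAM_PERM_DENIED


def evaluate(config_text, user):
    """Overall result of the stack in config_text for the named user."""
    return run_stack(parse_stack(config_text), USERS[user])


if __name__ == "__main__":
    for name, cfg in [("original common-auth", ORIGINAL_COMMON_AUTH),
                      ("fixed common-auth", FIXED_COMMON_AUTH),
                      ("original common-password", ORIGINAL_COMMON_PASSWORD),
                      ("fixed common-password", FIXED_COMMON_PASSWORD)]:
        for user in USERS:
            print(f"{name:26} {user:9} -> {evaluate(cfg, user)}")
```

Running it reproduces the two log lines from the thread: with the original stacks gfustier gets PAM_USER_UNKNOWN from both common-auth (sshd's "Failed password") and common-password (passwd's "does not exist in /etc/passwd"), while root succeeds because pam_unix.so is satisfied. With the suggested ordering gfustier passes on pam_ldap.so, root still passes on pam_unix.so, and a wrong LDAP password is still rejected (by the required pam_ldap.so in common-auth, and by pam_deny.so in common-password). Two caveats the simulator makes visible: with pam_unix.so sufficient and first, a local account with the same name as an LDAP user always wins, and nullok lets an empty local password through, so stray local accounts on an LDAP-backed box deserve an audit.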