On Jun 7, 2010, at 3:50 AM, Buchan Milne wrote:
Sure, but are you sure ldapsearch and pam_ldap are using the same password? If you *think* so, maybe you should check with a packet capture ...
I did, and found that pam_ldap had altered the password prior to submittal. It turns out that for what it perceives as invalid user ids, it changes the password hash to 'INCORECT', mis-spelling and all. There was a problem with nsswitch/nscd; once that was resolved, the userid was valid and LDAP worked fine.
This is hardly useful behavior. I fail to understand why this particular approach is taken.
Also, on the other hand, comparing the logs I showed indicates that more logging would really help identify the problem. The failed BIND attempt is not logged, even at debug level 9, which is part of what confuses a person trying to understand the problem.