I've LDAP production server running over last 1 years without any issues, I'm suddently getting password fail error while authenticating via pam_ldap.so its show following error message, I'm able to authenticate using ldap client utilities like ldapsearch, also via some java application,

On client side I got following error message in /var/log/secure


Failed password for [username] from xx.xx.xx.xx port 38473 ssh2
fatal: Access denied for user [username] by PAM account configuration

On LDAP server logs.


=> access_allowed: read access denied by auth(=xd) 
send_search_entry: conn 1711 access to attribute userPassword, value #0 not allowed

ACL configuration on LDAP server


access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * none
access to attrs=shadowLastChange
        by self write
        by * read
access to *
        by self write
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * read

pam_ldap (/etc/pam.d/system-auth) configuration - client side


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_ldap.so try_first_pass
auth        sufficient    pam_unix.so nullok use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 debug minclass=4 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

The strange thing is I haven't made any changes on server or client side since a long time.

Regards,
Meghanand N. Acharekar
" A proud Linux User "
Reg Linux UserĀ  #397975
------------------------------------------
The gates in my computer are AND, OR and NOT; they are not Bill..