Hi,
I'm currently working on an authentication system for my company and facing a problem using pam_ldap and libnss_ldap.
I want to configure pam to authenticate against a field (let's call it AField) (e.g. an ssh session's authentication) and libnss to provide the content of another field (BField) if I run e.g. ls -l.
I mean:
# ssh AField-value@192.168.1.1
[...]
# ls -l /tmp/test
-rwx------ 1 BField-value root 1305 2009-03-18 14:11 test
# whoami
BField-value
The goal is to permit login via AField, which will be a quite long name, and BField will ease the reading on my Linux box.
Everything is working perfectly fine if I use the same field (i.e. pam_login_attribute BField and nss_map_attribute uid BField), but if I try to set pam_login_attribute to AField and nss_map_attribute to "uid BField", the authentication process fails with an "Invalid credentials" error.
libnss works correctly, since when I list (ls) a file created by an LDAP user after logging in as a local user, the resolution works fine: ls tells me the file is owned by the {BField-value} user.
pam_ldap seems to understand it needs to look up the AField, since it binds anonymously and requests the RDN of the user having AField equal to the submitted login, but when the bind is done with the RDN of that user, I get the error.
I tcpdump-ed the LDAP traffic and discovered pam_ldap is requesting the bind without providing the password. In the packets, where the password (in clear for tests) should be, I can read "INCORRECT", which is not my password at all =) Then it's perfectly logical that OpenLDAP returns "Invalid credentials" to me.
My question is: what can this INCORRECT mean? A configuration error? Is it even possible to do what I want to do?
When my authentication fails, I can read in the OpenLDAP log files:
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
When I'm using only the AField (or the BField) for the two options, I don't get this error :o/
I'm using OpenLDAP 2.3.30-5+etch2, libpam-ldap 180-1.7 and libnss-ldap 251-7.5etch1 on Debian.
Thank you in advance for your support.
Regards,
--
Florian MAURY
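Added diagnostic example, not part of the original post and not code from pam_ldap or OpenLDAP: a stand-alone BER encoder/decoder for the LDAPv3 simple BindRequest (RFC 4511), so a bind captured with tcpdump can be decoded and its DN and simple-auth octet string read off exactly instead of eyeballed in the packet dump. The DN and passwords below are constructed sample values.

```python
"""Minimal BER encoder/decoder for an LDAPv3 simple BindRequest (RFC 4511).

LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN,
                 authentication CHOICE { simple [0] OCTET STRING, ... } }
"""

def _ber_len(n: int) -> bytes:
    # Short form below 128; long form (0x80 | N, then N length bytes) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(v: int) -> bytes:
    # Tag 0x02 = INTEGER, two's-complement, minimal length.
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Build the bytes a client puts on the wire for a simple bind (0x60 = [APPLICATION 0])."""
    bind = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind))

def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_simple_bind(pkt: bytes) -> dict:
    """Extract message id, version, DN and simple password from a captured BindRequest."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, ver, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "version": ver[0],
            "dn": dn.decode(), "simple_password": cred.decode() if tag == 0x80 else None}

# Constructed sample (hypothetical DN): the bind a client sends for the user found via AField.
SAMPLE = encode_simple_bind(2, "uid=afield-value,ou=people,dc=example,dc=com", "s3cret")
```

Feed the bytes of the BindRequest from the capture to decode_simple_bind to see verbatim what credential string the client sent; an empty simple_password is the anonymous bind pam_ldap uses for the initial lookup.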