Hello,
I am installing openldap in my cathedra and am running into a strange problem.
Currently I configured the server and imported some entries (from the existing nis base).
Then I set up a client station. Unfortunately I am currently unable to log in with a user account on the client station.
The strange problem consists in the following:
- When I use libnss_ldap and libpam_ldap the client sends multiple requests, receives multiple answers (with correct values for the given user), but then at one moment the server sends a FIN,ACK packet and in the auth.log of the client machine I see a message saying "failed to bind to ldap server" or something like this. I get this information from a network analyzer. From the server side everything seems OK.
- When I use libnss_ldapd and libpam_ldapd, the communication is OK, but it seems that the client is not asking for the userPassword argument and so, there is no way to login (it only asks for "loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid" and then in another request "shadowExpire shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax").
I am able to make an ldapsearch from the client side with the binddn specified in the pam_ldap.conf and libnss_ldap.conf and all the information is successfully retrieved.
Any advice is welcome.
Thanks,
-- Ivaylo
On 09/24/14 14:30 +0200, Ivaylo Ganchev wrote:
> Hello,
> I am installing openldap in my cathedra and am running into a strange problem.
> - When I use libnss_ldapd and libpam_ldapd, the communication is OK, but
> it seems that the client is not asking for the userPassword argument and so, there is no way to login (it only asks for "loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid" and then in another request "shadowExpire shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax").

See:
http://arthurdejong.org/nss-pam-ldapd/setup
and its troubleshooting steps, namely, getent passwd, getent shadow, and debug mode.
In the default configuration, you will not directly expose the userPassword attribute to the client - a successful bind will authenticate the client's credentials.
Hello,
On 2014-09-24.Wed, Dan White wrote:
> On 09/24/14 14:30 +0200, Ivaylo Ganchev wrote:
>> Hello,
>> I am installing openldap in my cathedra and am running into a strange problem.
>> - When I use libnss_ldapd and libpam_ldapd, the communication is OK, but
>> it seems that the client is not asking for the userPassword argument and so, there is no way to login (it only asks for "loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid" and then in another request "shadowExpire shadowInactive shadowFlag shadowWarning shadowLastChange uid shadowMin shadowMax").
> See:

I followed this setup when configuring. Will re-read it. I think I miss some further comprehension.

> and its troubleshooting steps, namely, getent passwd, getent shadow, and debug mode.
> In the default configuration, you will not directly expose the userPassword attribute to the client - a successful bind will authenticate the client's credentials.

Thanks for pointing me to these hints.
-- Ivaylo
"Ivaylo Ganchev" ivaylo.ganchev@univ-paris8.fr writes:
> - When I use libnss_ldapd and libpam_ldapd, the communication is OK, but it seems that the client is not asking for the userPassword argument and so, there is no way to login

That does not follow: libpam_ldapd can verify the password by binding to the directory, thus it does not need to read the userPassword attribute.
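As an added illustration of the troubleshooting steps Dan White lists above (getent passwd, getent shadow, nslcd debug mode) and of the point made in this last reply that pam_ldapd authenticates by binding as the user rather than by reading userPassword, here is a small shell script. It is not part of the thread or of the nss-pam-ldapd project, and it goes one step beyond the thread by also showing the server-side ACL that keeps userPassword unreadable while still allowing binds. The server URI ldap://ldap.example.org, the config database DN olcDatabase={1}mdb,cn=config and root access to ldapi:/// are assumptions; the shadow-field convention in shadow_password_state (nslcd returns "*" in the password field when userPassword is not readable) is nslcd's default behaviour as I understand it, so check it against your own getent output.

```shell
#!/bin/sh
# Added example, not from the thread or the nss-pam-ldapd project.
# Assumed values: adjust LDAP_URI and the cn=config database DN for your site.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"   # assumption

# NSS side: does the account resolve at all? With nss-pam-ldapd the lookup
# goes nsswitch.conf -> ldap -> nslcd. An empty result means the passwd or
# shadow map is broken, which is unrelated to the PAM (login) step.
check_nss_user() {
    name="$1"
    getent passwd "$name" || { echo "no passwd entry for $name via NSS" >&2; return 1; }
    # The shadow map is only served to privileged callers, so run this as root.
    getent shadow "$name" || echo "no shadow entry for $name (not root?)" >&2
}

# Classify the password field of a shadow(5) line as returned by getent.
# nslcd copies userPassword into that field only when the directory lets the
# client read it, and returns "*" otherwise (assumed default). With bind-based
# PAM authentication "*" is the expected and safe value: a real hash here
# means the ACL on userPassword is too permissive.
# Prints "hidden" or "exposed"; returns 1 on a malformed line.
shadow_password_state() {
    line="$1"
    case "$line" in
        *:*:*) ;;
        *) return 1 ;;
    esac
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        ''|'*'|'!'|'!!'|'x') echo hidden ;;
        *)                  echo exposed ;;
    esac
}

# PAM side: pam_ldapd verifies a password by binding as the user's DN, so the
# same operation can be exercised by hand. If this bind succeeds but login
# still fails, look at nslcd.conf / PAM configuration, not at the credentials.
check_user_bind() {
    user_dn="$1"
    ldapwhoami -x -H "$LDAP_URI" -D "$user_dn" -W
}

# Server side: let everyone bind ("auth") against userPassword, let the owner
# change it, and deny reads to all other clients. Database DN is an assumption.
restrict_userpassword_acl() {
    ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
EOF
}

# Debug mode from the nss-pam-ldapd troubleshooting page: stop the daemon and
# run it in the foreground, where it logs every request and the server replies.
debug_nslcd() {
    systemctl stop nslcd 2>/dev/null || service nslcd stop 2>/dev/null
    nslcd -d
}
```

Typical use on the client is `check_nss_user alice` followed by `check_user_bind uid=alice,ou=People,dc=example,dc=org`; a passwd line without a shadow line points at the nslcd shadow map or its permissions, while a failed bind with a correct password points at the directory itself. `shadow_password_state "$(getent shadow alice)"` should print `hidden` once the ACL is in place.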
openldap-technical@openldap.org