Have you changed anything in the following: /etc/nsswitch.conf and your
/etc/slapd/ldap.conf or /etc/ldap.conf

What do they look like?

You might not have the right uri and/or basedn specified in your ldap.conf.
If your nsswitch is untouched, the system isn't even asking for ldap
lookups via pam; it's just going to files.

What is the result of running:

getent passwd username

Use a username that is both in ldap and in files (/etc/passwd) and one that
isn't. You should get a double response on the user in both files and ldap
and a single on the one that's just in ldap. If you get nothing from the
latter then your issue is with nss.

On Wed, Jul 6, 2011 at 8:51 AM, Santhosh <[email protected]> wrote:

> Hi all,
> I have been trying to integrate pam_ldap in my CentOS machine. I
> installed the pam_ldap package through yum.
> /lib64/security/pam_ldap.so is present.
> I did the necessary changes in the /etc/pam.d/login, sshd, passwd files
> to first look into the shadow file then fall back to ldap. I'm able
> to authenticate the users whose password is in the shadow file. But when
> I try to authenticate the user whose information is stored in the ldap,
> it is failing, complaining that "pam_ldap: error trying to bind
> (Invalid credentials)".
> I have also tried the ldapsearch command line utility of the ldap;
> there the same DN, user, password are working and I am successfully able to
> connect to the ldap server.
> I have done the necessary changes in the /etc/ldap.conf.
> # this file must be world readable (0644)
> BASE       DC=my,DC=example,DC=com
>
> # FQDN of the LDAP server
> #HOST       XXX.XXX.XXX.XXX
>
> # encryption used for storing passwords
> #pam_crypt
>
> #ldap_version 3
>
> # bindpw is only needed if you want to allow root to change entries on
> # this host.
> # it's also better to keep the password in /etc/ldap.secret (0600) instead
> #bindpw {crypt}4rKJLSLewr
> #base DC=my,DC=example,DC=com
> uri ldap://newldap.my.example.com
> binddn  CN=santhosh,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
> bindpw santhosh123
> #{md5}ea7bb3f922e875d6efc3a3fbbbada590
> port 389
> timelimit 120
> bind_timelimit 30
> bind_policy soft
> idle_timelimit 3600
> pam_password crypt
> ssl no
> scope LDAP_SCOPE_BASE
> # this one is to allow root to change entries
> # it will require bindpw or password in /etc/ldap.secret
> #rootbinddn cn=root,dc=example,dc=com
> #rootbinddn CN=santhosh,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
>
> # this for group access
> nss_base_passwd  DC=my,DC=example,DC=com
> nss_base_shadow DC=my,DC=example,DC=com
> nss_base_group  OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,dc=com
> nss_reconnect_tries 60
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
>
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # TBD: where to put this certificate anyway?
>
>
> Does anyone have expertise on it? I'd appreciate it if anyone can help.
>
> Thanks,
> Santhosh
>
> --
> You received this message because you are subscribed to the Linux Users
> Group.
> To post a message, send email to [email protected]
> To unsubscribe, send email to [email protected]
> For more options, visit our group at
> http://groups.google.com/group/linuxusersgroup
> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules or
> http://cdn.fsdev.net/List-Rules.pdf)
>



-- 
A healthy diet  includes Linux, Linux, and more Linux.
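As an added example (not part of this thread), a small POSIX shell check for the two things the reply above asks about: whether nsswitch.conf actually lists ldap for passwd, shadow and group, and from which source a user resolves. It embeds a constructed nsswitch.conf sample and constructed getent output; `getent -s SOURCE` is glibc's per-source lookup switch.

```sh
# Added example, not from the thread: check which NSS databases really route
# to ldap, then classify a user by which source getent can resolve it from.
# Constructed nsswitch.conf sample: shadow still stops at files, so an
# ldap-only user gets a passwd entry but nothing for shadow lookups.
NSSWITCH_SAMPLE='passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns'
# Print the sources listed for database $1 in nsswitch file $2.
nss_sources() {
  awk -v db="$1" '$1 == (db ":") { sub(/#.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Succeed only if database $1 in file $2 lists ldap as a source.
nss_uses_ldap() {
  case " $(nss_sources "$1" "$2") " in *" ldap "*) return 0 ;; esac
  return 1
}

# One line per database saying whether ldap is ever consulted.
nss_report() {
  for db in passwd shadow group; do
    if nss_uses_ldap "$db" "$1"; then
      echo "$db: ldap consulted ($(nss_sources "$db" "$1"))"
    else
      echo "$db: ldap NOT consulted, lookups end at files"
    fi
  done
}

# Classify a user from the output of `getent -s files passwd USER` ($1) and
# `getent -s ldap passwd USER` ($2). A bare `getent passwd USER` prints only
# the first source that answers, so query each source on its own.
classify_user() {
  files_hit=0; ldap_hit=0
  [ -n "$1" ] && files_hit=1
  [ -n "$2" ] && ldap_hit=1
  case "$files_hit$ldap_hit" in
    11) echo "both" ;;
    10) echo "files-only" ;;
    01) echo "ldap-only" ;;
    *)  echo "unresolved: nss problem, not pam" ;;
  esac
}
# Stand-alone run over the constructed sample (the passwd line is constructed too).
tmp=$(mktemp); printf '%s\n' "$NSSWITCH_SAMPLE" > "$tmp"
nss_report "$tmp"
classify_user "" "santhosh:x:5001:5001::/home/santhosh:/bin/bash"
rm -f "$tmp"
```

On a real host, point nss_report at /etc/nsswitch.conf and pass classify_user the real `getent -s files` and `getent -s ldap` output for the user that fails to bind.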
