My configuration is such that I'm able to execute the command "id" and get the uid and gid information of the user in LDAP. But when I try to do an authentication it's failing, saying "python: pam_ldap: error trying to bind (Invalid credentials)." I'm basically using a Python client to authenticate against PAM. I have set ssl no in /etc/ldap.conf, and bindpw <unencrypted password>.
And also I'm able to do an ldapsearch from the same machine.

Thanks,
Santhosh

On Wed, Jul 6, 2011 at 10:25 PM, Bryan Smith <[email protected]> wrote:
> Have you changed anything in the following: /etc/nsswitch.conf and your
> /etc/slapd/ldap.conf or /etc/ldap.conf?
>
> What do they look like?
>
> You might not have the right uri and/or basedn specified in your ldap.conf.
> If your nsswitch is untouched, the system isn't even asking for LDAP
> lookups via PAM; it's just going to files.
>
> What is the result of running:
>
> getent username
>
> Use a username that is both in LDAP and in files (/etc/passwd) and one that
> isn't. You should get a double response on the user in both files and LDAP
> and a single one on the one that's just in LDAP. If you get nothing from the
> latter then your issue is with NSS.
>
> On Wed, Jul 6, 2011 at 8:51 AM, Santhosh <[email protected]> wrote:
>
>> Hi all,
>> I have been trying to integrate pam_ldap on my CentOS machine. I
>> installed the pam_ldap package through yum.
>> /lib64/security/pam_ldap.so is present.
>> I made the necessary changes in the /etc/pam.d/login, sshd and passwd files
>> to first look in the shadow file and then fall back to LDAP. I'm able
>> to authenticate the users whose passwords are in the shadow file. But when
>> I try to authenticate a user whose information is stored in LDAP,
>> it is failing, complaining that "pam_ldap: error trying to bind
>> (Invalid credentials)".
>> I have also tried the ldapsearch command line utility of LDAP;
>> there the same DN, user and password are working and I am successfully able to
>> connect to the LDAP server.
>> I have made the necessary changes in /etc/ldap.conf:
>>
>> # this file must be world readable (0644)
>> BASE DC=my,DC=example,DC=com
>>
>> # FQDN of the LDAP server
>> #HOST XXX.XXX.XXX.XXX
>>
>> # encryption used for storing passwords
>> #pam_crypt
>>
>> #ldap_version 3
>>
>> # bindpw is only needed if you want to allow root to change entries on
>> # this host.
>> # it's also better to keep the password in /etc/ldap.secret (0600) instead
>> #bindpw {crypt}4rKJLSLewr
>> #base DC=my,DC=example,DC=com
>> uri ldap://newldap.my.example.com
>> binddn CN=santhosh,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
>> bindpw santhosh123
>> #{md5}ea7bb3f922e875d6efc3a3fbbbada590
>> port 389
>> timelimit 120
>> bind_timelimit 30
>> bind_policy soft
>> idle_timelimit 3600
>> pam_password crypt
>> ssl no
>> scope LDAP_SCOPE_BASE
>> # this one is to allow root to change entries
>> # it will require bindpw or password in /etc/ldap.secret
>> #rootbinddn cn=root,dc=example,dc=com
>> #rootbinddn CN=santhosh,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
>>
>> # this for group access
>> nss_base_passwd DC=my,DC=example,DC=com
>> nss_base_shadow DC=my,DC=example,DC=com
>> nss_base_group OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,dc=com
>> nss_reconnect_tries 60
>> pam_filter objectclass=posixAccount
>> pam_login_attribute uid
>>
>> # OpenLDAP SSL options
>> # Require and verify server certificate (yes/no)
>> # TBD: where to put this certificate anyway?
>>
>>
>> Does anyone have expertise on it? I'd appreciate it if anyone can help.
>>
>> Thanks,
>> Santhosh
>>
>> --
>> You received this message because you are subscribed to the Linux Users Group.
>> To post a message, send email to [email protected]
>> To unsubscribe, send email to [email protected]
>> For more options, visit our group at http://groups.google.com/group/linuxusersgroup
>> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules or
>> http://cdn.fsdev.net/List-Rules.pdf)
>>
>
>
> --
> A healthy diet includes Linux, Linux, and more Linux.
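Added example, not part of the thread or of the pam_ldap/nss_ldap projects: a POSIX shell checker that reads an nss_ldap/pam_ldap-style /etc/ldap.conf, prints the ldapsearch that mirrors the lookup pam_ldap performs before it binds as the user (so you can see whether the entry is found and which DN the module will bind with), and flags two weaknesses visible in the posted configuration: a bindpw kept in a file that nss_ldap requires to be world-readable (the file's own comments point to /etc/ldap.secret, mode 0600), and a simple bind over plain ldap:// with ssl off, which sends the service account's password and every authenticating user's password in cleartext. The sample file it writes is constructed here: the URI, base DN and options follow the thread, but the service-account DN CN=svc-pam is hypothetical and the password is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Static checks on an nss_ldap/pam_ldap
# /etc/ldap.conf plus the ldapsearch that mirrors pam_ldap's user lookup.
# Assumes the one-directive-per-line "key value" format used by that file.

# ldap_conf_get FILE KEY: print the value of the first active (uncommented)
# KEY directive, matched case-insensitively (the thread's file has both
# "BASE" and a commented-out "#base").
ldap_conf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_bindpw_exposure FILE: return 0 when FILE holds no bindpw or is
# readable by its owner only; return 1 when a bindpw sits in a file that
# group or others can read. nss_ldap needs /etc/ldap.conf to be 0644, so a
# bindpw belongs in /etc/ldap.secret (0600) instead, as the file comments say.
check_bindpw_exposure() {
    [ -n "$(ldap_conf_get "$1" bindpw)" ] || return 0
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_cleartext_bind FILE: return 0 when the bind is protected (ldaps:// URI,
# or ssl on/yes/start_tls) or when no bindpw is configured; return 1 when a
# simple bind with a password would go over plain LDAP, exposing the service
# account password and every user password pam_ldap binds with.
check_cleartext_bind() {
    [ -n "$(ldap_conf_get "$1" bindpw)" ] || return 0
    case "$(ldap_conf_get "$1" ssl)" in
        yes|on|start_tls) return 0 ;;
    esac
    case "$(ldap_conf_get "$1" uri)" in
        ldaps://*) return 0 ;;
    esac
    return 1
}

# pam_ldap_user_search FILE USER: print the ldapsearch equivalent of the lookup
# pam_ldap does before authenticating USER: same URI, bind DN, search base
# (nss_base_passwd, else base) and filter (&(pam_filter)(login_attr=USER)).
# The dn it returns is what pam_ldap then binds as with the user's password,
# which is the step that fails with "Invalid credentials" in the thread.
pam_ldap_user_search() {
    file=$1 user=$2
    base=$(ldap_conf_get "$file" nss_base_passwd)
    [ -n "$base" ] || base=$(ldap_conf_get "$file" base)
    attr=$(ldap_conf_get "$file" pam_login_attribute)
    [ -n "$attr" ] || attr=uid
    filter=$(ldap_conf_get "$file" pam_filter)
    if [ -n "$filter" ]; then
        filter="(&($filter)($attr=$user))"
    else
        filter="($attr=$user)"
    fi
    printf 'ldapsearch -x -H %s -D "%s" -W -b "%s" "%s" dn\n' \
        "$(ldap_conf_get "$file" uri)" "$(ldap_conf_get "$file" binddn)" "$base" "$filter"
}

# make_sample_conf FILE: write a constructed config modelled on the thread
# (same URI, base and options; hypothetical service account, placeholder password).
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
BASE DC=my,DC=example,DC=com
uri ldap://newldap.my.example.com
binddn CN=svc-pam,OU=Service Accounts,OU=Enterprise Services,DC=my,DC=example,DC=com
bindpw REPLACE_ME
#bindpw {crypt}4rKJLSLewr
ssl no
nss_base_passwd DC=my,DC=example,DC=com
pam_filter objectclass=posixAccount
pam_login_attribute uid
EOF
    chmod 644 "$1"
}

# report FILE USER: print findings for FILE and the search command for USER.
report() {
    if check_bindpw_exposure "$1"; then echo "ok:   bindpw not exposed by $1 permissions"
    else echo "WARN: bindpw in $1 is readable by group/others; move it to /etc/ldap.secret (0600)"; fi
    if check_cleartext_bind "$1"; then echo "ok:   bind is protected by TLS"
    else echo "WARN: simple bind over plain ldap:// with ssl off; passwords cross the wire in cleartext"; fi
    echo "reproduce pam_ldap's lookup for $2 (then: ldapwhoami -x -H <uri> -D <returned dn> -W):"
    pam_ldap_user_search "$1" "$2"
}

# Usage: sh ldap_conf_check.sh [/etc/ldap.conf] [username]
# Without arguments it checks the constructed sample instead of a live file.
if [ $# -gt 0 ]; then
    report "$1" "${2:-someuser}"
else
    sample_dir=$(mktemp -d)
    make_sample_conf "$sample_dir/ldap.conf"
    report "$sample_dir/ldap.conf" santhosh
    rm -rf "$sample_dir"
fi
```

Run it as sh ldap_conf_check.sh /etc/ldap.conf santhosh on the affected host, paste the printed ldapsearch (it prompts for the bindpw), and then run ldapwhoami -x -H <uri> -D <returned dn> -W with the user's own password. That second command is the same simple bind pam_ldap attempts; if it also answers "Invalid credentials", the failure lies in the directory's view of that DN and password rather than in the PAM or NSS configuration, which is the split the thread is trying to make with getent.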
