Santhosh, What python client are you trying to use? Are you sure the users aren't in files too? You didn't post your /etc/ldap.conf and that is THE pam_ldap config, so if your credentials are correct then either the client is using a bad uri or the ldap.conf improperly configured. You should enable debug in the ldap.conf and see what pam is having issues with. The next hing for you to do is start slapd in debug mode from the command line and see exactly what information is being queried by the python client. How do you even know it's reaching the server in the first place?
Just because you can run ldapsearch and get gecos information doesn't mean that you can bind with credentials successfully. Do you allow anonymous binds? You can get this information anonymously depending on how your configuration is setup. Most issues are from using the wrong base dn. On Mon, Jul 11, 2011 at 4:45 AM, Santhosh G Nayak <[email protected]>wrote: > My configuration is such that I'm able to execute command "id" and get uid > and gid information of the user in the ldap. But when I try to do an > authentication its failing saying that, > "python: pam_ldap: error trying to bind (Invalid credentials). " > I'm basically using python client to authenticate against the pam. > I have set the , > ssl no > in the /etc/ldap.conf. > and > bindpw <unencrypted password> > > And also I'm able do ldapsearch from the same machine. > > Thanks, > Santhosh > > > > On Wed, Jul 6, 2011 at 10:25 PM, Bryan Smith <[email protected]>wrote: > >> Have you changed anything in the following: /etc/nsswitch.conf and your >> /etc/slapd/ldap.conf or /etc/ldap.conf >> >> What do they look like? >> >> You might not have the right uri and or basedn specified in your >> ldap.conf. If you're nsswitch is untouched the system isn't even asking for >> ldap lookups via pam, it's just going to files. >> >> What is the result of running : >> >> getent username >> >> Use a username that is both in ldap and in files(/etc/passwd) and one that >> isn't. You should get s double response on the user in both files and ldap >> and a single on the one that's just in ldap. If you get nothing from the >> later then you're issue is with nss. >> >> On Wed, Jul 6, 2011 at 8:51 AM, Santhosh <[email protected]> wrote: >> >>> Hi all, >>> I have been trying to integrate pam_ldap in my CentOS machine. I >>> installed the pam_ldap package through yum. >>> /lib64/security/pam_ldap.so is present. >>> I did necessary changes in the /etc/pam.d/login, sshd, passwd files >>> to first look into the shadow file then fallback to ldap. but Im able >>> to authenticate the users whose password in the shadow file. But when >>> I try to authenticate the user whose information stored in the ldap, >>> it is failing complaining that "pam_ldap: error trying to bind >>> (Invalid credentials)". >>> I have also tried the ldapsearch command line utility of the ldap >>> there the same Dn, user, password are working and successfully able to >>> connect the ldap server. >>> I have done necessary changes in the /etc/ldap.conf. >>> # this file must be world readable (0644) >>> BASE DC=my,DC=example,DC=com >>> >>> # FQDN of the LDAP server >>> #HOST XXX.XXX.XXX.XXX >>> >>> # encryption used for storing passwords >>> #pam_crypt >>> >>> #ldap_version 3 >>> >>> # bindpw is only needed if you want to allow root to change entries on >>> # this host. >>> # it's also better to keep the password in /etc/ldap.secret (0600) >>> instead >>> #bindpw {crypt}4rKJLSLewr >>> #base DC=my,DC=example,DC=com >>> uri ldap://newldap.my.example.com >>> binddn CN=santhosh,OU=Service Accounts,OU=Enterprise >>> Services,DC=my,DC=example,DC=com >>> bindpw santhosh123 >>> #{md5}ea7bb3f922e875d6efc3a3fbbbada590 >>> port 389 >>> timelimit 120 >>> bind_timelimit 30 >>> bind_policy soft >>> idle_timelimit 3600 >>> pam_password crypt >>> ssl no >>> scope LDAP_SCOPE_BASE >>> # this one is to allow root to change entries >>> # it will require bindpw or password in /etc/ldap.secret >>> #rootbinddn cn=root,dc=example,dc=com >>> #rootbinddn CN=santhosh,OU=Service Accounts,OU=Enterprise >>> Services,DC=my,DC=example,DC=com >>> >>> # this for group access >>> nss_base_passwd DC=my,DC=example,DC=com >>> nss_base_shadow DC=my,DC=example,DC=com >>> nss_base_group OU=Service Accounts,OU=Enterprise >>> Services,DC=my,DC=example,dc=com >>> nss_reconnect_tries 60 >>> pam_filter objectclass=posixAccount >>> pam_login_attribute uid >>> >>> # OpenLDAP SSL options >>> # Require and verify server certificate (yes/no) >>> # TBD: where to put this certificate anyway? >>> >>> >>> Any one has expertise on it ?. Appreciate if anyone can help. >>> >>> Thanks, >>> Santhosh >>> >>> -- >>> You received this message because you are subscribed to the Linux Users >>> Group. >>> To post a message, send email to [email protected] >>> To unsubscribe, send email to >>> [email protected] >>> For more options, visit our group at >>> http://groups.google.com/group/linuxusersgroup >>> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rulesor >>> http://cdn.fsdev.net/List-Rules.pdf) >>> >> >> >> >> -- >> A healthy diet includes Linux, Linux, and more Linux. >> >> -- >> You received this message because you are subscribed to the Linux Users >> Group. >> To post a message, send email to [email protected] >> To unsubscribe, send email to >> [email protected] >> For more options, visit our group at >> http://groups.google.com/group/linuxusersgroup >> References can be found at: http://goo.gl/anqri >> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rulesor >> http://cdn.fsdev.net/List-Rules.pdf) >> > > -- > You received this message because you are subscribed to the Linux Users > Group. > To post a message, send email to [email protected] > To unsubscribe, send email to [email protected] > For more options, visit our group at > http://groups.google.com/group/linuxusersgroup > References can be found at: http://goo.gl/anqri > Please remember to abide by our list rules (http://tinyurl.com/LUG-Rulesor > http://cdn.fsdev.net/List-Rules.pdf) > -- A healthy diet includes Linux, Linux, and more Linux. -- You received this message because you are subscribed to the Linux Users Group. To post a message, send email to [email protected] To unsubscribe, send email to [email protected] For more options, visit our group at http://groups.google.com/group/linuxusersgroup References can be found at: http://goo.gl/anqri Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules or http://cdn.fsdev.net/List-Rules.pdf)
