Santhosh buddy, You need to start slapd in debug mode also and see what dn is being queried with the credentials...you'll see it all in plaintext. You should also try to import an ldif or do an ldapmodify from the command line using the same dn and credentials. If those fail it could be one of 4 things:
1. you're using the wrong cn=admin/manager 2. your credentials are incorrect 3. the acl does provide you with the correct rights. 4. you still have the wrong dn which is a part of issue 1. Beyond you sharing your configs I cant help you any more, I hope you get it figured out, Bryan On Tue, Jul 12, 2011 at 3:32 AM, Santhosh G Nayak <[email protected]>wrote: > Hi, > I'm using PyPAM python client to connect to pam. Yes the users are not > in unix shadow file. > And also when I execute the, > $getent passwd command > I could see the all users ( user from the /etc/passwd + users from the > ldap) > I tried with ldap.conf debug 31. > There could see the error code 49. when trying to authenticate. > Im not using ssl, "ssl" in ldap.conf is marked as "no". > > I'm still not able to understand why the client is not binding to the ldap > server for authentication.. > it still says, > "python: pam_ldap: error trying to bind (Invalid credentials)" in > /var/log/messages. > > Thank, > Santhosh > > > > On Tue, Jul 12, 2011 at 1:19 AM, Bryan Smith <[email protected]>wrote: > >> Santhosh, >> >> What python client are you trying to use? Are you sure the users aren't in >> files too? You didn't post your /etc/ldap.conf and that is THE pam_ldap >> config, so if your credentials are correct then either the client is using a >> bad uri or the ldap.conf improperly configured. You should enable debug in >> the ldap.conf and see what pam is having issues with. The next hing for you >> to do is start slapd in debug mode from the command line and see exactly >> what information is being queried by the python client. How do you even know >> it's reaching the server in the first place? >> >> Just because you can run ldapsearch and get gecos information doesn't mean >> that you can bind with credentials successfully. Do you allow anonymous >> binds? You can get this information anonymously depending on how your >> configuration is setup. >> >> Most issues are from using the wrong base dn. >> >> On Mon, Jul 11, 2011 at 4:45 AM, Santhosh G Nayak <[email protected] >> > wrote: >> >>> My configuration is such that I'm able to execute command "id" and get >>> uid and gid information of the user in the ldap. But when I try to do an >>> authentication its failing saying that, >>> "python: pam_ldap: error trying to bind (Invalid credentials). " >>> I'm basically using python client to authenticate against the pam. >>> I have set the , >>> ssl no >>> in the /etc/ldap.conf. >>> and >>> bindpw <unencrypted password> >>> >>> And also I'm able do ldapsearch from the same machine. >>> >>> Thanks, >>> Santhosh >>> >>> >>> >>> On Wed, Jul 6, 2011 at 10:25 PM, Bryan Smith <[email protected]>wrote: >>> >>>> Have you changed anything in the following: /etc/nsswitch.conf and your >>>> /etc/slapd/ldap.conf or /etc/ldap.conf >>>> >>>> What do they look like? >>>> >>>> You might not have the right uri and or basedn specified in your >>>> ldap.conf. If you're nsswitch is untouched the system isn't even asking for >>>> ldap lookups via pam, it's just going to files. >>>> >>>> What is the result of running : >>>> >>>> getent username >>>> >>>> Use a username that is both in ldap and in files(/etc/passwd) and one >>>> that isn't. You should get s double response on the user in both files and >>>> ldap and a single on the one that's just in ldap. If you get nothing from >>>> the later then you're issue is with nss. >>>> >>>> On Wed, Jul 6, 2011 at 8:51 AM, Santhosh <[email protected]>wrote: >>>> >>>>> Hi all, >>>>> I have been trying to integrate pam_ldap in my CentOS machine. I >>>>> installed the pam_ldap package through yum. >>>>> /lib64/security/pam_ldap.so is present. >>>>> I did necessary changes in the /etc/pam.d/login, sshd, passwd files >>>>> to first look into the shadow file then fallback to ldap. but Im able >>>>> to authenticate the users whose password in the shadow file. But when >>>>> I try to authenticate the user whose information stored in the ldap, >>>>> it is failing complaining that "pam_ldap: error trying to bind >>>>> (Invalid credentials)". >>>>> I have also tried the ldapsearch command line utility of the ldap >>>>> there the same Dn, user, password are working and successfully able to >>>>> connect the ldap server. >>>>> I have done necessary changes in the /etc/ldap.conf. >>>>> # this file must be world readable (0644) >>>>> BASE DC=my,DC=example,DC=com >>>>> >>>>> # FQDN of the LDAP server >>>>> #HOST XXX.XXX.XXX.XXX >>>>> >>>>> # encryption used for storing passwords >>>>> #pam_crypt >>>>> >>>>> #ldap_version 3 >>>>> >>>>> # bindpw is only needed if you want to allow root to change entries on >>>>> # this host. >>>>> # it's also better to keep the password in /etc/ldap.secret (0600) >>>>> instead >>>>> #bindpw {crypt}4rKJLSLewr >>>>> #base DC=my,DC=example,DC=com >>>>> uri ldap://newldap.my.example.com >>>>> binddn CN=santhosh,OU=Service Accounts,OU=Enterprise >>>>> Services,DC=my,DC=example,DC=com >>>>> bindpw santhosh123 >>>>> #{md5}ea7bb3f922e875d6efc3a3fbbbada590 >>>>> port 389 >>>>> timelimit 120 >>>>> bind_timelimit 30 >>>>> bind_policy soft >>>>> idle_timelimit 3600 >>>>> pam_password crypt >>>>> ssl no >>>>> scope LDAP_SCOPE_BASE >>>>> # this one is to allow root to change entries >>>>> # it will require bindpw or password in /etc/ldap.secret >>>>> #rootbinddn cn=root,dc=example,dc=com >>>>> #rootbinddn CN=santhosh,OU=Service Accounts,OU=Enterprise >>>>> Services,DC=my,DC=example,DC=com >>>>> >>>>> # this for group access >>>>> nss_base_passwd DC=my,DC=example,DC=com >>>>> nss_base_shadow DC=my,DC=example,DC=com >>>>> nss_base_group OU=Service Accounts,OU=Enterprise >>>>> Services,DC=my,DC=example,dc=com >>>>> nss_reconnect_tries 60 >>>>> pam_filter objectclass=posixAccount >>>>> pam_login_attribute uid >>>>> >>>>> # OpenLDAP SSL options >>>>> # Require and verify server certificate (yes/no) >>>>> # TBD: where to put this certificate anyway? >>>>> >>>>> >>>>> Any one has expertise on it ?. Appreciate if anyone can help. >>>>> >>>>> Thanks, >>>>> Santhosh >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Linux Users >>>>> Group. >>>>> To post a message, send email to [email protected] >>>>> To unsubscribe, send email to >>>>> [email protected] >>>>> For more options, visit our group at >>>>> http://groups.google.com/group/linuxusersgroup >>>>> Please remember to abide by our list rules ( >>>>> http://tinyurl.com/LUG-Rules or http://cdn.fsdev.net/List-Rules.pdf) >>>>> >>>> >>>> >>>> >>>> -- >>>> A healthy diet includes Linux, Linux, and more Linux. >>>> >>>> -- >>>> You received this message because you are subscribed to the Linux Users >>>> Group. >>>> To post a message, send email to [email protected] >>>> To unsubscribe, send email to >>>> [email protected] >>>> For more options, visit our group at >>>> http://groups.google.com/group/linuxusersgroup >>>> References can be found at: http://goo.gl/anqri >>>> Please remember to abide by our list rules ( >>>> http://tinyurl.com/LUG-Rules or http://cdn.fsdev.net/List-Rules.pdf) >>>> >>> >>> -- >>> You received this message because you are subscribed to the Linux Users >>> Group. >>> To post a message, send email to [email protected] >>> To unsubscribe, send email to >>> [email protected] >>> For more options, visit our group at >>> http://groups.google.com/group/linuxusersgroup >>> References can be found at: http://goo.gl/anqri >>> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rulesor >>> http://cdn.fsdev.net/List-Rules.pdf) >>> >> >> >> >> -- >> A healthy diet includes Linux, Linux, and more Linux. >> >> -- >> You received this message because you are subscribed to the Linux Users >> Group. >> To post a message, send email to [email protected] >> To unsubscribe, send email to >> [email protected] >> For more options, visit our group at >> http://groups.google.com/group/linuxusersgroup >> References can be found at: http://goo.gl/anqri >> Please remember to abide by our list rules (http://tinyurl.com/LUG-Rulesor >> http://cdn.fsdev.net/List-Rules.pdf) >> > > -- > You received this message because you are subscribed to the Linux Users > Group. > To post a message, send email to [email protected] > To unsubscribe, send email to [email protected] > For more options, visit our group at > http://groups.google.com/group/linuxusersgroup > References can be found at: http://goo.gl/anqri > Please remember to abide by our list rules (http://tinyurl.com/LUG-Rulesor > http://cdn.fsdev.net/List-Rules.pdf) > -- A healthy diet includes Linux, Linux, and more Linux. -- You received this message because you are subscribed to the Linux Users Group. To post a message, send email to [email protected] To unsubscribe, send email to [email protected] For more options, visit our group at http://groups.google.com/group/linuxusersgroup References can be found at: http://goo.gl/anqri Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules or http://cdn.fsdev.net/List-Rules.pdf)
