On 08/19/2010 05:45 AM, Andy Kannberg wrote:
> Stephen,
>
> OK, again, I'm completely lost. Since yesterday, the test account I use
> is not able to log in. Let me clarify:
>
> I have two test accounts, nxp21358 and nlv13078.
> I have stopped sssd and commented out the sss lib in PAM.
> nsswitch.conf tells the system to look at 'files ldap' for resolving
> account info.
>
> The account nlv13078 works just fine logging in.
> The account nxp21358 gets a 'permission denied'.
>
> The /var/log/secure shows:
>
> Aug 19 11:29:13 hpdw0001 sshd[5492]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acc3044.xxx.xxx.com user=nxp21358
> Aug 19 11:29:16 hpdw0001 sshd[5492]: pam_ldap: error trying to bind as user "cn=nxp21358,ou=Personal,ou=People,ou=NXDI,o=NXP" (Invalid credentials)
> Aug 19 11:29:19 hpdw0001 sshd[5492]: pam_ldap: error trying to bind as user "cn=nxp21358,ou=Personal,ou=People,ou=NXDI,o=NXP" (Invalid credentials)
> Aug 19 11:29:21 hpdw0001 sshd[5492]: Failed password for nxp21358 from 92.120.72.67 port 44131 ssh2
>
> Now, if I use another system with an identical ldap setup, I *can* log in
> with the nxp21358 account....
> I probably have forgotten something to edit, but I don't see what ...
>
"Invalid credentials" sounds like exactly what it is. You entered the wrong password.

First, verify that the user in LDAP really is "cn=nxp21358,ou=Personal,ou=People,ou=NXDI,o=NXP".

After that, try using ldapsearch to bind to that user from either machine with a command like:

    ldapsearch -ZZ -x -H ldap://ldap.xxx.yyy.zzz -b ou=NXDI,o=NXP \
      -D cn=nxp21358,ou=Personal,ou=People,ou=NXDI,o=NXP \
      -W cn=nxp21358

If that works on both systems, then my best guess is that you probably don't have your client code set up to use STARTTLS when sending the password, and your server denies binding without encryption.

Please note, this is not the right forum for pam_ldap questions. We're trying to replace pam_ldap, after all :)

I think your real problem here is that you're trying to configure both pam_ldap and SSSD together, and they are not designed to operate together. It would be much wiser to get away from pam_ldap entirely.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
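The diagnosis above is done by reading /var/log/secure by eye: the pam_ldap bind error in parentheses says why the LDAP server refused the bind, and the sshd "Failed/Accepted password" line gives the outcome for that session. The following script, added here as an illustration and not code from the thread or from SSSD, groups sshd lines by PID and turns each session into the same verdict. The log lines are constructed after the excerpt in the thread; the "Confidentiality required" line is an assumed stand-in for a server that refuses unencrypted binds, and the exact wording pam_ldap would log in that case is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/secure excerpt quoted in the thread.
# PID 5510 is a constructed case for a server that refuses a bind without TLS.
SAMPLE_LOG = """\
Aug 19 11:29:13 hpdw0001 sshd[5492]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=acc3044.xxx.xxx.com user=nxp21358
Aug 19 11:29:16 hpdw0001 sshd[5492]: pam_ldap: error trying to bind as user "cn=nxp21358,ou=Personal,ou=People,ou=NXDI,o=NXP" (Invalid credentials)
Aug 19 11:29:19 hpdw0001 sshd[5492]: pam_ldap: error trying to bind as user "cn=nxp21358,ou=Personal,ou=People,ou=NXDI,o=NXP" (Invalid credentials)
Aug 19 11:29:21 hpdw0001 sshd[5492]: Failed password for nxp21358 from 92.120.72.67 port 44131 ssh2
Aug 19 11:30:02 hpdw0001 sshd[5510]: pam_ldap: error trying to bind as user "cn=nlv13078,ou=Personal,ou=People,ou=NXDI,o=NXP" (Confidentiality required)
Aug 19 11:30:05 hpdw0001 sshd[5510]: Failed password for nlv13078 from 92.120.72.67 port 44140 ssh2
Aug 19 11:31:40 hpdw0001 sshd[5530]: Accepted password for nlv13078 from 92.120.72.67 port 44150 ssh2
"""

PID_RE = re.compile(r'sshd\[(\d+)\]: (.*)$')
BIND_RE = re.compile(r'pam_ldap: error trying to bind as user "([^"]+)" \((.*)\)')
RESULT_RE = re.compile(r'(Accepted|Failed) password for (\S+) from (\S+) port')

def summarize(log_text):
    """Group sshd lines by PID (one SSH session each) and record, per session,
    the user, the final outcome, the DN pam_ldap tried and every LDAP error."""
    sessions = defaultdict(lambda: {"user": None, "outcome": None,
                                    "bind_dn": None, "ldap_errors": []})
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        s = sessions[pid]
        b = BIND_RE.search(msg)
        if b:                      # the DN is worth checking against the directory
            s["bind_dn"] = b.group(1)
            s["ldap_errors"].append(b.group(2))
        r = RESULT_RE.search(msg)
        if r:
            s["outcome"], s["user"] = r.group(1), r.group(2)
    return dict(sessions)

def diagnose(session):
    """Reduce a session record to the verdict the thread reaches by hand."""
    errs = set(session["ldap_errors"])
    if session["outcome"] == "Accepted":
        return "ok"
    if errs == {"Invalid credentials"}:
        return "wrong password (or wrong bind DN)"
    if errs:   # any other reason points at server policy, e.g. no TLS on the bind
        return "LDAP bind refused for another reason: " + ", ".join(sorted(errs))
    return "failed without an LDAP bind attempt"
```

Running it on the real file (`summarize(open('/var/log/secure').read())`) gives one record per sshd PID, which is easier to compare across two hosts than the raw lines.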