Re: pam_ldap

From: Thomas Cameron (thomas.cameron_at_camerontech.com)
Date: 04/05/05

    To: Jon Thompson <coldsnap@gmail.com>, For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Tue, 05 Apr 2005 10:19:49 -0500
    
    

    On Tue, 2005-04-05 at 10:30 -0400, Jon Thompson wrote:
    > > Ok: I have a RHEL 3.0 box and a Fedora Core 3. I am using pam_ldap
    > > for system authentication. They have the exact same configuration
    > > files and parameters. I copied the files from the working box to the
    > > malfunctioning system. I can execute getent passwd and see all of the
    > > user names that are available through ldap. However, when I try and
    > > login it fails. When I try and su to a valid user I get an 'incorrect
    > > password' error. I have tcpdumped the traffic and watched the logs on
    > > the ldap server, the system is connecting and there has been no
    > > failure due to acls. However, when I run debug with the pam module I
    > > get a pam_ldap: simple bind failure. Has anyone else come across
    > > anything like this?
    > >
    > > Thanks,
    > >
    > > Jon
    >
    > Yes, I am fighting an LDAP issue right now with RHEL 3. Can you give a
    > little more info? What LDAP server are you trying to authenticate against?
    >
    > Openldap 2.2.6
    >
    >
    > Also, what version of nss_ldap are you using?
    >
    > RHEL 3 nss_ldap 207-11
    > Fedora nss_ldap 220-3
    >
    >
    > The interesting thing is that it works without issue when I am not
    > using SSL. It will retrieve user information and authenticate against
    > LDAP while not utilizing SSL. Whenever I enable SSL the password
    > authentication portion dies while the getent still works.

    Be very careful - I tried to use the FC nss_ldap and was told by RH paid
    support that it was not compatible and could not be made compatible with
    RHEL 3.

    We've been fighting this issue with RHEL since January 31st and we just
    came to some sort of conclusion yesterday.

    Thomas

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    
