Login failure after successful PAM LDAP authentication

John Lane John.Lane at royalblue.com
Mon Oct 25 04:10:14 PDT 2004


I am working on an implementation of LDAP for user authentication. 
I have installed openldap, pam_ldap and nss_ldap.

I am having trouble getting a new user to successfully log on.

First, using "login" (i.e. on a console), I attempt to log in using a 
username that I know is only defined within openldap (it is not in 
/etc/passwd, or elsewhere). The authentication of this user name is 
successful (I know this because entering the wrong password gives rise 
to 'login incorrect' whereas the correct password does not).

Instead of running up the shell "/bin/bash" (defined in openldap), all
that happens is I get returned to the login prompt.

I have performed some experiments, including defining the username in
/etc/passwd. (I just set up username, uid, gid, home and shell). No 
password is defined in /etc/passwd and the user isn't even mentioned in
/etc/shadow. Now, logging in still authenticates the user via openldap 
(I use the same known password) and this time I get a shell prompt.

It seems that part of the process is using ldap whereas part of it is
not. My /etc/pam.d/login config is in line with all of the examples I
can find via Google.

I performed similar experiments with "su". Attempting an "su" with the
username that is defined only in openldap comes back with an invalid
user id message and the su fails. I have full ldap logging enabled and 
see no ldap activity (/var/log/local4.log) and nothing is written to the 
auth log (/var/log/auth.log). Attempting to "su" a user that is in 
/etc/passwd does cause interaction with the ldap server. Again, adding 
the user to /etc/passwd only allows the ldap authentication to work and 
the su to succeed.

I think there is some kind of caching going on somewhere but I don't know 
where to look. There is precious little else installed on this server 
(it is just "lfs 5.1" with the necessary items to implement ldap 

Any help would be appreciated. I can post configs / logs etc that
are appropriate.

Thanks in advance,
John Lane
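
An added diagnostic, not part of the original post: login and su look up the account record (uid, home, shell) through NSS, separately from the PAM authentication step, so this checks whether /etc/nsswitch.conf lists ldap for the passwd, group and shadow databases and whether the name resolves. That a missing ldap source explains the symptoms above is an assumption; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: separate "PAM authenticated the password" from
# "NSS can resolve the account". Function names are hypothetical.

# Print the source list configured for one NSS database, e.g. "files ldap".
# usage: nss_sources <nsswitch-file> <database>
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                       # drop comments
        {
            i = index($0, ":"); if (!i) next     # not a "database:" line
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            rest = substr($0, i + 1)
            gsub(/[ \t]+/, " ", rest); sub(/^ /, "", rest); sub(/ $/, "", rest)
            print rest; exit
        }' "$1"
}

# Succeed only if "ldap" is one of the sources for the database.
# usage: nss_has_ldap <nsswitch-file> <database>
nss_has_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report NSS configuration and whether the account resolves via getent.
# usage: check_account <nsswitch-file> <user>
check_account() {
    for db in passwd group shadow; do
        if nss_has_ldap "$1" "$db"; then
            echo "$db: ldap listed ($(nss_sources "$1" "$db"))"
        else
            echo "$db: ldap NOT listed ($(nss_sources "$1" "$db"))"
        fi
    done
    if getent passwd "$2" >/dev/null 2>&1; then
        echo "getent passwd $2: resolves (login/su can find uid, home, shell)"
    else
        echo "getent passwd $2: no entry (password check may pass, session cannot start)"
    fi
}

# Run against the live system when a user name is given on the command line.
if [ "$#" -ge 1 ]; then
    check_account /etc/nsswitch.conf "$1"
fi
```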

