Login failure after successful PAM LDAP authentication

Remco remco at d-compu.dyndns.org
Mon Oct 25 05:22:52 PDT 2004

John Lane wrote:

> Hello,
> I am working on an implementation of LDAP for user authentication.
> I have installed openldap, pam_ldap and nss_ldap.
> I am having trouble getting a new user to successfully log on.
> First, using "login" (i.e. on a console), I attempt to log in using a
> username that I know is only defined within openldap (it is not in
> /etc/passwd, or elsewhere). The authentication of this user name is
> successful (I know this because entering the wrong password gives rise
> to 'login incorrect' whereas the correct password does not).
> Instead of running up the shell "/bin/bash" (defined in openldap), all
> that happens is I get returned to the login prompt.
> I have performed some experiments, including defining the username in
> /etc/passwd. (I just set up username, uid, gid, home and shell). No
> password is defined in /etc/passwd and the user isn't even mentioned in
> /etc/shadow. Now, logging in still authenticates the user via openldap
> (I use the same known password) and this time I get a shell prompt.

I'm not using LDAP for authentication but this may help anyway:

The nss_ldap package may need to be (re-)configured.

To be able to retrieve /etc/passwd (and /etc/group) information from LDAP
using nss_ldap you need to set up /etc/nsswitch.conf and /etc/ldap.conf.
(ldap.conf may also reside elsewhere, e.g.: /etc/openldap/ldap.conf)

/etc/nsswitch.conf should contain "ldap" for passwd (and group) lookups:
/etc/ldap.conf should contain the LDAP paths to your user/group information:


/etc/nsswitch.conf additions - begin

passwd:     files ldap
group:      files ldap

/etc/nsswitch.conf additions - end

/etc/ldap.conf  additions - begin

base dc=your,dc=domain,dc=org

uri ldap://ldap.your.domain.org

nss_base_passwd ou=Staff,dc=your,dc=domain,dc=org
nss_base_group  ou=Group,dc=your,dc=domain,dc=org

/etc/ldap.conf  additions - end

nss_base_passwd (/etc/passwd in LDAP) => should point to the place in LDAP
where you store your user information
nss_base_group (/etc/group in LDAP) => should point to the place in LDAP
where you store your group information

There are other options for nss_ldap in ldap.conf but I think they are
described in an ldap.conf example in the nss_ldap package tarball.

Correct working of nss_ldap can be checked by doing "getent passwd" and
"getent group". This should return all user and group information from the
sources defined in nsswitch.conf.

If nsswitch has sources "files" and "ldap" defined as in this example,
"getent passwd" should return user information from both /etc/passwd and
LDAP, and "getent group" should return group information from
both /etc/group and LDAP.

Since you say your authentication via LDAP is working and user information
is present in LDAP, I think the passwd / group related lines in ldap.conf
and nsswitch.conf should be checked.
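
The checks suggested in this message, collected into a script. This is an added example, not part of the original post or of the nss_ldap package; the function names and the --check option are made up here, and the default paths are the ones named in the message.

```shell
#!/bin/sh
# Added example: static and runtime checks for the nss_ldap settings in the message.

# Succeed if "ldap" is a source for the database (passwd, group) in nsswitch.conf.
nss_has_ldap() {  # usage: nss_has_ldap <database> <nsswitch.conf path>
    sed -e 's/#.*//' -e 's/:/: /' "$2" |
        awk -v db="$1:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
                         END { exit !found }'
}

# Print the value of one ldap.conf key; prints nothing if it is unset or commented out.
ldap_conf_value() {  # usage: ldap_conf_value <key> <ldap.conf path>
    awk -v key="$1" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# login needs the passwd entry (uid, home, shell) from NSS even when PAM accepts the password.
nss_resolves_user() { getent passwd "$1" >/dev/null 2>&1; }

# Report each setting; the return status is the number of settings that are missing.
check_nss_ldap() {  # usage: check_nss_ldap [nsswitch.conf path] [ldap.conf path]
    nsswitch="${1:-/etc/nsswitch.conf}"; ldapconf="${2:-/etc/ldap.conf}"; problems=0
    for db in passwd group; do
        if nss_has_ldap "$db" "$nsswitch"; then
            echo "ok:      $db sources include ldap"
        else
            echo "MISSING: ldap on the $db line of $nsswitch"; problems=$((problems + 1))
        fi
    done
    for key in base uri nss_base_passwd nss_base_group; do
        val=$(ldap_conf_value "$key" "$ldapconf")
        if [ -n "$val" ]; then
            echo "ok:      $key $val"
        else
            echo "MISSING: $key in $ldapconf"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Optional entry point: sh <this file> --check <username>
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    check_nss_ldap
    if nss_resolves_user "$2"; then echo "ok:      getent passwd $2 returns an entry"
    else echo "MISSING: getent passwd $2 returns nothing"; fi
fi
```

A username that authenticates but shows "getent passwd ... returns nothing" matches the symptom described in the quoted question.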
