Login failure after successful PAM LDAP authentication
remco at d-compu.dyndns.org
Mon Oct 25 05:22:52 PDT 2004
John Lane wrote:
> I am working on an implementation of LDAP for user authentication.
> I have installed openldap, pam_ldap and nss_ldap.
> I am having trouble getting a new user to successfully log on.
> First, using "login" (i.e. on a console), I attempt to log in using a
> username that I know is only defined within openldap (it is not in
> /etc/passwd, or elsewhere). The authentication of this user name is
> successful (I know this because entering the wrong password gives rise
> to 'login incorrect' whereas the correct password does not).
> Instead of running up the shell "/bin/bash" (defined in openldap), all
> that happens is I get returned to the login prompt.
> I have performed some experiments, including defining the username in
> /etc/passwd. (I just set up username, uid, gid, home and shell). No
> password is defined in /etc/passwd and the user isn't even mentioned in
> /etc/shadow. Now, logging in still authenticates the user via openldap
> (I use the same known password) and this time I get a shell prompt.
I'm not using LDAP for authentication but this may help anyway:
The nss_ldap package may need to be (re-)configured.
To be able to retrieve /etc/passwd (and /etc/group) information from LDAP
using nss_ldap you need to set up /etc/nsswitch.conf and /etc/ldap.conf.
(ldap.conf may also reside elsewhere, e.g.: /etc/openldap/ldap.conf)
/etc/nsswitch.conf should contain "ldap" for passwd (and group) lookups:
/etc/ldap.conf should contain the LDAP paths to your user/group information:
/etc/nsswitch.conf additions - begin
passwd: files ldap
group: files ldap
/etc/nsswitch.conf additions - end
/etc/ldap.conf additions - begin
/etc/ldap.conf additions - end
nss_base_passwd (/etc/passwd in LDAP) => should point to the place in LDAP
where you store your user information
nss_base_group (/etc/group in LDAP) => should point to the place in LDAP
where you store your group information
There are other options for nss_ldap in ldap.conf but I think they are
described in an ldap.conf example in the nss_ldap package tarball.
Correct working of nss_ldap can be checked by doing "getent passwd" and
"getent group". This should return all user and group information from the
sources defined in nsswitch.conf.
If nsswitch has sources "files" and "ldap" defined as in this example,
"getent passwd" should return user information from both /etc/passwd and
LDAP, and "getent group" should return group information from
both /etc/group and LDAP.
Since you say your authentication via LDAP is working and user information
is present in LDAP, I think the passwd / group related lines in ldap.conf
and nsswitch.conf should be checked.
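The two checks remco suggests (passwd/group sources in nsswitch.conf and the nss_base_* keys in ldap.conf), as an added example that is not part of the original mail; the sample files, host name and LDAP DNs are constructed.

```sh
#!/bin/sh
# Added example: verify the nss_ldap prerequisites the reply describes.
# nss_has_ldap FILE DB -> exit 0 if the "DB:" line in FILE lists the ldap source
nss_has_ldap() {
    sed 's/#.*//' "$1" | awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit found ? 0 : 1 }'
}

# ldap_base_set FILE KEY -> exit 0 if KEY (e.g. nss_base_passwd) has a value
ldap_base_set() {
    sed 's/#.*//' "$1" | awk -v key="$2" '
        $1 == key && NF >= 2 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_nss_ldap NSSWITCH LDAPCONF -> prints findings; exit 0 only if all pass
check_nss_ldap() {
    rc=0
    for db in passwd group; do
        if nss_has_ldap "$1" "$db"; then echo "ok:   $db lookups include ldap in $1"
        else echo "FAIL: $db line in $1 does not list ldap"; rc=1; fi
        if ldap_base_set "$2" "nss_base_$db"; then echo "ok:   nss_base_$db set in $2"
        else echo "FAIL: nss_base_$db missing in $2"; rc=1; fi
    done
    return $rc
}

# Constructed sample files (not real system files) reproducing the symptom:
# passwd comes only from "files", so PAM authenticates the LDAP user but
# login cannot resolve uid/home/shell and drops back to the prompt.
tmp=$(mktemp -d)
printf 'passwd: files\ngroup:  files ldap\n' > "$tmp/nsswitch.conf"
printf 'host ldap.example.org   # constructed\nbase dc=example,dc=org\n' > "$tmp/ldap.conf"
printf 'nss_base_group ou=Group,dc=example,dc=org?one\n' >> "$tmp/ldap.conf"
check_nss_ldap "$tmp/nsswitch.conf" "$tmp/ldap.conf" ||
    echo "-> fix the FAIL lines, then confirm with: getent passwd <ldap-user>"
rm -rf "$tmp"
```

On a real system, point the two arguments at /etc/nsswitch.conf and the ldap.conf your nss_ldap build actually reads (e.g. /etc/openldap/ldap.conf), then run "getent passwd" and "getent group" as the reply describes.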