Login failure after successful PAM LDAP authentication
lfs at jelmail.com
Mon Oct 25 16:54:00 PDT 2004
Thank you. Pointing me at "getent" helped me get to the bottom if it.
There's an error in the "Makefile" for nss_ldap-226. It does a "tail -1"
where it should be "tail -n 1" and this caused the library
/lib/libnss_ldap-2.3.3.so to be incorrectly installed as
Anyway, it's now working so thanks again.
"Remco" <remco at d-compu.dyndns.org> wrote in message
news:clir79$58h$1 at belgarath.linuxfromscratch.org...
> John Lane wrote:
> > Hello,
> > I am working on an implementation of LDAP for user authentication.
> > I have installed openldap, pam_ldap and nss_ldap.
> > I am having trouble getting a new user to successfully log on.
> > First, using "login" (i.e. on a console), I attempt to log in using a
> > username that I know is only defined within openldap (it is not in
> > /etc/passwd, or elsewhere). The authentication of this user name is
> > successful (I know this because entering the wrong password gives rise
> > to 'login incorrect' whereas the correct password does not).
> > Instead of running up the shell "/bin/bash" (defined in openldap), all
> > that happens is I get returned to the login prompt.
> > I have performed some experiments, including defining the username in
> > /etc/passwd. (I just set up username, uid, gid, home and shell). No
> > password is defined in /etc/passwd and the user isn't even mentioned in
> > /etc/shadow. Now, logging in still authenticates the user via openldap
> > (I use the same known password) and this time I get a shell prompt.
> I'm not using LDAP for authentication but this may help anyway:
> The nss_ldap package may need to be (re-)configured.
> To be able to retrieve /etc/passwd (and /etc/group) information from LDAP
> using nss_ldap you need to set up /etc/nsswitch.conf and /etc/ldap.conf.
> (ldap.conf may also reside elsewhere, e.g.: /etc/openldap/ldap.conf)
> /etc/nsswitch.conf should contain "ldap" for passwd (and group) look ups:
> /etc/ldap.conf should contain the LDAP paths to your user/group
> /etc/nsswitch.conf additions - begin
> passwd: files ldap
> group: files ldap
> /etc/nsswitch.conf additions - end
> /etc/ldap.conf additions - begin
> base dc=your,dc=domain,dc=org
> uri ldap://ldap.your.domain.org
> nss_base_passwd ou=Staff,dc=your,dc=domain,dc=org
> nss_base_group ou=Group,dc=your,dc=domain,dc=org
> /etc/ldap.conf additions - end
> nss_base_passwd (/etc/passwd in LDAP) => should point to the place in LDAP
> where you store your user information
> nss_base_group (/etc/group in LDAP) => should point to the place in LDAP
> where you store your group information
> There are a other options for nss_ldap in ldap.conf but I think they are
> described in a ldap.conf example in the nss_ldap package tar ball.
> Correct working of nss_ldap can be checked by doing "getent passwd" and
> "getent group". This should return all user and group information from the
> sources defined in nsswitch.conf.
> If nsswitch has sources "files" and "ldap" defined as in this example,
> "getent passwd" should return user information from both /etc/passwd and
> LDAP, and "getent group" should return group information from
> both /etc/group and LDAP.
> Since you say your authentication via LDAP is working and user information
> is present in LDAP, I think the passwd / group related lines in ldap.conf
> and nsswitch.conf should be checked.
More information about the blfs-support