[CentOS] LDAP / PAM -- Invalid Credentials Error

Von Landfried centos.list at eyestreet.com
Thu Sep 20 15:23:56 UTC 2007


Thank you for your response, but I might not have been clear in my original email.

All of the other servers (servers[1-9]) are working properly, i.e.  
the user 'testuser' is able to log in using the password I set, and  
is able to change the password using passwd, among other things of  
course. So because of this, I assume LDAP is working properly.

My question is why can't 'testuser' log into the actual LDAP server?  
There must be some configuration difference, but I just can't find it.

I obviously would not change /etc/pam.d/system-auth manually; I would use 'authconfig' to make any changes. I already turned off WINBIND and that did nothing to fix it. Unless something has to be restarted (other than ldap, sshd), this wasn't the cause.

The /etc/ldap.conf is configured properly, on all machines, which is  
why I assume the user is able to log into the other 9 servers.

These are CentOS 4.5 servers, so they are running openldap-2.2.13-7.4E

Running 'getent passwd' (didn't know that command, thanks for that one) shows the user, so I assume the password is correctly set up (kinda already knew that since he can log into all other machines).

I will keep trying, and will read through the documentation.



On Sep 19, 2007, at 11:00 PM, Craig White wrote:

> you can't bind as a user that doesn't have a password
>
> you don't have users until you have configured /etc/ldap.conf properly
>
> 1 - use 'system-config-authentication' and don't
> edit /etc/pam.d/system-auth
>     uncheck Windows authentication and winbindd goes away
>
> 2 - edit /etc/ldap.conf to properly match your ldap setup, when you get it
>     set up properly, the command 'getent passwd' will first list the
>     contents of /etc/passwd and then list whatever you have setup for
>     nss_base_passwd in /etc/ldap.conf
>
> 3 - you really need better understanding of LDAP...try a book
>
>    I'll recommend a really old one but really good for basic LDAP
> knowledge...
>    LDAP System Administration by Gerald Carter
>
>    or
>
> OpenLDAP v 2.3 (included with CentOS-5)
> http://www.openldap.org/doc/admin23/
>
> OpenLDAP v 2.2 (included with CentOS-4)
> http://www.openldap.org/doc/admin22/
>
> a hint here...you don't say whether you're using CentOS-4 or CentOS-5
>
> man ldap.conf # refers to ldap.conf supplied by openldap - the file
> located at /etc/openldap/ldap.conf and man 8 ldap.conf (CentOS-4 IIRC)
> or man pam_ldap (CentOS-5) refers to /etc/ldap.conf (supplied as part of
> padl's nss)
>
> good luck
>
> Craig
>
> On Wed, 2007-09-19 at 18:19 -0400, Von Landfried wrote:
>> Hello,
>>
>> I am having a small issue with LDAP, and I hope someone here might be
>> able to provide a few tips.
>>
>> I am unable to authenticate as user 'testuser' on server 'storage'
>> and the following errors appear in /var/log/messages on server  
>> 'storage'
>>
>> 	Sep 19 16:56:17 storage sshd(pam_unix)[3124]: check pass; user unknown
>> 	Sep 19 16:56:17 storage sshd(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test-kja1
>> 	Sep 19 16:56:17 storage sshd[3124]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=local" (Invalid credentials)
>>
>> I am also unable to issue this command:
>>
>> 	# passwd testuser
>> 	passwd: Unknown user name 'testuser'.
>>
>> but this command works fine:
>>
>> 	# finger testuser
>> 	Login: testuser                            Name: Test User
>> 	Directory: /home/testuser                  Shell: /bin/bash
>> 	Never logged in.
>> 	No mail.
>> 	No Plan.
>>
>> The server 'storage' is the LDAP host server, and there are about 9
>> other servers configured to use 'storage' to authenticate users. All
>> 9 of them allow 'testuser' to login and also for him to change his
>> password.
>>
>> Issuing this command:
>>
>> # ldapsearch -x -b 'uid=testuser,ou=People,dc=example,dc=local' '(objectclass=*)'
>>
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=testuser,ou=People,dc=example,dc=local> with scope sub
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # testuser, People, example.local
>> dn: uid=testuser,ou=People,dc=example,dc=local
>> uid: testuser
>> cn: Sean Cook
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> shadowMax: 99999
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 547
>> gidNumber: 500
>> homeDirectory: /home/testuser
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> I think the issue might be with PAM, because comparing all files I
>> can think of doesn't point me to any differences except
>> /etc/pam.d/system-auth
>>
>> The LDAP server 'storage' has WINBIND turned on, as follows:
>>
>> auth        required      /lib/security/$ISA/pam_env.so
>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
>> auth        required      /lib/security/$ISA/pam_deny.so
>>
>> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
>> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
>> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
>> account     required      /lib/security/$ISA/pam_permit.so
>>
>> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>> password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
>> password    required      /lib/security/$ISA/pam_deny.so
>>
>> session     required      /lib/security/$ISA/pam_limits.so
>> session     required      /lib/security/$ISA/pam_unix.so
>> session     optional      /lib/security/$ISA/pam_ldap.so
>>
>>
>> And the server 'phoenix' (which allows 'testuser' to login fine) does
>> not;
>>
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      /lib/security/$ISA/pam_env.so
>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>> auth        required      /lib/security/$ISA/pam_deny.so
>>
>> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
>> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
>> account     required      /lib/security/$ISA/pam_permit.so
>>
>> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>> password    required      /lib/security/$ISA/pam_deny.so
>>
>> session     required      /lib/security/$ISA/pam_limits.so
>> session     required      /lib/security/$ISA/pam_unix.so
>> session     optional      /lib/security/$ISA/pam_ldap.so
>>
>>
>> I tried disabling WINBIND but the issue still occurs even after
>> restarting ldap and sshd.
>>
>> Please help!!
>>
>>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
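A small diagnostic helper for the failure pattern quoted in this thread, added here as an example (it is not code from the poster, from Craig, or from the CentOS list). It correlates the pam_unix and pam_ldap messages by PID to show that the name resolved but slapd rejected the bind, builds the ldapwhoami command that reproduces pam_ldap's simple bind against whatever target /etc/ldap.conf on that host points to, and diffs two system-auth auth stacks ignoring comments and whitespace. The log lines are reconstructed from the ones in the post; the /etc/ldap.conf contents and the hostname storage.example.local are assumptions.

```python
"""Diagnostic helper for a pam_ldap 'Invalid credentials' failure.

Added example, not code from the mailing-list thread.  Every input below is a
constructed sample; the ldap.conf contents and hostname are assumptions.
"""
import re
import shlex

# Constructed from the three /var/log/messages lines quoted in the thread.
SAMPLE_LOG = """\
Sep 19 16:56:17 storage sshd(pam_unix)[3124]: check pass; user unknown
Sep 19 16:56:17 storage sshd(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test-kja1
Sep 19 16:56:17 storage sshd[3124]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=local" (Invalid credentials)
"""

# Assumed /etc/ldap.conf (the padl nss_ldap/pam_ldap file) on the failing host.
SAMPLE_LDAP_CONF = """\
# constructed sample, not the poster's real file
host storage.example.local
base dc=example,dc=local
nss_base_passwd ou=People,dc=example,dc=local?one
pam_login_attribute uid
ssl no
"""

# The auth stanzas of the two system-auth files quoted in the thread
# (phoenix's copy deliberately re-spaced to show the normalisation).
STORAGE_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""
PHOENIX_AUTH = """\
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth   sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

SYSLOG_RE = re.compile(
    r'^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<proc>[^\[ ]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
BIND_RE = re.compile(r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)')


def analyse_log(text):
    """Correlate pam_unix and pam_ldap messages per (host, pid).

    'check pass; user unknown' from pam_unix plus a pam_ldap bind error for the
    same pid means NSS resolved the name (pam_ldap got a DN to bind with),
    pam_unix had no local hash to compare, and slapd itself rejected the bind.
    """
    by_pid = {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ev = by_pid.setdefault((m['host'], m['pid']), {'local_user': True})
        if m['proc'].endswith('(pam_unix)') and m['msg'] == 'check pass; user unknown':
            ev['local_user'] = False
        b = BIND_RE.match(m['msg'])
        if b:
            ev['dn'], ev['reason'] = b['dn'], b['reason']
    return [dict(host=h, pid=p, **ev) for (h, p), ev in by_pid.items() if 'dn' in ev]


def bind_test_command(ldap_conf_text, dn):
    """Build the ldapwhoami call that reproduces pam_ldap's simple bind against
    the target pam_ldap would use (uri, else host/port/ssl from ldap.conf).
    Run on the failing host it takes PAM out of the picture: success prints the
    DN, 'Invalid credentials' means slapd rejected the password for that DN."""
    conf = {}
    for raw in ldap_conf_text.splitlines():
        parts = raw.strip().split(None, 1)  # "key value", blank or tab separated
        if parts and not parts[0].startswith('#'):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    if 'uri' in conf:
        uri = conf['uri'].split()[0]  # pam_ldap tries the first listed URI first
    else:
        scheme = 'ldaps' if conf.get('ssl', 'no').lower() == 'on' else 'ldap'
        host = conf.get('host', 'localhost').split()[0]
        port = conf.get('port', '636' if scheme == 'ldaps' else '389')
        uri = f'{scheme}://{host}:{port}/'
    return ['ldapwhoami', '-x', '-H', uri, '-D', dn, '-W']


def pam_stack_diff(a, b):
    """Lines present in one system-auth but not the other, ignoring comments
    and whitespace so indentation or mail wrapping does not count as a change."""
    def effective(text):
        return [' '.join(l.split()) for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith('#')]
    ea, eb = effective(a), effective(b)
    return [l for l in ea if l not in eb], [l for l in eb if l not in ea]


if __name__ == '__main__':
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f['host']} pid {f['pid']}: bind as {f['dn']} failed ({f['reason']}); "
              f"local account present: {f['local_user']}")
        print('reproduce outside PAM with:', shlex.join(bind_test_command(SAMPLE_LDAP_CONF, f['dn'])))
    only_storage, only_phoenix = pam_stack_diff(STORAGE_AUTH, PHOENIX_AUTH)
    print('only on storage:', only_storage)
    print('only on phoenix:', only_phoenix)
```

The ldapwhoami command is worth running on the failing host itself rather than on one of the working clients, because pam_ldap on each machine reads its own /etc/ldap.conf and the point of the check is to bind with the same host, port and DN that pam_ldap there is using; the -W flag prompts for the password so it never lands in shell history.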