[CentOS] LDAP / PAM -- Invalid Credentials Error

Thu Sep 20 18:14:22 UTC 2007
Craig White <craig at tobyhouse.com>

On Thu, 2007-09-20 at 11:23 -0400, Von Landfried wrote:
> Thank you for you response, but I might not have been clear in my  
> original email.
> All of the other servers (servers[1-9]) are working properly, i.e.  
> the user 'testuser' is able to log in using the password I set, and  
> is able to change the password using passwd, among other things of  
> course. So because of this, I assume LDAP is working properly.
> My question is why can't 'testuser' log into the actual LDAP server?  
> There must be some configuration difference, but I just can't find it.
did you check /var/log/secure on that system? That should log
authentication failures/successes.

remember, each machine must make its own connection to ldap and each
system has its own /etc/ldap.conf, /etc/openldap/ldap.conf, /etc/nsswitch.conf
and /etc/pam.d/system-auth files
> I obviously would not change /etc/pam.d/system-auth manually, I would  
> use 'authconfig' to make any changes. I already turned off WINBIND  
> and that did nothing to fix it. Unless something has to be restarted,  
> (other than ldap, sshd) then this wasn't the cause.
winbindd would only slow things up - especially if improperly

also, it's a good idea to make sure nscd is stopped - at the very least,
stopped until everything is working properly.
> The /etc/ldap.conf is configured properly, on all machines, which is  
> why I assume the user is able to log into the other 9 servers.
> These are CentOS 4.5 servers, so they are running openldap-2.2.13-7.4E
> Running 'getent passwd' (didn't know that command, thanks for that  
> one) shows the user, so I assume the password is correctly setup  
> (kinda already knew that since he can log into all other machines)
getent passwd
getent group

very important on systems with system users in /etc/passwd and network
users in ldap since it gives you the hybrid.

very important also to not have a user in both /etc/passwd and ldap as
that would surely cause confusion
> I will keep trying, and will read through the documentation.
good luck

Craig White <craig at tobyhouse.com>