LDAP+PAM problems

Postby wwexell » 2005-10-18 18:48

New install of Sarge via debootstrap.

I am trying to set up NSS and PAM to use LDAP. NSS appears to be working but PAM does not.

The LDAP service is up and running, and I can log into other (Gentoo) systems which use this LDAP instance for NSS and PAM. Local use of ldapsearch also works fine and I can bind as any of the users I have set up with the appropriate password.

The ONLY system on my network that is failing to properly use the LDAP service with PAM is the server itself.

Oh, id <username> and getent passwd both return good results. I can also su - <username> with good results. I just can't login via ssh.

Here are the config files. Let me know if you need more.
/etc/ldap.conf, /etc/libnss-ldap.conf, /etc/pam_ldap.conf
host 192.168.20.3
base dc=heidewexell,dc=net
ldap_version 3
#binddn cn=admin,dc=heidewexell,dc=net
#bindpw dfLK.,.,
pam_password md5

/etc/ldap/slapd.conf
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        256
modulepath      /usr/lib/ldap
moduleload      back_bdb
backend         bdb
checkpoint 512 30
database        bdb
suffix          "dc=heidewexell,dc=net"
directory       "/var/lib/ldap"
index           objectClass eq
lastmod         on
access to attrs=userPassword
        by dn="cn=admin,dc=heidewexell,dc=net" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=heidewexell,dc=net" write
        by * read

/etc/nsswitch.conf
passwd:         files ldap
group:          files ldap
shadow:                 files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


/etc/pam.d/common-*
account    sufficient   pam_ldap.so debug
account    required     pam_unix.so
account    required     pam_access.so

auth    required                pam_env.so
auth    sufficient              pam_ldap.so debug
auth    sufficient              pam_unix.so try_first_pass
auth    required                pam_deny.so

password   required     pam_cracklib.so retry=3
password   sufficient   pam_ldap.so debug
password   sufficient   pam_unix.so debug try_first_pass nullok md5 shadow use_authtok nis
password   required     pam_deny.so

session         required                pam_unix.so


/var/log/auth.log
Oct 18 12:14:31 dorval slapd[30657]: <= bdb_equality_candidates: (uid) index_param failed (18)
Oct 18 12:14:31 dorval slapd[30657]: conn=85 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 18 12:14:31 dorval slapd[30657]: conn=85 op=2 BIND dn="uid=bob,ou=People,dc=heidewexell,dc=net" method=128
Oct 18 12:14:31 dorval slapd[30657]: conn=85 op=2 RESULT tag=97 err=49 text=
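As an added example (not part of the post), a small Python parser for slapd "stats" log lines in the format quoted above: it pairs each BIND request with its BindResponse by (conn, op) so that failed binds, such as the err=49 (invalidCredentials) result for uid=bob, can be listed per DN instead of being read off by hand. The sample log lines, connection numbers and DNs are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the slapd 'stats' (loglevel 256) format quoted
# in the post; connection numbers, timestamps and DNs are made up.
SAMPLE_LOG = """\
Oct 18 12:14:31 dorval slapd[30657]: conn=85 op=2 BIND dn="uid=bob,ou=People,dc=example,dc=net" method=128
Oct 18 12:14:31 dorval slapd[30657]: conn=85 op=2 RESULT tag=97 err=49 text=
Oct 18 12:14:40 dorval slapd[30657]: conn=86 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=net" method=128
Oct 18 12:14:40 dorval slapd[30657]: conn=86 op=0 RESULT tag=97 err=0 text=
Oct 18 12:14:41 dorval slapd[30657]: conn=87 op=0 BIND dn="" method=128
Oct 18 12:14:41 dorval slapd[30657]: conn=87 op=0 RESULT tag=97 err=0 text=
"""

# LDAP resultCode values (RFC 4511) most often seen on bind responses.
RESULT_NAMES = {0: "success", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the LDAP BindResponse; RESULT lines with another tag answer a
# different operation type (e.g. a SEARCH) and are ignored here.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

@dataclass
class BindResult:
    conn: int
    dn: str            # "" means an anonymous bind
    err: int
    def err_name(self) -> str:
        return RESULT_NAMES.get(self.err, f"unknown({self.err})")
    def failed(self) -> bool:
        return self.err != 0

def parse_bind_results(log_text: str) -> list[BindResult]:
    """Pair each BIND request with its BindResponse via the (conn, op) key."""
    pending: dict[tuple[int, int], str] = {}
    results: list[BindResult] = []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            pending[(int(m[1]), int(m[2]))] = m[3]
        elif m := RESULT_RE.search(line):
            key = (int(m[1]), int(m[2]))
            if key in pending:   # only RESULTs that answer a BIND we saw
                results.append(BindResult(key[0], pending.pop(key), int(m[3])))
    return results

def failed_binds(results: list[BindResult]) -> list[BindResult]:
    return [r for r in results if r.failed()]

if __name__ == "__main__":
    for r in parse_bind_results(SAMPLE_LOG):
        print(f"conn={r.conn} {r.dn or '<anonymous>'}: {r.err_name()}")
```

Anonymous binds (dn="") are reported as well, since the slapd.conf above grants anonymous "auth" access to userPassword and it is worth seeing how often that path is used.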