pam_ldap - second part


eyalm
Posts: 123
Joined: Mon Feb 27, 2006 12:15 am


Postby eyalm » Thu Jun 08, 2006 5:53 pm

Hi guys,
I'm trying to authenticate with pam_ldap against my openldap.
I reinstalled scalix, I got sxpamauth working:

Code:

[root@scalix pam.d]# sxpamauth -vvv marantenboim
pam_start_om("pamcheck", "marantenboim")
pam_authenticate()
Password:
pam_acct_mgmt()

Authenticated


and sxpampasswd:

Code:

[root@scalix pam.d]# sxpampasswd -vvv marantenboim
pam_start_om("pamcheck", "marantenboim")
pam_chauthtok()
AUTHTOK not set
OLDAUTHTOK not set
Enter login(LDAP) password:
AUTHTOK not set
OLDAUTHTOK set
New password:
AUTHTOK not set
OLDAUTHTOK set
Re-enter new password:
AUTHTOK not set
OLDAUTHTOK set
LDAP password information changed for eyalm

Password changed


But when I'm trying to log in from the web I'm getting this in my slapd.log:


Jun 8 16:50:24 data slapd[1818]: conn=533 fd=20 ACCEPT from IP=10.1.1.33:40383 (IP=0.0.0.0:389)
Jun 8 16:50:24 data slapd[1818]: conn=533 op=0 BIND dn="" method=128
Jun 8 16:50:24 data slapd[1818]: conn=533 op=0 RESULT tag=97 err=0 text=
Jun 8 16:50:24 data slapd[1818]: conn=533 op=1 SRCH base="dc=cardonhealthcare,dc=com" scope=2 deref=0 filter="(uid=eyalm)"
Jun 8 16:50:24 data slapd[1818]: conn=533 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 8 16:50:24 data slapd[1818]: conn=533 op=2 BIND dn="cn=Eyal Marantenboim,ou=people,ou=houston,ou=Internal,dc=cardonhealthcare,dc=com" method=128
Jun 8 16:50:24 data slapd[1818]: conn=533 op=2 BIND dn="cn=Eyal Marantenboim,ou=people,ou=houston,ou=Internal,dc=cardonhealthcare,dc=com" mech=SIMPLE ssf=0
Jun 8 16:50:24 data slapd[1818]: conn=533 op=2 RESULT tag=97 err=0 text=
Jun 8 16:50:24 data slapd[1818]: conn=533 op=3 BIND anonymous mech=implicit ssf=0
Jun 8 16:50:24 data slapd[1818]: conn=533 op=3 BIND dn="" method=128
Jun 8 16:50:24 data slapd[1818]: conn=533 op=3 RESULT tag=97 err=0 text=
Jun 8 16:50:24 data slapd[1818]: conn=533 op=4 UNBIND
Jun 8 16:50:24 data slapd[1818]: conn=533 fd=20 closed
Jun 8 16:50:24 data slapd[1818]: conn=534 fd=20 ACCEPT from IP=10.1.1.33:40384 (IP=0.0.0.0:389)
Jun 8 16:50:24 data slapd[1818]: conn=534 op=0 BIND dn="" method=128
Jun 8 16:50:24 data slapd[1818]: conn=534 op=0 RESULT tag=97 err=0 text=
Jun 8 16:50:24 data slapd[1818]: conn=534 op=1 SRCH base="dc=cardonhealthcare,dc=com" scope=2 deref=0 filter="(uid=marantenboim\1Deyal\1D\1D\1Dscalix\1Dcardon\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\17eyal marantenboim)"
Jun 8 16:50:24 data slapd[1818]: conn=534 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 8 16:50:24 data slapd[1818]: conn=534 op=2 UNBIND
Jun 8 16:50:24 data slapd[1818]: conn=534 fd=20 closed


And I can't log in. I'm getting: 'The username or password is incorrect'


Here is my pamcheck:

Code:

auth    required om_om2authid
auth    required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so


Here is my ual.remote:
auth required om_om2authid
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so



Thanks,
Eyal.

ggreenaway

Postby ggreenaway » Thu Jun 08, 2006 7:12 pm

I ran into this problem too; turns out I didn't have all the required entries in my LDAP tree. This post helped.
http://www.scalix.com/community/viewtop ... hlight=fc4

eyalm
Posts: 123
Joined: Mon Feb 27, 2006 12:15 am

Postby eyalm » Fri Jun 09, 2006 10:40 am

But that explains how to use with om_ldap. I had that working fine, but now I switched to pam_ldap and it's not working.

Any ideas?

hughesjr
Posts: 32
Joined: Wed Dec 20, 2006 3:00 pm

Postby hughesjr » Sun Dec 24, 2006 8:48 am

Jun 8 16:50:24 data slapd[1818]: conn=534 op=1 SRCH base="dc=cardonhealthcare,dc=com" scope=2 deref=0 filter="(uid=marantenboim\1Deyal\1D\1D\1Dscalix\1Dcardon\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\1D\17eyal marantenboim)"


Anyone that has this error (the \1D\1D stuff) ....

I had the same error on CentOS and I needed to install openldap-clients on the scalix server ... then authentication from pam_ldap on a different ldap server started working and the \1D\1D stuff went away.

Somehow the package nss_ldap (which contains nss_ldap and pam_ldap) will install without openldap-clients ... and it seems that when scalix does the authentication it needs one of the tools (probably ldapsearch) that openldap-clients provides.

Hope this helps someone :D
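
A triage check for the symptom discussed in this thread, as an added example that is not from any poster or from Scalix: it scans slapd log text for SRCH filters whose value carries escaped control bytes (the `\1D` and `\17` sequences) and pairs each one with the entry count of its SEARCH RESULT. The sample log is constructed, with a placeholder base DN and a shortened filter, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the slapd.log excerpt in the thread
# (placeholder base DN, shortened filter value).
SAMPLE_LOG = r'''
Jun 8 16:50:24 data slapd[1818]: conn=533 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=eyalm)"
Jun 8 16:50:24 data slapd[1818]: conn=533 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 8 16:50:24 data slapd[1818]: conn=534 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=marantenboim\1Deyal\1D\1Dscalix\17eyal marantenboim)"
Jun 8 16:50:24 data slapd[1818]: conn=534 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
'''

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="(.*)"\s*$')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')
HEX_ESCAPE = re.compile(r'\\([0-9A-Fa-f]{2})')  # RFC 4515 \XX escape in a filter string


def control_bytes(ldap_filter):
    """Return the escaped byte values below 0x20 found in a logged filter."""
    values = (int(h, 16) for h in HEX_ESCAPE.findall(ldap_filter))
    return [b for b in values if b < 0x20]


def find_malformed_searches(log_text):
    """Pair each SRCH with its SEARCH RESULT; report filters carrying control bytes."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            ctl = control_bytes(m.group(3))
            if ctl:  # remember only suspicious searches, keyed by (conn, op)
                pending[(m.group(1), m.group(2))] = (m.group(3), ctl)
            continue
        m = RESULT.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            flt, ctl = pending.pop((m.group(1), m.group(2)))
            findings.append({
                "conn": int(m.group(1)), "op": int(m.group(2)),
                "control_bytes": sorted(set(ctl)),
                "nentries": int(m.group(3)),
                # text of the uid value before the first escaped byte
                "uid_prefix": HEX_ESCAPE.split(flt)[0].split("=", 1)[-1],
            })
    return findings


if __name__ == "__main__":
    for finding in find_malformed_searches(SAMPLE_LOG):
        print(finding)
```

Escapes for printable characters such as `\28` and `\29` (parentheses) are not flagged, so ordinary escaped filter values do not show up in the findings.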

