On Tue, 2005-04-05 at 10:19 -0500, Thomas Cameron wrote:
> On Tue, 2005-04-05 at 10:30 -0400, Jon Thompson wrote:
> > > Ok: I have a RHEL 3.0 box and a Fedora Core 3. I am using pam_ldap
> > > for system authentication. They have the exact same configuration
> > > files and parameters. I copied the files from the working box to the
> > > malfunctioning system. I can execute getent passwd and see all of the
> > > user names that are available through ldap. However, when I try and
> > > login it fails. When I try and su to a valid user I get an 'incorrect
> > > password' error. I have tcpdumped the traffic and watched the logs on
> > > the ldap server, the system is connecting and there has been no
> > > failure due to acls. However, when I run debug with the pam module I
> > > get a pam_ldap: simple bind failure. Has anyone else come across
> > > anything like this?
> > >
> > > Thanks,
> > >
> > > Jon
> >
> > Yes, I am fighting an LDAP issue right now with RHEL 3. Can you give a
> > little more info? What LDAP server are you trying to authenticate against?
> >
> > Openldap 2.2.6
> >
> >
> > Also, what version of nss_ldap are you using?
> >
> > RHEL 3 nss_ldap 207-11
> > Fedora nss_ldap 220-3
> >
> >
> > The interesting thing is that it works without issue when I am not
> > using SSL. It will retrieve user information and authenticate against
> > LDAP while not utilizing SSL. Whenever I enable SSL the password
> > authentication portion dies while the getent still works.
>
> Be very careful - I tried to use the FC nss_ldap and was told by RH paid
> support that it was not compatible and could not be made compatible with
> RHEL 3.
>
> We've been fighting this issue with RHEL since January 31st and we just
> came to some sort of conclusion yesterday.
----
1 - are you sure you are using SSL and not TLS?
2 - logs?

suggest that you have a sufficient log level (256 is good but I don't
think that handles ssl routines) also, a local4 entry in syslog.conf can
direct openldap logs to a separate file.

Craig
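One way to check the SSL-versus-TLS question raised in the reply above, as an added example that is not part of the original thread: a small Python check that compares the `ssl` directive in a pam_ldap/nss_ldap style `ldap.conf` with the scheme and port of each `uri`. The mismatch rules are a heuristic assumed here, and the host name and sample configuration are constructed.

```python
# Added example (not from the thread): flag an SSL vs StartTLS mismatch in a
# pam_ldap/nss_ldap style ldap.conf. The rules below are an assumed heuristic.
from urllib.parse import urlparse


def parse_ldap_conf(text):
    """Return {directive: value} from ldap.conf text (last occurrence wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def transport_findings(text):
    """List mismatches between the 'ssl' directive and each URI's scheme/port."""
    conf = parse_ldap_conf(text)
    ssl_mode = conf.get("ssl", "off").lower()
    findings = []
    for uri in conf.get("uri", "").split():
        u = urlparse(uri)
        # Default ports: 636 for ldaps://, 389 for ldap://
        port = u.port or (636 if u.scheme == "ldaps" else 389)
        if ssl_mode == "start_tls" and (u.scheme == "ldaps" or port == 636):
            # StartTLS upgrades a plain LDAP session; it is not LDAPS.
            findings.append(f"{uri}: 'ssl start_tls' aimed at an LDAPS endpoint")
        elif ssl_mode == "on" and u.scheme == "ldap" and port == 389:
            # 'ssl on' means LDAPS (TLS from the first byte), usually port 636.
            findings.append(f"{uri}: 'ssl on' (LDAPS) aimed at the plain LDAP port")
    return findings


# Constructed sample configuration, for illustration only.
SAMPLE_CONF = """\
# /etc/ldap.conf (constructed sample)
uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl start_tls
"""

if __name__ == "__main__":
    for finding in transport_findings(SAMPLE_CONF) or ["no transport mismatch found"]:
        print(finding)
```

An empty result only means the directives agree with each other; the server still has to be listening in the matching mode on that port.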