I've enabled compile-time debug flags, to no avail.
I did some troubleshooting for several hours last night and discovered
something interesting -- the LDAP server is responding with a SUCCESS
message to the bind request, but PAM (for whatever reason) is still
denying my login request.
Here's the output of a sniffer capture between the client and the LDAP server:
bindResponse
resultCode: success (0)
The /var/log/auth.log file indicates the following:
==> auth.log <==
Nov 3 06:24:00 [email protected] sshd[11393]: error: PAM:
Authentication failure for illegal user tb from 10.9.3.153
Nov 3 06:24:00 [email protected] sshd[11393]: Failed
keyboard-interactive/pam for invalid user tb from 10.9.3.153 port
56665 ssh2
Nov 3 06:24:00 [email protected] sshd[11396]:
pam_tally2(sshd:auth): pam_get_uid; no such user
My /etc/pam.d/system-auth file is pretty much verbatim what is listed here:
http://www.gentoo.org/doc/en/ldap-howto.xml
Also, my /etc/nsswitch.conf file has "files" and "ldap" in the
appropriate places.
passwd: files ldap
shadow: files ldap
group: files ldap
Thoughts would be greatly appreciated -- I'm almost there! I just need
to figure out why PAM isn't playing nice with LDAP authentication.
-james
I'm so close I can taste it. :) Any thoughts or ideas on how to fix
this would be greatly appreciated.
On Fri, Nov 5, 2010 at 20:06, Ward Poelmans <[email protected]> wrote:
> On Fri, Nov 5, 2010 at 20:46, James <[email protected]> wrote:
>> The logdir is filled with empty files that, in the name of the file,
>> has the pid of the pam process. However, these files are empty and
>> they do not have anything in them.
>>
>> Thoughts?
>
> Try putting the compile time debugging options on?
>
> Ward
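As an added diagnostic (not part of the original thread), the following POSIX shell script separates the two failure modes that the log above mixes together: sshd labels a login "invalid user"/"illegal user" when its own getpwnam() lookup through NSS fails, which happens before PAM ever sees a password, and pam_tally2's "pam_get_uid; no such user" is the same lookup failing again inside the PAM stack. The script checks whether NSS can resolve the account at all (via getent, the standard NSS lookup tool, with id as a fallback) and classifies captured sshd/PAM log lines. The username tb and the hostname "host" in the sample lines are taken from or substituted into the post; the log lines are constructed for the example, not captured here.

```shell
#!/bin/sh
# Added diagnostic for "LDAP bind succeeds but sshd still rejects the user".
# Not code from the original thread.

# Returns 0 if NSS (the passwd sources listed in /etc/nsswitch.conf,
# here "files ldap") can resolve the account, 1 otherwise.
nss_user_known() {
    user="$1"
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$user" >/dev/null 2>&1
    else
        # Fallback when getent is unavailable; id also goes through NSS.
        id -u "$user" >/dev/null 2>&1
    fi
}

# Reads sshd/PAM log lines on stdin and prints one word:
#   nss  - sshd/PAM could not resolve the account (getpwnam failed), so the
#          problem is nsswitch/nss_ldap, not the password check
#   auth - the account resolved but PAM rejected the credentials
#   none - no recognised failure in the input
classify_sshd_failure() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -qiE 'invalid user|illegal user|no such user'; then
        echo nss
    elif printf '%s\n' "$input" | grep -qiE 'authentication failure|Failed (password|keyboard-interactive)'; then
        echo auth
    else
        echo none
    fi
}

# Constructed sample log lines modelled on the post (hostname replaced by "host").
SAMPLE_LOG='Nov 3 06:24:00 host sshd[11393]: error: PAM: Authentication failure for illegal user tb from 10.9.3.153
Nov 3 06:24:00 host sshd[11393]: Failed keyboard-interactive/pam for invalid user tb from 10.9.3.153 port 56665 ssh2
Nov 3 06:24:00 host sshd[11396]: pam_tally2(sshd:auth): pam_get_uid; no such user'

# Stand-alone usage: ./check.sh [username]   (defaults to tb, the user in the post)
user="${1:-tb}"
if nss_user_known "$user"; then
    echo "NSS resolves '$user'; if logins still fail, look at the PAM stack."
else
    echo "NSS cannot resolve '$user'; check nsswitch.conf and the nss_ldap/ldap.conf lookup before PAM."
fi
printf 'sample log classifies as: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | classify_sshd_failure)"
```

On the host from the post, `getent passwd tb` is the first thing to try: if it prints nothing, the LDAP bind succeeding is irrelevant because sshd never reaches the password check for an account it cannot look up, and the fix is on the NSS side (nsswitch.conf, the nss_ldap base/scope settings, or the LDAP entry's posixAccount attributes).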