On Jun 7, 2010, at 3:50 AM, Buchan Milne wrote:
> Sure, but are you sure ldapsearch and pam_ldap are using the same password? If
> you *think* so, maybe you should check with a packet capture ...
I did, and found that pam_ldap had altered the password prior to submittal. It turns out that for what it perceives as invalid user ids, it changes the password hash to 'INCORECT', mis-spelling and all. There was a problem with nsswitch/nscd; once it was resolved, the userid was valid and ldap worked fine.

This is hardly useful behavior. I fail to understand why this particular approach is taken.

Also, on the other hand, comparing the logs I showed indicates that more logging would really help identify the problem. The failed BIND attempt is not logged, even at debug level 9, which is part of what confuses a person trying to understand the problem.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
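The check Buchan suggests, decoding the simple BindRequest from a packet capture to see which DN and password each client really sent, as an added example that is not part of this thread and not pam_ldap or OpenLDAP code. It parses the BER encoding of an LDAPv3 BindRequest (RFC 4511) by hand, so it runs offline; the two "captures" are constructed here with the same encoder rather than taken from a real pcap, and the DN and passwords are made up. Message IDs are assumed to fit in one byte.

```python
"""Decode LDAPv3 simple BindRequests (RFC 4511) from raw bytes, e.g. the TCP
payload of a packet capture, to confirm which DN and password a client such
as pam_ldap or ldapsearch actually sent. Added example, not project code."""


def _ber_len(buf, i):
    """Return (length, index after the length octets) for the BER length at buf[i]."""
    first = buf[i]
    if first < 0x80:                       # short form: one octet
        return first, i + 1
    n = first & 0x7F                       # long form: n following octets
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _tlv(buf, i):
    """Return (tag, value_bytes, index after the element) for the TLV at buf[i]."""
    tag = buf[i]
    length, j = _ber_len(buf, i + 1)
    return tag, buf[j:j + length], j + length


def _encode(tag, value):
    """Encode one BER element with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        hdr = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + value


def build_simple_bind(msgid, dn, password):
    """Build an LDAPMessage carrying a BindRequest with simple authentication.
    Only used to construct sample traffic (assumes msgid < 128); a real check
    would feed in bytes from tcpdump/tshark instead."""
    bind = (_encode(0x02, bytes([3]))              # version INTEGER 3
            + _encode(0x04, dn.encode())           # name LDAPDN (OCTET STRING)
            + _encode(0x80, password.encode()))    # authentication simple [0]
    msg = _encode(0x02, bytes([msgid])) + _encode(0x60, bind)  # [APPLICATION 0]
    return _encode(0x30, msg)                      # LDAPMessage SEQUENCE


def parse_simple_bind(data):
    """Return {'msgid', 'version', 'dn', 'password'} for a simple BindRequest,
    or raise ValueError if the bytes are not one."""
    tag, body, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msgid, i = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = _tlv(body, i)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest (tag 0x60)")
    tag, version, i = _tlv(bind, 0)
    tag, dn, i = _tlv(bind, i)
    tag, auth, _ = _tlv(bind, i)
    if tag != 0x80:
        raise ValueError("authentication is not simple (tag 0x80); SASL bind?")
    return {
        "msgid": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": dn.decode(),
        "password": auth.decode(errors="replace"),
    }


def same_credentials(capture_a, capture_b):
    """True if two captured BindRequests carry the same DN and password."""
    a, b = parse_simple_bind(capture_a), parse_simple_bind(capture_b)
    return a["dn"] == b["dn"] and a["password"] == b["password"]


# Constructed sample traffic (made-up DN and passwords): what ldapsearch would
# send with the real password, and what this thread reports pam_ldap sending.
SAMPLE_DN = "uid=jo,ou=People,dc=example,dc=com"
SAMPLE_LDAPSEARCH_BIND = build_simple_bind(1, SAMPLE_DN, "s3cret")
SAMPLE_PAM_LDAP_BIND = build_simple_bind(1, SAMPLE_DN, "INCORECT")

if __name__ == "__main__":
    for label, raw in (("ldapsearch", SAMPLE_LDAPSEARCH_BIND),
                       ("pam_ldap", SAMPLE_PAM_LDAP_BIND)):
        print(label, parse_simple_bind(raw))
    print("same credentials:", same_credentials(SAMPLE_LDAPSEARCH_BIND,
                                                SAMPLE_PAM_LDAP_BIND))
```

To use this on real traffic, capture port 389 with tcpdump and hand the TCP payload of the client's first message to parse_simple_bind (tshark's LDAP dissector will show the same fields if you prefer not to decode by hand). Note that a simple bind only exposes the password on the wire when it is sent in cleartext, so the comparison has to be made before STARTTLS or on a non-TLS test connection; if the client uses a SASL bind the parser reports that instead of a password.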
