[LDAP-interop] Re: Permission denied.
John Li
john.li at mindspeed.com
Tue Jun 13 17:40:53 EDT 2006
I read another thread from the January 2006 archives by Davi Martini. His
'unable to login to a RH ldap client' problem is the same as my problem.
I did verify that I'm using LDAP for authentication from the authconfig tool,
so his solution won't work for me.
My /etc/ldap.conf looks like below (following Gary Tay's document):
host ldap1.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw secret
rootbinddn cn=Manager,dc=example,dc=com
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
nss_base_netgroup ou=netgroup,dc=example,dc=com?one
#ssl on
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
On the RH client, I'm able to su - sysmgr, and the automount works fine
for sysmgr.
If the problem is on the RH client side, please provide me some options
to troubleshoot this one.
Best regards,
John Li wrote:
> Hi All,
>
> I'm trying to set up an openldap environment, but I am getting this
> 'Permission denied.' when trying to remotely log in to an ldap client
> using ssh, telnet, or rlogin. I'm having this problem only when trying
> to log in to a RH openldap client. I'm able to log in, using ssh or
> telnet, to a solaris openldap client using the same ldap account.
> Please see details below.
>
> My openldap environment:
>
> openldap server,
> RHFC3
> openldap-servers-2.2.13-2
> nss_ldap-220-3
> openssh-3.9p1-7
> pam-0.77-65
>
> openldap client #1
> solaris 5.8
>
> openldap client #2
> RHFC3
> openldap-servers-2.2.13-2
> nss_ldap-220-3
> openssh-3.9p1-7
> pam-0.77-65
>
> Below is the system-auth file on the RHFC3 ldap client:
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid <
> 100 quiet
> account [default=bad success=ok user_unknown=ignore]
> /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok
> use_authtok
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
> Below is the ldap.log file:
>
> Jun 13 09:57:08 ldap1 slapd[15436]: conn=4123 op=6 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jun 13 09:57:08 ldap1 slapd[15436]: conn=4130 fd=23 ACCEPT from
> IP=10.1.4.51:33899 (IP=0.0.0.0:389)
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=1 BIND
> dn="cn=Manager,dc=example,dc=com" method=128
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=1 BIND
> dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=1 RESULT tag=97 err=0
> text=
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=2 SRCH
> base="ou=People,dc=example,dc=com" scope=1 deref=0 filter="(&(
> objectClass=posixAccount)(uid=sysmgr))"
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=2 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=3 BIND anonymous
> mech=implicit ssf=0
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=3 BIND
> dn="uid=sysmgr,ou=People,dc=example,dc=com" method=128
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=3 RESULT tag=97
> err=49 text=
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=4 BIND
> dn="cn=Manager,dc=example,dc=com" method=128
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=4 BIND
> dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
> Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=4 RESULT tag=97 err=0
> text=
> Jun 13 09:57:11 ldap1 slapd[15436]: conn=4130 op=5 UNBIND
> Jun 13 09:57:11 ldap1 slapd[15436]: conn=4130 fd=23 closed
>
> I understand the err=49 is possibly related to a wrong passwd for the
> account (sysmgr in this case).
> But I know my password is correct, since I used the same account and
> passwd to successfully log in to the solaris ldap client, which is also
> set up for PAM ldap authentication.
>
> I'm out of ideas on how to identify the problem; any help would be
> greatly appreciated...
>
> Best regards,
>
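The slapd log excerpt in the quoted post shows the sequence a PAM/nss_ldap client produces on login: a bind as the proxy or root DN, a search for the user entry, then a bind as the user's own DN whose RESULT carries err=49 (invalidCredentials). The following is an added example, not code from the thread or from OpenLDAP: a small Python parser for that slapd stats-log format that correlates each BIND with its RESULT by (conn, op), attaches the client address from the ACCEPT line, and reports failed binds per source and DN, which is the view a defender wants when separating a misconfigured client from repeated guessing against one account. The log lines embedded below are constructed from the post's format; the function and variable names are the example's own.

```python
"""Parse OpenLDAP slapd stats-log lines and report BIND outcomes per connection."""
import re
from collections import Counter

# Constructed sample in the slapd 2.2 stats-log format shown in the post:
# proxy bind (ok), user lookup, then the user's own simple bind failing.
SAMPLE_LOG = """\
Jun 13 09:57:08 ldap1 slapd[15436]: conn=4130 fd=23 ACCEPT from IP=10.1.4.51:33899 (IP=0.0.0.0:389)
Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=1 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=1 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=1 RESULT tag=97 err=0 text=
Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=2 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=sysmgr))"
Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=3 BIND anonymous mech=implicit ssf=0
Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=3 BIND dn="uid=sysmgr,ou=People,dc=example,dc=com" method=128
Jun 13 09:57:09 ldap1 slapd[15436]: conn=4130 op=3 RESULT tag=97 err=49 text=
Jun 13 09:57:11 ldap1 slapd[15436]: conn=4130 op=5 UNBIND
Jun 13 09:57:11 ldap1 slapd[15436]: conn=4130 fd=23 closed
"""

# LDAP result codes that commonly close a bind (RFC 4511, Appendix A).
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the LDAP bindResponse, so a RESULT with that tag closes a BIND op.
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")


def parse_bind_results(lines):
    """Correlate BIND requests with their RESULT lines by (conn, op).

    Returns one dict per completed bind, in log order, with keys
    conn, op, dn, ip (from the connection's ACCEPT line, or None), err, name.
    """
    source_ip = {}   # conn -> client address
    pending = {}     # (conn, op) -> DN of a BIND still awaiting its RESULT
    results = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            source_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, _method = m.groups()   # method=128 is a simple bind
            pending[(conn, op)] = dn
            continue
        m = BIND_RESULT_RE.search(line)
        if m:
            conn, op, err = m.group(1), m.group(2), int(m.group(3))
            dn = pending.pop((conn, op), "")      # "" means an anonymous bind
            results.append({
                "conn": conn, "op": op, "dn": dn,
                "ip": source_ip.get(conn), "err": err,
                "name": LDAP_RESULT_NAMES.get(err, f"err{err}"),
            })
    return results


def failed_binds(lines):
    """Only the binds whose result code was not success."""
    return [r for r in parse_bind_results(lines) if r["err"] != 0]


def failures_by_source(lines):
    """Count failed binds per (client IP, bind DN).

    One client repeatedly failing against one DN usually means a misconfigured
    client (as in the post); many DNs or many clients point at something else
    and deserve a closer look.
    """
    return Counter((r["ip"], r["dn"]) for r in failed_binds(lines))


if __name__ == "__main__":
    for r in failed_binds(SAMPLE_LOG.splitlines()):
        print(f"conn={r['conn']} op={r['op']} from {r['ip']}: "
              f"bind as {r['dn']!r} failed err={r['err']} ({r['name']})")
    for (ip, dn), n in failures_by_source(SAMPLE_LOG.splitlines()).items():
        print(f"{n} failed bind(s) from {ip} as {dn!r}")
```

Run it against a real slapd log with `parse_bind_results(open("/var/log/ldap.log").read().splitlines())`; only lines carrying the `conn=`/`op=` stats fields are consulted, so the syslog prefix and any interleaved messages are ignored. Because the parser keys on the bindResponse tag rather than on the word RESULT, the `SEARCH RESULT tag=101` lines are not mistaken for bind outcomes.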