[LDAP-interop] Re: Permission denied.

john.li at mindspeed.com john.li at mindspeed.com
Thu Jun 22 12:26:53 EDT 2006


Hi Gary,

Thanks for the reply. I did figure out what my problem was. Here is
the story.

The issue/problem: I was able to log in to a Solaris OpenLDAP client,
but kept getting this 'Permission denied' when trying to log in to a
RHFC3 client. Please note that I was using a specific account and
password to log in. The LDAP log file shows

 slapd[25606]: conn=1241 op=0 RESULT tag=97 err=49

From prior experience, I knew that error 49 means LDAP didn't like the
password that I entered. But the password was just fine when logging in
to a Solaris client.

The solution: To make the story short, I finally realized that the
crypted passwd that I generated using the command,

perl -e "print crypt('whatever','salt_string');"

was not consistent if the 'salt_string' was longer than 2 chars.
Therefore, the crypted password for the account is ONLY valid for the
platform where I run the perl command to generate the password.
After using a two-char salt to generate the crypt password for the
account, I'm able to log in to both Solaris and Linux clients. :-)


Gary, I do have another question; maybe you could help to answer it.

Given that NIS was (maybe still is) used by the majority of the Unix
environments historically, what is the percentage of the environments
that have been migrated to LDAP (OpenLDAP, MS AD, Sun's iPlanet)? Do we
need to be concerned about possible performance issues in a
multiple-platform LDAP environment?

Again, thank you very much...

Best regards,

John,
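An added example (not from the thread) that audits the userPassword values in a directory for the problem John describes: it classifies each crypt(3) hash by format, flags anything that is not the 13-character traditional DES form, and produces the two-character salt he ended up using. The sample entries and the hash strings in them are constructed and are not real hashes of any password.

```python
import re
import secrets

# Added example, not from the thread: classifies the hash stored in an LDAP
# userPassword value and generates the two-character salt John ended up using.
# It does not call crypt(3) itself, so it behaves the same on every platform.

# The traditional DES crypt(3) salt alphabet: 64 characters, two of them used.
DES_SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Traditional DES output: 2 salt characters followed by 11 hash characters.
TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_crypt_hash(user_password):
    """Return the crypt(3) format of a userPassword value ('{CRYPT}' prefix optional).

    Only the 13-character traditional DES form (two salt characters, then
    eleven hash characters) is produced the same way by every libc; anything
    longer depends on which algorithms the platform's crypt(3) supports.
    """
    value = user_password
    if value[:7].upper() == "{CRYPT}":
        value = value[7:]
    elif value.startswith("{"):
        return "not-crypt"      # {SSHA}, {MD5}, ...: compared by slapd, not by crypt(3)
    if value.startswith("$1$"):
        return "md5-crypt"
    if value.startswith(("$5$", "$6$")):
        return "sha-crypt"
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if TRADITIONAL_DES.match(value):
        return "des-crypt"
    return "unknown"

def is_portable(user_password):
    """True when the hash is the traditional DES form John switched back to."""
    return classify_crypt_hash(user_password) == "des-crypt"

def des_salt():
    """Two random characters from the crypt(3) salt alphabet."""
    return "".join(secrets.choice(DES_SALT_ALPHABET) for _ in range(2))

def audit(entries):
    """Given (dn, userPassword) pairs, return (dn, format) for the non-portable ones."""
    return [(dn, classify_crypt_hash(pw)) for dn, pw in entries if not is_portable(pw)]

# Constructed sample directory entries (not real hashes of any password).
SAMPLE_ENTRIES = [
    ("uid=alice,ou=People,dc=example,dc=com", "{CRYPT}saR2Fu3kP9b1m"),
    ("uid=bob,ou=People,dc=example,dc=com", "{CRYPT}$1$salt_str$ConstructedNotARealHash"),
]
```

Feed the output of des_salt() as the salt argument of John's perl one-liner to get a hash that every client's crypt(3) verifies the same way.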

"Tay, Gary" <Gary_Tay at platts.com> wrote on 06/22/06 03:25 AM, to <john.li at mindspeed.com>, cc "LDAP Interoperability List" <ldap-interop at fini.net>, Subject: Re: Permission denied.

1) Have you run "authconfig" on the ldap client?

2) Have you set up /etc/openldap/ldap.conf also and run "ldapsearch -x
-LLL uid=testuser" and "ldapsearch -x -LLL -ZZ uid=testuser" to confirm
the LDAP lookup has no issue in no-TLS and TLS mode?

3) Have you enabled PAM in /etc/ssh/sshd_config? If not, edit sshd_config
and restart sshd. Also, if you compile sshd from source, make sure PAM
support is configured.

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem       sftp    /usr/libexec/sftp-server

Read:
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20Open
SSH%20with%20pam_ldap%20for%20RedHat%20Enterprise%20Linux3.htm

4) The user home directory exists and has been permissioned to be
read/write by the LDAP user.

5) The user loginShell must be listed in /etc/shells

6) The user LDAP entry must have both posixAccount and shadowAccount
objectClasses.

7) Use "ssh -v user at localhost" to debug the ssh client session.

8) Start sshd in debug mode to debug.

9) You may want to change this line in /etc/ldap.conf

rootbinddn cn=Manager,dc=example,dc=com
To
rootbinddn "cn=Manager,dc=example,dc=com"

I am not sure if it will make any difference, if it does, let me know.

10) Have you disabled SELinux? I think it is available in RHFC3/RHEL4

Gary
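An added example (not from the thread or from Gary's document) that turns items 3, 5 and 6 of the checklist above into checks a client admin can run: it parses sshd_config for the three directives Gary lists, confirms the loginShell appears in /etc/shells, and confirms the LDIF returned by ldapsearch carries both objectClasses. The functions take file contents as strings, so the caller reads /etc/ssh/sshd_config, /etc/shells and the saved "ldapsearch -x -LLL uid=testuser" output; the inputs used here are constructed.

```python
import re

# Added example, not from the thread: checks items 3, 5 and 6 of Gary's list
# against the text of the relevant files. Callers read the files themselves
# (normally /etc/ssh/sshd_config, /etc/shells and the output of
# "ldapsearch -x -LLL uid=testuser"), so the checks also run on saved copies.

# Item 3: the sshd_config directives Gary lists, each expected to be "yes".
REQUIRED_SSHD = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",
    "UsePAM": "yes",
}

def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its effective value.

    sshd keywords are case-insensitive, may be followed by whitespace or '=',
    and the first occurrence of a keyword wins, so later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def missing_sshd_directives(sshd_config_text):
    """Directives from REQUIRED_SSHD whose effective value is not 'yes'."""
    settings = parse_sshd_config(sshd_config_text)
    return [key for key, want in REQUIRED_SSHD.items()
            if settings.get(key.lower(), "").lower() != want]

def shell_listed(login_shell, shells_text):
    """Item 5: /etc/shells has one absolute path per line; '#' lines are comments."""
    listed = {l.strip() for l in shells_text.splitlines()
              if l.strip() and not l.lstrip().startswith("#")}
    return login_shell in listed

def missing_object_classes(ldif_text):
    """Item 6: the entry must carry both posixAccount and shadowAccount."""
    present = {m.lower() for m in re.findall(r"(?im)^objectClass:\s*(\S+)", ldif_text)}
    return [oc for oc in ("posixAccount", "shadowAccount") if oc.lower() not in present]

def audit_client(sshd_config_text, shells_text, login_shell, ldif_text):
    """Collect every finding; an empty list means items 3, 5 and 6 pass."""
    findings = [f"sshd_config: {d} is not set to yes" for d in missing_sshd_directives(sshd_config_text)]
    if not shell_listed(login_shell, shells_text):
        findings.append(f"/etc/shells: {login_shell} not listed")
    findings += [f"LDAP entry: objectClass {oc} missing" for oc in missing_object_classes(ldif_text)]
    return findings
```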

===
[LDAP-interop] Re: Permission denied.

John Li john.li at mindspeed.com

I read another thread from the January 2006 archives by Davi Martini. His
'unable to login to a RH ldap client' problem is the same as my problem.
I did verify that I'm using LDAP for authentication from the authconfig
tool. So his solution won't work for me.

My /etc/ldap.conf looks like below (following Gary Tay's document):

host ldap1.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw secret
rootbinddn cn=Manager,dc=example,dc=com
port 389
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group          ou=group,dc=example,dc=com?one
nss_base_netgroup       ou=netgroup,dc=example,dc=com?one
#ssl on
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem

On the RH client, I'm able to su - sysmgr, and the automount works fine
for sysmgr.

If the problem is on the RH client side, please provide me some options
to troubleshoot this one.

Best regards,
