
Re: LDAP referral, binding -> invalid credentials

The last emails were not sent to the list, so if interested please
refer to the quotation below.

I tested again with PADL's pam_ldap, but it didn't work either.
Most important lines in /etc/ldap.conf were the following:
base dc=subdomain,dc=example,dc=com
uri ldap://ldapserver1
#debug 10
referrals yes # did not change anything

From the debug output and with tcpdump, I could see that pam_ldap
follows the referral to ldapserver2 anonymously, gets the respective
user information of ldapuser, but tries to bind with that user to
ldapserver1 then. I expected that it would bind to ldapserver2, where
it found the user for accessing the password.

This bug of pam_ldap has been reported already:

So unfortunately, the behavior of pam_ldap is similar to that of
pam_ldapd, I think.

Thank you again for your time!


2010/7/23 Arthur de Jong <>:
> Sorry to not respond earlier. I have been doing some work on this but
> without success so far.
> On Tue, 2010-07-13 at 00:09 +0200, Valentin Mann wrote:
>> > Perhaps it is enough to do a user lookup first (which should end up
>> > on the correct server) and rebind as the user after that.
>> Yes, and then just use this server for the subsequent non-anonymous
>> bind. That might do the trick ...
> It does not do the trick I'm afraid, at least not in my test set-up
> (which is a bit limited). It also isn't easy to get the URL of a
> returned user (as far as I know), perhaps someone else has more insights
> in this?
> I've had a very brief look into how pam_ldap works but have not
> identified anything special for this so far. Does PADL's pam_ldap work
> with your set-up?
> Anyway, attached is a very rough patch of how far I got. I don't think I
> have much time for this the coming couple of weeks though so if someone
> is interested in this, please go ahead.

Attachment: nss-pam-ldapd-pam-rebind-try.patch
Description: Text Data
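To make the behaviour discussed in this thread concrete, here is an added illustration (not code from the thread, from nss-pam-ldapd or from PADL's pam_ldap) of the difference between binding back to the original server and binding to the server the referral pointed at. It uses two constructed in-memory stand-ins for ldapserver1 and ldapserver2 instead of a real directory; the only real-format piece is the RFC 4516 LDAP URL parsing of the referral. The base DN, host names and the user name come from the /etc/ldap.conf and description above; the password, the entry DN and the FakeLdapServer class are assumptions made for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, unquote

BASE = "dc=subdomain,dc=example,dc=com"


@dataclass
class FakeLdapServer:
    """Constructed stand-in for one LDAP server: a few entries plus optional
    subtree referrals. It is not a real LDAP client or server."""
    name: str
    entries: dict                                # DN -> password (constructed)
    referrals: dict = field(default_factory=dict)  # subtree DN -> LDAP URL

    def search(self, base, uid):
        # An anonymous search under a referred subtree yields a referral
        # instead of an entry, as ldapserver1 does in the description above.
        for subtree, url in self.referrals.items():
            if base.endswith(subtree):
                return ("referral", url)
        for dn in self.entries:
            if dn.startswith(f"uid={uid},") and dn.endswith(base):
                return ("entry", dn)
        return ("none", None)

    def bind(self, dn, password):
        # A simple bind only succeeds on the server that actually holds the entry.
        return self.entries.get(dn) == password


def parse_referral(url):
    """Split an RFC 4516 LDAP URL (ldap://host[:port]/dn[?...]) into
    (host, base DN). An empty DN part returns an empty string."""
    parsed = urlparse(url)
    return parsed.hostname, unquote(parsed.path.lstrip("/"))


def authenticate(servers, start_host, base, uid, password,
                 rebind_to_referred=True, max_hops=5):
    """Look the user up (following referrals), then bind as that user.

    rebind_to_referred=True  -> bind to the server where the entry was found
                                (the behaviour the poster expected).
    rebind_to_referred=False -> bind back to the server the lookup started on
                                (the behaviour observed, yielding invalid credentials).
    Returns (bind_succeeded, host_the_bind_was_sent_to).
    """
    host, dn = start_host, None
    for _ in range(max_hops):          # bound the number of referral hops
        kind, value = servers[host].search(base, uid)
        if kind == "referral":
            host, referred_base = parse_referral(value)
            base = referred_base or base
            continue
        if kind == "entry":
            dn = value
        break
    if dn is None:
        return (False, None)
    bind_host = host if rebind_to_referred else start_host
    return (servers[bind_host].bind(dn, password), bind_host)


# Constructed directory: ldapserver1 refers the whole subdomain subtree to
# ldapserver2, which holds the user entry and its (made-up) password.
SERVERS = {
    "ldapserver1": FakeLdapServer(
        "ldapserver1", entries={},
        referrals={BASE: f"ldap://ldapserver2/{BASE}"}),
    "ldapserver2": FakeLdapServer(
        "ldapserver2",
        entries={f"uid=ldapuser,ou=people,{BASE}": "secret"}),
}

if __name__ == "__main__":
    for rebind in (True, False):
        ok, host = authenticate(SERVERS, "ldapserver1", BASE,
                                "ldapuser", "secret", rebind_to_referred=rebind)
        print(f"rebind_to_referred={rebind}: bind sent to {host}, success={ok}")
```

Running it shows the lookup landing on ldapserver2 both times; only the run that binds to ldapserver2 succeeds, while binding back to ldapserver1 fails with the equivalent of "invalid credentials", which matches the tcpdump observation above. The referral URL carried back from the search is what tells the client where to send the bind, so a client that discards it after the lookup cannot pick the right server.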
