lists.arthurdejong.org

Re: user can't log in, troubleshooting hints?



On Wed, Sep 14, 2011 at 04:34:10PM -0400, Christopher Wood wrote:
> On Wed, Sep 14, 2011 at 10:00:18PM +0200, Arthur de Jong wrote:
> > On Wed, 2011-09-14 at 14:05 -0400, Christopher Wood wrote:
> > > How to best troubleshoot one particular user who cannot log in?
> > 
> > The information provided should already be quite helpful. The changed
> > usernames make things a bit more difficult though. Are you sure the uid
> > field is all that is different between both entries?
> 
> Come to think of it, no. There are several different member attributes 
> between the two entries. (Apart from the differences in uidNumber, uid, dn, 
> homeDirectory.)

Well, this is really embarrassing. The pertinent difference was that the 
loginShell on the problem entry was "bash", but "/bin/bash" on the working 
entries.

In the previous in-house system an agent on various hosts would set the user's 
shell in /etc/passwd to a valid value based on a system-specific path to the 
named shell. In the pure ldap-based authentication land, the loginShell value 
has to match something in /etc/shells.
  
> > What version of nss-pam-ldapd are you using?
> 
> 0.7.13 on Debian Squeeze.
> 
> > > I'm puzzled at why nslcd is failing to bind for one specific user when
> > > I can bind using ldapsearch for that user, and other users have no
> > > problem.
> > 
> > Apparently nslcd is confused by something.
> > 
> > > nslcd: [5558ec] DEBUG: 
> > > ldap_simple_bind_s("uid=user1,ou=people,o=co","***") 
> > > (uri="ldap://10.201.166.7/")
> > > nslcd: [5558ec] DEBUG: failed to bind to LDAP server 
> > > ldap://10.201.166.7/: Invalid credentials
> > 
> > Are you sure this is the DN that you can bind with
> > (uid=user1,ou=people,o=co) using ldapsearch?
> 
> Yes, the same one.
> 
> I suspect there's something in the member attributes that is causing the 
> difference in behaviour. I'm going to see if I can isolate that and proceed 
> from there.
> 
> In further testing I can duplicate another entry and log in with this userid, 
> so it only remains to narrow down which part of the problem entry is causing 
> my problem.
> 
> > -- 
> > -- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
> 
> 
> 
> > -- 
> > To unsubscribe send an email to
> > nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
> > http://lists.arthurdejong.org/nss-pam-ldapd-users/
> 
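An added example, not part of the original thread or of nss-pam-ldapd: one way to find entries like the one described above, whose loginShell is a bare name such as "bash" or is otherwise absent from /etc/shells. It assumes the accounts have been saved in passwd(5) format (for instance the output of `getent passwd`); the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: report accounts whose login shell is not in a shells list.
# Usage: check_login_shells PASSWD_FILE SHELLS_FILE
#   PASSWD_FILE  passwd(5)-format lines (field 7 is the login shell)
#   SHELLS_FILE  list of valid shells, one absolute path per line
# Output: one line per problem account: name<TAB>shell<TAB>reason
check_login_shells() {
    awk -F: '
        # Pass 1: load the shells list, ignoring comments and blank lines.
        mode == "shells" {
            sub(/#.*/, ""); gsub(/[ \t]/, "")
            if ($0 != "") valid[$0] = 1
            next
        }
        # Pass 2: check each account against the list.
        NF >= 7 {
            shell = $7
            if (shell == "")            reason = "empty shell field"
            else if (shell !~ /^\//)    reason = "not an absolute path"
            else if (!(shell in valid)) reason = "not listed in shells file"
            else next
            printf "%s\t%s\t%s\n", $1, shell, reason
        }
    ' mode=shells "$2" mode=passwd "$1"
}

# Constructed sample data: user1 mirrors the problem entry from the thread
# (shell "bash"), user2 is a working entry, user3 uses an unlisted shell.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed shells list' '/bin/sh' '/bin/bash' \
        > "$tmp/shells"
    printf '%s\n' \
        'user1:x:1001:1001::/home/user1:bash' \
        'user2:x:1002:1002::/home/user2:/bin/bash' \
        'user3:x:1003:1003::/home/user3:/usr/bin/zsh' \
        > "$tmp/passwd"
    check_login_shells "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

demo
```

On a live host the same check can be run as `getent passwd > /tmp/accounts && check_login_shells /tmp/accounts /etc/shells`.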