Re: Password problem

On Fri, 2013-10-25 at 15:35 +0200, Olivier Hoarau wrote:
> Here is my ldap.conf which works on the other PCs (which don't use
> nslcd but the old pam_ldap and nss_ldap packages)
> host
> base ou=People,dc=kervao,dc=fr
> binddn cn=Manager,dc=kervao,dc=fr
> bindpw mot-de-passe
> pam_filter objectclass=account
> pam_login_attribute uid
> pam_password crypt
> nss_base_passwd ou=People,dc=kervao,dc=fr?one
> nss_base_shadow ou=People,dc=kervao,dc=fr?one
> nss_base_group ou=Group,dc=kervao,dc=fr?one
> and the new /etc/nslcd.conf
> uid nslcd
> gid nslcd
> uri ldap://
> base dc=kervao,dc=fr
> binddn cn=Manager,dc=kervao,dc=fr
> bindpw mot-de-passe
> base  group  ou=Group,dc=kervao,dc=fr
> base  passwd ou=People,dc=kervao,dc=fr
> base  shadow ou=People,dc=kervao,dc=fr

These configurations look more or less equivalent. The only major
difference is regarding password change. nslcd currently only supports
the LDAP password modify EXOP method and not constructing crypt
passwords itself.

> nslcd: [495cff] <authc="lena"> uid=lena,ou=People,dc=kervao,dc=fr: lookup 
> failed: Invalid credentials

This indicates that the authentication attempt at the LDAP server

One thing that could be different with the other machines is that they
return password hashes via the shadow map. By default nslcd will not
expose password hashes through NSS.

Do both systems produce the same output for
  getent shadow lena

If you want to expose password hashes via NSS, pam_unix (in your case
probably pam_tcb) usually does the authentication and you don't need
pam_ldap. It is slightly more secure to delegate authentication to your
LDAP server via pam_ldap.

Exposing password hashes via nslcd can be done with:

  map shadow userPassword userPassword

If you want to get pam_ldap working, more information on your LDAP
server could be useful. Also, the LDAP server logs may provide more
information on why the authentication failed.


-- arthur - - --
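As an added example (not part of Arthur's reply and not code from the nss-pam-ldapd project), the script below parses shadow(5)-style lines such as those `getent shadow lena` returns and classifies the password field. It makes the comparison suggested above concrete: whether a hash is exposed through NSS at all, and if so whether it is a crypt(3)-style hash that pam_unix could verify locally, or an LDAP scheme value such as {SSHA} that only the LDAP server can check. The host names, sample lines and hash values are constructed; the placeholder "*" for a withheld hash is assumed, not taken from nslcd's source.

```python
"""Classify the password field of `getent shadow` output.

Added example, not part of the mailing-list message or of nss-pam-ldapd.
It reads shadow(5)-style lines and reports whether a password hash is
exposed via NSS and whether crypt(3)/pam_unix could verify it locally.
"""
import re
from dataclasses import dataclass

# Crypt(3) hashes start with $<id>$ ($1$ md5, $5$ sha256, $6$ sha512, $y$ yescrypt, ...).
CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$")
# LDAP userPassword values often carry a scheme prefix: {SSHA}, {CRYPT}, {MD5}, ...
LDAP_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

# Constructed sample lines for one account as four differently configured
# hosts might return them from `getent shadow lena`. No hash here is real;
# the crypt values are padded with repeated letters to a plausible length.
SAMPLE_SHADOW_LINES = {
    # old nss_ldap host: the crypt hash comes through the shadow map
    "pc-nss_ldap": "lena:$6$saltsalt$" + "A" * 86 + ":15900:0:99999:7:::",
    # nslcd default: hash withheld, a placeholder is returned (assumed "*")
    "pc-nslcd": "lena:*:15900:0:99999:7:::",
    # nslcd with userPassword mapped into shadow, but the directory stores SSHA
    "pc-nslcd-ssha": "lena:{SSHA}c2FtcGxlc2FsdGVkaGFzaA==:15900:0:99999:7:::",
    # userPassword mapped with its {CRYPT} scheme prefix still attached
    "pc-crypt-prefix": "lena:{CRYPT}$6$saltsalt$" + "B" * 86 + ":15900:0:99999:7:::",
}


@dataclass
class ShadowEntry:
    name: str
    password: str
    aging: tuple  # lastchg, min, max, warn, inactive, expire, flag (kept as strings)


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    return ShadowEntry(name=fields[0], password=fields[1], aging=tuple(fields[2:]))


def classify_password(field: str) -> str:
    """Describe what the password field actually contains."""
    if field == "":
        return "empty"            # no password set at all
    if field in ("*", "!", "!!"):
        return "withheld"         # placeholder: hash not exposed, or no usable password
    if field.startswith("!"):
        return "locked"           # a hash is present but the account is locked
    if CRYPT_RE.match(field):
        return "crypt"            # crypt(3) hash: pam_unix can verify it locally
    m = LDAP_SCHEME_RE.match(field)
    if m:
        if m.group(1).upper() == "CRYPT" and CRYPT_RE.match(field[m.end():]):
            return "crypt-prefixed"  # {CRYPT}$6$...: usable only once the prefix is stripped
        return "ldap-scheme"      # {SSHA} and friends: only the LDAP server can verify these
    return "unknown"


def hash_exposed(field: str) -> bool:
    """True if NSS is handing out some form of the stored password value."""
    return classify_password(field) in ("crypt", "crypt-prefixed", "ldap-scheme", "locked")


def locally_verifiable(field: str) -> bool:
    """True if pam_unix / crypt(3) could check a password against this field."""
    return classify_password(field) == "crypt"


def report(samples: dict) -> dict:
    """Classify every host's shadow line; returns host -> findings."""
    result = {}
    for host, line in samples.items():
        entry = parse_shadow_line(line)
        result[host] = {
            "user": entry.name,
            "class": classify_password(entry.password),
            "exposed": hash_exposed(entry.password),
            "pam_unix_usable": locally_verifiable(entry.password),
        }
    return result


if __name__ == "__main__":
    for host, info in report(SAMPLE_SHADOW_LINES).items():
        print(f"{host:16} {info['user']:6} {info['class']:15} "
              f"exposed={info['exposed']!s:5} pam_unix_usable={info['pam_unix_usable']}")
```

Run it against the real lines from both machines (one per host) in place of the constructed dictionary; a host whose entry classifies as "withheld" is the one where pam_unix has nothing to compare against, and a host that shows "ldap-scheme" is exposing a value that pam_unix cannot use anyway, which is the case where delegating the check to the server via pam_ldap is the only option.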