RSS feed

Re: Password problem

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Password problem

Le 25/10/2013 17:23, Arthur de Jong a écrit :
One thing that could be different with the other machines is that they
return password hashes via the shadow map. By default nslcd will not
expose password hashes through NSS.

Do both systems produce the same output for
   getent shadow lena

On my Mageia 3 PC, I get

getent shadow lena

on others PC


If you want to expose password hashes via NSS, pam_unix (in your case
probably pam_tcb) usually does the authentication and you don't need
pam_ldap. It is slightly more secure to delegate authentication to your
LDAP server via pam_ldap.

Exposing password hashes via nslcd can be done with:

   map shadow userPassword userPassword

with these modification in nslcd.conf

I got also

getent shadow lena

but same error with su

nslcd: [b71efb] <authc="lena"> DEBUG: nslcd_pam_authc("lena","su","***")
nslcd: [b71efb] <authc="lena"> DEBUG: myldap_search(base="ou=People,dc=kervao,dc=fr", filter="(&(objectClass=posixAccount)(uid=lena))") nslcd: [b71efb] <authc="lena"> DEBUG: ldap_result(): uid=lena,ou=People,dc=kervao,dc=fr nslcd: [b71efb] <authc="lena"> DEBUG: myldap_search(base="uid=lena,ou=People,dc=kervao,dc=fr", filter="(objectClass=*)")
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_initialize(ldap://
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_rebind_proc()
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0) nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON) nslcd: [b71efb] <authc="lena"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON) nslcd: [b71efb] <authc="lena"> DEBUG: ldap_simple_bind_s("uid=lena,ou=People,dc=kervao,dc=fr","***") (uri="ldap://";) nslcd: [b71efb] <authc="lena"> DEBUG: failed to bind to LDAP server ldap:// Invalid credentials
nslcd: [b71efb] <authc="lena"> DEBUG: ldap_unbind()
nslcd: [b71efb] <authc="lena"> uid=lena,ou=People,dc=kervao,dc=fr: lookup failed: Invalid credentials

you can find the log file of the slapd server here

If you want to get pam_ldap working, more information on your LDAP
server could be useful. Also, the LDAP server logs may provide more
information on why the authentication failed.

my slapd.conf

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile         /usr/local/var/run/

argsfile        /usr/local/var/run/slapd.args

database        bdb
suffix          "dc=kervao,dc=fr"
rootdn          "cn=Manager,dc=kervao,dc=fr"
rootpw          mot-de-passe
directory       /usr/local/var/openldap-data

index   objectClass     eq

# Basic ACL
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=kervao,dc=fr" write
        by * none
access to *
       by dn="cn=Manager,dc=kervao,dc=fr" write
       by * read

On this page
I indicate which method I used to fill the server.

Thank you for your answer.

To unsubscribe send an email to or see