lists.arthurdejong.org

Re: Password problem


On Sat, 2013-10-26 at 09:36 +0200, Olivier Hoarau wrote:
> lena:$2a$08$0vX/LZRxYweUhdyyUVGIK.VjkNgM22XG9.xqAV50iTjUxfmjN:14855::99999::::0

This looks like a valid shadow hash for /etc/shadow but the used hash
could be a problem for a value of userPassword that slapd would be able
to use for authentication. That would explain why nslcd can't
authenticate to slapd.

Assuming the LDAP server contains
  {crypt}$2a$08$0vX/LZRxYweUhdyyUVGIK.VjkNgM22XG9.xqAV50iTjUxfmjN
perhaps the crypt() implementation on the LDAP server doesn't support
the Blowfish (2a) hash or slapd doesn't recognise the hash format.

On my system I can generate MD5 hashes with:
  slappasswd -s test -c '$1$%.8s'
but not Blowfish hashes:
  slappasswd -s test -c '$2a$08'

> with these modification in nslcd.conf
> 
> I got also
> 
> getent shadow lena
> lena:$2a$08$0vX/LZRxYweUhdyyUVGIK.VjkNgM22XG9.xqAV50iTjUxfmjN:14855::99999::::0
> 
> but same error with su

Another possibility is that pam_tcb has changed in some way to no longer
use the NSS layer to request shadow information but reads /etc/shadow
directly.

> you can find the log file of the slapd server here 
> http://www.funix.org/fr/linux/fichiers/log-slapd

Sadly, this does not provide more useful information, it only logs:

conn=1008 op=0 BIND dn="uid=lena,ou=People,dc=kervao,dc=fr" method=128
do_bind: version=3 dn="uid=lena,ou=People,dc=kervao,dc=fr" method=128
bdb_dn2entry("uid=lena,ou=people,dc=kervao,dc=fr")
send_ldap_result: conn=1008 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=49

(error code 49 is invalid credentials)

> my slapd.conf

The configuration seems reasonable.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
-- 
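
Added example, not part of the original message and not code from nss-pam-ldapd or OpenLDAP: a small Python check that turns a shadow(5) line into the {crypt} userPassword value discussed above, identifies the crypt(3) scheme id and tests whether the hash is well-formed and within what the server's crypt() accepts. The function names, the sample values and the `server_crypt` set are assumptions made for illustration.

```python
import re

B64 = r"[./A-Za-z0-9]"
# crypt(3) scheme id -> (algorithm, regex for the text after "$id$")
FORMATS = {
    "1":  ("MD5",     rf"{B64}{{1,8}}\${B64}{{22}}"),
    "2a": ("bcrypt",  rf"\d\d\${B64}{{53}}"),   # cost, 22-char salt + 31-char hash
    "5":  ("SHA-256", rf"(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{43}}"),
    "6":  ("SHA-512", rf"(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}"),
}
FORMATS["2b"] = FORMATS["2y"] = FORMATS["2a"]

def shadow_to_userpassword(line):
    """Return the hash field of a shadow(5) line as a {crypt} userPassword value."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("a shadow line has 9 colon-separated fields")
    return "{crypt}" + fields[1]

def check(value, server_crypt):
    """Classify a userPassword value.

    server_crypt is the set of algorithms the LDAP server's crypt() accepts;
    it is supplied by the caller because it differs between C libraries.
    """
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)\}(.+)", value)
    if not m:
        return "cleartext (no {scheme} prefix)"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return f"{scheme}: not a crypt value, crypt() is not involved"
    m = re.fullmatch(r"\$([0-9a-z]+)\$(.+)", body)
    if not m or m.group(1) not in FORMATS:
        return "crypt: traditional DES or unknown scheme id"
    algo, pattern = FORMATS[m.group(1)]
    if not re.fullmatch(pattern, m.group(2)):
        return f"crypt/{algo}: malformed or truncated hash"
    if algo not in server_crypt:
        return f"crypt/{algo}: not supported by the server's crypt()"
    return f"crypt/{algo}: ok"

# Constructed samples (not real hashes); the layout mirrors the shadow entry above.
SHADOW = "alice:$2a$08$" + "a" * 53 + ":14855::99999::::0"
MD5_VALUE = "{crypt}$1$abcdefgh$" + "b" * 22

if __name__ == "__main__":
    no_bcrypt = {"MD5", "SHA-256", "SHA-512"}  # assumed server capability
    print(check(shadow_to_userpassword(SHADOW), no_bcrypt))
    print(check(MD5_VALUE, no_bcrypt))
```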