RSS feed

Re: User Authentication with nslcd 0.8.13

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: User Authentication with nslcd 0.8.13


Thanks for all your support! I was able to get the debug messages from nslcd, pam_ldap and pam_unix and found that PAM was not being used for SSH (which was how I was trying to log on). I made some changes in /etc/ssh_config and /etc/sshd_config. Here are the lines I added:

     SendEnv LANG LC_*
     HashKnownHosts yes
     ServerAliveInterval 120

HostbasedAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
TCPKeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

After this, I was able to authenticate users trying to log in via SSH.

On Thu, Aug 8, 2013 at 5:00 PM, Arthur de Jong <arthur [at]> wrote:
On Thu, 2013-08-08 at 14:32 -0500, Priya Seshaadri wrote:
> Here's the objectdump of the other

Yes, this looks more like the nss-pam-ldapd version.

> Do you have any suggestions on how to debug the PAM module to see
> where it is failing?

It is probably best to remove or set aside the other PAM module. What
would be useful is configuring the PAM stack for su to use LDAP.

To figure out what is exactly going on is running (as root):

  strace -f -o logfile su - nobody -c 'su - someldapuser'

and log in (BEWARE: your typed-in password will probably end up in the
logfile). The login itself will probably fail because of running under
strace though but the logfile would then show exactly what was going on.

For example, it will show which files are opened (which PAM module,
which PAM configuration file, etc.). At a certain point it should
connect to /var/run/nslcd/socket.

Running nslcd in debug mode should show PAM requests coming in.

Most PAM modules also accept a debug argument (pam_unix and pam_ldap
both support this) which makes them present debugging output either to
stdout or to syslog.

-- arthur - arthur [at] - --

To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] or see

To unsubscribe send an email to or see