Re: authentication puzzle

On Thu, 2014-03-06 at 12:04 -0700, Eneida Lima wrote:
> I then tried the second server. It does everything, but authenticate
> through ssh. I ran nslcd in debug mode (nslcd -d) and the output is
> identical when connecting to both servers, but one authenticates and
> the other one does not.

You have two LDAP servers: opends1 and opends2. It is not entirely clear
to me how your clients are organised, are these server 1 and server 2?

Is the problem related to the authentication working on one LDAP server but
not on the other or working for one client and not the other?

> [06/Mar/2014:11:21:30 -0700] SEARCH REQ conn=123412728 op=1 msgID=2 
> base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)" 
> attrs="host,authorizedService,shadowExpire,shadowFlag,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning,uidNumber"

This does not look like a search that nslcd would perform. It could be
that PADL's pam_ldap does such a search (judging from the
authorizedService attribute).

> and this is the one that does not authenticate :
> [06/Mar/2014:11:28:38 -0700] SEARCH REQ conn=3932369 op=1 msgID=2 
> base="ou=People,dc=example,dc=com" scope=wholeSubtree 
> filter="(&(objectClass=shadowAccount)(uid=jdoe))" 
> attrs="shadowFlag,shadowMin,shadowMax,userPassword,shadowWarning,shadowInactive,uid,shadowExpire,shadowLastChange"

This looks like a query for shadow information for the specified user.
On login, pam_unix lookups result in such a search operation.

There are basically two ways to do LDAP authentication:

- use an LDAP PAM module (nss-pam-ldapd provides such a module)
- expose password hashes through the shadow map

The first approach is recommended because it does not expose password
hashes to LDAP clients.

Some more information is available here:

On systems where authentication fails, providing output from nslcd -d
(output from an authentication failure), information from nsswitch.conf
and your PAM configuration is helpful.

Kind regards,

-- arthur - - --
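
Added example (not part of the original message): a small Python audit of access-log lines in the format quoted in this thread, listing the searches that ask the server for userPassword, which is the pattern of the shadow-map approach described above. The sample lines are constructed and the function names are illustrative.

```python
import re

# Constructed sample lines in the shape of the access-log entries quoted above
# (attribute lists shortened; the BIND line is illustrative only).
SAMPLE_LOG = [
    '[06/Mar/2014:11:21:30 -0700] SEARCH REQ conn=123412728 op=1 msgID=2 '
    'base="ou=People,dc=example,dc=com" scope=wholeSubtree filter="(uid=jdoe)" '
    'attrs="host,authorizedService,shadowExpire,uidNumber"',
    '[06/Mar/2014:11:28:38 -0700] SEARCH REQ conn=3932369 op=1 msgID=2 '
    'base="ou=People,dc=example,dc=com" scope=wholeSubtree '
    'filter="(&(objectClass=shadowAccount)(uid=jdoe))" '
    'attrs="shadowFlag,shadowMax,userPassword,uid,shadowExpire"',
    '[06/Mar/2014:11:30:02 -0700] BIND REQ conn=3932370 op=0 msgID=1 '
    'dn="uid=jdoe,ou=People,dc=example,dc=com"',
]

QUOTED = re.compile(r'(\w+)="([^"]*)"')  # base="...", filter="...", attrs="..."
HEADER = re.compile(r'^\[([^\]]+)\] SEARCH REQ conn=(\d+)')

def parse_search(line):
    """Parse one SEARCH REQ line into a dict; return None for other operations."""
    head = HEADER.match(line)
    if head is None:
        return None
    fields = dict(QUOTED.findall(line))
    attrs = [a.strip().lower() for a in fields.get("attrs", "").split(",")]
    return {
        "time": head.group(1),
        "conn": head.group(2),
        "filter": fields.get("filter", ""),
        "attrs": [a for a in attrs if a],
    }

def classify(line):
    """Label a log line by whether the client asks the server for userPassword."""
    search = parse_search(line)
    if search is None:
        return "not-a-search"
    if "userpassword" in search["attrs"]:
        return "requests-userPassword"
    return "no-hash-requested"

def audit(lines):
    """Return the searches that request userPassword, noting shadowAccount filters."""
    findings = []
    for line in lines:
        search = parse_search(line)
        if search and "userpassword" in search["attrs"]:
            search["shadow_filter"] = "objectclass=shadowaccount" in search["filter"].lower()
            findings.append(search)
    return findings
```

Running `audit()` over a real access log shows which client connections still read hashes through the shadow map and are candidates for moving to the PAM-module approach.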