Fw: LDAP password is "INCORRECT"
- From: Doug Kehn <rdkehn [at] yahoo.com>
- To: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Reply-to: Doug Kehn <rdkehn [at] yahoo.com>
- Subject: Fw: LDAP password is "INCORRECT"
- Date: Tue, 19 May 2015 00:16:59 +0000 (UTC)
On Monday, May 18, 2015 7:12 PM, "rdkehn@yahoo.com" <rdkehn@yahoo.com> wrote:
Hi Arthur,
On Sat, May 16, 2015 at 12:55:33PM +0200, Arthur de Jong wrote:
> On Fri, 2015-05-15 at 17:11 -0500, rdkehn [at] yahoo.com wrote:
> > I'm attempting to add LDAP authentication (against Windows Active
> > Directory) to an embedded Linux system. I'm learning as I go so I'm
> > sure I have a lot wrong. In Wireshark I noticed that the bind
> > password was "INCORRECT" instead of the entered password. I haven't
> > figured out what's wrong so I thought I'd ask is generating the
> > password?
>
> This was interesting to track down :). Apparently sshd sets a password
> of "\b\n\r\177INCORRECT" in some cases (judging by the source at least
> when PermitRootLogin does not allow the login but also when
> sshpam_authctxt is not valid).
>
> I suggest running sshd in debug mode to see what goes wrong. Judging by
> the debug log of nslcd you sent, that part seems to be working OK.
>
Thanks for the response.
sshd calls getpwnam() to determine if the user is allowed. When
getpwnam() was called I noted that nslcd output:
nslcd: [8b4567] <passwd="dougtest"> CN=dougtest,OU=ServicesAccounts,OU=UserIDs,DC=domain,DC=com: uidNumber: missing
This resulted in getpwnam() returning NULL which, eventually, led to
"INCORRECT".
The Windows Active Directory domain controller was not returning
uidNumber. Updated the domain controller to return uidNumber (I
mapped uidNumber to gidNumber in nslcd.conf) and now authentication
works.
Thanks again for the help!
Regards,
...doug
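
Added example, not part of the original thread and not code from nss-pam-ldapd or OpenSSH: a triage script that ties the two symptoms discussed above together, the placeholder bind password seen on the wire and the nslcd "missing" attribute message that made getpwnam() fail. The function names are hypothetical, the log pattern is modelled only on the one line quoted in the thread, and the second sample line is constructed.

```python
import re

# Placeholder password quoted in the thread: sshd hands it to PAM once it
# has already decided the login must fail.
SSHD_PLACEHOLDER = b"\b\n\r\x7fINCORRECT"

# Line shape modelled on the single nslcd message quoted in the thread.
MISSING_RE = re.compile(
    r'nslcd: \[[0-9a-f]+\] <(?P<map>\w+)="(?P<key>[^"]*)"> '
    r'(?P<dn>.+?): (?P<attr>[\w;-]+): missing\s*$'
)

def is_placeholder(bind_password: bytes) -> bool:
    """True if a captured simple-bind password is sshd's placeholder."""
    # The four leading bytes are control characters, so a packet viewer may
    # show only the printable tail; accept both forms (assumption).
    return bind_password.lstrip(b"\b\n\r\x7f") == b"INCORRECT"

def missing_attributes(log_lines):
    """Map (nss_map, lookup_key) -> {"dn": str, "attrs": [str, ...]}."""
    found = {}
    for line in log_lines:
        m = MISSING_RE.search(line)
        if m:
            entry = found.setdefault((m["map"], m["key"]),
                                     {"dn": m["dn"], "attrs": []})
            if m["attr"] not in entry["attrs"]:
                entry["attrs"].append(m["attr"])
    return found

def explain(user, bind_password, log_lines):
    """Tie the wire symptom to the NSS failure for one login attempt."""
    if not is_placeholder(bind_password):
        return f"{user}: bind carried a user-supplied password"
    entry = missing_attributes(log_lines).get(("passwd", user))
    if entry:
        return (f"{user}: sshd sent its placeholder; passwd lookup failed, "
                f"{entry['dn']} lacks {', '.join(entry['attrs'])}")
    return f"{user}: sshd sent its placeholder; check sshd debug output"

# Constructed sample: the first entry is the message from the thread,
# the second is made up.
SAMPLE_LOG = [
    'nslcd: [8b4567] <passwd="dougtest"> CN=dougtest,OU=ServicesAccounts,'
    'OU=UserIDs,DC=domain,DC=com: uidNumber: missing',
    'nslcd: [8b4567] <passwd="dougtest"> DEBUG: ldap_result(): end of results (1 total)',
]

if __name__ == "__main__":
    print(explain("dougtest", SSHD_PLACEHOLDER, SAMPLE_LOG))
```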