On Thu, 10 May 2007, Joshua M. Miller wrote:
I have a problem authenticating to a Redhat 3.8 host via PAM, (pam_ldap)
and could use some pointers on continued troubleshooting.
I've recently upgraded OpenLDAP from 2.0.27 -> 2.3.34. I have ~100
hosts authenticating to this directory without any issues, the majority
of these hosts are CentOS 3/4 hosts.
The problem is with 2 RHEL 3.8 hosts -- they have the exact same
configuration as all of the other linux hosts (pushed via cfengine) and
yet they do not bind properly to obtain the userPassword attribute.
The basic flow that I see from the LDAP server for a successful bind:
1. Bind anonymously to obtain uid/homedirectory, etc
2. Bind anonymously to attempt to obtain userPassword -> fail
3. Bind as uid authenticating to obtain userPassword -> success
The 2 hosts that are failing do not perform step 3 and the login fails.
I thought the problem was related to nss_ldap but I have now come to
the point where the issue is inconsisten. The problem went away for a
day or two when I installed the CentOS nss_ldap RPM on the RHEL host but
when I restored the ACL this morning, the host stopped working.
...
Any ideas for continued troubleshooting?
Did you also update OpenLDAP client libraries on failing hosts? Several problems
may arise if OpenLDAP client libraries version is less than that of the server.