[Fedora-directory-users] PAM problem - ldap_search_s No such object

Christopher Blizzard blizzard at redhat.com
Sat Jun 25 06:48:50 UTC 2005 

This is an excellent method for diagnosis.  Can we add it to a howto on 
the wiki?

--Chris

Jeff Clowser wrote:
> Look in the access log on the FDS server for connections from that 
> workstation (grep on the IP of that workstations, or one of the user 
> id's that are trying to auth, etc).  When you find it, grep out conn=xxx 
> (where xxx is the connection # from that IP) so you get the complete 
> connection from start to finish.
> 
> - Look at the BIND lines to see what that workstation is binding as.
> - Look at the SRCH lines, to see what basedn and filter is being used.  
> My guess is a typo in the search base configured on your workstation.
> - Look at the result line (right after the SRCH line) to see what the 
> results are (though you'll probably just see err=32, which is no such 
> object).  If there are multiple SRCH lines, check each one.
> - Check the ACI's set on your suffix - in console, click on the 
> Directory tab then right click on the top entry in your tree, and select 
> "set permissions" (something like that - doing this from memory).  Make 
> sure the appropriate access is set for what the Suse box is trying to do 
> (or adjust the Suse box to work with what ACI's you find).  You may have 
> to look throughout your tree for aci's to be sure you find everything. 
> (ldapsearch -D cn=directory manager -w - ... -b "your basedn" "(aci=*)" 
> "aci"  to find 'em all.)
> 
> I think the default anonymous access is pretty generous (anything but 
> password attributes?), so you probably just have the search base wrong.
> 
> - Jeff
> 
> Nalin Dahyabhai wrote:
> 
>> On Fri, Jun 24, 2005 at 04:28:42PM +0100, Billy Allan wrote:
>>  
>>
>>> However.... ;-)   I'm trying to get a Linux client (SuSe 9.2) to
>>> authenticate against the directory, but keep seeing :
>>>
>>> Jun 24 16:35:33 xxxxxxxx sshd[780]: pam_ldap: ldap_search_s No such 
>>> object Jun 24 16:35:33 xxxxxxxx sshd[775]: error: PAM: User not known 
>>> to the
>>>  underlying authentication module for illegal user testeroo from 
>>> xxxxxxxx   
>>
>>
>> A "no such object" error suggests that the base DN for the search is
>> either not there or inaccessible to the client.
>>
>>  
>>
>>> I can search the directory from the client (I can get Thunderbird to 
>>> use it as the addressbook for instance).
>>>   
>>
>>
>> I guess that rules out the "object isn't there" theory.  Are your
>> Thunderbird users authenticating to the directory?
>>
>> The pam_ldap module needs to convert the user name to the distinguished
>> name of an entry in the directory server before it can attempt to bind
>> to that entry with the user's password, so you need to provide the
>> ability to locate an entry using its "uid" attribute in order for things
>> to work.
>>
>> HTH,
>>
>> Nalin
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>  
>>
> 
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

More information about the Fedora-directory-users mailing list