PAM_LDAP verbose logging?

John Ferrell jferrell at rhsmith.umd.edu
Mon Mar 6 18:20:59 UTC 2006


I am trying to configure my Red Hat AS 4.2 box to authenticate users
using LDAP.  More specifically, I only want to verify the user's
password using LDAP; the accounts are local.  As far as I can tell, the
system is performing the LDAP bind during the login process; using
tcpflow I can see the LDAP information passed to the server.
Unfortunately, I cannot tell what is really going on.  Even though I
have the 'debug' option enabled in the pam config file, the logs do not
show any pam_ldap activity.

Below is a snippet from the sshd pam config with LDAP: 
#LDAP 
auth       sufficient   pam_ldap.so use_first_pass debug 
auth       required     pam_stack.so service=system-auth 
auth       required     pam_nologin.so 
account    required    pam_stack.so service=system-auth 
... 

Originally, I was getting an LDAP bind error in /var/log/messages.
After fixing ldap.conf and verifying the settings using ldapsearch, I no
longer see the error.  However, I don't see any specific pam_ldap errors
in any of my logs now.

I have done some searching and found a few news group posts with 
some sample logs.  It looks like there is a way to enable more verbose 
logging: 

Dec  8 10:04:43 linux29 login[2063]: pam_ldap: error trying to bind as 
user "cn=Linux29,ou=SER,ou=KLK,o=EK" (Invalid credentials) 

There is a debug option in ldap.conf, but that just created a log file 
with output similar to running ldapsearch with the debugging option. 

Hopefully someone can point me to the debugging option so that my logs 
are a bit more helpful in troubleshooting this issue. 

thanks, 
John 
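The following script is an added example and is not part of John's post or of the pam_ldap project. It does two things a practitioner would want when chasing the problem described above: it pulls pam_ldap entries and failed-bind DNs out of a syslog file in the format of the sample line quoted in the post, and it checks that the auth-type pam_ldap.so line in a PAM config actually carries the debug option. Both input files are constructed inline (the hostnames, DNs and the "Can't contact LDAP server" line are assumptions, not captured data), so it runs offline; point the functions at /var/log/messages or /var/log/secure and /etc/pam.d/sshd on a real box.

```shell
#!/bin/sh
# Added example (not from the original post): triage pam_ldap activity in
# syslog output and confirm the PAM config requests debug logging.
# Both input files are constructed below so the script runs offline.

SAMPLE_LOG=$(mktemp)
PAM_SNIPPET=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$PAM_SNIPPET"' EXIT

# Constructed log lines in the format of the sample quoted in the post.
# The hosts, PIDs and DNs are made up for the example.
cat > "$SAMPLE_LOG" <<'EOF'
Dec  8 10:04:43 linux29 login[2063]: pam_ldap: error trying to bind as user "cn=Linux29,ou=SER,ou=KLK,o=EK" (Invalid credentials)
Dec  8 10:05:01 linux29 sshd[2100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Dec  8 10:05:02 linux29 sshd[2100]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec  8 10:06:10 linux29 sshd[2101]: pam_ldap: error trying to bind as user "uid=bob,ou=People,dc=example,dc=com" (Invalid credentials)
EOF

# Constructed copy of the sshd PAM snippet shown in the post.
cat > "$PAM_SNIPPET" <<'EOF'
#LDAP
auth       sufficient   pam_ldap.so use_first_pass debug
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required    pam_stack.so service=system-auth
EOF

# Number of syslog lines emitted by pam_ldap (any severity).
count_pam_ldap() {
    grep -c 'pam_ldap:' "$1"
}

# Number of failed binds reported by pam_ldap.
count_bind_errors() {
    grep -c 'pam_ldap: error trying to bind' "$1"
}

# Print the DN of every failed bind, one per line, so it can be
# correlated with the directory server's own access log.
failed_bind_dns() {
    sed -n 's/.*pam_ldap: error trying to bind as user "\([^"]*\)".*/\1/p' "$1"
}

# Exit 0 if an auth-type pam_ldap.so line in the PAM config carries "debug".
ldap_debug_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_ldap\.so.*[[:space:]]debug([[:space:]]|$)' "$1"
}

echo "pam_ldap lines:  $(count_pam_ldap "$SAMPLE_LOG")"
echo "bind failures:   $(count_bind_errors "$SAMPLE_LOG")"
echo "failed bind DNs:"
failed_bind_dns "$SAMPLE_LOG" | sed 's/^/  /'
if ldap_debug_enabled "$PAM_SNIPPET"; then
    echo "debug option present on pam_ldap.so auth line"
else
    echo "debug option missing from pam_ldap.so auth line"
fi
```

If the config check passes but the log functions return nothing on the real files, the gap is between the module and syslog (the messages are being emitted at a priority or facility the syslog configuration does not route to the files being searched), which is a different problem from the module not running at all.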

