# LDAP and ssh

## ph0

Hello,

I've set up LDAP on two servers and it works for searches and so on, but it doesn't for ssh.

```
May 10 01:45:40 einstein sshd[1451]: Invalid user mwissel from ::ffff:84.170.122.142
May 10 01:45:52 einstein sshd(pam_unix)[21843]: check pass; user unknown
May 10 01:45:52 einstein sshd(pam_unix)[21843]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p54aa7a8e.dip.t-dialin.net
May 10 01:45:52 einstein sshd[21843]: pam_ldap: error trying to bind as user "uid=mwissel,ou=People,dc=irclog,dc=de" (Invalid credentials)
May 10 01:45:54 einstein sshd[1451]: error: PAM: Authentication failure for illegal user mwissel from p54aa7a8e.dip.t-dialin.net
May 10 01:45:54 einstein sshd[1451]: Failed keyboard-interactive/pam for invalid user mwissel from ::ffff:84.170.122.142 port 60331 ssh2
```

My configs look exactly like what is written in the gentoo-ldap-guide, and I've searched the forum, where there were a few similar threads, but none of them had a solution for my problem.

The server has:

```
access to *
  by dn="uid=root,ou=People,dc=irclog,dc=de" write
  by * read
```

The client:

```
einstein root # getent passwd | grep mwissel
mwissel:x:1002:100:mwissel:/home/users/mwissel:/bin/bash
```

So that should actually work, right?

Does anyone have an idea where this could come from? I'd appreciate any suggestions.

Cheers,

ph0

----------

## cdn

Me too, waiting for the same help.


----------

## fixer

I'm a bit reluctant because there are so many posts outlining similar trouble, but I guess I must join in with a "me too."  I'm not using the gentoo guide, but instead the guide at http://www.idealx.org/prj/samba/smbldap-howto.en.html as I want to integrate Samba into the works.  I've been most careful, but still seem unable to get things right.  

A little bit from a log:

```
May 10 14:49:48 univac slapd[12161]: conn=159 fd=12 ACCEPT from IP=127.0.0.1:1369 (IP=0.0.0.0:389)
May 10 14:49:48 univac slapd[12164]: conn=159 op=0 BIND dn="cn=nssldap,ou=DSA,dc=stuckoutside,dc=net" method=128
May 10 14:49:48 univac slapd[12164]: conn=159 op=0 RESULT tag=97 err=49 text=
May 10 14:49:48 univac sshd[13117]: pam_ldap: error trying to bind (Invalid credentials)
```

and /etc/pam.d/system-auth:

```
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_ldap.so use_first_pass debug
auth        sufficient    /lib/security/pam_unix.so likeauth nullok shadow
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so debug

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_ldap.so use_authtok debug
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so debug
```

I've been a bit sparse with information, but thought that better than too much.  Thanks for any help.

----------

## matthead

Alright, I've got the same problem, too.  But I've also got two other computers, one also running Gentoo and another running White Box Linux, both of which work A-OK.  Not sure that it matters, but my problem Gentoo is on AMD64, while my working Gentoo is on x86.  Now, ph0, my error message is a little different from yours.  I notice that you have an "invalid credentials" error in your auth.log:

*ph0 wrote:*

> ```
> May 10 01:45:40 einstein sshd[1451]: Invalid user mwissel from ::ffff:84.170.122.142
> ...
> ```


Of course, invalid credentials means that the password is simply incorrect. Unless you can authenticate with that username and password using the regular old LDAP tools, i.e.

```
# -W prompts for the password; without -W or -w, ldapsearch binds with an
# empty password and the command proves nothing about the user's credentials
ldapsearch -x -D "uid=mwissel,ou=People,dc=irclog,dc=de" -W -b "dc=irclog,dc=de" "(uid=mwissel)" 1.1
```

If you cannot, then you're simply using the wrong password.

Now, when I saw that "user unknown,"  I had thought that the problem was openssh failing to use LDAP correctly.  I thought that was important.  But here's the auth.log from my working computer:

```
Jul  7 15:20:39 elijah sshd(pam_unix)[10058]: check pass; user unknown
Jul  7 15:20:39 elijah sshd(pam_unix)[10058]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=WWW.XXX.YYY.ZZZ
Jul  7 15:20:39 elijah sshd[10053]: Accepted keyboard-interactive/pam for mas from WWW.XXX.YYY.ZZZ port 1088 ssh2
Jul  7 15:20:39 elijah sshd(pam_unix)[10059]: session opened for user mas by (uid=0)
```

And on the problem computer:

```
Jul  7 15:22:08 draco sshd(pam_unix)[3799]: check pass; user unknown
Jul  7 15:22:08 draco sshd(pam_unix)[3799]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=WWW.XXX.YYY.ZZZ
Jul  7 15:22:10 draco sshd[3794]: error: PAM: Authentication failure for mas from WWW.XXX.YYY.ZZZ
```

So I think the "user unknown" and "failure" messages come from PAM trying pam_unix.so first, then pam_ldap.so.

UPDATE: Since I'm not getting an "invalid credentials" message it looks like PAM isn't even trying the LDAP server.  The problem computer had been using pam_ldap-156.  I upgraded to pam_ldap-178-r1 and it works fine now.  It turns out this was pretty much an AMD64 problem; none of the pam_ldap packages except the broken version 156 are marked suitable for AMD64.

----------

## bhalter

Have you folks made sure you have an /etc/ldap.secret file with the LDAP password in it for the binddn? I had forgotten to set this up and was unable to log in too.

----------

## matthead

I didn't think /etc/ldap.secret had anything to do with regular user logins, but it appears you're right. If I have the wrong password or nothing in /etc/ldap.secret, I cannot log in through pam_ldap. That's... a little weird, I think. I don't know why you'd need to query the server as a root user when a normal user is trying to log in.

But that isn't the problem here.  With the wrong password in /etc/ldap.secret I see in auth.log:

```
Jul  8 16:05:45 elijah sshd(pam_unix)[18030]: check pass; user unknown
Jul  8 16:05:45 elijah sshd(pam_unix)[18030]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=WWW.XXX.YYY.ZZZ
Jul  8 16:05:45 elijah sshd[18030]: pam_ldap: error trying to bind (Server is unwilling to perform)
Jul  8 16:05:48 elijah sshd[18023]: error: PAM: Authentication failure for mas from WWW.XXX.YYY.ZZZ
```

or, if I have no ldap.secret file:

```
Jul  8 16:08:15 elijah sshd[18050]: pam_ldap: could not open secret file /etc/ldap.secret (No such file or directory)
```

----------

## bhalter

It would appear that pam_ldap actually preloads the user information when you supply a login name.  If you watch /var/log/debug you'll see it fetch when you supply the username to ssh.  That's why it needs the root login.

----------
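The thread above shows three different failures that all end in the same "PAM: Authentication failure" line from sshd: the user's own password being rejected (ph0's log), pam_ldap's service bind with the binddn or rootbinddn being rejected (fixer's slapd `err=49`, matthead's "unwilling to perform" and missing `/etc/ldap.secret`), and pam_ldap never being reached at all (matthead's AMD64 box). The following shell script is an added example, not code from the Gentoo guide or from any poster: it triages a pasted auth.log/slapd log excerpt into one of those cases, explains ldapsearch exit codes (which are the LDAP resultCode values from RFC 4511), and wraps the ldapsearch bind test matthead suggested so it can be run against the user DN or against the rootbinddn with `/etc/ldap.secret`. The tag names and function names are mine; the sample log lines are copied from the posts and are constructed test input only.

```shell
#!/bin/sh
# Added triage helper for pam_ldap + sshd login failures (example code, not from
# the Gentoo guide or any poster). Log patterns are the ones quoted in the thread;
# exit-code meanings are the LDAP resultCode values (RFC 4511, section 4.1.9).

# ldap_rc_explain RC: explain an ldapsearch exit status. OpenLDAP's ldapsearch
# exits with the server's resultCode; 255 means it never reached a server.
ldap_rc_explain() {
    case "$1" in
        0)   echo "success: the bind DN and password are accepted" ;;
        32)  echo "noSuchObject (32): the -b base DN does not exist on this server" ;;
        49)  echo "invalidCredentials (49): wrong password, or the bind DN does not exist" ;;
        50)  echo "insufficientAccess (50): bound fine, but the ACL denies the search; check the access rules in slapd.conf" ;;
        53)  echo "unwillingToPerform (53): the server refused outright; read the text= field in slapd's own log" ;;
        255) echo "no server (255): check the uri/host in ldap.conf and that slapd is listening" ;;
        *)   echo "resultCode $1: look it up in RFC 4511, section 4.1.9" ;;
    esac
}

# ldap_bind_check DN BASE [PASSWORD_FILE]: reproduce the simple bind pam_ldap
# performs, outside of PAM. With a password file (e.g. /etc/ldap.secret for the
# rootbinddn) ldapsearch -y uses the file's complete contents, so write that
# file without a trailing newline; with no file, -W prompts on the terminal.
ldap_bind_check() {
    if [ -n "${3:-}" ]; then
        ldapsearch -x -D "$1" -y "$3" -b "$2" -s base 1.1 >/dev/null 2>&1
    else
        ldapsearch -x -D "$1" -W -b "$2" -s base 1.1 >/dev/null
    fi
    rc=$?
    echo "$1: $(ldap_rc_explain "$rc")"
    return "$rc"
}

# log_has LOG FIXED_STRING: true when any line of LOG contains the string.
log_has() { printf '%s\n' "$1" | grep -qF -- "$2"; }

# ldap_auth_diagnose: read sshd/pam_ldap/slapd lines on stdin, print one line
# of the form TAG: explanation. Always returns 0; the TAG carries the result.
ldap_auth_diagnose() {
    _log=$(cat)
    if log_has "$_log" 'pam_ldap: could not open secret file'; then
        echo "NO_SECRET_FILE: rootbinddn is set but /etc/ldap.secret is missing; create it root-owned, mode 0600, containing only the password"
    elif log_has "$_log" 'pam_ldap: error trying to bind as user "'; then
        echo "USER_PASSWORD_REJECTED: the server refused the user's own password; confirm with ldap_bind_check on that DN before touching PAM"
    elif log_has "$_log" 'pam_ldap: error trying to bind ('; then
        # No "as user": this is pam_ldap's service bind (binddn/bindpw or
        # rootbinddn + ldap.secret). slapd logs the same failure as BIND dn=... err=49.
        _dn=$(printf '%s\n' "$_log" | sed -n 's/.*slapd\[[0-9]*\]: .*BIND dn="\([^"]*\)".*/\1/p' | head -n 1)
        echo "BIND_DN_REJECTED: pam_ldap's service bind${_dn:+ as $_dn} was refused; fix binddn/bindpw in ldap.conf or the password in /etc/ldap.secret"
    elif log_has "$_log" 'PAM: Authentication failure'; then
        echo "LDAP_NOT_CONSULTED: pam_unix failed and no pam_ldap line was logged; check the auth stack in /etc/pam.d/system-auth and that pam_ldap.so actually loads"
    else
        echo "UNKNOWN: no pam_ldap or sshd PAM failure pattern found in the input"
    fi
    return 0
}

# Constructed sample input: the three lines fixer quoted above.
SAMPLE_LOG='May 10 14:49:48 univac slapd[12164]: conn=159 op=0 BIND dn="cn=nssldap,ou=DSA,dc=stuckoutside,dc=net" method=128
May 10 14:49:48 univac slapd[12164]: conn=159 op=0 RESULT tag=97 err=49 text=
May 10 14:49:48 univac sshd[13117]: pam_ldap: error trying to bind (Invalid credentials)'

printf '%s\n' "$SAMPLE_LOG" | ldap_auth_diagnose
```

Typical use: `grep -h 'pam_ldap\|slapd\|sshd' /var/log/auth.log /var/log/messages | ldap_auth_diagnose` on the client, then `ldap_bind_check uid=mwissel,ou=People,dc=irclog,dc=de dc=irclog,dc=de` for the user and `ldap_bind_check cn=nssldap,ou=DSA,dc=stuckoutside,dc=net dc=stuckoutside,dc=net /etc/ldap.secret` for the service account, reading the DNs from your own ldap.conf. One caveat on the server side: an ACL like the `access to * ... by * read` that ph0 posted makes every attribute, including userPassword hashes, readable by anonymous clients; the usual OpenLDAP idiom is an earlier `access to attrs=userPassword by self write by anonymous auth by * none` rule so binds still work but nobody can dump the hashes.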

