# Login with ldap is not working

## Darknight

I include my configuration and a couple of logs; maybe someone will succeed where I fail.

Thanks in advance.

getent passwd

```
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/adm:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
man:x:13:15:man:/usr/share/man:/bin/false
postmaster:x:14:12:postmaster:/var/spool/mail:/bin/false
smmsp:x:209:209:smmsp:/var/spool/mqueue:/bin/false
portage:x:250:250:portage:/var/tmp/portage:/bin/false
nobody:x:65534:65534:nobody:/:/bin/false
sshd:x:22:22:added by portage for openssh:/var/empty:/sbin/nologin
cron:x:16:16:added by portage for cronbase:/var/spool/cron:/sbin/nologin
ntp:x:123:123:added by portage for ntp:/dev/null:/sbin/nologin
ldap:x:439:439:added by portage for openldap:/usr/lib64/openldap:/sbin/nologin
rpc:x:111:111:added by portage for portmap:/dev/null:/sbin/nologin
dnscache:x:101:200:added by portage for djbdns:/dev/null:/sbin/nologin
dnslog:x:102:200:added by portage for djbdns:/dev/null:/sbin/nologin
tinydns:x:103:200:added by portage for djbdns:/dev/null:/sbin/nologin
apache:x:81:81:added by portage for apache:/var/www:/sbin/nologin
testuser:x:1000:100:Di Test Utente,,,,:/home/users/testuser:/usr/bin/rssh
```

The last line shows that the system picks up LDAP users.

/etc/ldap.conf

```
base dc=xx
uri ldaps://localhost:636
pam_filter objectclass=posixAccount
pam_member_attribute memberuid
nss_base_passwd         ou=People,dc=xx
nss_base_shadow         ou=People,dc=xx
nss_base_group          ou=Group,dc=xx
nss_base_hosts          ou=Hosts,dc=xx
nss_reconnect_tries 4                   # number of times to double the sleep time
nss_reconnect_sleeptime 1               # initial sleep value
nss_reconnect_maxsleeptime 16   # max sleep value to cap at
nss_reconnect_maxconntries 2    # how many tries before sleeping
```

/etc/pam.d/system-auth

```
auth       required     pam_env.so
auth       sufficient   pam_ldap.so try_first_pass
auth       sufficient   pam_unix.so use_first_pass likeauth nullok
auth       required     pam_deny.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so use_first_pass
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

/etc/nsswitch.conf

```
passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap
# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

auth.log with the right password and with the wrong password

```
Apr 29 10:48:56 ldap sshd[21134]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx  user=testuser
Apr 29 10:48:59 ldap sshd[21132]: error: PAM: Authentication failure for testuser from xx
Apr 29 10:49:09 ldap sshd[21135]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=xx" (Invalid credentials)
Apr 29 10:49:09 ldap sshd[21135]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx  user=testuser
Apr 29 10:49:10 ldap sshd[21132]: error: PAM: Authentication failure for testuser from xx
```

syslog with the right and the wrong password

```
Apr 29 10:48:51 ldap slapd[21087]: conn=8 fd=16 ACCEPT from IP=127.0.0.1:36487 (IP=0.0.0.0:636)
Apr 29 10:48:51 ldap slapd[21087]: conn=8 fd=16 TLS established tls_ssf=256 ssf=256
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=0 BIND dn="" method=128
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=0 RESULT tag=97 err=0 text=
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=1 SRCH base="ou=People,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Apr 29 10:48:51 ldap slapd[21087]: <= bdb_equality_candidates: (uid) not indexed
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=2 BIND dn="" method=128
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=2 RESULT tag=97 err=0 text=
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=3 BIND dn="uid=testuser,ou=People,dc=xx" method=128
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=3 BIND dn="uid=testuser,ou=People,dc=xx" mech=SIMPLE ssf=0
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=3 RESULT tag=97 err=0 text=
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=4 BIND anonymous mech=implicit ssf=0
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=4 BIND dn="" method=128
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=4 RESULT tag=97 err=0 text=
Apr 29 10:48:56 ldap slapd[21087]: conn=9 fd=17 ACCEPT from IP=127.0.0.1:36488 (IP=0.0.0.0:636)
Apr 29 10:48:56 ldap slapd[21087]: conn=9 fd=17 TLS established tls_ssf=256 ssf=256
Apr 29 10:48:56 ldap slapd[21087]: conn=9 op=0 BIND dn="" method=128
Apr 29 10:48:56 ldap slapd[21087]: conn=9 op=0 RESULT tag=97 err=0 text=
Apr 29 10:48:56 ldap slapd[21087]: conn=9 op=1 SRCH base="ou=People,dc=xx" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=testuser))"
Apr 29 10:48:56 ldap slapd[21087]: conn=9 op=1 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Apr 29 10:48:56 ldap slapd[21087]: <= bdb_equality_candidates: (uid) not indexed
Apr 29 10:48:56 ldap slapd[21087]: conn=9 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 10:48:59 ldap slapd[21087]: conn=8 fd=16 closed (connection lost)
Apr 29 10:48:59 ldap slapd[21087]: conn=9 fd=17 closed (connection lost)
Apr 29 10:48:59 ldap sshd[21132]: error: PAM: Authentication failure for testuser from xx
Apr 29 10:48:59 ldap slapd[21087]: conn=10 fd=16 ACCEPT from IP=127.0.0.1:36489 (IP=0.0.0.0:636)
Apr 29 10:48:59 ldap slapd[21087]: conn=10 fd=16 TLS established tls_ssf=256 ssf=256
Apr 29 10:48:59 ldap slapd[21087]: conn=10 op=0 BIND dn="" method=128
Apr 29 10:48:59 ldap slapd[21087]: conn=10 op=0 RESULT tag=97 err=0 text=
Apr 29 10:48:59 ldap slapd[21087]: conn=10 op=1 SRCH base="ou=People,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Apr 29 10:48:59 ldap slapd[21087]: <= bdb_equality_candidates: (uid) not indexed
Apr 29 10:48:59 ldap slapd[21087]: conn=10 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 10:48:59 ldap slapd[21087]: conn=10 op=2 BIND dn="" method=128
Apr 29 10:48:59 ldap slapd[21087]: conn=10 op=2 RESULT tag=97 err=0 text=
Apr 29 10:49:09 ldap slapd[21087]: conn=10 op=3 BIND dn="uid=testuser,ou=People,dc=xx" method=128
Apr 29 10:49:09 ldap slapd[21087]: conn=10 op=3 RESULT tag=97 err=49 text=
Apr 29 10:49:09 ldap sshd[21135]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=xx" (Invalid credentials)
Apr 29 10:49:09 ldap slapd[21087]: conn=10 op=4 BIND dn="" method=128
Apr 29 10:49:09 ldap slapd[21087]: conn=10 op=4 RESULT tag=97 err=0 text=
Apr 29 10:49:09 ldap slapd[21087]: conn=11 fd=17 ACCEPT from IP=127.0.0.1:36490 (IP=0.0.0.0:636)
Apr 29 10:49:09 ldap slapd[21087]: conn=11 fd=17 TLS established tls_ssf=256 ssf=256
Apr 29 10:49:09 ldap slapd[21087]: conn=11 op=0 BIND dn="" method=128
Apr 29 10:49:09 ldap slapd[21087]: conn=11 op=0 RESULT tag=97 err=0 text=
Apr 29 10:49:09 ldap slapd[21087]: conn=11 op=1 SRCH base="ou=People,dc=xx" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=testuser))"
Apr 29 10:49:09 ldap slapd[21087]: conn=11 op=1 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Apr 29 10:49:09 ldap slapd[21087]: <= bdb_equality_candidates: (uid) not indexed
Apr 29 10:49:09 ldap slapd[21087]: conn=11 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 10:49:10 ldap slapd[21087]: conn=10 fd=16 closed (connection lost)
Apr 29 10:49:10 ldap slapd[21087]: conn=11 fd=17 closed (connection lost)
Apr 29 10:49:10 ldap sshd[21132]: error: PAM: Authentication failure for testuser from xx
Apr 29 10:49:10 ldap slapd[21087]: conn=12 fd=16 ACCEPT from IP=127.0.0.1:36491 (IP=0.0.0.0:636)
Apr 29 10:49:10 ldap slapd[21087]: conn=12 fd=16 TLS established tls_ssf=256 ssf=256
Apr 29 10:49:10 ldap slapd[21087]: conn=12 op=0 BIND dn="" method=128
Apr 29 10:49:10 ldap slapd[21087]: conn=12 op=0 RESULT tag=97 err=0 text=
Apr 29 10:49:10 ldap slapd[21087]: conn=12 op=1 SRCH base="ou=People,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Apr 29 10:49:10 ldap slapd[21087]: <= bdb_equality_candidates: (uid) not indexed
Apr 29 10:49:10 ldap slapd[21087]: conn=12 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 10:49:10 ldap slapd[21087]: conn=12 op=2 BIND dn="" method=128
Apr 29 10:49:10 ldap slapd[21087]: conn=12 op=2 RESULT tag=97 err=0 text=
Apr 29 10:49:11 ldap slapd[21087]: conn=12 fd=16 closed (connection lost)
Apr 29 10:50:01 ldap cron[21138]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
```
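As an added example (not code from the post above, nor from OpenLDAP or pam_ldap), the following Python script reads slapd log lines in the format shown in the syslog excerpt and pairs each BIND request with its RESULT, so you can see directly which attempt slapd accepted (`err=0`) and which it rejected (`err=49`, invalidCredentials). It also collects the attributes slapd reports as "not indexed" and the PAM failures sshd logs. The embedded log is constructed: a trimmed copy of the thread's syslog with its placeholder hostnames and DNs (`xx`) left as they are.

```python
"""Pair slapd BIND requests with their RESULT lines and list PAM failures.

Added example, not code from the original post or from OpenLDAP/pam_ldap.
Reads slapd "stats"-level log lines and reports, per connection, which DN
was bound and whether slapd accepted the credentials (err=0) or rejected
them (err=49). Also collects "not indexed" attributes and sshd PAM failures.
"""
import re

# LDAP result codes from RFC 4511; only the ones relevant to a bind are listed.
LDAP_RESULT = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is the BER tag of a bindResponse, so this only matches bind results.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
NOT_INDEXED_RE = re.compile(r'candidates: \((\w+)\) not indexed')
PAM_FAIL_RE = re.compile(r'sshd\[\d+\]: error: PAM: Authentication failure for (\S+)')

# Constructed sample: a trimmed copy of the thread's syslog (placeholders kept).
SAMPLE_LOG = """\
Apr 29 10:48:51 ldap slapd[21087]: conn=8 fd=16 ACCEPT from IP=127.0.0.1:36487 (IP=0.0.0.0:636)
Apr 29 10:48:51 ldap slapd[21087]: conn=8 fd=16 TLS established tls_ssf=256 ssf=256
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=0 BIND dn="" method=128
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=0 RESULT tag=97 err=0 text=
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=1 SRCH base="ou=People,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testuser))"
Apr 29 10:48:51 ldap slapd[21087]: <= bdb_equality_candidates: (uid) not indexed
Apr 29 10:48:51 ldap slapd[21087]: conn=8 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=3 BIND dn="uid=testuser,ou=People,dc=xx" method=128
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=3 BIND dn="uid=testuser,ou=People,dc=xx" mech=SIMPLE ssf=0
Apr 29 10:48:56 ldap slapd[21087]: conn=8 op=3 RESULT tag=97 err=0 text=
Apr 29 10:48:59 ldap sshd[21132]: error: PAM: Authentication failure for testuser from xx
Apr 29 10:49:09 ldap slapd[21087]: conn=10 op=3 BIND dn="uid=testuser,ou=People,dc=xx" method=128
Apr 29 10:49:09 ldap slapd[21087]: conn=10 op=3 RESULT tag=97 err=49 text=
Apr 29 10:49:09 ldap sshd[21135]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=xx" (Invalid credentials)
"""


def analyze(log_text):
    """Return {"binds": [...], "unindexed": [...], "pam_failures": [...]}.

    Only non-anonymous binds are reported; anonymous binds (dn="") are the
    NSS/PAM lookups that precede the real password check.
    """
    pending = {}        # (conn, op) -> DN of a BIND still waiting for its RESULT
    binds = []
    unindexed = set()
    pam_failures = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(int(m.group(1)), int(m.group(2)))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            dn = pending.pop(key, None)
            if dn:                                   # skip anonymous binds
                err = int(m.group(3))
                binds.append({"conn": key[0], "op": key[1], "dn": dn, "err": err,
                              "outcome": LDAP_RESULT.get(err, f"err={err}")})
            continue
        m = NOT_INDEXED_RE.search(line)
        if m:
            unindexed.add(m.group(1))
            continue
        m = PAM_FAIL_RE.search(line)
        if m:
            pam_failures.append(m.group(1))
    return {"binds": binds, "unindexed": sorted(unindexed), "pam_failures": pam_failures}


def accepted_binds(report):
    """Connections on which slapd accepted the user's password (err=0)."""
    return [(b["conn"], b["dn"]) for b in report["binds"] if b["err"] == 0]


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for b in report["binds"]:
        print(f'conn={b["conn"]} op={b["op"]} {b["dn"]}: {b["outcome"]}')
    print("not indexed:", ", ".join(report["unindexed"]) or "none")
    print("PAM failures:", report["pam_failures"])
    print("accepted by slapd:", accepted_binds(report))
```

Run against the excerpt, it reports that slapd accepted the bind on `conn=8` yet sshd still logged a PAM failure three seconds later and pam_unix was consulted after it, while `conn=10` is the ordinary wrong-password case (`err=49`). That narrows the problem to what the PAM stack does after a successful bind, not to the password itself. The "not indexed: uid" line is the same warning slapd prints for every lookup in the log above.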

----------

## Aurora

Did you ever find a solution to this Darknight?

I'm in the same exact boat and am ripping my last hairs out.

- I can bind to my LDAP server with no issues.
- Like you, typing an incorrect password is denoted by an "Invalid credentials" message.
- I simply get `error: PAM: Authentication failure for testuser from xx` when my password is typed correctly, but PAM rejects the authentication.

Also like you, getent works fine. A simple packet capture clearly shows the LDAP server sending a success message when the bind is attempted by pam_ldap.

Any thoughts would be greatly appreciated... I'm at a complete loss and need this up and running in short order.

----------

## Darknight

Well, it took me ages to make LDAP work, and it was some time ago. One of the worst things that happened was that I had not rebuilt the indexes (slapindex) after adding indexes on some fields.

This made every lookup that used those fields fail because no entries were found in the uninitialized (!) indexes; this drove me nuts. It may not be your problem here, but it's a good thing to do: rebuild the indexes and see if things get better.

----------

## cpr

*Aurora wrote:*

> I simply get an error: PAM: Authentication failure for testuser from xx when my password is typed correctly but PAM rejects the authentication

Do you have a loginShell attribute with a valid entry for that user?
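As an added example (not code from any post in this thread or from any project), here is a small check for the question cpr raises: read a user's entry in LDIF form and verify that it has the attributes nss_ldap maps into passwd and shadow (`uid`, `uidNumber`, `gidNumber`, `homeDirectory`, `loginShell`) and that `loginShell` is present and is one of the shells you expect. The LDIF entries and the `ALLOWED_SHELLS` set are constructed for the example; on a real host you would compare `loginShell` against `/etc/shells` and the shells actually installed, and feed the script the output of an `ldapsearch` for the user.

```python
"""Check that a posixAccount entry carries what NSS and PAM need.

Added example, not code from the thread or from any project. Includes a
minimal LDIF reader (handles continuation lines and base64 "::" values)
and a check for the attributes nss_ldap maps into passwd/shadow, plus a
usable loginShell. The LDIF below and ALLOWED_SHELLS are constructed.
"""
import base64

# Attributes nss_ldap needs for a passwd entry (canonical casing for messages).
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
# Assumed for the example; compare against /etc/shells on a real host.
ALLOWED_SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/rssh"}

# Constructed sample: a sound entry, one without loginShell, one with an odd shell.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=xx
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Di Test Utente
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/users/testuser
loginShell: /usr/bin/rssh

dn: uid=noshell,ou=People,dc=xx
objectClass: posixAccount
uid: noshell
cn: No Shell
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/users/noshell

dn: uid=badshell,ou=People,dc=xx
objectClass: posixAccount
uid: badshell
cn:: QmFkIFNoZWxs
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/users/badshell
loginShell: /usr/local/bin/zsh
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercase attribute -> [values]."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def check_posix_account(entry, allowed_shells=ALLOWED_SHELLS):
    """Return a list of problems; an empty list means the entry looks usable."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    for attr in REQUIRED:
        if not [v for v in entry.get(attr.lower(), []) if v]:
            problems.append(f"missing or empty {attr}")
    shell = (entry.get("loginshell") or [""])[0]
    if shell and shell not in allowed_shells:
        problems.append(f"loginShell {shell} not in allowed shells")
    for attr in ("uidNumber", "gidNumber"):
        for v in entry.get(attr.lower(), []):
            if not v.isdigit():
                problems.append(f"{attr} is not numeric: {v!r}")
    return problems


def check_all(ldif_text, allowed_shells=ALLOWED_SHELLS):
    """Map each entry's DN to its list of problems."""
    return {e["dn"][0]: check_posix_account(e, allowed_shells) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, problems in check_all(SAMPLE_LDIF).items():
        print(dn, "->", "; ".join(problems) or "ok")
```

For the `testuser` entry in the thread the check passes: the `getent passwd` output in the first post already shows its `loginShell` resolving to `/usr/bin/rssh`, so a missing attribute is not what that log is showing. The two constructed entries show what the check reports when the attribute is absent or points at a shell you did not expect.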

----------

