# [SOLVED] LDAP and PAM (again)

## cpr

Hi Forum,

I am too wrestling my admin-fu for a LDAP-based login.

I have followed http://wiki.das-online.org/howtos/ldap/openldap-gentoo and http://www.gentoo.org/doc/en/ldap-howto.xml plus tried stuff from other tutorials.

Instead of pasting many files and logs I would try to ask some specific questions where I assume I am doing a wrong turn:

- I can successfully use e.g. ldapwhoami on the local LDAP server. Jxplorer, MyPHPLDAPAdmin all work, too. So I have a PAM problem, not an LDAP problem, right?

- a "minimal" PAM-LDAP setup does not need SSL/TLS/SASL and other security stuff, right?

- getent passwd shows LDAP-content. Even better: I can su - myldapuser as root (but no password is requested, as expected)

- when a local user is created and I change to this login as root via su - localuser, I can then su - ldapuser and I am asked for the password. Besides an error message because of a nonexistent home directory, that password is accepted.

So that means:

I have to traverse the /etc/pam.d/* files from /etc/pam.d/sshd via its include directives to /etc/pam.d/system-remote-login to /etc/pam.d/system-login to /etc/pam.d/system-auth ?

Do I have to "debug" only the password-related directives for my ssh login? Because the logs from failed ssh logins seem to indicate that the ldapuser is found:

> #############This is logged when I type ssh -vvv installer@ora from a remote cygwin xterm, and is similar when I try to ssh as root from the OpenLDAP server to itself
> 
> Jan 29 17:56:05 ora sshd[5250]: SSH: Server;Ltype: Version;Remote: 192.168.76.233-58240;Protocol: 2.0;Client: OpenSSH_5.9
> 
> Jan 29 17:56:05 ora slapd[2033]: conn=1069 fd=25 ACCEPT from IP=127.0.0.1:44481 (IP=0.0.0.0:389)
> ...

(It is all temporary stuff, so unaltered output.)

I have re-emerged sys-libs/pam with USE debug, but that does not put more lines in /var/log/message, only dumps a lot when I su on the shell. How do I debug that remote ssh login? (ssh -vvv on the remote side does obviously not help much.)

Last edited by cpr on Sun Jan 29, 2012 5:06 pm; edited 1 time in total

----------

## cpr

Did you read that? Sorry: Neither inetOrgPerson, organizationalPerson, person, top nor posixAccount requires the attribute loginShell. As soon as I added an entry for that attribute IT WORKED!

Gonna post to all other threads with similar problems now.

I did NOT use those MigrationScripts, but created a user with an LDAP client from scratch. That's where I took the wrong turn, I presume.
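
One way to catch the gap cpr ran into before it costs an afternoon, as an added example that is not code from this thread or from the tutorials linked above: a small Python checker that parses an LDIF export (e.g. the output of ldapsearch) and lists every posixAccount entry missing loginShell or any other attribute needed to build a passwd entry. The base dc=example,dc=org, the DNs and the sample users are constructed for the example.

```python
import re

# Attributes a posixAccount needs to yield a usable passwd entry, plus
# loginShell: optional by schema, but its absence broke the login in this thread.
LOGIN_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; unfolds lines, skips comments."""
    entries = []
    for block in re.split(r"\n\n+", re.sub(r"\n ", "", text).strip()):
        attrs, dn = {}, None
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:  # base64 ("::") values are kept undecoded in this example
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def missing_login_attrs(entries):
    """Map dn -> missing login attributes, for posixAccount entries only."""
    report = {}
    for dn, attrs in entries:
        if "posixaccount" in {c.lower() for c in attrs.get("objectclass", [])}:
            missing = [a for a in LOGIN_ATTRS if a.lower() not in attrs]
            if missing:
                report[dn] = missing
    return report

# Constructed sample (not from the thread): the first entry lacks loginShell.
SAMPLE_LDIF = """dn: uid=installer,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: installer
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/installer

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/bash
"""
```

Running `missing_login_attrs(parse_ldif(SAMPLE_LDIF))` reports only the installer entry, with loginShell as the missing attribute; feed it a real export instead of SAMPLE_LDIF to audit a directory.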

----------

