Have you tested that the authentication for PAM is working correctly? Try logging in using whatever auth you are using for it and check it can read the entries it needs. libnss-ldap and pam_ldap have different config files. Sounds like NSS is working correctly (i.e. it's showing both users), but the auth is failing for whatever reason.

My files are:

common-password:
    password sufficient pam_ldap.so ignore_unknown_user
    password required pam_unix.so try_first_pass nullok obscure min=4 max=8 md5

common-auth:
    auth sufficient pam_ldap.so
    auth required pam_unix.so use_first_pass nullok_secure

common-account:
    account sufficient pam_ldap.so
    account required pam_unix.so use_first_pass

common-session:
    session required pam_unix.so

pam_ldap.conf:
    host 127.0.0.1
    base ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
    ldap_version 3
    binddn cn=pam,dc=jamie-thompson,dc=co,dc=uk,dc=.
    bindpw <snip>
    rootbinddn cn=admin,dc=jamie-thompson,dc=co,dc=uk,dc=.
    timelimit 30
    bind_timelimit 30
    idle_timelimit 3600
    pam_password crypt

libnss-ldap.conf:
    host 127.0.0.1
    base dc=jamie-thompson,dc=co,dc=uk,dc=.
    ldap_version 3
    binddn cn=nss,dc=jamie-thompson,dc=co,dc=uk,dc=.
    bindpw <snip>
    rootbinddn cn=admin,dc=jamie-thompson,dc=co,dc=uk,dc=.
    timelimit 60
    bind_timelimit 60
    bind_policy hard
    idle_timelimit 240
    nss_base_passwd ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_shadow ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_group ou=Groups,dc=jamie-thompson,dc=co,dc=uk,dc=.
    #nss_base_hosts ou=Hosts,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_services ou=Services,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_networks ou=Networks,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_protocols ou=Protocols,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_rpc ou=Rpc,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_ethers ou=Ethers,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_netmasks ou=Networks,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_bootparams ou=Ethers,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_aliases ou=Aliases,dc=jamie-thompson,dc=co,dc=uk,dc=.
    nss_base_netgroup ou=Netgroup,dc=jamie-thompson,dc=co,dc=uk,dc=.

Obviously, I've trimmed these slightly, but hopefully that should help. I use a similar config on my workstations so that they authenticate/NSS via LDAP to the server. I suspect that although what I have works, it's not *quite* the correct way. For one thing, I never did get round to setting up TLS. Luckily, I trust my LAN for the time being :)
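The reply's diagnosis (NSS resolves the user but PAM's own LDAP lookup fails, because libnss-ldap and pam_ldap read separate config files) can be checked mechanically before anyone tries another login. The script below is an added example, not code from the poster or from the pam_ldap/libnss-ldap projects: it parses both files in their "key value" format, then flags the mismatches that produce exactly that symptom (different servers, a pam_ldap `base` that does not contain `nss_base_passwd`, a shared bind DN) and, picking up the TLS remark at the end of the reply, warns when credentials would cross a non-loopback link in the clear. The sample files are constructed, using the placeholder suffix `dc=example,dc=test` rather than the poster's real domain.

```python
"""Cross-check libnss-ldap.conf and pam_ldap.conf for the mismatches behind
"getent shows the user but login fails".

Added example, not the original post's code. Assumes the classic pam_ldap /
libnss-ldap file format: one 'key value' directive per line, '#' comments,
and nss_base_* values that may carry a trailing '?scope' qualifier.
"""
from __future__ import annotations

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Parse a pam_ldap.conf / libnss-ldap.conf style file into a dict.

    A key that appears twice keeps its last value, which is how the file
    reads top to bottom; keys are lower-cased so 'Host' and 'host' match.
    """
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # key, then the rest of the line
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def _norm_dn(dn: str) -> str:
    # Drop an nss_base_* '?scope' suffix and normalise case and whitespace so
    # DNs compare by value rather than by how they happened to be typed.
    dn = dn.split("?", 1)[0]
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_is_under(child: str, parent: str) -> bool:
    """True when `child` equals `parent` or lies somewhere beneath it."""
    c, p = _norm_dn(child), _norm_dn(parent)
    return c == p or c.endswith("," + p)


def _host_of(server: str) -> str:
    # Reduce 'host 127.0.0.1', 'uri ldap://10.0.0.5:389/' etc. to the bare
    # hostname (IPv6 literals in URIs are not handled; loopback check only).
    return server.split("://")[-1].split("/")[0].split(":")[0]


def check_nss_pam_consistency(nss: dict[str, str], pam: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the pair looks sane."""
    findings: list[str] = []

    # 1. Both modules must talk to the same directory.
    nss_server = nss.get("uri") or nss.get("host", "")
    pam_server = pam.get("uri") or pam.get("host", "")
    if nss_server != pam_server:
        findings.append(f"server mismatch: nss={nss_server!r} pam={pam_server!r}")

    # 2. Every account NSS can resolve must also sit inside pam_ldap's search
    #    base, otherwise the user is listed but the auth lookup finds nothing.
    passwd_base = nss.get("nss_base_passwd") or nss.get("base", "")
    pam_base = pam.get("base", "")
    if not dn_is_under(passwd_base, pam_base):
        findings.append(f"pam base {pam_base!r} does not cover nss_base_passwd {passwd_base!r}")

    # 3. Separate, read-only bind identities per consumer keep the blast radius
    #    of a leaked bindpw (both files are world-readable by design) small.
    if nss.get("binddn") and nss.get("binddn") == pam.get("binddn"):
        findings.append("nss and pam share one binddn; use a separate least-privilege DN for each")

    # 4. Without TLS the bind password and every user's password travel in the
    #    clear; only a loopback server makes that defensible.
    tls_on = pam.get("ssl", "").lower() in {"on", "start_tls", "yes"} or pam_server.startswith("ldaps://")
    if not tls_on and _host_of(pam_server) not in LOOPBACK:
        findings.append(f"no TLS for pam_ldap against non-loopback server {pam_server!r}")
    return findings


# Constructed sample files modelled on the layout in the reply above.
NSS_OK = """\
host 127.0.0.1
base dc=example,dc=test
ldap_version 3
binddn cn=nss,dc=example,dc=test
bindpw REDACTED
nss_base_passwd ou=Accounts,dc=example,dc=test?one
nss_base_shadow ou=Accounts,dc=example,dc=test?one
nss_base_group ou=Groups,dc=example,dc=test?one
"""
PAM_OK = """\
host 127.0.0.1
base ou=Accounts,dc=example,dc=test
ldap_version 3
binddn cn=pam,dc=example,dc=test
bindpw REDACTED
pam_password crypt
"""
PAM_BROKEN = """\
# remote server, wrong subtree, shared identity, no TLS
host ldap.example.test
base ou=Staff,dc=example,dc=test
binddn cn=nss,dc=example,dc=test
bindpw REDACTED
"""

if __name__ == "__main__":
    for label, pam_text in (("ok", PAM_OK), ("broken", PAM_BROKEN)):
        result = check_nss_pam_consistency(parse_ldap_conf(NSS_OK), parse_ldap_conf(pam_text))
        print(label, "->", result or "no findings")
```

Run it against the real `/etc/libnss-ldap.conf` and `/etc/pam_ldap.conf` by reading the two files into `parse_ldap_conf`; any "does not cover" or "server mismatch" finding explains an NSS-works-but-login-fails report on its own, while the TLS finding is the item the reply admits is still outstanding.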