pam_ldap, libnss-ldap and different fields for authentication

Hi,
I'm currently working on an authentication system for my company and facing a problem using pam_ldap and libnss_ldap.
I want to configure pam to authenticate against one field (let's call it AField) (e.g. for an ssh session's authentication) and libnss to provide the content of another field (BField) if I run e.g. ls -l.
I mean:
# ssh AField-value@192.168.1.1
[...]
# ls -l /tmp/test
-rwx------ 1 BField-value root 1305 2009-03-18 14:11 test
# whoami
BField-value

The goal is to permit login via AField, which will be a quite long name, while BField will ease reading on my Linux box.

Everything works perfectly fine if I use the same field (i.e. pam_login_attribute BField and nss_map_attribute uid BField), but if I try to set pam_login_attribute to AField and nss_map_attribute to "uid BField", the authentication process fails with an "Invalid credentials" error.
Libnss works correctly, since when I list (ls) a file created by an LDAP user after logging in via a local user, the resolution works fine. ls tells me the file is owned by the {BField-value} user.
Pam_ldap seems to understand it needs to look up AField, since it binds anonymously and requests the rdn of the user whose AField equals the submitted login, but when the bind is done with the rdn of the user, I get the error.
I tcpdump-ed the LDAP traffic and discovered pam_ldap is requesting the bind without providing the password. In the packets, where the password (in clear for tests) should be, I can read "INCORRECT", which is not my password at all =) So it's perfectly logical that openldap returns "Invalid credentials".

My question is: what can this INCORRECT mean? A configuration error? Is it even possible to do what I want to do?

When my authentication fails, I can read in the openldap log files: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
When I'm using only AField (or only BField) for the two options, I don't get this error :o/

I'm using OpenLDAP 2.3.30-5+etch2, libpam-ldap 180-1.7 and libnss-ldap 251-7.5etch1 on Debian.

Thank you in advance for your support.
Regards,

-- 
Florian MAURY