
Re: PAM LDAP queries attempt to bind with empty binddn



On Thu, 2010-02-11 at 07:50 +1100, Alex Samad wrote:
> <snip>

> > On Thu, 2010-02-11 at 06:42 +1100, Alex Samad wrote:
> > > On Wed, Feb 10, 2010 at 11:07:05AM -0500, John A. Sullivan III wrote:
> > > > Hello, all.  We have just started to explore Debian Lenny as a platform
> > > > and have been delightfully impressed however we're hitting a problem
> > > > using LDAP authentication that we have not experienced in RedHat or
> > > > Ubuntu.  We do not allow anonymous LDAP queries but rather
> > > > configure /etc/pam_ldap.conf with a binddn and bindpw.
> > > > 
> > > > Our LDAP queries are failing and, when we look at the access logs on our
> > > > CentOS Directory Server 8.1, we see the binddn is empty:
> > > > 
> > > Hi
> > > 
> > > On my Debian system I have a couple of packages installed to handle the LDAP
> > > userid db.
> > > 
> > > pam handles one side of it but you need the nss stuff as well.  There
> > > are 2 sets of packages, the one I use  (I like it better - works how I
> > > like it to work and seems to be getting active maintenance).
> > > 
> > > nslcd, and with this you will need libnss-ldapd & libpam-ldapd; they both
> > > need config files in /etc
> > libnss-ldap and libpam-ldap are installed.  I do not see a package
> > named nslcd unless it's a typo for nscd, which is installed as well.
> 
> No, nslcd is not a typo. Like I said, there are 2 streams/groups of
> packages for pam integration; you have the !older! ones. Have a look at
> nslcd and its partner packages; I have found them to be more stable.
> 
> 
> > > 
> > > 
> > > [snip]
> > > 
> > > > 
> > > > pam_ldap.conf looks like this:
> > > > 
> > > 
> > > [snip]
> > > 
> > > you need to look at the nss config file as well
> > Do you mean nsswitch.conf? If so, we did address that - files ldap for
> > passwd, group, and shadow.
> 
> Nope, this file, /etc/nss-ldapd.conf, is used for the nss side of things, which
> is what getent uses and tools like nsswitch, glibc & whoami
<snip>
Ah! That was it and that's what's different.  CentOS and Ubuntu do not
separate them.  I was wondering why there was a pam_ldap.conf instead of
an ldap.conf.  I assumed it was to eliminate conflict with openldap's
ldap.conf.  I didn't realize it was to distinguish it from
nss-ldap.conf.

Regarding nslcd, in which repository is it? I did an apt-cache search
nslcd and it returned nothing.

Thanks very, very much - John
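
The fix reached in this thread is that on Debian the PAM-side file (/etc/pam_ldap.conf) and the NSS-side file are configured separately, so a `binddn`/`bindpw` set in only one of them leaves the other side's queries arriving with an empty bind DN. The check below is an added example, not part of the original message: it parses the `keyword value` format and reports which file lacks a bind identity; the sample contents, DNs and function names are constructed for illustration.

```python
# Constructed sample configs for illustration; not taken from the thread.
SAMPLE_PAM = """\
# PAM-side file, e.g. /etc/pam_ldap.conf (constructed)
base dc=example,dc=com
uri ldap://ldap.example.com/
binddn cn=proxy,dc=example,dc=com
bindpw CHANGEME
"""

SAMPLE_NSS = """\
# NSS-side file (constructed): bind identity never configured
base dc=example,dc=com
uri ldap://ldap.example.com/
#binddn cn=proxy,dc=example,dc=com
"""

def parse_ldap_conf(text):
    """Parse 'keyword value' lines; lines starting with '#' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return settings

def bind_status(text):
    """Return 'anonymous' (no binddn), 'no-password', or 'authenticated'."""
    conf = parse_ldap_conf(text)
    if not conf.get("binddn"):
        return "anonymous"
    if not conf.get("bindpw"):
        return "no-password"
    return "authenticated"

def audit(configs):
    """Map each label to its bind status and list the labels needing a fix."""
    report = {name: bind_status(text) for name, text in configs.items()}
    failing = sorted(n for n, s in report.items() if s != "authenticated")
    return report, failing

if __name__ == "__main__":
    import sys
    from pathlib import Path
    # Audit the files given as arguments, or the constructed samples if none.
    configs = ({p: Path(p).read_text() for p in sys.argv[1:]}
               or {"pam": SAMPLE_PAM, "nss": SAMPLE_NSS})
    report, failing = audit(configs)
    print("\n".join(f"{name}: {status}" for name, status in report.items()))
    sys.exit(1 if failing else 0)
```

Run it as root against both the PAM-side and NSS-side files on the host; a non-zero exit means at least one of them would bind without the configured identity.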

