[Pam_ldap] Password Problems

Hello,

I don't know where to post my problem, so I put it here.

I'm trying to authenticate an openSUSE server against LDAP. I've already configured authentication against my OpenLDAP server on Fedora, SUSE Enterprise and Red Hat, and all work fine. But on openSUSE I run into a problem.

I installed pam_ldap, nss_ldap and the OpenLDAP clients. Then I tried to configure it with YaST (like on SUSE), but when I tried "getent passwd" my users were not listed. So I changed /etc/nsswitch.conf and put "passwd files ldap" and "shadow files ldap". Now when I try "getent passwd/shadow" it lists my users.

So I tried to connect to my server with ssh, but it doesn't work. I looked at /var/log/messages and found the error "pam_ldap: error trying to bind as user... (Invalid Credentials)".

I know that this error is due to the user password not being right. I have tried to contact my OpenLDAP server with:

ldapsearch -x -D "my user dn" -W "my password"

and it works.

So I think that there are some missing packages on my openSUSE to crypt/decrypt the password.

I use the crypt(3) method on my OpenLDAP server. I've put "pam_password crypt" in /etc/ldap.conf.

Do you know what package is used on openSUSE for the crypt(3) method?

Thanks in advance :)

(sorry for my English)

I doubt that the system decrypts the password to check with the LDAP server. I don’t think it’s possible to decrypt because the hash algorithm is generally one way. In fact I’m pretty sure that the LDAP server doesn’t store the original password. What happens is the client hashes the password with the selected algorithm and then sends it to the LDAP server for comparison. If the hashes match, the password is correct.

There are variations on crypt. What you have to do is look at the type of hash used on the LDAP server and match that. This is specified in {} before the hash in the LDAP record. You may find that it’s {md5crypt}, not {crypt}. In which case the pam_ldap module must use the same hash algorithm.
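As an added illustration (not from this thread or from the OpenLDAP project), the following Python shows what the {scheme} prefix in a userPassword value means to the server: it selects the digest algorithm, any salt is appended after the digest inside the base64 blob, and the server recomputes the digest from the supplied password and compares. The make_hash helper mimics what slappasswd -h '{SCHEME}' produces; the scheme table, helper names and sample values are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Schemes handled directly with hashlib; {CRYPT} is delegated to the system crypt(3).
_DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5, "SHA": hashlib.sha1, "SSHA": hashlib.sha1}
_SALTED = {"SMD5", "SSHA"}


def stored_scheme(stored):
    """Return the upper-cased scheme named in the {...} prefix, or None for clear text."""
    if not stored.startswith("{"):
        return None
    return stored[1:].partition("}")[0].upper()


def make_hash(scheme, password, salt=None):
    """Build a userPassword value the way slappasswd -h '{SCHEME}' would (illustrative)."""
    scheme = scheme.upper()
    if scheme == "CRYPT":
        import crypt  # stdlib up to Python 3.12; assumed available when CRYPT is used
        return "{CRYPT}" + crypt.crypt(password, salt or crypt.mksalt())
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme " + scheme)
    if scheme in _SALTED:
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""  # unsalted schemes carry no salt bytes at all
    digest = _DIGESTS[scheme](password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify_password(password, stored):
    """Server-side check: recompute the digest from `password` and compare constant-time."""
    scheme = stored_scheme(stored)
    if scheme is None:
        return hmac.compare_digest(password.encode(), stored.encode())
    encoded = stored.partition("}")[2]
    if scheme == "CRYPT":
        import crypt
        return hmac.compare_digest(crypt.crypt(password, encoded), encoded)
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme " + scheme)
    raw = base64.b64decode(encoded)
    size = _DIGESTS[scheme]().digest_size
    digest, salt = raw[:size], raw[size:]  # salt, if any, follows the digest
    expected = _DIGESTS[scheme](password.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    entry = make_hash("SSHA", "secret", b"1234")  # constructed sample userPassword
    print(entry, stored_scheme(entry), verify_password("secret", entry))
```

Pointing pam_password at a different scheme than the one shown in the prefix changes only how a password *change* is written; a bind still sends the clear-text password and the server compares it as above.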

I am sure that on the LDAP server the type of hash is {crypt}. I put the information in and crypt the passwords myself with the "slappasswd -h '{crypt}'" command.

Well, make whatever you will of it, but on a RHEL system I have access to, /etc/ldap.conf contains:

pam_password md5

It’s authenticating to a Fedora Directory Server though, but I think it’s the same setting for OpenLDAP.

Thanks for trying to help me, ken_yap :)

I have already made the authentication work against my OpenLDAP server with "pam_password crypt".

I am pretty sure I have encountered the same problem previously and resolved it by removing a 32-bit package that caused conflicts... but I don't remember the name of this package.