PAM Authentication with LDAP on Debian Jessie Not Finding LDAP Users
Solution 1
When you run getent passwd, do you see your LDAP users listed? If not, make sure libnss-ldapd is installed, and run dpkg-reconfigure libnss-ldapd and make sure at least the passwd database is enabled (and you'll probably want group and shadow as well, sooner or later).
If getent passwd mentions your LDAP users but you can't auth as one, run pam-auth-update and make sure LDAP authentication is enabled and nslcd is running.
If nscd (or some variant such as unscd) is installed, I suggest stopping it while troubleshooting as it could return cached inaccurate data.
Information about what pam_ldap is up to is logged to /var/log/auth.log; information about what nslcd is up to is logged to /var/log/syslog; and on the slapd side, turning the log level up to stats will let you see the actual queries nslcd is issuing, whether they were successful, and the number of results returned.
Hope that helps!
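The configuration side of the checks in Solution 1, as an added example that is not part of the original answer: it reads the files that dpkg-reconfigure libnss-ldapd and pam-auth-update manage on Debian and reports which layer is not wired to LDAP. The helper names (nss_uses_ldap, pam_uses_ldap, diagnose) are hypothetical, the default paths /etc/nsswitch.conf and /etc/pam.d/common-auth are assumed, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: static checks for the NSS and PAM layers, Debian default paths.

# nss_uses_ldap FILE DB: succeed if DB's line in nsswitch.conf lists "ldap".
nss_uses_ldap() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit !found }' "$1" 2>/dev/null
}

# pam_uses_ldap FILE: succeed if an uncommented line references pam_ldap.so.
pam_uses_ldap() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_ldap\.so' "$1" 2>/dev/null
}

# diagnose [ROOT]: report each layer; exit status is the number of problems.
diagnose() {
    root="${1:-}"; problems=0
    for db in passwd group shadow; do
        if nss_uses_ldap "$root/etc/nsswitch.conf" "$db"; then
            echo "ok:   nsswitch.conf: $db consults ldap"
        elif [ "$db" = passwd ]; then
            echo "FAIL: nsswitch.conf: passwd lacks ldap (dpkg-reconfigure libnss-ldapd)"
            problems=$((problems + 1))
        else
            echo "note: nsswitch.conf: $db does not consult ldap"
        fi
    done
    if pam_uses_ldap "$root/etc/pam.d/common-auth"; then
        echo "ok:   common-auth has an active pam_ldap.so line"
    else
        echo "FAIL: common-auth lacks pam_ldap.so (pam-auth-update)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample tree (not from the question): shadow is left without ldap.
sample=$(mktemp -d)
mkdir -p "$sample/etc/pam.d"
printf '%s\n' 'passwd: compat ldap' 'group:compat ldap # no space' \
    'shadow: compat' > "$sample/etc/nsswitch.conf"
printf '%s\n' '# auth sufficient pam_ldap.so' \
    'auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass' \
    > "$sample/etc/pam.d/common-auth"
diagnose "$sample" || echo "$? problem(s) found"
```

Calling diagnose with no argument reads the live files under /etc. Whether nslcd is running, what getent passwd returns, and the log files still have to be checked on the host itself.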
Solution 2
If you want to use an existing working OpenLDAP server on your network under Debian Jessie then you should be using the following packages:
libnss-ldap
libpam-ldap
rather than
libnss-ldapd
libpam-ldapd
Updated on September 18, 2022
Comments
Tohuw almost 2 years
Debian Jessie (specifically, Debian Server Wheezy x64 with testing repos)
OpenLDAP 2.4.39
libpam-ldapd 0.9.4-1
Upon installing libpam-ldapd, the dpkg configuration asked for my LDAP address information (ldapi:\\localhost) and correctly detected my server base.
I've tried to follow the Debian Wiki articles, but there are references to files that do not exist and scant information to indicate how I might be sure LDAP is being consulted.
I have OpenLDAP configured and the inetorgperson and NIS schemas loaded. The users ought to have all the correct attributes. Right now, I'm just trying to determine if LDAP is even being consulted, because it seems it isn't.