See "Additional Information" for the LDAP setup. I can't authenticate users over a referral with pam_ldap. It works if I talk directly to both servers.

Reproducible: Always

Steps to Reproduce:
1. Set up two LDAP servers with a referral
2. Set up pam_ldap
3. Authenticate as 1234567 (user on server2)

Actual Results:
The error message is:
pam_ldap: error trying to bind as user "uid=1234567,dc=testsystem,dc=de" (Invalid credentials)

It seems to be the following lines:
msgid = ldap_simple_bind (session->ld, session->info->userdn, session->info->userpw);

session->info->userdn is correct: uid=1234567,dc=testsystem,dc=de

tcpdump shows what's happening:

Connection for a user which is on server 1 (trace of communication to server 1):
0x0040: 7569 643d XXXX XXXX XXXX XX2c 6f75 3d50 uid=XXXXXXX,ou=P
0x0050: 656f 706c 652c 6463 3dXX XXXX XXXX XXXX eople,dc=XXXXXXX
0x0060: 2c64 633d 6465 8015 5445 5354 5445 5354 ,dc=de..TESTTEST
0x0070: 5445 5354 3132 3334 3536 3738 39 TEST123456789

Connection for a user which is on server 2 (trace of communication to server 1):
0x0040: 7569 643d XXXX XXXX XXXX 2c64 633d XXXX uid=XXXXXX,dc=XX
0x0050: XXXX XX2c 6463 3d64 6580 1154 4553 5454 XXX,dc=de..TESTT
0x0060: 4553 5431 3233 3435 3637 3839 EST123456789
-> the password is sent to server 1

Doing a trace of the communication to server 2 reveals that no password is sent to server 2.

Expected Results:
Authenticating against OpenLDAP with referrals should work.

Additional Information:
Set up two OpenLDAP servers. Both allow anonymous binding and normal binding (no SASL, no TLS). No BindDN for any server.
Server 1: dc=example,dc=de
Server 2: dc=testsystem,dc=de
Add a referral at ou=external,dc=example,dc=de pointing to server 2.
Set up ldap.conf to query both DNs:
# server 1
nss_base_passwd ou=People,dc=example,dc=de?one?objectclass=userAccount)(&(host=host.example.de)(userAccess=*)
nss_base_shadow ou=People,dc=example,dc=de?one?objectclass=userAccount
# server 2 over referral
nss_base_passwd ou=external,dc=example,dc=de?one
nss_base_shadow ou=external,dc=example,dc=de?one
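The traces above are simple BindRequests, so the [0] authentication field carries the password in cleartext and a capture tells you exactly which server received the credential. The decoder below for tcpdump -X output is an added example, not code from the bug report or from pam_ldap; the dump it parses is a constructed sample in the report's format, reusing the reporter's DN and the test password from the traces.

```python
import re

# Matches one line of "tcpdump -X" output: an offset, the hex groups, optional ASCII column.
_DUMP_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})")

# Constructed sample in the same format as the traces above (not a real capture):
# LDAPMessage { messageID 1, BindRequest { version 3, name, simple [0] } }
# using the reporter's DN and the test password that appears in the traces.
SAMPLE_DUMP = """
0x0000:  303c 0201 0160 3702 0103 041f 7569 643d  0<...`7......uid=
0x0010:  3132 3334 3536 372c 6463 3d74 6573 7473  1234567,dc=tests
0x0020:  7973 7465 6d2c 6463 3d64 6580 1154 4553  ystem,dc=de..TES
0x0030:  5454 4553 5431 3233 3435 3637 3839       TTEST123456789
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble the hex column of a tcpdump -X dump into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def _tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(msg: bytes) -> dict:
    """Decode an LDAP BindRequest that uses simple authentication (RFC 4511)."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msgid, pos = _tlv(body, 0)            # messageID INTEGER
    tag, req, _ = _tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest ([APPLICATION 0])")
    _, version, pos = _tlv(req, 0)           # version INTEGER
    _, name, pos = _tlv(req, pos)            # name LDAPDN (OCTET STRING)
    tag, cred, _ = _tlv(req, pos)
    if tag != 0x80:                          # simple [0] OCTET STRING
        raise ValueError("bind does not use simple authentication")
    return {"message_id": int.from_bytes(msgid, "big"), "version": version[0],
            "bind_dn": name.decode(), "password": cred.decode()}

if __name__ == "__main__":
    info = parse_simple_bind(hexdump_to_bytes(SAMPLE_DUMP))
    print(f"bind as {info['bind_dn']} with a {len(info['password'])}-byte cleartext password")
```

Run it against the trace of each server's connection: a BindRequest on the server 1 trace naming a DN under dc=testsystem,dc=de is the misdirected credential the report describes.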
Which version(s) is this about?
(In reply to comment #1)
> Which version(s) is this about?

Oh, sorry. I've encountered that problem with 1.83 but also tried 1.84.
This seems to be known to upstream, please comment on their bug (in the URL), and see if you can work it out with them.
(In reply to comment #3)
> This seems to be known to upstream, please comment on their bug (in the URL),
> and see if you can work it out with them.

I've submitted it as a new bug because if you get so far as to change your password, your authentication should have worked ;)
Any news?
Upstream Bugzilla seems to have gone, and there have been no new upstream releases for years now. I do see a changelog entry for 185 that might fix the issue: https://github.com/PADL/pam_ldap/blob/master/ChangeLog#L13
Please retry with 186-r1 then, as it should include that fix.