I'm attempting to test the install procedure for libpam_ldapd on an Ubuntu/Debian Virtual machine.
I have the nscd / nslcd services off, and I'm watching the output from nslcd -d and /var/log/auth.log.
My filters / maps I've set up in nslcd.conf are working correctly. I'm only using ldap for passwords - meaning I only want to check the passwords for accounts that already exist on the system, thus I'm only using:
shadow files ldap
in /etc/nsswitch.conf
The output from nslcd -d says the bind is working fine, but the auth log is stating:
sshd[]: pam_ldap(sshd:auth): username changed from rovangju to RovangJu
sshd[]: pam_unix(sshd:account): could not identify user (from getpwnam(RovangJu))
sshd[]: Failed password for rovangju from 127.0.0.1 port 44245 ssh2
The console that's attempting the SSH login does not receive any errors:
rovangju@vbox-u64:~$ ssh 0
rovangju@0's password: [enter correct password]
Connection closed by 127.0.0.1
It's apparent that the bind is using the cn/uid from the ldap property, which is a username with capital letters; however, unix usernames are all lowercase. Does anyone know how to work around this?
The closest thing I've found for this problem is here: http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/445925-pam_ldap-username-case-sensitivity-opensuse-11-2-a.html
Thanks in advance!
Edit: Another kicker is this: For some reason, I can trick the module by doing this:
rovangju@vbox-u64:~$ ssh 0
rovangju@0's password: [enter WRONG password]
Permission denied, please try again
rovangju@0's password: [enter CORRECT password]
[and bingo, I'm in]
In order to circumvent the issue of the username from ldap being used (with the upper cases) - I commented out a block from the source code:
nss-pam-ldapd-0.x.x/nslcd/pam.c: L120-125
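
Added example (not part of the original post, and not code from nss-pam-ldapd): a small auth.log check that flags the condition shown above, where pam_ldap rewrites the typed username to a differently-cased LDAP name and the following pam_unix account lookup fails. The function name, the local_users parameter and the extra sample line are assumptions made for this illustration.

```python
import re

# Message formats taken from the auth.log lines quoted in the post.
CHANGED = re.compile(
    r"pam_ldap\((?P<svc>[^:]+):auth\): username changed from (?P<old>\S+) to (?P<new>\S+)")
UNKNOWN = re.compile(
    r"pam_unix\((?P<svc>[^:]+):account\): could not identify user "
    r"\(from getpwnam\((?P<name>[^)]+)\)\)")

def find_case_rewrites(lines, local_users):
    """Return one finding per pam_ldap rename that differs only by case.

    local_users: names present in the local passwd database. It is passed
    in (an assumption of this example) so the check runs offline.
    """
    findings = []
    pending = {}  # rewritten name -> finding awaiting a pam_unix failure
    for line in lines:
        m = CHANGED.search(line)
        if m:
            old, new = m["old"], m["new"]
            if old != new and old.lower() == new.lower():
                finding = {"service": m["svc"], "typed": old, "ldap": new,
                           "ldap_name_is_local": new in local_users,
                           "account_lookup_failed": False}
                findings.append(finding)
                pending[new] = finding
            continue
        m = UNKNOWN.search(line)
        if m and m["name"] in pending:
            # pam_unix was handed the rewritten name and could not resolve it.
            pending.pop(m["name"])["account_lookup_failed"] = True
    return findings

# Sample input: the three log lines from the post plus one constructed line.
SAMPLE = [
    "sshd[]: pam_ldap(sshd:auth): username changed from rovangju to RovangJu",
    "sshd[]: pam_unix(sshd:account): could not identify user (from getpwnam(RovangJu))",
    "sshd[]: Failed password for rovangju from 127.0.0.1 port 44245 ssh2",
    "sshd[]: Accepted password for root from 127.0.0.1 port 44250 ssh2",  # constructed
]

if __name__ == "__main__":
    for f in find_case_rewrites(SAMPLE, {"rovangju", "root"}):
        print(f)
```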