I have OpenLDAP and a Debian 8 server. I want to set up LDAP authentication. I installed ldap-utils, libnss-ldapd and libpam-ldapd and configured them.
# getent passwd user.name
user.name:x:1537:3174:User Name:/home/user.name:/bin/bash
# getent shadow user.name
user.name:*:15140:0:99999:7:::0
When I log in I get this error:
Sep 19 17:49:49 LDAPClient login[475]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=name.user
Sep 19 17:49:49 LDAPClient login[475]: pam_ldap(login:auth): Authentication failure; user=name.user
Sep 19 17:49:53 LDAPClient login[475]: FAILED LOGIN (1) on '/dev/tty1' FOR 'name.user', Authentication failure
I also set up SSH, but I get the same error:
Sep 19 17:46:37 LDAPClient sshd[807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.60.92 user=name.user
Sep 19 17:46:37 LDAPClient sshd[807]: pam_ldap(sshd:auth): Authentication failure; user=name.user
Sep 19 17:46:39 LDAPClient sshd[807]: Failed password for name.user from 192.168.60.92 port 63122 ssh2
Sep 19 17:46:43 LDAPClient sshd[807]: pam_ldap(sshd:auth): Authentication failure; user=name.user
Sep 19 17:46:45 LDAPClient sshd[807]: Failed password for name.user from 192.168.60.92 port 63122 ssh2
How do I fix it? I have no idea :(
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
The problem was in the ACL:
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
by peername.ip="192.168.250.78" read
by peername.ip="xx.xx.xx.xx" read
by peername.ip="192.168.250.204" read
by dn="cn=replica,dc=example,dc=com" read
by group.exact="cn=Directory Administrators,dc=example,dc=com" manage
by dn.subtree="ou=Special Users,dc=example,dc=com" read
by dn.subtree="ou=Special Users,dc=example,dc=com" read
!!!by * none
olcAccess: {5}to *
by peername.ip="xx.xx.xx.xx" read
by peername.ip="192.168.250.204" read
by group.exact="cn=Directory Administrators,dc=example,dc=com" manage
by dn="cn=admin,dc=example,dc=com" write
by dn="cn=replica,dc=example,dc=com" read
by dn.subtree="ou=Special Users,dc=example,dc=com" read
!!!by * none
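As an added example (not code from the question or the answer), the following Python script models how slapd evaluates the two olcAccess rules pasted above: the first `to` clause whose target matches the entry decides, and inside it the first matching `by` clause decides; anything unmatched gets no access. A simple bind is performed while the client is still anonymous, so slapd needs at least `auth` access to the entry's userPassword for the connecting peer, which the trailing `by * none` denies to any client whose address is not in the peername.ip list. The bind DN, the client address 192.168.60.10 and the rules `{0}`, `{1}`, `{3}` and `{4}` (not shown in the question) are assumptions; the hypothetical fix is the userPassword rule pattern from slapd.access(5), placed ahead of the subtree rule.

```python
"""Simplified model of OpenLDAP olcAccess evaluation (constructed example).

Only the two rules pasted in the question ({2} and {5}) are modelled; the
rules in between were not shown and are assumed not to cover userPassword.
"""

# slapd's access levels, weakest to strongest; a granted level satisfies
# any requirement at or below it.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

PEOPLE = "ou=People,dc=example,dc=com"
ADMINS = "cn=Directory Administrators,dc=example,dc=com"
SPECIAL = "ou=Special Users,dc=example,dc=com"


def level_ge(granted, needed):
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(needed)


def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def target_matches(target, entry_dn, attr):
    # target is a dict with optional "subtree" (dn.subtree=) and "attrs" (attrs=).
    if "subtree" in target and not in_subtree(entry_dn, target["subtree"]):
        return False
    if "attrs" in target and attr not in target["attrs"]:
        return False
    return True


def who_matches(who, req, entry_dn):
    # req: {"bind_dn": str or None (anonymous), "peer_ip": str, "groups": set}
    kind, value = who if isinstance(who, tuple) else (who, None)
    bind_dn = req["bind_dn"]
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if kind == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if kind == "dn":
        return bind_dn is not None and bind_dn.lower() == value.lower()
    if kind == "dn.subtree":
        return bind_dn is not None and in_subtree(bind_dn, value)
    if kind == "peername.ip":
        return req["peer_ip"] == value
    if kind == "group.exact":
        return value.lower() in {g.lower() for g in req.get("groups", ())}
    raise ValueError(f"unsupported 'by' clause: {who!r}")


def evaluate(acl, req, entry_dn, attr):
    """First matching 'to' clause decides; within it the first matching 'by'
    clause decides; an unmatched request gets 'none' (slapd's implicit default)."""
    for target, by_clauses in acl:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, req, entry_dn):
                return level
        return "none"
    return "none"


def simple_bind_allowed(acl, user_dn, peer_ip):
    # During a simple bind the connection is still anonymous; slapd must hold
    # 'auth' on the entry's userPassword to check the supplied credential.
    req = {"bind_dn": None, "peer_ip": peer_ip}
    return level_ge(evaluate(acl, req, user_dn, "userPassword"), "auth")


# The question's olcAccess {2} and {5}, transcribed as data (the "!!!" markers
# in the question flag the final "by * none" clauses).
ORIGINAL_ACL = [
    ({"subtree": PEOPLE}, [
        (("peername.ip", "192.168.250.78"), "read"),
        (("peername.ip", "xx.xx.xx.xx"), "read"),
        (("peername.ip", "192.168.250.204"), "read"),
        (("dn", "cn=replica,dc=example,dc=com"), "read"),
        (("group.exact", ADMINS), "manage"),
        (("dn.subtree", SPECIAL), "read"),
        ("*", "none"),
    ]),
    ({}, [  # olcAccess {5}: to *
        (("peername.ip", "xx.xx.xx.xx"), "read"),
        (("peername.ip", "192.168.250.204"), "read"),
        (("group.exact", ADMINS), "manage"),
        (("dn", "cn=admin,dc=example,dc=com"), "write"),
        (("dn", "cn=replica,dc=example,dc=com"), "read"),
        (("dn.subtree", SPECIAL), "read"),
        ("*", "none"),
    ]),
]

# Hypothetical fix: a userPassword-specific rule ahead of the subtree rule, in
# the shape recommended by slapd.access(5): self may change it, anonymous may
# only authenticate against it, nobody else sees it.
FIXED_ACL = [
    ({"subtree": PEOPLE, "attrs": {"userPassword"}}, [
        ("self", "write"),
        ("anonymous", "auth"),
        ("*", "none"),
    ]),
] + ORIGINAL_ACL

USER_DN = "uid=user.name," + PEOPLE   # assumed entry DN for the user
CLIENT_IP = "192.168.60.10"           # constructed address of LDAPClient

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for ip in (CLIENT_IP, "192.168.250.78"):
            print(f"{label:8s} peer={ip:16s} bind allowed: {simple_bind_allowed(acl, USER_DN, ip)}")
```

With the original rules the bind only succeeds from the addresses listed under peername.ip; from any other client the anonymous bind stage hits `by * none` and pam_ldap logs exactly the "Authentication failure" seen in the question. The fixed rule set grants anonymous `auth` on userPassword and nothing more, so a client that can bind still cannot read or enumerate password hashes.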
Best Answer
If you check your shadow, you have not set a password for your account.
user.name:*:15140:0:99999:7:::0
----*
means no password. The system does not allow login with no password.
Try to create a password for your account and retry the login.