Linux – libpam_ldapd – pam_ldap(sshd:account): ‘Could not identify user’


I'm attempting to test the install procedure for libpam_ldapd on an Ubuntu/Debian virtual machine.

I have the nscd / nslcd services off, and I'm watching the output from nslcd -d and /var/log/auth.log.

The filters / maps I've set up in nslcd.conf are working correctly. I'm only using LDAP for passwords, meaning I only want to check the passwords for accounts that already exist on the system, so I'm only using:

shadow: files ldap    (in /etc/nsswitch.conf)

The output from nslcd -d says the bind is working fine, but the auth log is stating:

sshd[]: pam_ldap(sshd:auth): username changed from rovangju to RovangJu
sshd[]: pam_unix(sshd:account): could not identify user (from getpwnam(RovangJu))
sshd[]: Failed password for rovangju from port 44245 ssh2

The console that's attempting the SSH login does not receive any errors:

rovangju@vbox-u64:~$ ssh 0
rovangju@0's password: [enter correct password]
Connection closed by

It's apparent that the bind is using the cn/uid from the LDAP entry, which is a username with capital letters; however, Unix usernames are all lowercase. Does anyone know how to work around this?

The closest thing I've found for this problem is here:

Thanks in advance!

Another kicker: for some reason, I can trick the module by doing this:

rovangju@vbox-u64:~$ ssh 0
rovangju@0's password: [enter WRONG password]
Permission denied, please try again
rovangju@0's password: [enter CORRECT password]
[and bingo, I'm in]

Best Answer

In order to circumvent the issue of the username from LDAP (with the upper-case letters) being used, I commented out a block from the source code:

nss-pam-ldapd-0.x.x/nslcd/pam.c: L120-125

/* check if the username is different and update it if needed */
/*if (strcmp(username,value)!=0)
  log_log(LOG_INFO,"username changed from \"%s\" to \"%s\"",username,value);
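The mismatch described in the question (pam_ldap hands pam_unix the directory's "RovangJu" while getpwnam() only knows "rovangju") and the effect of the answer's workaround, modelled as an added stand-alone C example. This is not code from nss-pam-ldapd or from either poster: the directory entries and local accounts are constructed sample data, and ldap_lookup, local_getpwnam, account_phase_rewrite, account_phase_strict and name_seen_by_pam_unix are names chosen for this example. The "strict" variant is an assumption about what a safer check could look like, not what nslcd does.

```c
/* Added example, not code from nss-pam-ldapd or from the poster: a stand-alone
 * model of the PAM account phase described above, with constructed data. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed directory entries: the uid attribute value of each LDAP entry.
 * The uid attribute uses the caseIgnoreMatch rule, so the lookup ignores case. */
static const char *ldap_uids[] = { "RovangJu", "Alice", NULL };

/* Constructed local accounts, as /etc/passwd would hold them (case-sensitive).
 * "alice" and "Alice" are deliberately two distinct local users. */
static const char *local_users[] = { "rovangju", "alice", "Alice", NULL };

/* ASCII case-insensitive string equality (avoids relying on strcasecmp). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Model of the nslcd search for the user: returns the uid value as stored in
 * the directory, or NULL when no entry matches (ignoring case). */
static const char *ldap_lookup(const char *username)
{
    for (int i = 0; ldap_uids[i]; i++)
        if (eq_nocase(ldap_uids[i], username))
            return ldap_uids[i];
    return NULL;
}

/* Model of getpwnam() against files: exact, case-sensitive match. */
static int local_getpwnam(const char *username)
{
    for (int i = 0; local_users[i]; i++)
        if (strcmp(local_users[i], username) == 0)
            return 1;
    return 0;
}

/* Number of local accounts equal to username when case is ignored. */
static int local_case_variants(const char *username)
{
    int n = 0;
    for (int i = 0; local_users[i]; i++)
        if (eq_nocase(local_users[i], username))
            n++;
    return n;
}

/* Behaviour in the question's log: pam_ldap replaces the typed name with the
 * directory's uid value when they differ, then pam_unix calls getpwnam() on
 * the replaced name. Writes the name pam_unix would see into seen[] and
 * returns 1 if the account phase passes, 0 for "could not identify user". */
int account_phase_rewrite(const char *typed, char *seen, size_t seen_len)
{
    const char *value = ldap_lookup(typed);
    if (!value)
        return 0;
    snprintf(seen, seen_len, "%s", strcmp(typed, value) != 0 ? value : typed);
    return local_getpwnam(seen);
}

/* Convenience wrapper: the name pam_unix ends up checking for a typed name
 * (static buffer, not thread-safe; "" when there is no directory entry). */
const char *name_seen_by_pam_unix(const char *typed)
{
    static char seen[64];
    seen[0] = '\0';
    account_phase_rewrite(typed, seen, sizeof seen);
    return seen;
}

/* Stricter alternative (an assumption of this example, not nslcd's code):
 * keep the typed name, require the directory value to match it ignoring case,
 * require the typed name to exist locally, and refuse when more than one
 * local account collapses onto that single directory entry. */
int account_phase_strict(const char *typed)
{
    const char *value = ldap_lookup(typed);
    if (!value || !eq_nocase(typed, value))
        return 0;
    if (!local_getpwnam(typed))
        return 0;
    return local_case_variants(typed) == 1;
}

int main(void)
{
    const char *names[] = { "rovangju", "RovangJu", "alice", "Alice" };
    for (int i = 0; i < 4; i++) {
        char seen[64] = "";
        int ok = account_phase_rewrite(names[i], seen, sizeof seen);
        printf("%-9s rewrite: pam_unix sees %-9s pass=%d   strict: pass=%d\n",
               names[i], seen, ok, account_phase_strict(names[i]));
    }
    return 0;
}
```

Removing the rewrite, as the answer does, lets the typed lowercase name reach pam_unix, which is what the poster wants for local accounts that merely borrow their password from LDAP. The check worth keeping in mind is the one the "alice"/"Alice" rows show: the directory match is case-insensitive while local accounts are not, so two different local users can share one LDAP entry and the rewrite silently picks whichever spelling the directory stores. The strict variant refuses that ambiguity instead of guessing.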