User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

O. Hartmann ohartman at
Sat Mar 19 20:16:04 UTC 2011

On 03/18/11 17:02, Dan Nelson wrote:
> In the last episode (Mar 18), O. Hartmann said:
>> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
>> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
>> UBUNTU 10.10 server (using openldap 2.4.23).
>> Most of the installation on the Ubuntu server has been successfully done
>> (I'm not familiar with Linux, but it seems that things like pam and ldap
>> are quite similar to FreeBSD's installation).
>>   From the Linux/Ubuntu server, I'm able to get all users and groups via
>> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
>> user is successfully.
>> But when it comes to a login via sshd, login fails with this error
>> (loged on Linux Ubuntu in /var/log/auth.log):
>> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from port 40734 ssh2
>> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
> "Confidentiality required" means that the server is refusing to authenticate
> over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
> pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
> "ssl on") and see if that works.

I managed it!

My FreeBSD OpenLDAP-server have had in it's config DIT (cn=config) the 
follwoing entries, which seems to confuse Linux (but not the FreeBSD 
clients, no matter why):

olcSecurity: simple_bind=256

After reducing this security strenth value down to

olcSecurity: simple_bind=128

everything works fine so far.

At the moment, I have no explanation for this. Either FreeBSD clients 
are always binding with a higher security strength level or ignoring this.



More information about the freebsd-questions mailing list