Yubico Forum

I did a quick search and didn't see any existing topics I could post this in.

I'm using the PAM module along with Radius and LDAP to authenticate users on a VPN. Radius is configured to use the Linux PAM system.

The Radius PAM entry is configured to use two factor authentication (unix_password + otp). This is done by using the yubico PAM to authenticate the OTP, then passing the remainder of the password to common-auth which checks with LDAP. The username/yubikeyid mapping is done with an authfile.

This all works just fine.

I ran into trouble when I tried to move the mapping into LDAP. Upon specifying the required parameters (ldapserver, ldapdn, user_attr, yubi_attr) the authentication failed and my log file contained the following:


The ldap_search_ext_s: No such object error indicates that it authenticated and performed a search just fine and came back with nothing. Upong inserting the same search criteria into a python script I wrote for testing, I received the same results.

I began to play around and noticed that if I used the following criteria, I was able to retrieve the necessary data:



I rewrote the authorize_user_token_ldap to reflect these changes and did not receive an error from ldap_search_ext_s. I was about to rewrite the code the parses that results when I realized this probably isn't the way to go.

Does anybody else have the mapping stored in LDAP working "out of the box"? Have I mis-configured LDAP somehow?


EDIT: I almost forgot. My very first attempt yielded a "Protocol Error" from ldap_simple_bind_s. I had to add the following lines to move past it:

Server Information that is typically requested:

1) OS: Ubuntu 9.10
2) Yubico PAM Version: 2.2
3) LDAP: 2.4.18
4) /etc/pam.d/RADIUSD


5) Installed my own validation server