OpenSSH public key problem with Solaris 10 and LDAP users?

Peter Stuge stuge-openssh-unix-dev at
Wed Aug 15 02:33:38 EST 2007

On Tue, Aug 14, 2007 at 03:43:04PM +0200, Alexander Skwar wrote:
> Yep. Public Key auth is certainly auth without a password :) But
> why don't I get this message, when I login with a good user?

Again - something is different for those users, somewhere.

> >> | ==> ./remote/winds06/local4/debug <==
> >> | Aug 14 14:22:12 winds06 slapd[24115]: [ID 925615 local4.debug] <=
> >> | bdb_equality_candidates: (memberUid) index_param failed (18) Aug 14
> >> | 14:22:12 winds06 slapd[24115]: [ID 925615 local4.debug] <=
> >> | bdb_equality_candidates: (uid) index_param failed (18)
> > 
> > Or this.
> That's just about a missing index. Important if you're interested
> in performance.
> And I also get this for good users.

Ok, so that can be ruled out.

> >> Anyway. Still looks like PAM / LDAP issue.
> > 
> > Yes, it is.
> With a strange coincidence with SSH.

OpenSSH introduces a lot of third-party PAM code to a system so it's
not all that strange.

> > Something is different in the LDAP data stored for the users,
> > probably because of how they were created.

> I copied the new user, using the data from a working user.

So that's one way.

> I also tried to create a new user "from scratch".

That's two.

Possibly the working users were created in bulk (three) or just using
different versions of some software (four). Creating new users the
exact same way as the working users were created should still
succeed though. If you get that far, you get to reverse engineer what
is actually going on to find the difference.

> Having a look at the LDIF exports, I cannot see any differences.

But this is not the whole truth. There's a lot of software involved
in writing and reading that data, some of it may implement a policy
according to something else than the data in the LDIF export.

> Anyway. Probably really a LDAP thing.

Can you test if these users are allowed through when someone else
than OpenSSH uses PAM to do passwordless logins? Any server is good.

If that works, then there's probably a problem in OpenSSH with how
PAM is worked on the system. I recall there being a PAM test harness
which mimics what OpenSSH does - but I don't remember if it's
included in the distribution or available separately?

My guess is that the problem is with writing to LDAP, rather than
reading from it.


More information about the openssh-unix-dev mailing list