I have full admin access to the AD '08 server I'm trying to authenticate towards.

The error code means invalid credentials, but I wish this was as simple as me typing in the wrong password.

First of all, I have a working Apache mod_ldap configuration against the same domain.

AuthType basic
AuthName "MYDOMAIN"
AuthBasicProvider ldap
AuthLDAPUrl "ldap://10.220.100.10/OU=Companies,MYCOMPANY,DC=southit,DC=inet?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN svc_webaccess_auth
AuthLDAPBindPassword mySvcWebAccessPassword
Require ldap-group CN=Service_WebAccess,OU=Groups,OU=MYCOMPANY,DC=southit,DC=inet

I'm showing this because it works without the use of any Kerberos, as so many other guides out there recommend for system authentication to AD.

Now I want to translate this into pam_ldap.conf for use with OpenSSH.

The /etc/pam.d/common-auth part is simple.

auth sufficient pam_ldap.so debug

This line is processed before any other.

I believe the real issue is configuring pam_ldap.conf.

host 10.220.100.10
base OU=Companies,MYCOMPANY,DC=southit,DC=inet
ldap_version 3
binddn svc_webaccess_auth
bindpw mySvcWebAccessPassword

scope sub
timelimit 30

pam_filter objectclass=User

nss_map_attribute uid sAMAccountName
pam_login_attribute sAMAccountName
pam_password ad

Now I've been monitoring ldap traffic on the AD host using wireshark. I've captured a successful session from Apache's mod_ldap and compared it to a failed session from pam_ldap.

The first bindrequest is a success using the svc_webaccess_auth account, the searchrequest is a success and returns a result of 1. The last bindrequest using my user is a failure and returns the above error code.

Everything looks identical except for this one line in the filter for the searchrequest, here showing mod_ldap.

Filter: (&(objectClass=user)(sAMAccountName=ivasta))

The second one is pam_ldap.

Filter: (&(&(objectclass=User)(objectclass=User))(sAMAccountName=ivasta))

My user is named ivasta. However, the searchrequest does not return failure, it does return 1 result. I've also tried this with ldapsearch on the cli.

It's the bindrequest that follows the searchrequest that fails with the above error code 52e.

Here is the failure message of the final bindrequest.

resultcode: invalidcredentials (49)
80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772

This should mean invalid password but I've tried with other users and with very simple passwords.

Does anyone recognize this from their own struggles with pam_ldap and AD?

Edit: Worth noting is that I've also tried pam_password crypt, and pam_filter sAMAccountName=User because this worked when using ldapsearch.

ldapsearch -LLL -h 10.220.100.10 -x -b "ou=Users,ou=mycompany,dc=southit,dc=inet" -v -s sub -D svc_webaccess_auth -W '(sAMAccountName=ivasta)'

This works using the svc_webaccess_auth account password. This account has scan access to that OU for use with apache's mod_ldap.