
RE: problems with ldap and ssh



Here's an answer that I finally found after having that same trouble as Rolandas Juodzbalis in his post on this list way back on Mon, 9 Jul 2001 10:11:12 +0300 (EEST). I've spent several hours searching Google, RedHat, OpenLDAP, and OpenSSH for an answer but only found posts with similar questions and no answers.

In a nutshell:
I'm running RedHat 9 using OpenLDAP 2.0.27 and PAM 0.75 for the client. The LDAP server is running OpenBSD 3.4 and OpenLDAP 2.0.27. After configuring the client to use LDAP authentication by running RedHat's `authconfig`, the client's SSH daemon would _only_ successfully authenticate users via LDAP that also happened to be in the /etc/passwd file. For users that were not known locally, the client was asking the LDAP server for a uid=NOUSER and getting a negative response. Other mechanisms using PAM authentication such as "su - someuser" worked okay, but when using SSH the client was not asking for the correct user from the LDAP server.


It has turned out to be an SSH configuration issue where sshd has trouble using PAM with a default setting in the "/etc/ssh/sshd_config" file. By setting the parameter "PAMAuthenticationViaKbdInt" to "yes", the sshd can now communicate with PAM well enough to ask the LDAP server for the correct account. The sshd_config man page says that doing this bypasses the SSH "PasswordAuthentication" setting, but that default is "yes" anyway, so in my case I didn't create a security problem.

Hopefully this information can help save someone else a little time.

Lance
http://www.newparticles.com/

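The fix above, and the caveat about "PasswordAuthentication" being bypassed, as an added audit script that is not part of Lance's post. It reads an sshd_config, resolves the two directives the way sshd does (first match wins, comments ignored, case-insensitive names), and classifies the file as the broken default, the working fix, or the case where "PasswordAuthentication no" is silently undone by "PAMAuthenticationViaKbdInt yes". The directive names are the OpenSSH 3.x ones used in the post (later releases replaced PAMAuthenticationViaKbdInt with UsePAM and ChallengeResponseAuthentication); the three sample configs are constructed for this example, and the default values assumed for absent directives are "no" for PAMAuthenticationViaKbdInt and "yes" for PasswordAuthentication, as documented in that era's sshd_config(5).

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# PAM keyboard-interactive setting and the PasswordAuthentication bypass.

# Effective value of a directive: first uncommented match wins, names are
# case-insensitive. Prints the supplied default when the directive is absent.
sshd_opt() {
    file=$1; key=$2; default=$3
    val=$(grep -i "^[[:space:]]*${key}[[:space:]]" "$file" 2>/dev/null \
          | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${val:-$default}"
}

# Classify one config file. Prints exactly one word:
#   kbdint-off  PAM keyboard-interactive disabled: sshd cannot drive the
#               pam_ldap stack, so LDAP-only users fail (the symptom above)
#   bypass      PasswordAuthentication is "no" but PAMAuthenticationViaKbdInt
#               is "yes": passwords still reach PAM, so the "no" is not enforced
#   ok          PAM keyboard-interactive on and password auth not claimed to
#               be disabled (the post's situation, default PasswordAuthentication)
audit_sshd() {
    file=$1
    kbd=$(sshd_opt "$file" PAMAuthenticationViaKbdInt no)   # assumed default: no
    pw=$(sshd_opt "$file" PasswordAuthentication yes)       # assumed default: yes
    if [ "$kbd" != "yes" ]; then
        echo kbdint-off
    elif [ "$pw" = "no" ]; then
        echo bypass
    else
        echo ok
    fi
}

# Constructed sample configs (not real files from any system).
tmp=$(mktemp -d)

CFG_BEFORE=$tmp/sshd_config.before
cat >"$CFG_BEFORE" <<'EOF'
# constructed: distribution-style default, PAM via kbd-int left off
Protocol 2
#PasswordAuthentication yes
PAMAuthenticationViaKbdInt no
EOF

CFG_FIXED=$tmp/sshd_config.fixed
cat >"$CFG_FIXED" <<'EOF'
# constructed: the change described in the post
Protocol 2
#PasswordAuthentication yes
pamauthenticationviakbdint yes
EOF

CFG_BYPASS=$tmp/sshd_config.bypass
cat >"$CFG_BYPASS" <<'EOF'
# constructed: admin believes passwords are disabled, but PAM still takes them
Protocol 2
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes
PAMAuthenticationViaKbdInt no
EOF

for f in "$CFG_BEFORE" "$CFG_FIXED" "$CFG_BYPASS"; do
    printf '%-28s %s\n' "$(basename "$f")" "$(audit_sshd "$f")"
done
```

The third sample deliberately repeats the directive: sshd honours the first occurrence, so the later "no" does not rescue it, and the audit reports it as a bypass. Running this against a real /etc/ssh/sshd_config is just `audit_sshd /etc/ssh/sshd_config`; a "bypass" result means password logins are still possible through PAM despite the config claiming otherwise.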