Re: openldap linux authentication problems.

[L Nehring <nehring@newparticles.com>]

Your problem is most likely SSH configuration.  I ran up against a 
similar problem after implementing LDAP.  After spending a couple days 
banging my head against the wall, I found some information that said 
there are issues with SSH and PAM.

By setting this line in my /etc/ssh/sshd_config, my ldap users can now 
authenticate without being listed in /etc/passwd:

PAMAuthenticationViaKbdInt yes

There is a warning comment in the sshd_config file about this setting, 
but in my case it does not affect my security model.
Give it a quick test and see if it works for you.

r,
Lance
http://www.newparticles.com/

John Tinpot wrote:

> I am experiencing this problem of authentication thru
> ldap, when ldap is on a machine on network and also
> when slapd is running locally on a RH 9.0.
>  I have followed steps in various openldap-linux
> authentication guides, and one of my machien actually
> authenticates me to the domain. The problem is with
> this particular machine.
>  I compiled and built openldap 2.1.25, configured
> it.. (attaching the slapd.conf) also downloaded
> pam_ldap and nss_ldap packages, and compiled them. 
>  The problem occurs when i do authconfig and shift to
> ldap for authentication. None of my users (me and
> other test users;) ) is able to authenticate, except
> when user is listed in /etc/passwd database. If the
> user exists only in ldap directory, he is able to bind
> to the directory. Then system times out and connection
> is closed and system gives another login prompt.
> If users are local (listed in /etc/passwd) then they
> get authenticated very easily.
> the slapd.conf follows.
> include		/usr/local/etc/openldap/schema/core.schema
> include		/usr/local/etc/openldap/schema/cosine.schema
> include		/usr/local/etc/openldap/schema/nis.schema
> include		/usr/local/etc/openldap/schema/misc.schema
> include	
> /usr/local/etc/openldap/schema/inetorgperson.schema
>
> loglevel	904
> pidfile		/usr/local/var/slapd.pid
> argsfile	/usr/local/var/slapd.args
> database	bdb
> suffix		"dc=lt,dc=com"
> rootdn		"cn=manager,dc=lt,dc=com"
> rootpw		secret
> directory	/usr/local/var/openldap-data
> index	objectClass	eq
>
> ###################
> my ldap.conf is as follows
> host 198.162.0.200
> base dc=lt,dc=com
> ldap_version 3
> binddn cn=proxyuser,dc=lt,dc=com
> bindpw proxy
> rootbinddn cn=manager,dc=lt,dc=com
> pam_filter objectclass=posixaccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_template_login_attribute uid
> pam_password md5
> nss_base_passwd		ou=People,dc=lt,dc=com?one
> nss_base_shadow		ou=People,dc=lt,dc=com?one
> nss_base_group		ou=Group,dc=lt,dc=com?one
> nss_base_hosts		ou=Hosts,dc=lt,dc=com?one
> nss_map_objectclass posixAccount User
>
> and system logs show these messages
> (/var/log/messages)
> -------------------------------------------------------
> Jan  3 16:23:32 LTPMS modprobe: modprobe: Can't locate
> module char-major-10-134
> Jan  3 16:25:15 LTPMS modprobe: modprobe: Can't locate
> module char-major-10-134
> (these messages appear everytime i try to
> authenticate on a tty or thru telnet. and even for
> local system users)
>
> If I try to ssh this machine with a user only existing
> in directory I get a message saying 
> Illegal user julia from 192.168.0.200
> _______________________________________________________
> Pl. note that with the same configuration, my other
> machien authenticates well. But this machine when I
> use as a client, it denies me any authentication.
>
> Any clues?? 
> PS: does anybody feel that this char-major-10-134 is
> somehow connected to AAA??? 
>
>
> __________________________________
> Do you Yahoo!?
> New Yahoo! Photos - easier uploading and sharing.
> http://photos.yahoo.com/
>