[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap authentication

Bobby Cheema wrote:

Hi all Gurus

I want to do authentication against ldap. my ldap appeared to be set properly i.e from client i can run ldapsearch with -Y gssapi and it works fine. when i do getent passwd i do get responce from ldap.but when i do ssh to the server (enbled in pam) i get the following message in my logs

Feb 13 16:06:21 medusa05 sshd(pam_unix)[29603]: check pass; user unknown
Feb 13 16:06:21 medusa05 sshd[29603]: PAM-listfile: getgrgid(8509) failed
Feb 13 16:06:21 medusa05 sshd[29603]: pam_krb5afs: authentication succeeds for `pche066'
Feb 13 16:06:21 medusa05 sshd[29603]: pam_krb5afs: Got 130 extra bytes in v4 TGT

It seems your sshd is using pam_krb5afs instead of pam_ldap. Or is this on purpose ?

can anybody hep me in rectifying this problem ? secondly in my ldap database i have following entry

 # pche066, People, cs.auckland.ac.nz
dn: uid=pche066,ou=People,dc=cs,dc=auckland,dc=ac,dc=nz
description: created by ldapa - `me mi my mo, me mo my me'
cn: pche066
objectClass: posixAccount
objectClass: account
objectClass: top
loginShell: /bin/bash
userPassword:: e2tlcmJlcm9zfXBjaGUwNjZARUMuQVVDS0xBTkQuQUMuTlo=
uid: pche066
homeDirectory: /afs/ec.auckland.ac.nz/users/p/c/pche066/unixhome
gecos: pche066
uidNumber: 22091
gidNumber: 8509

well, do i have to change userPassword to make it read as userPassword: {KERBEROS}pche066@EC.AUCKLAND.AC.NZ

to make ssh work

If you want to authenticate against a KDC why use LDAP in between ? use
the GSSAPI patches fot openssh (assuming that's what you're using).