[Date Prev][Date Next] [Chronological] [Thread] [Top]

Authentication failure logs with LDAP

To: openldap-software@OpenLDAP.org
Subject: Authentication failure logs with LDAP
From: "Rickard, Matthew" <mjr5@mail3.cs.state.ny.us>
Date: Tue, 17 Jun 2003 08:31:42 -0400

I'm setting up a RedHat machine using OpenLDAP to authenticate with a
Solaris Iplanet LDAP server.  I've used authconfig to set up the initial
configuration, and I'm able to successfully login to the system with LDAP
users.  The problem is that each time I log in with an LDAP user, I'm
getting some log errors about an authentication failure.  From the logs, it
look like it is checking the local passwd file first and complaining when it
can't find the appropriate user, then going to LDAP to authenticate
successfully.  This is the behavior I want, but I just don't want the
authentication failure notices in the logs if the user is successfully found
in LDAP. The relevant portion of the auth.log is shown below (hostnames and
ip addresses have been removed):

Jun 16 08:32:06 logger sshd(pam_unix)[7003]: check pass; user unknown
Jun 16 08:32:06 logger sshd(pam_unix)[7003]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=hostname.hidden
Jun 16 08:32:06 logger sshd[7003]: Accepted password for mjr5 from
xxx.xxx.xxx.xxx port 1050 ssh2
Jun 16 08:32:06 logger sshd(pam_unix)[7005]: session opened for user mjr5 by
(uid=4100)


For those not familiar with the changes RedHat's authconfig utility makes,
the relevant portion of /etc/nsswitch.conf is:
passwd:     files ldap
shadow:     files ldap
group:      files ldap


And /etc/pam.d/system-auth contains:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore] /lib/security/ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
md5
shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so


If you have any ideas on how to get rid of these warnings, please let me
know.  Thanks.

Prev by Date: Re: bind using username instead of dn
Next by Date: Re: bind using username instead of dn
Index(es):
- Chronological
- Thread