[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: problems with ldap and ssh

Here's an answer that I finally found after having that same trouble as Rolandas Juodzbalis in his post on this list way back on Mon, 9 Jul 2001 10:11:12 +0300 (EEST). I've spent several hours searching Google, RedHat, OpenLDAP, and OpenSSH for an answer but only found posts with similar questions and no answers.

In a nutshell:
I'm running RedHat 9 using OpenLDAP 2.0.27 and Pam 0.75 for the client. The LDAP server is running OpenBSD 3.4 and OpenLDAP 2.0.27. After configuring the client to use LDAP authentication by running RedHat's `authconfig`, the client's SSH daemon would _only_ successfully authenticate users via LDAP that also happened to be in the /etc/passwd file. For users that were not known locally, the client was asking the LDAP server for a uid=NOUSER and getting a negative response. Other mechanisms using PAM authentication such as "su - someuser" worked okay, but when using SSH the client was not asking for the correct user from the LDAP server.

It has turned out to be a SSH configuration issue where sshd has trouble using PAM with a default setting in the "/etc/ssh/sshd_config" file. By setting the parameter "PAMAuthenticationViaKbdInt" to "yes", the sshd can now communicate with PAM well enough to ask the LDAP server for the correct account. The sshd_config man page says that doing this bypasses the SSH "PasswordAuthentication" setting, but that default is "yes" anyway, so in my case I didn't create a security problem.

Hopefully this information can help save someone else a little time.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature