RE: problems with ldap and ssh
Here's an answer that I finally found after having that same trouble as
Rolandas Juodzbalis in his post on this list way back on Mon, 9 Jul 2001
10:11:12 +0300 (EEST). I've spent several hours searching Google,
RedHat, OpenLDAP, and OpenSSH for an answer but only found posts with
similar questions and no answers.
In a nutshell:
I'm running RedHat 9 using OpenLDAP 2.0.27 and PAM 0.75 for the
client. The LDAP server is running OpenBSD 3.4 and OpenLDAP 2.0.27.
After configuring the client to use LDAP authentication by running
RedHat's `authconfig`, the client's SSH daemon would _only_ successfully
authenticate via LDAP those users who also happened to be in the /etc/passwd
file. For users that were not known locally, the client was asking the
LDAP server for a uid=NOUSER and getting a negative response. Other
mechanisms using PAM authentication such as "su - someuser" worked okay,
but when using SSH the client was not asking for the correct user from
the LDAP server.
It has turned out to be an SSH configuration issue where sshd has trouble
using PAM with a default setting in the "/etc/ssh/sshd_config" file.
By setting the parameter "PAMAuthenticationViaKbdInt" to "yes",
sshd can now communicate with PAM well enough to ask the LDAP server for
the correct account. The sshd_config man page says that doing this
bypasses the SSH "PasswordAuthentication" setting, but that default is
"yes" anyway, so in my case I didn't create a security problem.
Hopefully this information can help save someone else a little time.
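As an added example (not part of the post above, and not code from OpenSSH or RedHat), the script below reads an sshd_config file and reports the values that are actually in effect for the two keywords the post discusses, applying sshd's own parsing rules: keywords are case-insensitive, lines starting with '#' are comments, and the first occurrence of a keyword wins. The defaults it falls back on are the documented OpenSSH 3.x ones for the version RedHat 9 shipped (PAMAuthenticationViaKbdInt no, PasswordAuthentication yes); the three config files are constructed samples, not a real host's files. It also flags the caveat from the man page the post quotes: with PAMAuthenticationViaKbdInt set to yes, a "PasswordAuthentication no" line is bypassed. Note that later OpenSSH releases dropped the PAMAuthenticationViaKbdInt keyword in favour of UsePAM and ChallengeResponseAuthentication, so this check only applies to 3.x-era daemons.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH. Parses an
# sshd_config the way sshd does: '#' lines are comments, keywords are
# case-insensitive, and the FIRST occurrence of a keyword is the one used.
set -e

# effective_setting FILE KEYWORD DEFAULT -> prints the value in effect
effective_setting() {
    _val=$(awk -v key="$2" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF < 2 { next }
        !done && tolower($1) == key { print $2; done = 1 }' "$1")
    printf '%s\n' "${_val:-$3}"
}

# kbdint_status FILE -> one-word verdict on the situation described in the post
#   pam-ok        PAMAuthenticationViaKbdInt yes: sshd goes through PAM, so LDAP
#                 is asked about the real user
#   pam-bypassed  keyword absent/commented (OpenSSH 3.x default is "no"):
#                 LDAP-only users fail while users in /etc/passwd still work
kbdint_status() {
    case "$(effective_setting "$1" PAMAuthenticationViaKbdInt no | tr 'A-Z' 'a-z')" in
        yes) echo pam-ok ;;
        *)   echo pam-bypassed ;;
    esac
}

# password_policy_warning FILE -> the man-page caveat the post mentions:
# with PAMAuthenticationViaKbdInt yes, "PasswordAuthentication no" is bypassed
password_policy_warning() {
    kbd=$(effective_setting "$1" PAMAuthenticationViaKbdInt no | tr 'A-Z' 'a-z')
    pw=$(effective_setting "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    if [ "$kbd" = yes ] && [ "$pw" = no ]; then
        echo "WARNING: PasswordAuthentication no is ineffective while PAMAuthenticationViaKbdInt is yes"
    else
        echo "consistent"
    fi
}

# --- constructed sample configs (not taken from any real host) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BEFORE_CFG=$WORK/sshd_config.before   # stock-style file, option left commented out
AFTER_CFG=$WORK/sshd_config.after     # the fix from the post applied
STRICT_CFG=$WORK/sshd_config.strict   # fix applied on a host that tried to forbid passwords

cat > "$BEFORE_CFG" <<'EOF'
# sshd_config (constructed sample)
Port 22
Protocol 2
#PAMAuthenticationViaKbdInt no
PasswordAuthentication yes
EOF

cat > "$AFTER_CFG" <<'EOF'
Port 22
Protocol 2
pamauthenticationviakbdint Yes
PasswordAuthentication yes
EOF

cat > "$STRICT_CFG" <<'EOF'
Port 22
PAMAuthenticationViaKbdInt yes
# the second PasswordAuthentication line below is ignored: the first one wins
PasswordAuthentication no
PasswordAuthentication yes
EOF

for f in "$BEFORE_CFG" "$AFTER_CFG" "$STRICT_CFG"; do
    printf '%s: %s; %s\n' "$(basename "$f")" "$(kbdint_status "$f")" "$(password_policy_warning "$f")"
done
```

Run it against a real file with `kbdint_status /etc/ssh/sshd_config` after sourcing the functions; the "strict" sample shows why the man page's warning matters: an administrator who believes passwords are disabled still has them accepted through PAM's keyboard-interactive path.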