There are many pages describing using LDAP for authentication, but none of them are quite like my setup.
I had this working before (RHEL 4.4) but I've been wanting to upgrade the box to Arch for a while. Yesterday, the drive died so now's my chance to upgrade the OS.
Anyway, the setup that I had working was pretty nice:
Users all have accounts in the corp LDAP server (over which I have no control)
I would manually add usernames to /etc/passwd (but not /etc/shadow) and create home dirs
At login, sshd would use pam which would use ldap to verify passwords
It all worked great, I never had to manage user passwords, they were always verified against ldap.
Unfortunately, the pam config I used in RHEL4 has since been deprecated (cf. pam_stack.so) so I'm now looking for help to get a current pam version configured.
Most guides (e.g. http://wiki.archlinux.org/index.php/HOW … entication ) are for setups where all the account info is in LDAP. That's not my situation, and since I don't control the LDAP server (or its contents) I can't go that route. Instead, I need to use LDAP only for password verification.
My /etc/pam.d/sshd is currently:
#%PAM-1.0
auth required pam_securetty.so #Disable remote root
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_time.so
password required pam_unix.so
session required pam_unix_session.so
session required pam_limits.so
and that's not quite working.
When I try to login via ssh, I find the following logged in /var/log/auth.log:
Sep 21 04:22:47 archbox sshd[23183]: Failed password for amigo from 10.188.49.49 port 57260 ssh2
Yet when I run tcpdump and review the traffic going to the ldap server, I see the auth request sent and I see the reply from the ldap server that says "resultCode: success".
Any pointers for configuring pam and/or getting more detailed logging are greatly appreciated.
--
The Amigo