LinuxQuestions.org

Red Hat forum: LDAP login failure (http://www.linuxquestions.org/questions/red-hat-31/ldap-login-failure-633982/)

boxyzzy 04-08-2008 01:43 PM

LDAP login failure
 
RHEL Server 5.1 - SELinux permissive

I've implemented LDAP authentication via our campus LDAP directory:
uri ldap://authn.directory.doodah.edu

The problem that I am experiencing is that some, not all, userid logins fail, as shown below.

Failed:
... sshd[24881]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc19.dept.doodah.edu user=user1
... sshd[24881]: Failed password for user1 from 123.456.78.10 port 2726 ssh2
Worked:
... sshd[25029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc19.dept.doodah.edu user=user2
... sshd[25029]: Accepted password for user2 from 123.456.78.10 port 2891 ssh2
... sshd[25029]: pam_unix(sshd:session): session opened for user user2 by (uid=0)

In all cases:
1) "ldapsearch" commands are successful, even those requiring a password.
2) The failing userids can login to another computer in another department utilizing the exact same LDAP methodology.

So, the problem is unique to my system.

I am clueless. I don't know where to begin to diagnose this problem where only some logins fail.

I need help and guidance from your collective wealth of expertise.

Thanks,

Mike
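The two log excerpts above contain the same pam_unix "authentication failure" line in both the failing and the working case, which makes the pam_unix line easy to misread as the fault. On a pam_ldap-backed stack, pam_unix is tried first and rejects every directory-only user; what distinguishes the two attempts is sshd's own "Accepted password" / "Failed password" verdict for the same PID. The script below is an added example (not code from the post): it groups the quoted lines by sshd PID and reports the final verdict per attempt. It assumes the standard sshd/pam_unix message formats shown above and embeds the post's own five lines, without their elided timestamp/host prefix.

```python
"""Triage helper for sshd/PAM auth logs (added example, not from the post).

pam_unix logs an "authentication failure" for every user it cannot verify
locally, even when a later module (pam_ldap) then accepts the password.
The reliable discriminator is sshd's "Accepted password"/"Failed password"
line carrying the same PID.
"""
import re
from collections import defaultdict

# The five lines quoted in the post, with the elided "..." prefix left out.
SAMPLE_LOG = """\
sshd[24881]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc19.dept.doodah.edu user=user1
sshd[24881]: Failed password for user1 from 123.456.78.10 port 2726 ssh2
sshd[25029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc19.dept.doodah.edu user=user2
sshd[25029]: Accepted password for user2 from 123.456.78.10 port 2891 ssh2
sshd[25029]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_FAIL_RE = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*\buser=(?P<user>\S+)")
OUTCOME_RE = re.compile(r"(?P<outcome>Accepted|Failed) password for (?P<user>\S+) from (?P<rhost>\S+)")


def summarize(log_text):
    """Group lines by sshd PID; record whether pam_unix rejected the password
    and what sshd finally decided for that attempt."""
    attempts = defaultdict(lambda: {"user": None, "pam_unix_failed": False,
                                    "outcome": None, "rhost": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = attempts[m.group("pid")]
        msg = m.group("msg")
        f = PAM_FAIL_RE.search(msg)
        o = OUTCOME_RE.search(msg)
        if f:
            rec["pam_unix_failed"] = True
            rec["user"] = rec["user"] or f.group("user")
        elif o:
            rec["outcome"] = o.group("outcome").lower()
            rec["user"] = o.group("user")
            rec["rhost"] = o.group("rhost")
    return dict(attempts)


def real_failures(attempts):
    """PIDs whose login actually failed: no module in the stack accepted it."""
    return sorted(pid for pid, r in attempts.items() if r["outcome"] == "failed")


def pam_unix_noise(attempts):
    """PIDs where pam_unix logged a failure but sshd accepted the login, i.e.
    a later module (pam_ldap here) authenticated the user. Expected for
    directory users; not evidence of a problem."""
    return sorted(pid for pid, r in attempts.items()
                  if r["pam_unix_failed"] and r["outcome"] == "accepted")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for pid, r in sorted(s.items()):
        print(pid, r["user"], "(pam_unix rejected)" if r["pam_unix_failed"] else "", "->", r["outcome"])
    print("real failures:", real_failures(s))
    print("pam_unix noise (accepted by a later module):", pam_unix_noise(s))
```

Run it against a real /var/log/secure by replacing SAMPLE_LOG with the file contents; the "real failures" list is the set of PIDs worth investigating, and for those the next question is which module after pam_unix refused the user.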

boxyzzy 04-09-2008 04:13 PM

Phew! I "beat it into submission" ;)

LDAP was not the problem.

I discovered that the UID for each failing userid was less than 500.

/etc/pam.d/system-auth-ac introduced by authconfig-5.3.12-2.el5 implements this control. Changing /etc/pam.d/system-auth-ac to lower the value to, in my case, 100 corrects the login problem.

Now, I wonder, what are the ramifications of having/allowing general-purpose users with UIDs less than the distributed convention of 500?
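As an added illustration of the mechanism described in this post (not code from the thread), the script below models the auth section of the authconfig-generated RHEL 5 system-auth-ac stack, with the pam_succeed_if UID gate as a parameter, and evaluates a set of constructed, hypothetical accounts against it. It shows why a directory user with a UID below the threshold never reaches pam_ldap, why local accounts such as root are unaffected (pam_unix is sufficient and sits before the gate), and what lowering the threshold opens up: every directory entry whose UID falls into the newly allowed range, including one that collides with a local system UID. The account names, UIDs and passwords are made up for the example; the stack layout reproduced is the standard one authconfig writes when LDAP authentication is enabled.

```python
"""Model of the auth section of RHEL 5 /etc/pam.d/system-auth-ac as written
by authconfig with LDAP enabled (added example; accounts are constructed):

    auth required   pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite  pam_succeed_if.so uid >= 500 quiet
    auth sufficient pam_ldap.so use_first_pass
    auth required   pam_deny.so

The requisite pam_succeed_if line is the control the post refers to: a
user whose UID is below the threshold fails right there and pam_ldap is
never consulted.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    uid: int
    local_password: Optional[str]  # None: no usable /etc/shadow entry
    ldap_password: Optional[str]   # None: no entry in the directory


# Hypothetical sample accounts (not the poster's users).
ACCOUNTS = {
    "root":   Account(uid=0,    local_password="toor", ldap_password=None),
    "apache": Account(uid=48,   local_password=None,   ldap_password="www-pass"),  # system UID that also has a directory entry
    "user1":  Account(uid=450,  local_password=None,   ldap_password="s3cret"),    # directory user with a sub-500 UID
    "user2":  Account(uid=1001, local_password=None,   ldap_password="hunter2"),
}


def pam_stack(uid_min):
    """The auth stack as (control flag, (module, argument)) pairs; uid_min is
    the pam_succeed_if threshold (500 as shipped, 100 after the change above)."""
    return [
        ("required",   ("pam_env", None)),
        ("sufficient", ("pam_unix", None)),
        ("requisite",  ("pam_succeed_if", uid_min)),
        ("sufficient", ("pam_ldap", None)),
        ("required",   ("pam_deny", None)),
    ]


def run_module(module, arg, user, password):
    """Return the module's verdict for this user/password."""
    acct = ACCOUNTS.get(user)
    if module == "pam_env":
        return True
    if module == "pam_unix":
        return acct is not None and acct.local_password is not None and acct.local_password == password
    if module == "pam_succeed_if":  # configured as "uid >= arg"
        return acct is not None and acct.uid >= arg
    if module == "pam_ldap":
        return acct is not None and acct.ldap_password is not None and acct.ldap_password == password
    if module == "pam_deny":
        return False
    raise ValueError(module)


def authenticate(user, password, uid_min=500):
    """Walk the stack with simplified Linux-PAM control-flag semantics:
    a requisite failure ends the stack with failure; a sufficient success
    ends it with success unless an earlier required module failed;
    required failures are remembered and reported at the end."""
    required_failed = False
    for control, (module, arg) in pam_stack(uid_min):
        ok = run_module(module, arg, user, password)
        if control == "requisite" and not ok:
            return False
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "required" and not ok:
            required_failed = True
    return not required_failed


def directory_accounts_unlocked(old_min, new_min):
    """Directory-backed accounts the UID gate stops blocking when the
    threshold is lowered from old_min to new_min."""
    return sorted(name for name, a in ACCOUNTS.items()
                  if a.ldap_password is not None and new_min <= a.uid < old_min)


if __name__ == "__main__":
    for uid_min in (500, 100, 0):
        print(f"uid >= {uid_min}:",
              {u: authenticate(u, a.ldap_password or a.local_password, uid_min) for u, a in ACCOUNTS.items()})
    print("unlocked by 500 -> 100:", directory_accounts_unlocked(500, 100))
    print("unlocked by 500 -> 0:  ", directory_accounts_unlocked(500, 0))
```

The gate exists because RHEL 5 reserves UIDs below 500 for system accounts (UID_MIN in /etc/login.defs is 500 there), so the shipped stack refuses to let a network directory authenticate anything in that range. Lowering the threshold does not weaken anything for local accounts, but every directory entry in the opened range becomes a login, which is why the "apache" case above flips from refused to accepted once the gate drops to 0.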

