LDAP login failure
RHEL Server 5.1 - SELinux permissive
I've implemented LDAP authentication via our campus LDAP directory:
The problem that I am experiencing is that some, not all, userid logins fail, as shown below.
... sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc19.dept.doodah.edu user=user1
... sshd: Failed password for user1 from 123.456.78.10 port 2726 ssh2
... sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc19.dept.doodah.edu user=user2
... sshd: Accepted password for user2 from 123.456.78.10 port 2891 ssh2
... sshd: pam_unix(sshd:session): session opened for user user2 by (uid=0)
In all cases:
1) "ldapsearch" commands are successful, even those requiring a password.
2) The failing userids can login to another computer in another department utilizing the exact same LDAP methodology.
So, the problem is unique to my system.
I am clueless. I don't know where to begin to diagnose this problem where only some logins fail.
I need help and guidance from your collective wealth of expertise.
Phew! I "beat it into submission" ;)
LDAP was not the problem.
I discovered that the UID for each failing userid was less than 500.
/etc/pam.d/system-auth-ac introduced by authconfig-5.3.12-2.el5 implements this control. Changing /etc/pam.d/system-auth-ac to lower the value to, in my case, 100 corrects the login problem.
Now, I wonder, what are the ramifications of having/allowing general-puurpose users with UIDs less than the distributed convention of 500?
|All times are GMT -5. The time now is 11:48 PM.|