I have Open Directory (OpenLDAP) running on a Mac OS X Tiger server, with Solaris 9 clients authenticating to it via LDAP, and I am trying to add a Red Hat Enterprise Linux box to the network and have it authenticate to the same LDAP server.
I have set up the GUI authentication screen and told it to use LDAP, and set the IP address of my OpenLDAP server, but I am only able to log into the Linux box using the local account I created when I set it up.
When I attempt to log in using my local account, the login is successful and I get the following log in /var/log/secure (the IP address has been set to xxx for posting online, but is a real IP):
Code:
Accepted password for loki from xxx.xxx.xxx.163 port 65267 ssh2
When I try to use an account in the LDAP database I get the following in the same log:
Code:
Invalid user lokke from xxx.xxx.xxx.163
input_userauth_request: invalid user lokke
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=macosx-163.xxx.xxx.edu
pam_ldap: ldap_search_s No such object
Failed password for invalid user lokke from xxx.xxx.xxx.163 port 65284 ssh2
My /etc/pam.d/ssh file (I have been editing and re-editing this based on many different guides I have found):
Code:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so broken_shadow
account sufficient /lib/security/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so
account required /lib/security/pam_permit.so
password requisite /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session optional /lib/security/pam_ldap.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
This is the original /etc/pam.d/ssh file that was created by the GUI tool (same problems):
Code:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
My /etc/nsswitch.conf file:
Code:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
It seems to me that PAM is failing to contact my LDAP server, but I can't figure out what is going wrong here.
Does anyone know what else I can try, or what errors I should be looking for?
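An added example (editor's code, not from the poster) that triages the /var/log/secure lines quoted above: it separates accounts sshd could not resolve at all through NSS from plain authentication failures and flags the pam_ldap "No such object" reply. The sample log is constructed from the post with a placeholder address (192.0.2.163), and the MEANING strings are the editor's reading of the sshd and pam_ldap messages, not text from the post.

```python
import re

# Constructed sample: the lines quoted in the post, with the site address
# replaced by a documentation-range placeholder (192.0.2.163).
SAMPLE_SECURE_LOG = """\
Accepted password for loki from 192.0.2.163 port 65267 ssh2
Invalid user lokke from 192.0.2.163
pam_unix(sshd:auth): check pass; user unknown
pam_ldap: ldap_search_s No such object
Failed password for invalid user lokke from 192.0.2.163 port 65284 ssh2
"""

# Line shapes worth acting on. re.search tolerates a syslog prefix.
PATTERNS = [
    ("accepted", re.compile(r"Accepted \S+ for (\S+) from")),
    ("unresolved", re.compile(r"Invalid user (\S+) from")),
    ("failed", re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from")),
    ("base_dn", re.compile(r"pam_ldap: ldap_search_s No such object")),
]

# What each finding means for sshd + nss_ldap + pam_ldap (editor's reading).
MEANING = {
    "unresolved": "sshd logs 'Invalid user' when getpwnam() fails, i.e. NSS "
                  "(the 'ldap' source in nsswitch.conf) did not return the "
                  "account; PAM never authenticated a real user.",
    "base_dn": "'No such object' is LDAP result 32 (noSuchObject): the server "
               "answered, but the search base configured for pam_ldap/nss_ldap "
               "does not exist in its directory, so lookups return nothing.",
}

def triage(log_text):
    """Collect accepted, unresolved and failed user names plus LDAP base errors."""
    result = {"accepted": set(), "unresolved": set(), "failed": set(), "base_dn_error": False}
    for line in log_text.splitlines():
        for name, pat in PATTERNS:
            m = pat.search(line)
            if m is None:
                continue
            if name == "base_dn":
                result["base_dn_error"] = True
            else:
                result[name].add(m.group(1))
    return result

def diagnose(result):
    """Return the findings that point at a configuration problem."""
    notes = [MEANING["unresolved"]] if result["unresolved"] else []
    if result["base_dn_error"]:
        notes.append(MEANING["base_dn"])
    return notes
```

Run it over the real file with `triage(open("/var/log/secure").read())`; an "unresolved" user together with the base DN finding is a lookup problem to fix in /etc/ldap.conf and nsswitch.conf before touching the PAM stack.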