Latest LQ Deal: Linux Power User Bundle
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 07-25-2007, 09:51 AM   #1
LQ Newbie
Registered: Jul 2007
Distribution: ubuntu/red hat
Posts: 8

Rep: Reputation: 0
RHEL5 ldap/pam client issue

i have opendirectory (openldap) running on a macosx tiger server, with solaris 9 clients authenticating to it via LDAP, and i am trying to add a red hat enterprise linux box to the network and have it authenticate to the same LDAP server.

i have set up the GUI authentication screen and told it to use LDAP, set the IP address of my openLDAP server, but i am only able to log into the linux box using the local account i created when i set it up.

when i attempt to log in using my local account, the login is successful and i get the following log in /var/log/secure (ip address has been set to xxx for posting online, but is a real ip):

Accepted password for loki from port 65267 ssh2
when i try to use an account in the LDAP database i get the following in the same log:

Invalid user lokke from
input_userauth_request: invalid user lokke
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
pam_ldap: ldap_search_s No such object
Failed password for invalid user lokke from port 65284 ssh2
my /etc/pam.d/ssh file (i have been editing this and re-editing it based on many different guides i have found.)

auth       required     /lib/security/
auth       sufficient   /lib/security/ likeauth nullok
auth       sufficient   /lib/security/ use_first_pass
auth       required     /lib/security/

account    required     /lib/security/ broken_shadow
account    sufficient   /lib/security/ uid < 100 quiet
account    [default=bad success=ok user_unknown=ignore] /lib/security/
account    required     /lib/security/

password   requisite    /lib/security/ retry=3
password   sufficient   /lib/security/ nullok use_authtok md5 shadow
password   sufficient   /lib/security/ use_authtok
password   required     /lib/security/

session    optional     /lib/security/
session    required     /lib/security/ skel=/etc/skel/ umask=0022
/etc/pam.d/sshd (END)
this is the original /etc/pam.d/ssh file that was created by the gui tool (same problems)

auth       include      system-auth
account    required
account    include      system-auth
password   include      system-auth
session    optional force revoke
session    include      system-auth
session    required
my /etc/nsswitch.conf file:

# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Legal entries are:
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
it seems to me that PAM is failing to contact my ldap server, but i can't figure out what is going wrong here.

does anyone know what else i can try? or what errors i should be looking for?
Old 07-26-2007, 04:12 PM   #2
Registered: Mar 2007
Posts: 41

Rep: Reputation: 15
I was just doing something like this recently, trying to get CentOS 5 clients to LDAP-authenticate logins to an RHEL4 LDAP server.

It was a huge pain in the ass. =/

Yet somehow I got it working. There's probably a billion reasons why it's not working for you right now, but I can suggest a few pointers:

1. Are you sure it's connecting to your LDAP server? Post something relevant from the LDAP server log, perhaps.

2. Also check /etc/ldap.conf and /etc/openldap/ldap.conf files. Post them up.

3. Try it first without SSL/TLS, if your LDAP server will let you authenticate without them. Then you can worry about SSL/TLS later (which is an entirely new set of problems.)

4. Can you login as a local user when LDAP is unreachable? What happened to me was I had everything working, then sudddenly realized I couldn't login as the local root user when LDAP was down.
Old 07-27-2007, 08:52 AM   #3
LQ Newbie
Registered: Jul 2007
Distribution: ubuntu/red hat
Posts: 8

Original Poster
Rep: Reputation: 0
i just found the error.

the search base settings on the server were set wrong (set to the hostname of the old LDAP master (which is now the backup), so i had to change the setting on the linux box to match the setting on the server (short term solution, until i can correct the setting on the server on a weekend and fix all the client machines to match.) can't do that now, cause it works for the moment and people are working.

thanks for the advice, it got me checking the LDAP server logs and settings, which gave me the solution.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Help Me!!! ( Lotus Notes Client 8-beta3 on RHEL5 ) Sergey_RU_M Linux - Software 0 06-23-2007 08:47 AM
vsftpd using Ldap+pam authentication issue PhillipHuang Linux - Software 1 09-26-2006 10:43 PM
pam LDAP client auth with multi OU's paul_mat Linux - Networking 0 11-02-2005 04:40 PM
pam + ldap client paul_mat Linux - Networking 0 10-25-2005 10:55 PM
Samba, PAM and LDAP Linh Linux - Networking 0 05-09-2003 10:07 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:12 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration