LinuxQuestions.org
Old 11-17-2008, 01:10 PM   #1
martinhb
LQ Newbie
 
Registered: Nov 2008
Posts: 5

Rep: Reputation: 0
Suppressing incorrect login messages


I am running Red Hat Enterprise Linux 4 using OpenLDAP 2.3 for authentication. As part of a security audit we have been asked to suppress any incorrect login information. Our system boots up to a command line login prompt, and if an incorrect username is entered then an error message to that effect is displayed, and if an incorrect password is entered then a message stating that the password is incorrect is displayed. I am not even sure where I should be looking to solve this. I have tried the OpenLDAP documentation and PAM documentation with no luck. What I am trying to achieve is for the system to report "login incorrect" whether the username or password is incorrect.

Thanks Martin
 
Old 11-17-2008, 03:27 PM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 88
This does not come from LDAP! I'm not sure where it is set up in RHEL, but it's within the individual machine.
 
Old 11-17-2008, 08:36 PM   #3
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,126
Blog Entries: 2

Rep: Reputation: 124
Is it coming from the login program itself? If you get the source for it, that message is in passwd.c and the "Login incorrect" one is in login.c; otherwise it is probably from PAM getting passed back, so probably still suppressible in login (take a look at the PAM_FAIL_CHECK macro).
 
Old 11-18-2008, 02:56 AM   #4
martinhb
LQ Newbie
 
Registered: Nov 2008
Posts: 5

Original Poster
Rep: Reputation: 0
I have an old system that also runs RHEL 4 but is using OpenLDAP 2.2 and the only error messages at the login prompt are "Login incorrect". On the system with OpenLDAP 2.3 running, the error messages are as follows:

Incorrect username -

login (pam_unix)[4531]: check pass; user unknown
Login incorrect

Incorrect password -

login: pam_ldap: error trying to bind as user "uid=test, ou=People, dc=example, dc=co.uk" (invalid credentials)
Login incorrect

In the OpenLDAP config files I have tried to play with the ppolicy_use_lockout value in my slapd.conf by having it in and by removing it with no difference to the error messages. That is the only variable that appears to have anything to do with error messages in OpenLDAP. I still suspect my problem is somewhere in PAM but cannot find anything documented.

Martin
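
An added example, not part of any post in this thread: a Python check for the audit requirement from post #1, that an unknown username and a wrong password produce the same output at the prompt. The captures are constructed from the message text quoted in post #4, and the function names are hypothetical; it also reports which PAM module is named in each distinguishing line.

```python
import re

# Constructed console captures, built from the message text quoted in post #4.
UNKNOWN_USER = (
    "login (pam_unix)[4531]: check pass; user unknown\n"
    "Login incorrect\n"
)
BAD_PASSWORD = (
    'login: pam_ldap: error trying to bind as user '
    '"uid=test, ou=People, dc=example, dc=co.uk" (invalid credentials)\n'
    "Login incorrect\n"
)
# What the older system in post #4 shows for either failure.
UNIFORM = "Login incorrect\n"


def normalize(capture):
    """Drop blank lines and mask PIDs, which differ per attempt but reveal nothing."""
    lines = []
    for line in capture.splitlines():
        line = line.strip()
        if line:
            lines.append(re.sub(r"\[\d+\]", "[PID]", line))
    return lines


def pam_module(line):
    """Name the PAM module mentioned in a line, or None if there is none."""
    match = re.search(r"\bpam_[a-z0-9_]+", line)
    return match.group(0) if match else None


def distinguishing_lines(unknown_user, bad_password):
    """Return (case, module, line) for every line seen in only one capture."""
    a, b = normalize(unknown_user), normalize(bad_password)
    found = [("unknown user", pam_module(l), l) for l in a if l not in b]
    found += [("bad password", pam_module(l), l) for l in b if l not in a]
    return found


def is_uniform(unknown_user, bad_password):
    """True when both failures produce identical output at the prompt."""
    return not distinguishing_lines(unknown_user, bad_password)


if __name__ == "__main__":
    for case, module, line in distinguishing_lines(UNKNOWN_USER, BAD_PASSWORD):
        print(f"{case}: {module or 'unknown source'}: {line}")
    print("uniform:", is_uniform(UNKNOWN_USER, BAD_PASSWORD))
```

Re-running the check on fresh captures after each PAM or logging change shows whether the two failure cases have become indistinguishable.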
 
  

