boxyzzy 04-08-2008 02:43 PM

LDAP login failure
RHEL Server 5.1 - SELinux permissive

I've implemented LDAP authentication via our campus LDAP directory:
uri ldap://

The problem that I am experiencing is that some, not all, userid logins fail, as shown below.

... sshd[24881]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= user=user1
... sshd[24881]: Failed password for user1 from 123.456.78.10 port 2726 ssh2
... sshd[25029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= user=user2
... sshd[25029]: Accepted password for user2 from 123.456.78.10 port 2891 ssh2
... sshd[25029]: pam_unix(sshd:session): session opened for user user2 by (uid=0)

In all cases:
1) "ldapsearch" commands are successful, even those requiring a password.
2) The failing userids can login to another computer in another department utilizing the exact same LDAP methodology.

So, the problem is unique to my system.

I am clueless. I don't know where to begin to diagnose this problem where only some logins fail.

I need help and guidance from your collective wealth of expertise.



boxyzzy 04-09-2008 05:13 PM

Phew! I "beat it into submission" ;)

LDAP was not the problem.

I discovered that the UID for each failing userid was less than 500.

/etc/pam.d/system-auth-ac introduced by authconfig-5.3.12-2.el5 implements this control. Changing /etc/pam.d/system-auth-ac to lower the value to, in my case, 100 corrects the login problem.

Now, I wonder, what are the ramifications of having/allowing general-purpose users with UIDs less than the distributed convention of 500?
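To make the gate described in the post concrete, here is an added example (not code from the thread or from authconfig) that pulls the `pam_succeed_if.so uid >= N` threshold out of a system-auth-ac style stack, predicts which users would never reach pam_ldap, and rewrites the threshold the way the fix above does. The PAM stack is a constructed sample modelled on the auth section authconfig writes on RHEL 5 (pam_unix, then a requisite pam_succeed_if uid gate, then pam_ldap); the user list and uids are constructed and hypothetical, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses the requisite
# pam_succeed_if uid gate in a system-auth-ac style auth stack and reports
# which directory users would be refused before pam_ldap is ever consulted.

# Constructed sample of the auth section authconfig generates on RHEL 5.
# A failing pam_unix is "sufficient" (falls through), but the requisite
# pam_succeed_if line denies any uid below the threshold before pam_ldap.
SAMPLE_PAM_AUTH='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'

# Constructed name:uid list in the style of "getent passwd" output
# (hypothetical accounts, not real users).
SAMPLE_USERS='user1:150
user2:1234
user3:42
user4:500'

# pam_min_uid CONFIG -> prints N from "auth requisite pam_succeed_if.so uid >= N"
# (prints nothing if the stack has no such gate).
pam_min_uid() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $2 == "requisite" && $3 == "pam_succeed_if.so" {
            for (i = 4; i < NF; i++)
                if ($i == "uid" && $(i+1) == ">=") { print $(i+2); exit }
        }'
}

# ldap_reachable UID CONFIG -> exit 0 if pam_ldap would be consulted for UID
ldap_reachable() {
    min=$(pam_min_uid "$2")
    [ -z "$min" ] && return 0      # no gate at all: pam_ldap is always reached
    [ "$1" -ge "$min" ]
}

# blocked_users USERS CONFIG -> prints the names whose uid fails the gate
blocked_users() {
    min=$(pam_min_uid "$2")
    [ -n "$min" ] || return 0
    printf '%s\n' "$1" | while IFS=: read -r name uid; do
        if [ "$uid" -lt "$min" ]; then printf '%s\n' "$name"; fi
    done
}

# pam_set_min_uid CONFIG N -> prints CONFIG with the gate lowered/raised to N
# (the same edit the post describes making by hand to system-auth-ac).
pam_set_min_uid() {
    printf '%s\n' "$1" |
        sed "s/\(pam_succeed_if\.so[[:space:]]*uid[[:space:]]*>=[[:space:]]*\)[0-9][0-9]*/\1$2/"
}

# Usage demo: who is refused with the stock gate, and after lowering it to 100.
echo "blocked at uid < $(pam_min_uid "$SAMPLE_PAM_AUTH"):"
blocked_users "$SAMPLE_USERS" "$SAMPLE_PAM_AUTH"
LOWERED=$(pam_set_min_uid "$SAMPLE_PAM_AUTH" 100)
echo "blocked at uid < $(pam_min_uid "$LOWERED"):"
blocked_users "$SAMPLE_USERS" "$LOWERED"
```

Run against a real box, replace the constructed strings with `cat /etc/pam.d/system-auth-ac` and `getent passwd` output; the users this prints are exactly the ones whose sshd log will show a pam_unix failure with no pam_ldap attempt behind it. On the caveat side: the 0-499 range is what RHEL's /etc/login.defs (UID_MIN 500) reserves for local system accounts, and the gate exists so that a network directory is never asked to authenticate those accounts. Lowering the gate instead of renumbering the directory users means an LDAP uid that happens to equal a local daemon's uid shares that daemon's file ownership and process identity on this host, so it is worth checking the blocked list against `/etc/passwd` for collisions before picking a new threshold.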

