LDAP login failure
RHEL Server 5.1 - SELinux permissive
I've implemented LDAP authentication via our campus LDAP directory:

uri ldap://authn.directory.doodah.edu

The problem that I am experiencing is that some, not all, userid logins fail, as shown below.

Failed:
... sshd[24881]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc19.dept.doodah.edu user=user1
... sshd[24881]: Failed password for user1 from 123.456.78.10 port 2726 ssh2

Worked:
... sshd[25029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc19.dept.doodah.edu user=user2
... sshd[25029]: Accepted password for user2 from 123.456.78.10 port 2891 ssh2
... sshd[25029]: pam_unix(sshd:session): session opened for user user2 by (uid=0)

In all cases:
1) "ldapsearch" commands are successful, even those requiring a password.
2) The failing userids can log in to another computer in another department utilizing the exact same LDAP methodology.

So, the problem is unique to my system. I am clueless. I don't know where to begin to diagnose this problem where only some logins fail. I need help and guidance from your collective wealth of expertise.

Thanks,
Mike
Phew! I "beat it into submission" ;)

LDAP was not the problem. I discovered that the UID for each failing userid was less than 500. /etc/pam.d/system-auth-ac, introduced by authconfig-5.3.12-2.el5, implements this control. Changing /etc/pam.d/system-auth-ac to lower the value to, in my case, 100 corrects the login problem.

Now, I wonder, what are the ramifications of having/allowing general-purpose users with UIDs less than the distributed convention of 500?
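The control the second post refers to is the pam_succeed_if line that authconfig writes into the auth stack of system-auth-ac when LDAP is enabled: it is marked "requisite", so any user whose UID is below the threshold is refused before pam_ldap is ever consulted, and the only trace in the log is the pam_unix failure that appears for LDAP users whether or not the login succeeds. The script below is an added example, not code from the thread or from authconfig. The PAM stack and the passwd entries it works on are constructed samples embedded in the script (the PAM lines follow the stock authconfig 5.3.x layout; compare them with your own /etc/pam.d/system-auth-ac, and the users and UIDs are fictional); it extracts the threshold from the stack and lists which users would be blocked with the stock value and with the value lowered to 100 as the poster did.

```shell
#!/bin/sh
# Added example (not from the thread): find the "uid >= N" gate in a RHEL 5
# system-auth-ac auth stack and list the users it refuses before pam_ldap runs.

# Constructed sample: stock authconfig auth stack with LDAP enabled. The
# pam_succeed_if line is 'requisite', so a failing match ends the stack with a
# denial instead of falling through to pam_ldap. (Assumption: matches what
# authconfig 5.3.x writes; check your own file.)
SAMPLE_PAM='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so'

# The same stack with the threshold lowered to 100, as the poster did.
FIXED_PAM=$(printf '%s\n' "$SAMPLE_PAM" | sed 's/uid >= 500/uid >= 100/')

# Constructed sample: passwd-style lines as "getent passwd" returns them.
# Users and UIDs are fictional; user1 stands in for the poster's failing logins.
SAMPLE_PASSWD='user1:x:450:450:User One:/home/user1:/bin/bash
user2:x:1203:1203:User Two:/home/user2:/bin/bash
svcacct:x:99:99:Service Account:/var/empty:/sbin/nologin'

# pam_uid_threshold PAMTEXT
#   Print N from the first "auth ... pam_succeed_if.so uid >= N" line, or
#   nothing if the stack has no such gate.
pam_uid_threshold() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $3 == "pam_succeed_if.so" {
            for (i = 4; i <= NF; i++)
                if ($i == "uid" && $(i + 1) == ">=") { print $(i + 2); exit }
        }'
}

# ldap_blocked PAMTEXT PASSWDTEXT
#   Print the login names whose UID falls below the gate, one per line.
#   These are the accounts for which pam_ldap is never reached.
ldap_blocked() {
    thr=$(pam_uid_threshold "$1")
    [ -n "$thr" ] || return 0
    printf '%s\n' "$2" | awk -F: -v t="$thr" '$3 < t { print $1 }'
}

echo "stock threshold: $(pam_uid_threshold "$SAMPLE_PAM")"
echo "refused before pam_ldap with the stock stack:"
ldap_blocked "$SAMPLE_PAM" "$SAMPLE_PASSWD"
echo "refused before pam_ldap with the threshold lowered to 100:"
ldap_blocked "$FIXED_PAM" "$SAMPLE_PASSWD"
```

On a live system, feed the script the real files with `ldap_blocked "$(cat /etc/pam.d/system-auth-ac)" "$(getent passwd)"`. The ramification of lowering the gate is that the accounts it was protecting lose that protection: the line exists so that local system accounts (root, daemon users) are never authenticated against the directory, and once the threshold drops to 100 a directory entry carrying a UID between 100 and 499 can satisfy pam_ldap for an account name that also exists locally in that range. If the directory issues UIDs below 500, the safer fix is to keep the gate and have those users' UIDs moved, or to gate on something other than UID that still excludes the local system accounts.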