I'm a bit stumped on this, but a few things you could do to humor
me/double check.
check for duplicate username/group names. both in the system files and
in ldap.
i've run into some dumbness with nscd recently (duplicate group names)
which caused all sorts of badness preventing logins. try stopping the
nscd daemon and trying to log in again
also make sure that nscd dosn't start before your ldap daemon
my pam ssh file looks more like
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so shadow use_first_pass
auth required pam_deny.so
my nsswitch file gives precidence to files over ldap.
the users you are trying to log in as have good ldap info i hope? home
directory, shell, uid, gid, all that good stuff? that maybe confusing
login to.
other than that i may have to throw in the towel (and i don't know if
there's an easy way to test pam modules)
g'luck
patrick
Matt Dunford wrote:
On Thu, Jun 23, 2005 at 12:43:09PM -0400, Patrick Flaherty wrote:
I've had it working for several months.
Can you log in via a console?
if so does your pam.d/ssh file use commonauth?
if not does your commonauth file use pam_ldap?
Hi Patrick,
Thank you for your reply. Yes, I include common-auth in pam.d/ssh.
Here are the two entries in the file:
auth sufficient pam_ldap.so debug
auth required pam_unix.so nullok_secure try_first_pass
(This works on debian's 386 port, fyi)
I've also found out that it also authenticates and then hanges when
doing things like `su - username` or `login username`. It looks like
the pam session just hangs. You can even see the user logged when
using `w`!
So I've still got this hunch that there's something up w/ pam, not
necessarily pam-ldap. Do you know of a way to test each pam module
individually?
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
