On Fri, 10 Jul 2015, Angelo Pantano wrote:
> I still had it because I am in the middle of a PoC for a migration; the
> legacy setup used pam_ldap, and if I just remove it, not only does the error
> not go away, but in the secure logs you also see this new error:
>
> Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM unable to
> dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot
> open shared object file: No such file or directory
> Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM adding faulty module:
> /lib64/security/pam_ldap.so

You should just remove it from the PAM config files, not the
pam_ldap.so.

From what I see, you broke the default configuration, and the pam_ldap module
actually returns an error code that SSH interprets as a signal to deny
logon. You may, of course, spend time fighting this, but I don't really
see a benefit.

If you need to authenticate against, or get identities from, an older LDAP
server, just configure a second domain in sssd.conf and use 'id_provider=ldap'
there to point to your LDAP server.
--
/ Alexander Bokovoy
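The two-domain sssd.conf layout suggested above, written out as an added example (not a configuration from the thread or from the FreeIPA project). The host names, search base, CA path and domain names are placeholders; the first domain is the one ipa-client-install normally creates, the second is the hand-added legacy LDAP domain.

```ini
# /etc/sssd/sssd.conf  (must be mode 0600, owned by root, or sssd refuses to start)
[sssd]
config_file_version = 2
services = nss, pam
# Order matters: SSSD resolves unqualified names domain by domain in this order.
domains = ipa.example.com, legacy

# Domain created by ipa-client-install (values are placeholders)
[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa1.ipa.example.com
ipa_hostname = client1.ipa.example.com
cache_credentials = True

# Hand-added second domain pointing at the legacy LDAP server (hypothetical host)
[domain/legacy]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.legacy.example.com
ldap_search_base = dc=legacy,dc=example,dc=com
# Pin the legacy server's CA so passwords never cross the wire to an impostor.
ldap_tls_cacert = /etc/openldap/cacerts/legacy-ca.pem
ldap_tls_reqcert = demand
# Qualify names (user@legacy) so a uid that exists in both directories
# cannot silently shadow the IPA account of the same name.
use_fully_qualified_names = True
cache_credentials = True
```

With this in place the PAM stack only needs pam_sss.so; every remaining `pam_ldap.so` line in /etc/pam.d (on RHEL/CentOS typically system-auth and password-auth) should be deleted, for example with `authconfig --disableldap --disableldapauth --enablesssd --enablesssdauth --update`, rather than deleting the module file. A quick check that nothing still references the old module is `grep -r pam_ldap /etc/pam.d`, followed by `getent passwd someuser@legacy` and a test login once `sssd` has been restarted.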

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project