I gave a SHARE presentation about this very same topic. See 'Configuring LDAP on z/VM and Linux' at http://www.linuxvm.org/Present/index.html
I see a pam_login_attribute tag in the ldap.conf file that I used.

Dave Keeton wrote:

I am trying to get SLES 10 to authenticate users through RACF. I have read and tried the instructions in "Securing Linux for zSeries with a Central z/OS (RACF) LDAP Server", but without success. I am able to interactively use ldapsearch and get user information from RACF, but something is going on with the bind function and PAM. When attempting to bind using the information in /etc/ldap.conf, it's passing the credentials for the user logging in, instead of the user defined in the ldap.conf file. I am only attempting to use /etc/pam.d/sshd and nothing else at this point.

Here's what I can offer up for config files so far:

/etc/ldap.conf:

    host <ip address>
    port 9270
    base c=odot
    binddn racfid=BNDUSR,profiletype=USER,c=DOT
    bindpw <clear text password>
    ldap_version 3
    pam_login_attribute racfid

/etc/pam.d/sshd:

    #%PAM-1.0
    auth include common-auth
    auth required pam_nologin.so
    auth sufficient pam_ldap.so
    account include common-account
    account sufficient pam_ldap.so
    password include common-password
    password sufficient pam_ldap.so
    session include common-session
    # Enable the following line to get resmgr support for
    # ssh sessions (see /usr/share/doc/packages/resmgr/README)
    #session optional pam_resmgr.so fake_ttyname

When attempting to log in using SSH & password authentication, the following error appears in the /var/log/messages file:

    sshd[28103]: pam_ldap: error trying to bind as user "racfid=<userid>,profiletype=USER,c=DOT" (Invalid credentials)

The UserID following the racfid= is NOT the account authorized to bind to RACF, but the UserID logging in through SSH. Seems to me this is where the process is breaking - it should be the binddn that would "bind as user".

Thanks in advance,
Dave

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2009 - Orlando, FL - May 15-19, 2009
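
An added example, not part of the original messages: a small Python check that reads binddn and pam_login_attribute from an ldap.conf and reports, for each pam_ldap bind error in the log, which DN was rejected and whether it is the configured binddn. The host address, password, timestamps, host name and user IDs in the sample text are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample input, modelled on the files quoted in the thread.
LDAP_CONF = """\
host 192.0.2.10
port 9270
base c=odot
binddn racfid=BNDUSR,profiletype=USER,c=DOT
bindpw example-password
ldap_version 3
pam_login_attribute racfid
"""
MESSAGES = """\
Jan 12 10:01:02 lnx1 sshd[28103]: pam_ldap: error trying to bind as user "racfid=JDOE,profiletype=USER,c=DOT" (Invalid credentials)
Jan 12 10:05:40 lnx1 sshd[28110]: pam_ldap: error trying to bind as user "racfid=bndusr, profiletype=USER, c=DOT" (Invalid credentials)
Jan 12 10:06:00 lnx1 sshd[28111]: Accepted publickey for root from 192.0.2.20 port 4022 ssh2
"""
BIND_ERR = re.compile(
    r'\w+\[(\d+)\]: pam_ldap: error trying to bind as user "([^"\n]+)" \(([^)\n]*)\)')

def parse_ldap_conf(text):
    """Return {keyword: value} from 'keyword value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def normalize_dn(dn):
    """Case-fold and trim each RDN; enough for simple DNs without escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def bind_failures(log_text, conf):
    """List each rejected bind DN and how it relates to the ldap.conf settings."""
    binddn = normalize_dn(conf.get("binddn", ""))
    login_attr = conf.get("pam_login_attribute", "").lower()
    failures = []
    for pid, dn, reason in BIND_ERR.findall(log_text):
        attr, _, value = dn.split(",")[0].partition("=")
        failures.append({
            "pid": int(pid), "dn": dn, "reason": reason,
            "is_binddn": normalize_dn(dn) == binddn,
            # Login name, when the leading RDN uses pam_login_attribute.
            "login": value.strip() if attr.strip().lower() == login_attr else None,
        })
    return failures

if __name__ == "__main__":
    for f in bind_failures(MESSAGES, parse_ldap_conf(LDAP_CONF)):
        print(f["pid"], f["login"], "binddn" if f["is_binddn"] else "other DN", f["reason"])
```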
