Is this a client or is this the LDAP server? Also, which LDAP server do
you employ?
Thanks,
--
Joshua M. Miller - RHCE,VCP
Craig White wrote:
My main server, I upgraded from RHEL 3 to RHEL 5 and I imported my LDAP
DSA to the upgraded server which is the main server for our network
including the LDAP master.
I want to use both local authentication and LDAP authentication as I
normally do but I am really struggling here.
in /etc/nsswitch:
passwd: files ldap
shadow: files ldap
group: files ldap
which is normal,
and the 'getent passwd' command will return all my users & groups from
both /etc/passwd|group and LDAP, and users can log in to various services
from either LDAP or /etc/passwd.
# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Mon May 14 11:24:12 2007 from xxx
[EMAIL PROTECTED] ~]# exit
that works well (root from /etc/passwd)
# ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
-sh-3.1$
that works well (craig is in LDAP not /etc/passwd)
But if I try to restart services whose user is in /etc/passwd, such as
restarting LDAP, BIND (named), etc., the system hangs and hopefully times
out, and it even prevents it from booting up unless I shut off LDAP
authentication on startup and set it after startup.
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
HELP!
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list