> Since you're using nss_ldap, if you use pam_unix it will find a password
> entry for all of your users -- but it will fail to authenticate users that
> are in LDAP, since AFAIK nss_ldap won't return the password field.

I'm confused. You're saying pam_unix will find passwords, but won't
authenticate? Should I be using pam_unix instead of pam_pwdb? I think
I did that yesterday and I couldn't login at the console at all.

> How do you have the PAM modules stacked in your /etc/pam.d/login file?

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_pwdb.so use_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    sufficient   /lib/security/pam_ldap.so
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so

Kelli

-----Original Message-----
From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
Behalf Of Steve Langasek
Sent: Thursday, September 14, 2000 10:00 AM
To: pam-list@redhat.com
Subject: RE: Telnet and PAM

On Thu, 14 Sep 2000, Kelli Wolfe wrote:

> I've got some more information/weirdness on my Telnet problem.
> If I sit at the console, I can login with an LDAP only account
> that has a clear text password. I cannot login with an LDAP
> account that has an encrypted password. I also cannot login
> with an account that is in both the LDAP and the passwd files.
> I cannot telnet with any of the above accounts. I can ssh with
> all of the accounts.

How do you have the PAM modules stacked in your /etc/pam.d/login file?
Since you're using nss_ldap, if you use pam_unix it will find a password
entry for all of your users -- but it will fail to authenticate users that
are in LDAP, since AFAIK nss_ldap won't return the password field.

> It seems like I'm having a couple of problems with 'login'.
> I am running RedHat 6.2, so from what I understand, telnet is
> actually running login. Login doesn't seem to be recognizing
> the {crypt} attribute on the password. And something is
> causing remote telnet logins to immediately log back out.
> Before I started adding LDAP to the authentication, telnet
> worked just fine.

Login should have no knowledge of the {crypt} attribute: this should all be
handled inside pam_ldap. If pam_ldap handles this correctly for ssh, I don't
understand why it wouldn't handle it correctly for login.

Steve Langasek
postmodern programmer

> -----Original Message-----
> From: pam-list-admin@redhat.com [mailto:pam-list-admin@redhat.com]On
> Behalf Of Ben Collins
> Sent: Wednesday, September 13, 2000 12:30 PM
> To: pam-list@redhat.com
> Subject: Re: Telnet and PAM
>
>
> On Wed, Sep 13, 2000 at 09:04:10AM -0500, Kelli Wolfe wrote:
> > Hello,
> >
> > I've seen in the archives where people are using Telnet
> > and PAM together, how? I have OpenSSH authenticating
> > against OpenLDAP with nss_ldap and pam_ldap, but every
> > time I try to telnet to the machine I get the error:
> > Connection closed by foreign host. It appears in the
> > LDAP logs to authenticate properly, but then it just
> > dies.
>
> Sounds like something is getting a segv. Could be login (do console logins
> work?), or one of the *-ldap modules, or even PAM itself.
>
> --
>  -----------=======-=-======-=========-----------=====------------=-=----- -
> /  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
> `  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
>  `---=========------=======-------------=-=-----=-===-======-------=--=---'

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
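
How the `required` and `sufficient` control flags combine for the /etc/pam.d/login stack quoted in this thread, as an added example that is not part of the original messages. The per-module pass/fail results in each scenario are constructed inputs, and the evaluator models only the required/requisite/sufficient/optional keywords.

```python
# Added example: models Linux-PAM control flags over the stack quoted in this thread.
LOGIN_PAM = """\
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_pwdb.so use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_pwdb.so
"""

def parse_stack(text, mtype):
    """Return [(control, module, args)] for one management group (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == mtype:
            module = fields[2].rsplit("/", 1)[-1]
            if module.endswith(".so"):
                module = module[:-3]
            stack.append((fields[1], module, fields[3:]))
    return stack

def evaluate(stack, results):
    """results maps module -> True (success) / False (failure); constructed by the caller.
    Returns (granted, modules_run)."""
    required_failed, any_success, ran = False, False, []
    for control, module, _args in stack:
        ok = results[module]
        ran.append(module)
        if control in ("required", "requisite"):
            if ok:
                any_success = True
            else:
                required_failed = True       # stack will fail, but keeps running
                if control == "requisite":
                    return False, ran        # requisite failure stops immediately
        elif control == "sufficient":
            if ok and not required_failed:
                return True, ran             # short-circuit: later modules never run
        elif control != "optional":
            raise ValueError("unsupported control: " + control)
    return (not required_failed and any_success), ran

if __name__ == "__main__":
    auth = parse_stack(LOGIN_PAM, "auth")
    base = {"pam_securetty": True, "pam_nologin": True}
    for label, ldap, pwdb in [("ldap ok", True, False), ("both fail", False, False),
                              ("local only", False, True)]:
        print(label, evaluate(auth, dict(base, pam_ldap=ldap, pam_pwdb=pwdb)))
```

When pam_ldap succeeds, pam_pwdb is never consulted; when it fails, the outcome rests entirely on whether pam_pwdb can verify the same password (use_first_pass) against a local entry.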