Thank you very much for your reply. Could you please elaborate on which
attribute mappings exactly you are referring to? I have tried adding
these lines to my ldap.conf file, but without success:

nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User

Best regards,
Kenneth

On Tue, Jul 26, 2011 at 3:06 AM, <grove@xxxxxxxxxxx> wrote:
> On Mon, 25 Jul 2011, Kenneth Holter wrote:
>
> Are you mapping the shadowAccount attribute along with the userPassword
> attribute?
> You must map both if you use a shadow passwd entry like in RH or Solaris.
>
> rachel
>
>> Hi all,
>>
>> I posted this question on the RHEL 5 mailing list, but didn't get any
>> replies. Then I came across pam-list, and this may be a more
>> appropriate place to post this question. This is the case:
>>
>> I'm working on setting up our RHEL servers to authenticate against
>> Active Directory 2008. With my current setup, users can log in and
>> most everything looks good. But one issue I'm having is that when the
>> "User must change password at next logon" box in AD is checked, I'm
>> denied access to the Linux box.
>>
>> First, this is my setup:
>>
>> ###### /etc/ldap.conf ##########
>>
>> uri ldaps://ldap.example.com
>> base dc=example,dc=com
>>
>> nss_map_attribute uniqueMember msSFU30PosixMember
>> nss_map_attribute userPassword msSFU30Password
>>
>> pam_password_prohibit_message Your password could not be changed
>> pam_password ad
>> ssl on
>> tls_checkpeer no
>>
>> bind_timelimit 120
>> idle_timelimit 3600
>> bind_policy soft
>> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>>
>> binddn cn=serviceuser,ou=accounts,dc=example,dc=com
>> bindpw secret
>>
>> TLS_REQCERT allow
>>
>> ###### /etc/pam.d/system-auth ###########
>> #%PAM-1.0
>> # /etc/pam.d/system-auth
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>> account required pam_access.so accessfile=/etc/security/access.custom.conf
>>
>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_ldap.so
>> session required pam_mkhomedir.so skel=/etc/skel umask=077
>>
>>
>> ####### /etc/nsswitch.conf ####################
>> -- snip --
>> passwd: ldap compat
>> shadow: ldap compat
>> group: ldap compat
>> -- snip --
>>
>>
>> So when I issue for example "ssh kenneth@server" to log into my RHEL
>> server, this is what /var/log/secure tells me:
>>
>> ## output start ##
>> 2011-07-22T13:37:21.140807+02:00 server sshd[11172]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server.example.com user=kenneth
>> 2011-07-22T13:37:22.888911+02:00 server sshd[11172]: pam_ldap: error trying to bind as user "CN=kenneth,OU=Users,DC=example,DC=com" (Invalid credentials)
>> 2011-07-22T13:37:24.694597+02:00 server sshd[11172]: Failed password for kenneth from 1.2.3.4 port 45352 ssh2
>> ## output end ##
>>
>> I've tried to google this issue, but haven't come across any
>> information that has helped me resolve it. Does anyone here
>> know what may be causing it? Any help will be greatly appreciated.
>>
>>
>> Best regards,
>> Kenneth Holter
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>
> --
> Rachel Polanskis Kingswood, Greater Western Sydney, Australia
> grove@xxxxxxxxxxx http://www.zeta.org.au/~grove/grove.html
> "The perversity of the Universe tends towards a maximum." - Finagle's Law
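A diagnostic aid for the failure mode in this thread, added here as an example and not code from the thread or from pam_ldap. The pam_ldap log line above only reports the LDAP result code ("Invalid credentials", result 49), and Active Directory returns that same result for a wrong password, a locked-out account, and an account flagged "User must change password at next logon". The distinguishing information is in the server's diagnostic message, in the form "AcceptSecurityContext error, data <hex>"; the subcode table below is Microsoft's documented set. The sample diagnostic strings in SAMPLES are constructed for this example, and the DSID value in them is arbitrary.

```python
"""
Classify Active Directory simple-bind failures by their diagnostic subcode.

Added example, not code from the pam-list thread. AD answers every failed
simple bind with LDAP result 49 (invalidCredentials); pam_ldap logs only
that. The real reason is carried in the diagnostic message as
"AcceptSecurityContext error, data <hex>". The SAMPLES below are
constructed inputs for this example.
"""
import re
from typing import Dict, List, Tuple

# AcceptSecurityContext subcodes as documented by Microsoft (hex, as AD prints them).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password (change at next logon is set)",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

NO_SUBCODE = "no AcceptSecurityContext subcode in diagnostic message"


def classify_bind_failure(diagnostic: str) -> Tuple[str, str]:
    """Return (subcode, human-readable reason) for an AD bind diagnostic.

    A diagnostic without a subcode (e.g. only the bare "Invalid credentials"
    text that pam_ldap logs) yields ("", NO_SUBCODE), so the caller can tell
    "we do not know" apart from "wrong password". Subcodes are normalised to
    lower case because AD prints them as hex and case varies across tools.
    """
    m = _DATA_RE.search(diagnostic)
    if not m:
        return "", NO_SUBCODE
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, f"unknown subcode {code}")


def is_password_change_required(diagnostic: str) -> bool:
    """True when the bind failed only because a password change is pending."""
    return classify_bind_failure(diagnostic)[0] == "773"


def triage(records: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map each user to (subcode, reason) for a batch of (user, diagnostic) pairs."""
    return {user: classify_bind_failure(diag) for user, diag in records}


# Constructed sample diagnostics (the DSID value is arbitrary).
SAMPLES = [
    ("kenneth", "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"),
    ("alice",   "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"),
    ("bob",     "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1"),
    ("carol",   "Invalid credentials"),
]

if __name__ == "__main__":
    for user, (code, reason) in triage(SAMPLES).items():
        print(f"{user:8s} data={code or '-':4s} {reason}")
```

To obtain the diagnostic text from the server side of the thread's setup, bind as the affected user with the OpenLDAP client (for example `ldapsearch -x -H ldaps://ldap.example.com -D "CN=kenneth,OU=Users,DC=example,DC=com" -W -b "" -s base`): on failure it prints `ldap_bind: Invalid credentials (49)` followed by an `additional info:` line carrying the `data` subcode, which is what this classifier reads. A `773` there confirms the account is being refused for the pending password change rather than for a bad password or an attribute-mapping problem.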