Here are my config files if this helps:

[root@blochee pam.d]# cat system-auth
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok md5 shadow use_authtok
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

[root@blochee /]# cat /etc/ldap.conf
base dc=ee,dc=ucr,dc=edu
uri ldaps://ldap.ee.ucr.edu/
ldap_version 3
scope sub
timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
nss_base_passwd ou=People,dc=ee,dc=ucr,dc=edu?one
nss_base_shadow ou=People,dc=ee,dc=ucr,dc=edu?one
nss_base_group ou=Group,dc=ee,dc=ucr,dc=edu?one
nss_base_netgroup ou=Netgroup,dc=ee,dc=ucr,dc=edu?one
ssl on
tls_cacertdir /etc/ssl/certs
tls_cacert /etc/ssl/certs/eeca.pem
tls_reqcert allow
[root@blochee /]#

[root@blochee /]# cat /etc/nsswitch.conf
#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap

# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts: files dns

# LDAP is nominally authoritative for the following maps.
services: files
networks: files
protocols: files
rpc: files
ethers: files

# no support for netmasks, bootparams, publickey yet.
netmasks: files
bootparams: files
publickey: files
automount: files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
aliases: files
sendmailvars: files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup: ldap
[root@blochee /]#

Thanks again.

----- Original Message -----
From: "Rigler, Steve" <SRigler@xxxxxxxxxxxxxxx>
To: "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Thursday, July 01, 2004 5:36 PM
Subject: RE: Cant authenticate to LDAP domain with Redhat9

Try running "authconfig" and set up your LDAP configuration that way.

-Steve

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx on behalf of Steven D. Haughton
Sent: Thu 7/1/2004 5:56 PM
To: redhat-list@xxxxxxxxxx
Subject: Cant authenticate to LDAP domain with Redhat9

Hi,

I'm new to LDAP and fairly new to Linux as well, so bear with me.....

I've recently installed Red Hat 9 over Gentoo due to some commercial software support. My problem is that I cannot get Red Hat to authenticate to the LDAP domain.

Here is the current LDAP software I have installed:

[root@hostname root]# rpm -qa | grep ldap
openldap-2.0.27-8
openldap-clients-2.0.27-8
nss_ldap-202-5
openldap-devel-2.0.27-8
openldap-servers-2.0.27-8
php-ldap-4.2.2-17.2

Here is the current openssl:

[root@hostname root]# rpm -qa | grep openssl
openssl-0.9.7a-20.2
openssl-perl-0.9.7a-20.2
openssl096b-0.9.6b-15
openssl-devel-0.9.7a-20.2
openssl096-0.9.6-25.9

I also have autofs installed and running.

I have copied the exact files for /etc/ldap.conf, /etc/nsswitch.conf, /etc/pam.d/system_auth, /etc/ssl/certs/eeca.pem, and /etc/autofs/auto.master which work on other Linux computers (mainly Gentoo.... and 2 redhat9 computers). I also copied ldap.conf into /etc/openldap/ldap.conf and copied /etc/autofs/auto.master to /etc/auto.master.

So my config files must be correct if they work on other computers... leaving me to believe that there must be extra config files on Red Hat that I must set up.

I took out the hostname and domain names in the following test.

Test:
[root@"hostname" root]# ssh -ltestuser "hostname"
testuser@"hostname's" password:
Permission denied, please try again.

Log file:
sshd(pam_unix)[14275]: check pass; user unknown
sshd(pam_unix)[14275]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu
sshd(pam_unix)[14275]: check pass; user unknown
sshd(pam_unix)[14275]: 1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="hostname"."**"."***".edu

Any ideas on how to resolve this issue?

Thanks.

Also, here is some more info on the problem. When I run ldapsearch I get this...

[root@blochEE root]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
version: 2
#
# filter: uid=grad-adm
# requesting: ALL
#

# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
sn: Affairs
mail: grad-adm@xxxxxxxxxx
labeledURI: http://www.ee.ucr.edu/~grad-adm
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@blochEE root]#

And this is what I get running getent:

[root@blochEE root]# getent passwd grad-adm
grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
[root@blochEE root]#

From my understanding it looks like the client can communicate OK with the server, so I am at a loss as to why I cannot log in using users on the LDAP server.

If you need any more info, please let me know and I'll be happy to provide it. Any responses will be most appreciated.

Thank you.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
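An added example, not part of the thread: it walks the "auth" stack of the posted system-auth file with the standard Linux-PAM control-flag rules (required, requisite, sufficient, optional) to show which module decides a login for an account that exists only in the directory. A pam_unix failure on its own is not decisive; the sufficient pam_ldap entry must succeed, and otherwise pam_deny closes the stack. The per-module outcomes in the three scenarios are assumptions for illustration, not readings of the posted log; the block also flags the nullok option on pam_unix.

```python
# Added example, not from the thread: walk the posted system-auth 'auth' stack
# with standard Linux-PAM control-flag semantics (required/sufficient/...).

SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
"""  # constructed copy of the auth/account lines posted above

def parse_stack(text, facility):
    """Return [(control, module, options)] for one facility, in file order."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            module = parts[2].rsplit("/", 1)[-1]      # drop /lib/security/
            stack.append((parts[1], module, parts[3:]))
    return stack

def evaluate(stack, results):
    """results maps module -> True (PAM_SUCCESS) / False (any failure).
    Returns 'success' or 'denied' as libpam would for this stack."""
    required_failed = False
    for control, module, _ in stack:
        ok = results.get(module, False)           # unlisted module: failure
        if control == "requisite" and not ok:
            return "denied"                       # abort the stack at once
        if control == "required" and not ok:
            required_failed = True                # keep walking, fail at end
        if control == "sufficient" and ok and not required_failed:
            return "success"                      # later modules never run
    return "denied" if required_failed else "success"

def weak_options(stack):
    """nullok lets a local account with an empty password field log in."""
    return [(m, o) for _, m, opts in stack for o in opts if o == "nullok"]

AUTH_STACK = parse_stack(SYSTEM_AUTH, "auth")
# Assumed scenario: directory-only user, pam_unix fails (the posted log shows
# it logging "user unknown") but pam_ldap accepts the password via use_first_pass.
LDAP_USER_OK = {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": True}
# Assumed scenario: pam_ldap also fails (bind or TLS problem); pam_deny decides.
LDAP_USER_FAIL = {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": False}
# Assumed scenario: local /etc/passwd user; pam_ldap is never consulted.
LOCAL_USER = {"pam_env.so": True, "pam_unix.so": True}
```

Call evaluate(AUTH_STACK, scenario) for each scenario dictionary to see the outcome, and weak_options(AUTH_STACK) to list the nullok occurrences.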