[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ldap problem

I'm a bit stumped on this, but a few things you could do to humor me/double check.
check for duplicate username/group names. both in the system files and in ldap.
i've run into some dumbness with nscd recently (duplicate group names) which caused all sorts of badness preventing logins. try stopping the nscd daemon and trying to log in again 

also make sure that nscd dosn't start before your ldap daemon

my pam ssh file looks more like
auth        required      pam_nologin.so
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so shadow use_first_pass
auth        required      pam_deny.so

my nsswitch file gives precidence to  files over ldap.
the users you are trying to log in as have good ldap info i hope? home directory, shell, uid, gid, all that good stuff? that maybe confusing login to.
other than that i may have to throw in the towel (and i don't know if there's an easy way to test pam modules) 

g'luck
patrick

Matt Dunford wrote:


On Thu, Jun 23, 2005 at 12:43:09PM -0400, Patrick Flaherty wrote:
I've had it working for several months. Can you log in via a console? 
if so does your pam.d/ssh file use commonauth?
if not does your commonauth file use pam_ldap?


Hi Patrick,

Thank you for your reply.  Yes, I include common-auth in pam.d/ssh.
Here are the two entries in the file:

auth	sufficient	pam_ldap.so debug
auth	required	pam_unix.so nullok_secure try_first_pass

(This works on debian's 386 port, fyi)

I've also found out that it also authenticates and then hanges when
doing things like `su - username` or `login username`.  It looks like
the pam session just hangs.  You can even see the user logged when
using `w`!

So I've still got this hunch that there's something up w/ pam, not
necessarily pam-ldap.  Do you know of a way to test each pam module
individually?
Reply to: