Problems with User Authentication using PAM & LDAP

Nigel Wade nmw at ion.le.ac.uk
Wed Jun 9 08:21:54 UTC 2004


Bruno Tobias Stella wrote:
> Nigel Wade <nmw at ion.le.ac.uk> wrote:
> 
> 
>>fkroeger at iinet.net.au wrote:
>>
>>>Anyone had problems trying to connect via ssh to FC2 server setup for
>>>ldap & pam?
>>>
>>>When I ssh to FC2 it prompts for my password.  I enter the password setup
>>>on the ldap server (different server) - It responds with "Access denied"
>>>and prompts for my password again.  I enter it a second time & it starts
>>>up my ssh session.  This indicates that it is authenticating OK to the
>>>ldap server - but always on the second try.  When I enter my local
>>>password at the first prompt it lets me in.  So it appears that the first
>>>prompt is looking up the local password and the second try it is looking
>>>up the ldap entry.
>>>
>>>The pam.d/sshd file looks OK - it is referencing the system-auth file
>>>which is generated from the authconfig command. I have tried swapping
>>>around the order of files & ldap in the nsswitch.conf file but to no
>>>avail.
>>>
>>>Any ideas?
>>>
>>>Regards...  Fred Kroeger
>>>
>>>
>>
>>It could be that PAM isn't passing the password from the initial login
>>attempt to LDAP.
>>
>>What does the line for pam_ldap.so look like in system-auth?
>>
>>These are the relevant lines from my (working) FC1 system:
>>
>>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>>auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>>
>>where use_first_pass tells PAM to use the password which was entered for
>>pam_unix, rather than prompting for another one.
> 
> 
> 
> I have a similar problem, but when I ssh to FC2, the password is never accepted. I
> note that 'su' doesn't work either. The user is accepted but the password isn't.
> 
> I set my system-auth like Nigel Wade suggested, but the password wasn't accepted.
> 
> 
> Any other ideas?
> 
> Thanks,
> 
> Bruno Stella
> 
> 
> 

I was emailed off-list by Fred Kroeger to say that he had changed 
use_first_pass to try_first_pass, and this worked in FC2.


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
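
Added example (not part of the original message and not code from any project named in it): a small Python check that reads the auth lines of a PAM file such as system-auth and reports, for each password-checking module, whether it prompts, only reuses the stacked password (use_first_pass), or reuses it and then falls back to its own prompt (try_first_pass). The PASSWORD_MODULES set, the behaviour labels and the NO_OPTION_STACK sample are assumptions constructed for this example.

```python
# Added example. PASSWORD_MODULES and the behaviour labels are assumptions.
PASSWORD_MODULES = {"pam_unix.so", "pam_ldap.so"}

# The two auth lines quoted in the thread (working FC1 system).
FC1_STACK = (
    "auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok\n"
    "auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass\n"
)
# The change reported to work on FC2.
FC2_STACK = FC1_STACK.replace("use_first_pass", "try_first_pass")
# Constructed sample: pam_ldap has neither option, so it asks again.
NO_OPTION_STACK = (
    "# constructed sample\n"
    "auth  required                          pam_env.so\n"
    "auth  sufficient                        pam_unix.so nullok\n"
    "auth  [success=done default=ignore]     pam_ldap.so\n"
    "auth  required                          pam_deny.so\n"
)

def parse_auth_lines(text):
    """Yield (lineno, module_basename, options) for each 'auth' line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        i = 1
        # A bracketed control such as [success=done default=ignore] spans fields.
        while fields[1].startswith("[") and not fields[i].endswith("]") and i < len(fields) - 1:
            i += 1
        if i + 1 < len(fields):
            yield lineno, fields[i + 1].rsplit("/", 1)[-1], fields[i + 2:]

def audit_auth_stack(text):
    """Classify how each password-checking module gets its password."""
    findings, first_seen = [], False
    for lineno, module, opts in parse_auth_lines(text):
        if module not in PASSWORD_MODULES:
            continue
        if not first_seen:
            behaviour, first_seen = "prompts", True  # assumed to collect the password
        elif "use_first_pass" in opts:
            behaviour = "reuse-only"          # never prompts; fails if that password is wrong
        elif "try_first_pass" in opts:
            behaviour = "reuse-then-prompt"   # falls back to its own prompt
        else:
            behaviour = "prompts-again"       # user is asked a second time
        findings.append((lineno, module, behaviour))
    return findings

if __name__ == "__main__":
    for name in ("FC1_STACK", "FC2_STACK", "NO_OPTION_STACK"):
        print(name, audit_auth_stack(globals()[name]))
```

A "prompts-again" result on the pam_ldap.so line matches the double password prompt described at the start of the thread.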




