[Freeipa-users] wbinfo cannot pull Active Directory domain users

Alexander Bokovoy abokovoy at redhat.com
Fri Jul 10 21:31:22 UTC 2015


On Fri, 10 Jul 2015, Angelo Pantano wrote:
>I still had it because I am in the middle of a PoC for a migration, the
>legacy used pam_ldap and if I just remove it not only the error does not go
>away, but in the secure logs you also see this new error:
>
>Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM unable to
>dlopen(/lib64/security/pam_ldap.so): /lib64/security/pam_ldap.so: cannot
>open shared object file: No such file or directory
>Jul 10 14:08:17 ip-10-237-186-172 sshd[7361]: PAM adding faulty module:
>/lib64/security/pam_ldap.so
You should just remove it from the PAM config files, not the
pam_ldap.so.

From what I see, you broke the default configuration and the pam_ldap module
actually returns an error code that SSH interprets as a signal to deny
logon. You may, of course, spend time fighting this but I don't really
see a benefit.

If you need to authenticate/get identities from older LDAP server, just
configure a second domain in sssd.conf and use 'id_provider=ldap' there
to point to your LDAP server.
-- 
/ Alexander Bokovoy
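
The sshd log lines quoted in this message are what PAM emits when a config entry still names a module whose file is gone. The following is an added example, not part of the original message: it lists such stale references. The sample config, the function names and the installed-module set are constructed; `/lib64/security` is the directory shown in the quoted log.

```python
import re
from pathlib import Path

# Constructed sample in the style of /etc/pam.d/sshd (not from the thread).
SAMPLE_PAM = """\
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_ldap.so use_first_pass
auth       sufficient   pam_sss.so use_first_pass
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
-session   optional     pam_systemd.so
session    optional     /lib64/security/pam_ldap.so
"""

# Constructed stand-in for the module files present on disk.
INSTALLED = {"/lib64/security/" + m
             for m in ("pam_env.so", "pam_sss.so", "pam_systemd.so")}

TYPES = {"auth", "account", "password", "session"}


def module_refs(text):
    """Yield (line_number, module) for every module entry in PAM config text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Collapse a bracketed control such as [default=bad ...] to one token.
        line = re.sub(r"\[[^\]]*\]", "CONTROL", line, count=1)
        fields = line.split()
        if len(fields) < 3 or fields[0].lstrip("-") not in TYPES:
            continue
        if fields[1] in ("include", "substack"):
            continue  # third field is another config file, not a module
        yield lineno, fields[2]


def missing_modules(text, module_dir="/lib64/security",
                    exists=lambda p: Path(p).exists()):
    """Return (line_number, path) for entries whose module file is absent."""
    stale = []
    for lineno, mod in module_refs(text):
        path = mod if mod.startswith("/") else f"{module_dir}/{mod}"
        if not exists(path):
            stale.append((lineno, path))
    return stale


if __name__ == "__main__":
    for lineno, path in missing_modules(SAMPLE_PAM, exists=INSTALLED.__contains__):
        print(f"line {lineno}: {path} is referenced but not installed")
```

On a real host, call `missing_modules(Path(f).read_text())` for each file under `/etc/pam.d` and leave `exists` at its default.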



