Authenticating via LDAP to Active Directory

[Jim Canfield]

Davis, Jared Scott wrote:
> I’m trying to set up our server to connect to our campus Active Directory to authenticate users via LDAP.  Basically we need only certain authorized users to be able to log in -- via the physical machine, ssh, or VPN using their university ID/password in Active Directory.  
>
>  
>
> - ran authconfig, selected all relevant options, and entered ldap server and base dn
>
> - required certificates in /etc/openldap/cacerts/
>
> - /etc/openldap/ldap.conf (slink with /etc/ldap.conf) set up according to one of the network guys - and if we do an ldapsearch we receive info, so I believe it’s working ok
>
> - /etc/ssh/sshd_config has “UsePam yes”
>
>  
>
> However, when I try to SSH in, I get a password authentication error.
>
>  
>
> I think the problem resides in the /etc/pam.d/sshd file…I copied the /etc/pam.d/samba to /etc/pam.d/sshd because Samba works fine and seems to authenticate via LDAP ok.
>
>  
>
> Has anyone else had any luck with this?  It’s been a headache!
>
>  
>
>   
What does /var/log/messages say? My guess is you might be missing 
something in /etc/pam.d/system-auth. You may have to add this line (or 
something similar) in the account section:

account [default=bad success=ok user_unknown=ignore] 
/lib/security/$ISA/pam_krb5.so

I'm just guessing though. : )

Just a note: I'm not a big fan of *playing* with the system-auth file - 
be careful.

Jim

-- 
Jim Canfield, CISSP
Tulsa Spine and Specialty Hospital