Thank you for your response, but I might not have been clear in my original email.

All of the other servers (servers[1-9]) are working properly, i.e. the user 'testuser' is able to log in using the password I set, and is able to change the password using passwd, among other things of course. So because of this, I assume LDAP is working properly.

My question is why can't 'testuser' log into the actual LDAP server? There must be some configuration difference, but I just can't find it.

I obviously would not change /etc/pam.d/system-auth manually, I would use 'authconfig' to make any changes. I already turned off WINBIND and that did nothing to fix it. Unless something has to be restarted (other than ldap, sshd), then this wasn't the cause.

The /etc/ldap.conf is configured properly on all machines, which is why I assume the user is able to log into the other 9 servers.

These are CentOS 4.5 servers, so they are running openldap-2.2.13-7.4E.

Running 'getent passwd' (didn't know that command, thanks for that one) shows the user, so I assume the password is correctly set up (kinda already knew that since he can log into all other machines).

I will keep trying, and will read through the documentation.

On Sep 19, 2007, at 11:00 PM, Craig White wrote:

> you can't bind as a user that doesn't have a password
>
> you don't have users until you have configured /etc/ldap.conf properly
>
> 1 - use 'system-config-authentication' and don't edit /etc/pam.d/system-auth
> uncheck Windows authentication and winbindd goes away
>
> 2 - edit /etc/ldap.conf to properly match your ldap setup, when you get it
> set up properly, the command 'getent passwd' will first list the
> contents of /etc/passwd and then list whatever you have setup for
> nss_base_passwd in /etc/ldap.conf
>
> 3 - you really need better understanding of LDAP...try a book
>
> I'll recommend a really old one but really good for basic LDAP
> knowledge...
>
> LDAP System Administration by Gerald Carter
>
> or
>
> OpenLDAP v 2.3 (included with CentOS-5)
> http://www.openldap.org/doc/admin23/
>
> OpenLDAP v 2.2 (included with CentOS-4)
> http://www.openldap.org/doc/admin22/
>
> a hint here...you don't say whether you're using CentOS-4 or CentOS-5
>
> man ldap.conf # refers to ldap.conf supplied by openldap - the file
> located at /etc/openldap/ldap.conf and man 8 ldap.conf (CentOS-4 IIRC)
> or man pam_ldap (CentOS-5) refers to /etc/ldap.conf (supplied as part of
> padl's nss)
>
> good luck
>
> Craig
>
> On Wed, 2007-09-19 at 18:19 -0400, Von Landfried wrote:
>> Hello,
>>
>> I am having a small issue with LDAP, and I hope someone here might be
>> able to provide a few tips.
>>
>> I am unable to authenticate as user 'testuser' on server 'storage'
>> and the following errors appear in /var/log/messages on server 'storage':
>>
>> Sep 19 16:56:17 storage sshd(pam_unix)[3124]: check pass; user unknown
>> Sep 19 16:56:17 storage sshd(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test-kja1
>> Sep 19 16:56:17 storage sshd[3124]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=local" (Invalid credentials)
>>
>> I am also unable to issue this command:
>>
>> # passwd testuser
>> passwd: Unknown user name 'testuser'.
>>
>> but this command works fine:
>>
>> # finger testuser
>> Login: testuser                         Name: Test User
>> Directory: /home/testuser               Shell: /bin/bash
>> Never logged in.
>> No mail.
>> No Plan.
>>
>> The server 'storage' is the LDAP host server, and there are about 9
>> other servers configured to use 'storage' to authenticate users. All
>> 9 of them allow 'testuser' to login and also for him to change his
>> password.
>>
>> Issuing this command:
>>
>> # ldapsearch -x -b 'uid=testuser,ou=People,dc=example,dc=local' '(objectclass=*)'
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=testuser,ou=People,dc=example,dc=local> with scope sub
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # testuser, People, example.local
>> dn: uid=testuser,ou=People,dc=example,dc=local
>> uid: testuser
>> cn: Sean Cook
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> shadowMax: 99999
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 547
>> gidNumber: 500
>> homeDirectory: /home/testuser
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I think the issue might be with PAM, because comparing all files I
>> can think of doesn't point me to any differences except /etc/pam.d/system-auth
>>
>> The LDAP server 'storage' has WINBIND turned on, as follows:
>>
>> auth        required      /lib/security/$ISA/pam_env.so
>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
>> auth        required      /lib/security/$ISA/pam_deny.so
>>
>> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
>> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
>> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
>> account     required      /lib/security/$ISA/pam_permit.so
>>
>> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>> password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
>> password    required      /lib/security/$ISA/pam_deny.so
>>
>> session     required      /lib/security/$ISA/pam_limits.so
>> session     required      /lib/security/$ISA/pam_unix.so
>> session     optional      /lib/security/$ISA/pam_ldap.so
>>
>> And the server 'phoenix' (which allows 'testuser' to login fine) does not:
>>
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      /lib/security/$ISA/pam_env.so
>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>> auth        required      /lib/security/$ISA/pam_deny.so
>>
>> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
>> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
>> account     required      /lib/security/$ISA/pam_permit.so
>>
>> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>> password    required      /lib/security/$ISA/pam_deny.so
>>
>> session     required      /lib/security/$ISA/pam_limits.so
>> session     required      /lib/security/$ISA/pam_unix.so
>> session     optional      /lib/security/$ISA/pam_ldap.so
>>
>> I tried disabling WINBIND but the issue still occurs even after
>> restarting ldap and sshd.
>>
>> Please help!!
>>

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
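As an added example that is not part of the thread (my code, not Von Landfried's or Craig White's): a small Python helper that parses the two system-auth stacks posted above, reports per phase which entries exist on one server but not the other, and attributes each of the three /var/log/messages lines to the PAM module that emitted it. The PAM stacks and log lines embedded below are copied from the thread; the verdict labels are my own reading of them: pam_unix logging "user unknown" is normal for an account that exists only in LDAP, while the pam_ldap bind rejected with "Invalid credentials" is the failure that decides the login.

```python
"""Diagnostic helper added for this thread (not from the original posts):
diff two PAM system-auth stacks and triage the sshd/PAM log lines."""
import re

# <type> <control> <module> [args]; control may be bracketed, e.g. [default=bad success=ok]
_PAM_RE = re.compile(r"^(?P<type>auth|account|password|session)\s+"
                     r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$")
# "Sep 19 16:56:17 storage sshd(pam_unix)[3124]: msg" or "... sshd[3124]: pam_ldap: msg"
_SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[(\s]+)"
                        r"(?:\((?P<mod>[^)]+)\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse_pam_stack(text):
    """(type, control, module basename, args) per line; comments and blanks are skipped.
    The /lib/security/$ISA prefix is dropped because only the module name matters."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PAM_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        entries.append((m.group("type"), m.group("control"),
                        m.group("module").rsplit("/", 1)[-1],
                        (m.group("args") or "").strip()))
    return entries

def diff_pam_stacks(a, b):
    """Per phase: ([entries only in a], [entries only in b]); identical phases are omitted."""
    result = {}
    for phase in ("auth", "account", "password", "session"):
        ea = [e[1:] for e in a if e[0] == phase]
        eb = [e[1:] for e in b if e[0] == phase]
        only_a = [e for e in ea if e not in eb]
        only_b = [e for e in eb if e not in ea]
        if only_a or only_b:
            result[phase] = (only_a, only_b)
    return result

def triage_auth_log(lines):
    """(pid, module, verdict) per line. pam_unix 'user unknown' is normal for an
    account that exists only in LDAP; a pam_ldap bind rejected with Invalid
    credentials is the failure that decides the login, so that is the line to chase."""
    out = []
    for line in lines:
        m = _SYSLOG_RE.match(line)
        if not m:
            continue
        mod, msg = m.group("mod"), m.group("msg")
        if mod is None and msg.startswith("pam_ldap:"):
            mod = "pam_ldap"  # this pam_ldap logs as "sshd[pid]: pam_ldap: ...", not sshd(pam_ldap)
        if mod == "pam_unix" and "user unknown" in msg:
            verdict = "expected"
        elif mod == "pam_ldap" and "Invalid credentials" in msg:
            verdict = "actionable"
        else:
            verdict = "informational"
        out.append((m.group("pid"), mod, verdict))
    return out

# Sample inputs copied from the thread: the two system-auth stacks and the three log lines.
STORAGE = """
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
"""
PHOENIX = """
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
"""
LOG = [
    'Sep 19 16:56:17 storage sshd(pam_unix)[3124]: check pass; user unknown',
    'Sep 19 16:56:17 storage sshd(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test-kja1',
    'Sep 19 16:56:17 storage sshd[3124]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=local" (Invalid credentials)',
]
```

Run against the two stacks, the diff reports pam_winbind.so in the auth, account and password phases of 'storage' and nothing that is only on 'phoenix', which is what the thread already says; in every phase winbind sits after pam_ldap.so, so it is consulted only once pam_ldap has returned and cannot be what makes the bind fail. The triage marks the first pam_unix line as expected and the pam_ldap line as the one to chase. Note also that the anonymous ldapsearch above does not return userPassword, which any sensibly ACL'd directory will withhold from anonymous clients, so that output neither confirms nor denies that a password is stored; the direct reproduction of what pam_ldap does is a search bound with the user's own DN and password against the same host the server's /etc/ldap.conf points at, e.g. ldapsearch -x -H ldap://localhost -D 'uid=testuser,ou=People,dc=example,dc=local' -W -b 'uid=testuser,ou=People,dc=example,dc=local' '(objectclass=*)' (the ldap://localhost URI is an assumption for the LDAP host itself).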