you can't bind as a user that doesn't have a password
you don't have users until you have configured /etc/ldap.conf properly
1 - use 'system-config-authentication' and don't
edit /etc/pam.d/system-auth
uncheck Windows authentication and winbindd goes away
2 - edit /etc/ldap.conf to properly match your ldap setup, when you get
it
set up properly, the command 'getent passwd' will first list the
contents of /etc/passwd and then list whatever you have setup for
nss_base_passwd in /etc/ldap.conf
3 - you really need better understanding of LDAP...try a book
I'll recommend a really old one but really good for basic LDAP
knowledge...
LDAP System Administration by Gerald Carter
or
OpenLDAP v 2.3 (included with CentOS-5)
http://www.openldap.org/doc/admin23/
OpenLDAP v 2.2 (included with CentOS-4)
http://www.openldap.org/doc/admin22/
a hint here...you don't say whether you're using CentOS-4 or CentOS-5
man ldap.conf # refers to ldap.conf supplied by openldap - the file
located at /etc/openldap/ldap.conf and man 8 ldap.conf (CentOS-4 IIRC)
or man pam_ldap (CentOS-5) refers to /etc/ldap.conf (supplied as part of
padl's nss)
good luck
Craig
On Wed, 2007-09-19 at 18:19 -0400, Von Landfried wrote:> Hello,
>
> I am having a small issue with LDAP, and I hope someone here might be
> able to provide a few tips.
>
> I am unable to authenticate as user 'testuser' on server
'storage'
> and the following errors appear in /var/log/messages on server
'storage'
>
> Sep 19 16:56:17 storage sshd(pam_unix)[3124]: check pass; user unknown
> Sep 19 16:56:17 storage sshd(pam_unix)[3124]: authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test-kja1
> Sep 19 16:56:17 storage sshd[3124]: pam_ldap: error trying to bind
> as user "uid=testuser,ou=People,dc=example,dc=local" (Invalid
> credentials)
>
> I am also unable to issue this command:
>
> # passwd testuser
> passwd: Unknown user name 'testuser'.
>
> but this command works fine:
>
> # finger testuser
> Login: testuser Name: Test User
> Directory: /home/testuser Shell: /bin/bash
> Never logged in.
> No mail.
> No Plan.
>
> The server 'storage' is the LDAP host server, and there are about 9
> other servers configured to use 'storage' to authenticate users.
All
> 9 of them allow 'testuser' to login and also for him to change his
> password.
>
> Issuing this command:
>
> # ldapsearch -x -b 'uid=testuser,ou=People,dc=example,dc=local'
> '(objectclass=*)'
>
>
> # extended LDIF
> #
> # LDAPv3
> # base <uid=testuser,ou=People,dc=example,dc=local> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # testuser, People, example.local
> dn: uid=testuser,ou=People,dc=example,dc=local
> uid: testuser
> cn: Sean Cook
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 547
> gidNumber: 500
> homeDirectory: /home/testuser
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> I think the issue might be with PAM, because comparing all files I
> can think of doesnt point me to any differences except /etc/pam.d/
> system-auth
>
> The LDAP server 'storage' has WINBIND turned on, as follows:
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth sufficient /lib/security/$ISA/pam_winbind.so
> use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid <
> 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/
> security/$ISA/pam_ldap.so
> account [default=bad success=ok user_unknown=ignore] /lib/
> security/$ISA/pam_winbind.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
>
> And the server 'phoenix' (which allows 'testuser' to login
fine) does
> not;
>
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid <
> 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/
> security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
>
> I tried disabling WINBIND but the issue still occurs even after
> restarting ldap and sshd.
>
> Please help!!
>
>