LDAP Login fails, but su to ldap users works

centos6, openldap

I have a new LDAP setup and I am trying to log in, either directly on the machine or remotely over SSH.

When I try to actually log in, my authentication fails.

If I log in with a local user (root), then I succeed. Once I am logged in, I have no problem issuing su user and switching to that user.

Running getent passwd will return all of the valid users.

Any Help?

The logs show:

Apr 10 11:50:00 ldaptest login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=user
Apr 10 11:50:00 ldaptest login: pam_ldap: error trying to bind (No such object)
Apr 10 11:50:03 ldaptest login: FAILED LOGIN 1 FROM (null) FOR user, Authentication failure

Thanks!

[root@ldaptest ~]# cat /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns  

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
sudoers:    ldap

And

[root@ldaptest ~]# cat /etc/pam_ldap.conf 
base dc=ops,dc=rm
rootbinddn cn=Directory Manager,dc=ops,dc=rm
uri ldaps://10.0.32.75
ssl no
TLS_REQCERT allow 
tls_cacertdir /etc/openldap/cacerts 
pam_password md5
suoders_base ou=Sudoers,dc=ops,dc=rm

And

[root@ldaptest ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        sufficient    pam_ldap.so use_first_pass

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
password    sufficient    pam_ldap.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077

And

[root@ldaptest ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        sufficient    pam_ldap.so use_first_pass

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
password    sufficient    pam_ldap.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      pam_ldap.so

And finally…

[root@ldaptest ~]# cat /etc/pam.d/password-auth-ac 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        sufficient    pam_ldap.so use_first_pass

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
password    sufficient    pam_ldap.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      pam_ldap.so

Best Answer

required pam_deny.so has to be the last line in each section.
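To see why the order matters, here is an added simulation (not part of the question or the answer) of Linux-PAM's control-flag rules applied to the posted auth section and to the same lines with pam_deny.so moved last; the per-module outcomes for each test user are constructed, not taken from a real system.

```python
from typing import Dict, List, Tuple

PAM_SUCCESS, PAM_FAIL = "success", "fail"
Stack = List[Tuple[str, str]]          # (control flag, module) per config line


def pam_auth_stack(stack: Stack, outcome: Dict[str, str]) -> str:
    """Walk a PAM 'auth' section using Linux-PAM's simple control flags.
    outcome maps each module to its constructed result for the user under test."""
    recorded_failure = False
    for flag, module in stack:
        result = outcome.get(module, PAM_FAIL)
        if flag == "requisite" and result == PAM_FAIL:
            return PAM_FAIL                       # abort the whole stack at once
        if flag == "required" and result == PAM_FAIL:
            recorded_failure = True               # keep running, but the final answer is fail
        if flag == "sufficient" and result == PAM_SUCCESS and not recorded_failure:
            return PAM_SUCCESS                    # short-circuit success
        # 'optional' modules never change the result when other modules are present
    return PAM_FAIL if recorded_failure else PAM_SUCCESS


# 'auth' section in the order the question shows (pam_deny.so above pam_ldap.so)
POSTED_AUTH: Stack = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
                      ("requisite", "pam_succeed_if.so"), ("required", "pam_deny.so"),
                      ("sufficient", "pam_ldap.so")]
# Same lines with 'required pam_deny.so' moved to the end, as the answer says
FIXED_AUTH: Stack = [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
                     ("requisite", "pam_succeed_if.so"), ("sufficient", "pam_ldap.so"),
                     ("required", "pam_deny.so")]

# Constructed module outcomes: pam_unix has no shadow entry for an LDAP-only user,
# pam_succeed_if passes (uid >= 500), pam_deny (absent from the map) always fails.
LDAP_USER_OK = {"pam_env.so": PAM_SUCCESS, "pam_unix.so": PAM_FAIL,
                "pam_succeed_if.so": PAM_SUCCESS, "pam_ldap.so": PAM_SUCCESS}
LDAP_USER_BAD = dict(LDAP_USER_OK, **{"pam_ldap.so": PAM_FAIL})   # wrong password
LOCAL_USER_OK = {"pam_env.so": PAM_SUCCESS, "pam_unix.so": PAM_SUCCESS,
                 "pam_succeed_if.so": PAM_SUCCESS}


def posted_ldap_login() -> str:          # what the question observes: denied
    return pam_auth_stack(POSTED_AUTH, LDAP_USER_OK)

def fixed_ldap_login() -> str:           # after moving pam_deny.so last: allowed
    return pam_auth_stack(FIXED_AUTH, LDAP_USER_OK)

def fixed_ldap_bad_password() -> str:    # the fix must still reject bad passwords
    return pam_auth_stack(FIXED_AUTH, LDAP_USER_BAD)

def fixed_local_login() -> str:          # local users keep working via pam_unix
    return pam_auth_stack(FIXED_AUTH, LOCAL_USER_OK)
```

With pam_deny.so above pam_ldap.so, the `required` failure is recorded before pam_ldap.so runs, so its `sufficient` success can no longer end the stack with a pass; the account section shows the same ordering issue.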
