Linux – Ubuntu OS X LDAP Authentication

Tags: ldap, linux, mac-osx-server, openldap, Ubuntu

I just followed this guide on how to set up Ubuntu to authenticate with a Mac OS X 10.4 server. I followed the guide 100% and was left with the ability to see users by running

getent passwd
and
getent passwd (user)

Which would come up with all the right information about the user. My problem is that I want those users to be able to login through the login prompt, which isn't working. When I login as my local user though, I get the usual username and password prompt, but then I get an LDAP password prompt, where I can type in anything and still login successfully.

Any ideas on how to solve this? Thanks in advance!

Updates:

As mentioned below, I'm positive LDAP is set up correctly, since I can see all the LDAP users using getent passwd, but something else is going wrong since I can't use su, ssh, or gdm to login with these users.

Best Answer

the problem is that that guide is wrong, or at least sub-optimal.

/etc/pam.d/common-auth should have:

auth sufficient pam_unix.so nullok_secure nodelay
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

that says that either pam_unix or pam_ldap is sufficient to login, and any login failing both of those is denied. it tries local unix login first - which is extremely useful if your LDAP server is down or unreachable and you still need to login as a local user.

it also uses 'use_first_pass' rather than 'try_first_pass'...they are very similar except that it won't prompt for a password again if the first is wrong.

see the man pages for pam_unix and pam_ldap for more details.

BTW, adding the following to /etc/pam.d/common-session is very useful:

session required pam_limits.so

it allows you to use /etc/security/limits.conf and access.conf etc. to have very fine control over which users are allowed to login (e.g. I limit ssh logins on my servers to members of the admins group), and also set resource limits (memory, maxlogins, nice priority, etc.) for their login.