
Re: Authentication error using nss-pam-ldapd and openldap server

On Sun, 2018-11-04 at 11:03 +0330, babak wrote:
> I am trying to configure OpenLDAP authentication in CentOS 7. I have an
> LDAP server already configured, which is working and tested, but I get
> an unexpected error when I try to log in.

The logs show the user (passwd and shadow) lookups that you would
expect on login but no authentication attempt (authc lookups).

> password-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      /lib/security/pam_ldap.so use_first_pass debug
> auth        required      pam_deny.so

I suspect the error is in the above configuration but PAM stacks are
notoriously hard to read.

> Nov  4 10:27:38 minio sshd[2011]: pam_ldap(sshd:auth): failed to get password: Authentication failure

This means that the pam_ldap module cannot get the password from the
PAM stack. Perhaps the use_first_pass option should be changed to
try_first_pass.

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
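The reply above hinges on how a password travels through a PAM "auth" stack: with use_first_pass, pam_ldap can only take a password that an earlier module already left on the stack, while try_first_pass lets it prompt when none is there. The following added example (not code from this thread, from nss-pam-ldapd or from Linux-PAM) walks the quoted password-auth stack with stubbed modules to show which modules actually run for an LDAP-only user and whether a password reaches pam_ldap. The user databases, the typed password and the assumption that pam_sss fails without forwarding anything are constructed for the example.

```python
LOCAL_USERS = {"root": (0, "toor")}       # constructed stand-in for /etc/passwd and shadow
LDAP_USERS = {"babak": (1001, "s3cret")}  # constructed stand-in for the LDAP directory

STACK = [  # the "auth" part of the quoted password-auth file: (control, module, options)
    ("required", "pam_env", ""),
    ("required", "pam_faildelay", "delay=2000000"),
    ("[default=1 ignore=ignore success=ok]", "pam_succeed_if", "uid >= 1000 quiet"),
    ("[default=1 ignore=ignore success=ok]", "pam_localuser", ""),
    ("sufficient", "pam_unix", "nullok try_first_pass"),
    ("requisite", "pam_succeed_if", "uid >= 1000 quiet_success"),
    ("sufficient", "pam_sss", "forward_pass"),
    ("required", "pam_ldap", "use_first_pass debug"),
    ("required", "pam_deny", ""),
]

def module(name, opts, user, typed, authtok):
    """Stubbed module behaviour: returns (result, authtok); only what decides whether pam_ldap finds a password."""
    entry = LOCAL_USERS.get(user) or LDAP_USERS.get(user)
    if name == "pam_succeed_if":                     # only the "uid >= N" test is understood
        return ("success" if entry and entry[0] >= int(opts[2]) else "fail"), authtok
    if name == "pam_localuser":                      # succeeds only for users in /etc/passwd
        return ("success" if user in LOCAL_USERS else "fail"), authtok
    if name in ("pam_sss", "pam_deny"):              # assumption: sssd is not in use, so
        return "fail", authtok                       # pam_sss fails and forwards nothing
    if name in ("pam_unix", "pam_ldap"):
        if authtok is None and "use_first_pass" in opts:
            return "failed to get password", authtok # the message seen in the sshd log
        if authtok is None:                          # try_first_pass (or neither): prompt
            authtok = typed
        db = LOCAL_USERS if name == "pam_unix" else LDAP_USERS
        return ("success" if user in db and db[user][1] == authtok else "fail"), authtok
    return "success", authtok                        # pam_env, pam_faildelay

def trace(stack, user, typed):
    """Run the stack honouring [..] jumps, requisite (die) and sufficient (done); returns [(module, result), ...]."""
    authtok, ran, i = None, [], 0
    while i < len(stack):
        ctrl, name, opts = stack[i]
        result, authtok = module(name, opts.split(), user, typed, authtok)
        ran.append((name, result))
        i += 1
        if ctrl.startswith("["):                     # e.g. [default=1 ignore=ignore success=ok]
            actions = dict(kv.split("=") for kv in ctrl.strip("[]").split())
            action = actions.get(result, actions["default"])
            if action.isdigit():
                i += int(action)                     # jump over the next N modules
        elif ctrl == "requisite" and result != "success" or ctrl == "sufficient" and result == "success":
            break
    return ran
```

For the LDAP-only user the trace shows pam_localuser failing and its default=1 jumping over pam_unix, so no module has prompted by the time pam_ldap runs with use_first_pass; with try_first_pass pam_ldap prompts itself.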
