Re: Authentication error using nss-pam-ldapd and openldap server
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: Authentication error using nss-pam-ldapd and openldap server
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: babak <b.khazaie [at] mapfa.net>, nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Authentication error using nss-pam-ldapd and openldap server
- Date: Sun, 11 Nov 2018 16:04:48 +0100
On Sun, 2018-11-04 at 11:03 +0330, babak wrote:
> I am trying to configure OpenLdap authentication in centos 7. i have
> ldapserver already configured which is working and tested. but i get
> unexpected error when i try to login.
The logs show the user (passwd and shadow) lookups that you would
expect on login but no authentication attempt (authc lookups).
> password-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >=
> 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required /lib/security/pam_ldap.so use_first_pass debug
> auth required pam_deny.so
I suspect the error is in the above configuration but PAM stacks are
notoriously hard to read.
> Nov 4 10:27:38 minio sshd[2011]: pam_ldap(sshd:auth): failed to get
> password: Authentication failure
This means that the pam_ldap module cannot get the password from the
PAM stack. Perhaps the use_first_pass option should be changed to
try_fist_pass.
--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
