
LDAP & PAM on Redhat 8 Problem



I'm working on setting up OpenLDAP on a Redhat 8.0 server. I'm attempting to authenticate logins to a Redhat 8 client using pam_ldap. I've followed all the documentation and tutorials I can find, and everything works, except the login. I can use ldapsearch on the server & client. I'm able to obtain userPassword this way if I bind as a user allowed by my ACL to read that field. Here is the error my client generates when I attempt to log in:

Feb 5 02:30:25 thebit login(pam_unix)[9065]: check pass; user unknown
Feb 5 02:30:25 thebit login(pam_unix)[9065]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Feb 5 02:30:28 thebit login[9065]: FAILED LOGIN 1 FROM (null) FOR testuser3, Authentication failure


testuser3 is in my LDAP database, and the password I use has been thrice checked. Here is the log on my LDAP server when this happens:

Feb 5 03:01:35 isaev slapd[9043]: daemon: conn=2 fd=10 connection from IP=10.1.1.49:33378 (IP=0.0.0.0:636) accepted.
Feb 5 03:01:35 isaev slapd[9152]: conn=2 op=0 BIND dn="CN=PROXYUSER,DC=KADREVIS,DC=COM" method=128
Feb 5 03:01:35 isaev slapd[9152]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 5 03:01:35 isaev slapd[9151]: conn=2 op=1 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:36 isaev slapd[9151]: conn=2 op=1 SEARCH RESULT tag=101 err=0 text=


Feb 5 03:01:36 isaev slapd[9152]: conn=2 op=2 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:36 isaev slapd[9152]: conn=2 op=2 SEARCH RESULT tag=101 err=0 text=


Feb 5 03:01:38 isaev slapd[9151]: conn=2 op=3 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:39 isaev slapd[9151]: conn=2 op=3 SEARCH RESULT tag=101 err=0 text=


My current theory is that something about the way pam_unix operates on Redhat 8 is different than the rest of the Linux world. I've edited /etc/pam.d/system-auth to look like all the examples I've seen.

I can send out my config files to anyone willing to help.

Thanks, pablos.
pablos@kadrevis.com
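
A small parser for the slapd log format quoted in the message above, added here as an illustration and not part of the original post: it groups operations by connection and lists bind DNs, search filters and non-zero result codes, so it is easy to see whether any DN other than the proxy account attempted a bind. The function names are hypothetical; the sample lines are the ones from the post with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# slapd lines copied from the post above (wrapped lines rejoined).
SAMPLE_LOG = """\
Feb 5 03:01:35 isaev slapd[9043]: daemon: conn=2 fd=10 connection from IP=10.1.1.49:33378 (IP=0.0.0.0:636) accepted.
Feb 5 03:01:35 isaev slapd[9152]: conn=2 op=0 BIND dn="CN=PROXYUSER,DC=KADREVIS,DC=COM" method=128
Feb 5 03:01:35 isaev slapd[9152]: conn=2 op=0 RESULT tag=97 err=0 text=
Feb 5 03:01:35 isaev slapd[9151]: conn=2 op=1 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:36 isaev slapd[9151]: conn=2 op=1 SEARCH RESULT tag=101 err=0 text=
Feb 5 03:01:36 isaev slapd[9152]: conn=2 op=2 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:36 isaev slapd[9152]: conn=2 op=2 SEARCH RESULT tag=101 err=0 text=
Feb 5 03:01:38 isaev slapd[9151]: conn=2 op=3 SRCH base="ou=People,dc=kadrevis,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=testuser3))"
Feb 5 03:01:39 isaev slapd[9151]: conn=2 op=3 SEARCH RESULT tag=101 err=0 text=
"""

# "conn=N op=M <KIND> key=value ..." as it appears in the lines above.
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT|SEARCH RESULT)\b(.*)')
# key=value pairs; quoted values may themselves contain '=' (DNs, filters).
ATTR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def summarise(log_text):
    """Group slapd operations by connection number."""
    conns = defaultdict(lambda: {"binds": [], "searches": [], "errors": []})
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # e.g. the "daemon: ... accepted" line
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        attrs = {k: (q or u) for k, q, u in ATTR_RE.findall(rest)}
        if kind == "BIND":
            # DNs are compared case-insensitively, so normalise here.
            conns[conn]["binds"].append(attrs.get("dn", "").lower())
        elif kind == "SRCH":
            conns[conn]["searches"].append(attrs.get("filter", ""))
        elif attrs.get("err") != "0":
            conns[conn]["errors"].append((op, attrs.get("err")))
    return dict(conns)

def non_proxy_binds(summary, proxy_dn):
    """(conn, dn) for every bind made with a DN other than the proxy account."""
    proxy = proxy_dn.lower()
    return [(c, dn) for c, info in summary.items()
            for dn in info["binds"] if dn != proxy]
```

On the excerpt above, `non_proxy_binds` returns an empty list: the only bind recorded on conn=2 is the proxy DN, followed by three identical searches.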