
ssh authentication through openldap on RH9

I am in the process of implementing a single sign-on environment, based on LDAP.
I am using openldap, pam and openssh, as distributed with Red Hat 9.
 
openldap 2.0.27-8
openssh 3.5p1-6
pam 0.75-48
 
LDAP is configured and running.  I have also defined host groups and not all users have access to all hosts.
Login authentication on the console works great, i.e., it allows users with local accounts and those authorised to access the host to log in, and prevents those who are not members of the group from gaining access.
 
When I try to get the same behaviour through ssh, I fail miserably and have not found an answer to what is going on.  I followed the directions in the LDAP System Administration book by Gerald Carter, and an extensive search on the web did not turn up any working solutions.  I am hoping that someone on this list will be able to point me in the right direction.
 
Right now I am not sure whether the problem exists on the LDAP side (I do not think so) or on the ssh (/etc/ssh/sshd_config) and pam (/etc/pam.d/sshd) side.  The latest version of the /etc/pam.d/sshd file I use is:
 
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so

I am sure there are people out there who have implemented this in their environments and I would greatly appreciate some help in getting it to work in my environment.
 
After this is done, I will attempt integration with samba, email (open exchange), and Windows (active directory).  Wish me luck!
 
Regards,
 
Demetrios
 
----------------------------------------------------
Demetrios Sapounas
Solutions Architect
Eastport Analytics
Phone: 703.351.5273
Email: ds@eastportanalytics.com
----------------------------------------------------
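A small evaluator for the auth stack quoted in the post, added here as an example and not part of the original message. It applies the Linux-PAM control-flag rules (required, requisite, sufficient, optional) to a list of hypothetical per-module outcomes, which makes it easy to see which modules are actually consulted and why a failing "required" module early in the stack (pam_securetty, pam_nologin) overrides a later "sufficient" pam_ldap success.

```python
"""Simulate Linux-PAM control-flag evaluation for one management group.

Constructed example: the 'auth' lines below are copied from the stack in the
post; the per-module outcomes passed to evaluate() are hypothetical inputs,
not results obtained from a real PAM run.
"""

PAM_SSHD_AUTH = """
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
"""


def parse_stack(text, group):
    """Return [(control, module_name)] for the lines of one management group."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == group:
            # keep only the module file name, e.g. 'pam_ldap.so'
            stack.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack with Linux-PAM control-flag semantics.

    outcomes maps module name -> True (PAM_SUCCESS) or False (failure);
    a module missing from outcomes is treated as failing.
    Returns (final_result, modules_consulted_in_order).
    """
    failed = False       # set once a 'required' module has failed
    consulted = []
    for control, module in stack:
        ok = outcomes.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted      # abort the stack immediately
        if control == "required" and not ok:
            failed = True                # remembered, but the stack keeps running
        if control == "sufficient" and ok and not failed:
            return True, consulted       # short-circuit: later modules are skipped
        # a failing 'sufficient' and any 'optional' result are ignored here
    return not failed, consulted


if __name__ == "__main__":
    stack = parse_stack(PAM_SSHD_AUTH, "auth")
    print(evaluate(stack, {"pam_securetty.so": True, "pam_nologin.so": True, "pam_ldap.so": True}))
    print(evaluate(stack, {"pam_securetty.so": False, "pam_nologin.so": True, "pam_ldap.so": True, "pam_unix_auth.so": True}))
```

Run the evaluator with outcomes that mirror a failing login to see which "required" module is masking the LDAP result; the real module outcomes come from the PAM entries in the system log, not from this simulation.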