required pam_deny.so
tem que ser a última linha em cada seção.
Eu tenho uma nova configuração do ldap e estou tentando fazer o login, seja o diretório para a máquina ou remotamente por SSH.
Quando tento realmente fazer login, minha autenticação falha.
Se eu fizer login com um usuário local, (root), então eu sou bem sucedido. Uma vez que eu estou logado, não tenho problema em emitir um su user e mudar para esse usuário.
A execução de getent passwd retornará todos os usuários válidos.
Alguma ajuda?
Os registros mostram:
Apr 10 11:50:00 ldaptest login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=user
Apr 10 11:50:00 ldaptest login: pam_ldap: error trying to bind (No such object)
Apr 10 11:50:03 ldaptest login: FAILED LOGIN 1 FROM (null) FOR user, Authentication failure
Obrigado!
[root@ldaptest ~]# cat /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
sudoers: ldap
e
[root@ldaptest ~]# cat /etc/pam_ldap.conf
base dc=ops,dc=rm
rootbinddn cn=Directory Manager,dc=ops,dc=rm
uri ldaps://10.0.32.75
ssl no
TLS_REQCERT allow
tls_cacertdir /etc/openldap/cacerts
pam_password md5
suoders_base ou=Sudoers,dc=ops,dc=rm
e
[root@ldaptest ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
password sufficient pam_ldap.so use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
e
[root@ldaptest ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
password sufficient pam_ldap.so use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_ldap.so
E finalmente ....
[root@ldaptest ~]# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth sufficient pam_ldap.so use_first_pass
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
password sufficient pam_ldap.so use_authtok
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_ldap.so
required pam_deny.so
tem que ser a última linha em cada seção.