Hi Dan,

Thanks for your info. Now I have an OpenLDAP server set up on host dc001, and I installed nss-pam-ldapd-0.8.13-8.el7.x86_64 on client dc005.

I configured system-auth, nsswitch.conf and nslcd.conf on dc005 as below:

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

nsswitch.conf was configured as below:

# egrep -v ^# /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus

nslcd.conf was configured as below:

# egrep -v ^# /etc/nslcd.conf
uri ldap://10.9.1.61:389
base dc=hosso,dc=cc
uid nslcd
gid ldap
ssl no
tls_cacertdir /etc/openldap/cacerts

And I have a user on the LDAP server as below:

dn: cn=luo.lu,ou=regular,dc=hosso,dc=cc
cn: luo.lu
displayname: luo.lu
employeenumber: 10138
employeetype: regular
gidnumber: 501
givenname: luo
homedirectory: /home/luo.lu
loginshell: /bin/bash
mail: [email protected]
objectclass: inetOrgPerson
objectclass: posixAccount
sn: lu
uid: luo.lu
uidnumber: 10138
userpassword: test

When I try to log in to dc005 as user luo.lu locally, I get the log below from /var/log/slapd/slapd.log on dc001:

Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SRCH attr=uid uidNumber
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH attr=memberUid cn gidNumber member
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (member) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:04 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:04 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=

When I ssh to dc005 as root and then su to luo.lu (yes, it can be done), I get the log below:

Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SRCH attr=uid uidNumber
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SRCH attr=memberUid cn gidNumber member
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (member) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10138))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uidNumber) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:13 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SEARCH RESULT tag=101 err=0 nentries=1 text=

Can you help take a look? Many thanks. It has confused me for a long time.

2016-12-20 1:01 GMT+08:00 Dan White <[email protected]>:

> On 12/18/16 18:40 +0800, Frank Yu wrote:
>
>> I have set up an LDAP service on host A, and configured an LDAP client on host
>> B.
>> When I tried to log in to host B with a user which was already added in the LDAP server,
>> it reported an error even though I entered the right passwd:
>>
>> [email protected]'s password:
>> debug3: send packet: type 50
>> debug2: we sent a password packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,password
>> Permission denied, please try again.
>> [email protected]'s password:
>> debug3: send packet: type 50
>> debug2: we sent a password packet, wait for reply
>> debug3: receive packet: type 51
>> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic,password
>> Permission denied, please try again.
>> [email protected]'s password:
>>
>> And I can su to user shanzhi.yu on host B:
>>
>> [root@host B ~]# su shanzhi.yu
>> [shanzhi.yu@host B root]$ cd
>> [shanzhi.yu@host B ~]$
>>
>
> There are too many missing variables to give you specific advice. General
> troubleshooting steps would include:
>
> 1) Enable server side (ssh) debugging to glean additional insight into the
> problem.
>
> 2) Verify your ssh server config has pam enabled (assuming you're using an
> ldap based pam module).
>
> 3) And if you are depending on pam to perform authentication, verify your
> pam config with pamtester. Consult your pam ldap module documentation as
> pam tends to be one of the more complicated parts of this type of setup.
>

-- 
Regards
Frank Yu
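Added example, not part of this thread: a small Python script that groups slapd log lines like the ones above by conn/op, lists searches that returned nentries=0, collects the attributes slapd reports as not indexed, and checks whether any BIND as a user DN (what a pam_ldap/nslcd password check produces on the server, as opposed to the NSS lookups shown in the thread) appears and whether it succeeded. The SRCH lines in the sample are copied from the thread; the BIND/RESULT pair is constructed to show the shape of a failed simple bind.

```python
import re

# Regexes for the slapd log line shapes seen in the thread, plus the BIND/RESULT pair a simple bind produces.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*".* filter="([^"]*)"')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)(?: nentries=(\d+))?')
UNINDEXED_RE = re.compile(r'_equality_candidates: \((\w+)\) not indexed')

# Constructed sample: the first six lines are from the thread; the last two are
# made up to show what a failed simple bind (method=128, err=49) looks like.
SAMPLE_LOG = """\
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 22 15:26:05 dc001 slapd[17164]: conn=1006 op=0 BIND dn="cn=luo.lu,ou=regular,dc=hosso,dc=cc" method=128
Dec 22 15:26:05 dc001 slapd[17164]: conn=1006 op=0 RESULT tag=97 err=49 text=
"""

def parse_slapd_log(text):
    """Group log lines by (conn, op); return the ops and the set of unindexed attributes."""
    ops, unindexed = {}, set()
    for line in text.splitlines():
        if m := SRCH_RE.search(line):
            ops[(m[1], m[2])] = {"kind": "SRCH", "target": m[3]}
        elif m := BIND_RE.search(line):
            ops[(m[1], m[2])] = {"kind": "BIND", "target": m[3], "method": int(m[4])}
        elif m := RESULT_RE.search(line):  # attach err/nentries to the matching op
            op = ops.setdefault((m[1], m[2]), {"kind": "?", "target": ""})
            op["err"] = int(m[3])
            if m[4] is not None:
                op["nentries"] = int(m[4])
        elif m := UNINDEXED_RE.search(line):
            unindexed.add(m[1])
    return ops, unindexed

def report(text):
    """Summarise what the server saw: lookups, empty lookups, binds, failed binds, unindexed attrs."""
    ops, unindexed = parse_slapd_log(text)
    srch = [o for o in ops.values() if o["kind"] == "SRCH"]
    binds = [o for o in ops.values() if o["kind"] == "BIND"]
    return {
        "searches": len(srch),
        "empty_searches": [o["target"] for o in srch if o.get("nentries") == 0],
        "binds": len(binds),
        "failed_binds": [o["target"] for o in binds if o.get("err", 0) != 0],
        "unindexed": sorted(unindexed),
    }
```

Run report() over a real /var/log/slapd/slapd.log slice taken during one login attempt: no BIND at all means the password check never reached the server, and every attribute listed under "unindexed" is a candidate for an index directive on the server.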
