
Ошибка входа в LDAP, но su для пользователей ldap работает

У меня новая настройка ldap, и я пытаюсь войти в систему либо из каталога на машине, либо удаленно через SSH.

Когда я пытаюсь войти в систему, моя аутентификация не выполняется.

Если я вхожу в систему с локальным пользователем (root), то мне это удается. Как только я вошел в систему, у меня нет проблем с выдачей su user и переключением на этого пользователя.

Запуск getent passwd вернет всех допустимых пользователей.

Буду благодарен за любую помощь.

Журналы показывают:

Apr 10 11:50:00 ldaptest login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=user
Apr 10 11:50:00 ldaptest login: pam_ldap: error trying to bind (No such object)
Apr 10 11:50:03 ldaptest login: FAILED LOGIN 1 FROM (null) FOR user, Authentication failure

Спасибо!

[root@ldaptest ~]# cat /etc/nsswitch.conf
# NOTE(review): name-service order as posted. getent passwd listing the LDAP
# users (see the question) shows the 'passwd: files ldap' lookup path works;
# lookups working while login fails points at the PAM stacks rather than here.
passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns  

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus
# NOTE(review): only 'ldap' is listed, so /etc/sudoers is not consulted at all;
# use 'ldap files' if local sudo rules should still apply when the directory is
# unreachable (this line is honoured only by a sudo built with LDAP support).
sudoers:    ldap

И

[root@ldaptest ~]# cat /etc/pam_ldap.conf 
# NOTE(review): the log's "error trying to bind (No such object)" suggests the
# DN pam_ldap built for the user is not present under this base; confirm the
# user entry is found from this base with the login attribute pam_ldap is using
# (default uid) before changing anything else.
base dc=ops,dc=rm
# rootbinddn is the identity used for privileged lookups; its password is read
# from /etc/pam_ldap.secret (keep that file 0600, root-only).
# cn=Directory Manager is usually the directory's unrestricted superuser, so a
# compromise of this host exposes full write access to the whole directory —
# prefer a dedicated read-only proxy account here.
rootbinddn cn=Directory Manager,dc=ops,dc=rm
# ldaps:// already selects TLS (port 636); 'ssl no' below contradicts that —
# confirm which of the two the installed pam_ldap actually honours.
uri ldaps://10.0.32.75
ssl no
# 'allow' requests the server certificate but proceeds even when it cannot be
# verified, which removes the protection ldaps:// is meant to give (a spoofed
# directory would see the bind credentials). Use 'demand' once the CA cert is
# in tls_cacertdir. TLS_REQCERT is the OpenLDAP ldap.conf spelling; PADL
# pam_ldap reads tls_checkpeer instead — verify this line is parsed at all.
TLS_REQCERT allow 
tls_cacertdir /etc/openldap/cacerts 
pam_password md5
# 'suoders_base' looks like a typo for 'sudoers_base'; as written it is most
# likely ignored and sudo-ldap falls back to its default search base.
suoders_base ou=Sudoers,dc=ops,dc=rm

И

[root@ldaptest ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): 'su user' from root succeeding says nothing about this stack —
# /etc/pam.d/su normally lets root through via pam_rootok.so before any password
# module runs. Login on a tty or over ssh is what exercises the auth lines below.
 auth        required      pam_env.so
# nullok lets local accounts with an empty password field log in; drop it
# unless that is intended.
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
# NOTE(review): pam_deny.so is 'required' and sits BEFORE pam_ldap.so. A
# 'required' failure is remembered while the stack keeps running, so
# pam_ldap.so still executes (consistent with the bind message in the log) but
# its 'sufficient' success cannot clear the recorded denial — every LDAP-only
# user fails here. pam_deny.so must be the last auth line; move pam_ldap.so
# above it.
 auth        required      pam_deny.so
 auth       sufficient    pam_ldap.so use_first_pass

 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 account        [default=bad success=ok user_unknown=ignore]  pam_ldap.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# NOTE(review): same ordering problem as the auth stack — pam_deny.so precedes
# pam_ldap.so, so LDAP users can never change their password through this file.
 password    required      pam_deny.so
 password    sufficient       pam_ldap.so use_authtok

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session        optional      pam_ldap.so
# umask=0077 keeps freshly created home directories private to their owner.
 session        required      pam_mkhomedir.so skel=/etc/skel umask=0077

И

[root@ldaptest ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): this is the stack sshd uses; it has the same defect as
# system-auth below.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# NOTE(review): 'required' pam_deny.so runs before pam_ldap.so, so the stack
# already carries a denial that pam_ldap.so's 'sufficient' success cannot
# undo. Move pam_ldap.so above pam_deny.so; pam_deny.so must stay last.
auth        required      pam_deny.so
auth        sufficient    pam_ldap.so use_first_pass

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# NOTE(review): same ordering problem — pam_deny.so before pam_ldap.so blocks
# password changes for LDAP users.
password    required      pam_deny.so
password    sufficient    pam_ldap.so use_authtok

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
# umask=0077 keeps freshly created home directories private to their owner.
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      pam_ldap.so

И наконец....

[root@ldaptest ~]# cat /etc/pam.d/password-auth-ac 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): password-auth is normally a symlink to this -ac file, so the
# auth and password stacks here carry the same ordering defect as the other
# two listings on this page; authconfig will rewrite this file on its next run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
# NOTE(review): 'required' pam_deny.so before pam_ldap.so — the denial is
# recorded before pam_ldap.so gets a chance; pam_deny.so must be the last
# auth line, with pam_ldap.so above it.
 auth        required      pam_deny.so
 auth       sufficient    pam_ldap.so use_first_pass

 account     required      pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     required      pam_permit.so
 account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# NOTE(review): same ordering problem — pam_deny.so before pam_ldap.so blocks
# password changes for LDAP users.
 password    required      pam_deny.so
 password    sufficient    pam_ldap.so use_authtok

 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
# umask=0077 keeps freshly created home directories private to their owner.
 session        optional      pam_mkhomedir.so skel=/etc/skel umask=0077
 session        optional      pam_ldap.so

Строка `required pam_deny.so` должна быть последней строкой в каждом разделе.