For LDAP user logon problems, please refer to the solution!!!

Source: Internet
Author: User
Tags: openldap
Configuration environment:
Server: CentOS 5.6
Client: Fedora 15

Problems:
You can use `su user` or `su - user` to log on to the client.
You can also use `ldapsearch -x -LLL` on the client to query LDAP information.
However, logging on normally does not work, for example directly at the logon screen or via SSH.



Server-side LDAP configuration (unchanged settings are not shown):
slapd.conf:
database bdb
suffix "dc=mwhdc,dc=com"
rootdn "cn=Manager,dc=mwhdc,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw 123456
rootpw {SSHA}Tdh3fwWO0X68E7H8Zwb4N+9bjMhNcBuK

pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
#auth       sufficient    pam_ldap.so
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid >= 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok md5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=ok default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_ldap.so

nsswitch.conf:
passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus


sysconfig/authconfig:
USEWINBINDAUTH=no
USEKERBEROS=no
USESYSNETAUTH=yes
USEPAMACCESS=no
USEMKHOMEDIR=yes
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=yes
USEDB=no
USEWINBIND=no
USESHADOW=yes
PASSWDALGORITHM=md5
USEPASSWDQC=no
USELDAP=yes
USELOCAUTHORIZE=yes
USEHESIOD=no
USECRACKLIB=yes
USENIS=no

==============================================================

LDAP configuration on the client side (unchanged settings are not shown):
openldap/ldap.conf:
URI ldap://172.28.11.54/
BASE dc=mwhdc,dc=com
pam_check_host_attr yes

TLS_CACERTDIR /etc/openldap/cacerts


pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
#auth       sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
#account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
#password   sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
#-session   optional      pam_systemd.so
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     [success=ok default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
#session    optional      pam_sss.so


nsswitch.conf:
passwd:     files ldap
shadow:     files ldap
group:      files ldap

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus


sysconfig/authconfig:
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
PASSWDALGORITHM=yes
FORCELEGACY=no
USEFPRINTD=no
USEHESIOD=no
FORCESMARTCARD=no
USEDB=no
USELDAPAUTH=yes
USELOCAUTHORIZE=yes
USEECRYPTFS=no
USECRACKLIB=yes
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=yes
USESSSD=no
USEPASSWDQC=no



This is the main configuration. I don't know where the problem is! It's really depressing!!! So I'm asking you for advice, please give me some pointers~~~!!
Thank you~~~!!!
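To see why one and the same account stack can admit a local user yet reject an LDAP user, here is an added example (not the poster's code and not part of the original post) that parses the client's account section of system-auth as posted above and replays Linux-PAM's control-flag rules over it. The return value assigned to pam_ldap.so in each scenario is an assumption fed in by hand; nothing in the script talks to LDAP or to PAM.

```python
"""Trace Linux-PAM control-flag semantics over the client's account stack.

Added example for this post, not the poster's code. The stack text is the
client's /etc/pam.d/system-auth account section as posted; the return value
of pam_ldap.so in each scenario is an assumption, not a real PAM call.
"""
import re

# Constructed sample input: the client's account stack, copied from the post.
CLIENT_ACCOUNT_STACK = """
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""

# Linux-PAM's documented expansion of the keyword controls into [...] form.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")


def parse_stack(text):
    """Return [(control_map, module, args)] for the non-comment lines of a stack."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        _group, control, module, args = LINE_RE.match(line).groups()
        ctrl = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                if control.startswith("[") else KEYWORDS[control])
        entries.append((ctrl, module, args.split()))
    return entries


def succeed_if(args, user):
    """Tiny pam_succeed_if: handles 'uid <op> N' and 'service in a:b' only."""
    m = re.match(r"uid\s*(<=|>=|<|>|=|!=)\s*(\d+)", " ".join(args))
    if m:
        uid, n = user["uid"], int(m.group(2))
        hit = {"<": uid < n, "<=": uid <= n, ">": uid > n, ">=": uid >= n,
               "=": uid == n, "!=": uid != n}[m.group(1)]
        return "success" if hit else "perm_denied"
    if args[:2] == ["service", "in"]:
        return "success" if user["service"] in args[2].split(":") else "perm_denied"
    raise ValueError("unsupported pam_succeed_if condition: %r" % args)


def run_stack(entries, user, outcomes):
    """Apply the ok/done/bad/die/ignore/reset/jump rules; return (status, trace)."""
    impression, status, trace, i = None, "success", [], 0
    while i < len(entries):
        ctrl, module, args = entries[i]
        rc = succeed_if(args, user) if module == "pam_succeed_if.so" else outcomes[module]
        action = ctrl.get(rc, ctrl["default"])
        trace.append("%s -> %s -> %s" % (module, rc, action))
        if action in ("ok", "done") or action.isdigit():
            if impression != "bad":          # a recorded failure is never overridden
                impression = "ok"
                if action == "done":         # sufficient: stop early on success
                    return "success", trace
            if action.isdigit():             # jump: skip the next N entries
                i += int(action)
        elif action in ("bad", "die"):
            if impression != "bad":          # the first failure fixes the status
                impression, status = "bad", rc
            if action == "die":              # requisite: stop immediately
                return status, trace
        elif action == "reset":
            impression, status = None, "success"
        i += 1                               # "ignore" falls through to here
    if impression is None:                   # nothing voted: Linux-PAM denies
        return "perm_denied", trace
    return ("success" if impression == "ok" else status), trace


def account_result(user, ldap_rc, stack=CLIENT_ACCOUNT_STACK):
    """Run the account stack for a user. pam_unix with broken_shadow passes any
    NSS-visible user (nsswitch says 'passwd: files ldap'), so the assumed
    pam_ldap verdict (ldap_rc) is the only thing that differs per scenario."""
    outcomes = {"pam_unix.so": "success", "pam_ldap.so": ldap_rc, "pam_permit.so": "success"}
    return run_stack(parse_stack(stack), user, outcomes)


if __name__ == "__main__":
    for label, user, ldap_rc in [
        ("root via sshd", {"uid": 0, "service": "sshd"}, "perm_denied"),
        ("LDAP user, pam_ldap grants", {"uid": 1001, "service": "sshd"}, "success"),
        ("LDAP user, pam_ldap denies", {"uid": 1001, "service": "sshd"}, "perm_denied"),
    ]:
        status, trace = account_result(user, ldap_rc)
        print("%s: %s\n  %s" % (label, status, "\n  ".join(trace)))
```

Running it shows three outcomes. For uid 0 the `sufficient pam_succeed_if.so uid < 500` line ends the stack before pam_ldap.so is ever consulted, so root and local accounts never depend on the directory. An LDAP user whose pam_ldap.so account check returns success or user_unknown is admitted. An LDAP user whose pam_ldap.so account check fails is denied even though pam_permit.so succeeds afterwards, because `default=bad` records a failure that a later `ok` cannot undo. That last path is the one to check when `su` works but a fresh SSH or console login does not: pam_ldap's account stage performs authorization checks, and with `pam_check_host_attr yes` in the client's ldap.conf above it rejects any user whose directory entry carries no `host` attribute naming that client. Keep in mind that `su` runs under its own /etc/pam.d/su service file, so it does not necessarily walk this stack the way sshd or the display manager does; /var/log/secure on the client records which module denied a login.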
