The code listing 4.2 contains entries which will not work properly with OpenSSH for authentication. Namely, the pam_ldap.so and pam_unix.so entries need to be flip-flopped.

Reproducible: Always

Steps to Reproduce:
1. Follow instructions in HOWTO
2. Attempt to log on with SSH
3. SSH fails

Actual Results: Logins will fail with SSH; however, su will know about the users, as will other utilities.

Expected Results: Log in properly with ssh.

Code listing needs to be changed to:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional /lib/security/pam_ldap.so

Another important thing to note is, if /etc/ldap.conf has "rootbinddn" defined, it will also break SSH's authentication.
Is there a way to have both (ssh logins and su/other apps knowing of the user)?
I've added a note that, if ssh fails, you should interchange those two lines, but that you might find out that other tools like su will fail. This way we have both: a default that works for some reasons, and information on what to do if you don't want to.
su seems to work with the lines the way I indicated. I am guessing that order DOES matter in any pam.d file; however, I'm not sufficiently knowledgeable about how it all works. I managed to fix it that way.
I found strange problems with normal login (not even with ssh). With the order 'as is' in the listing on the docs page, the normal login at the console will fail the first password, but then when it goes back to the prompt and you type the same username in again, it logs in without a password. Switching the two auth lines fixes that behavior, but then su fails. I was able to fix it by having the following in system-auth:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so

It seems to work fine for all cases.
Thanks. I've updated the guide per your system-auth; the account facility should be okay with this.
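An added example, not from this thread or the HOWTO, that parses an auth stack like the ones posted here, walks Linux-PAM's required/requisite/sufficient rules for a local user and an LDAP-only user, and flags a use_first_pass module that has no earlier module to collect a password from; the sample stack is constructed from the corrected listing above, and the per-module success values are assumptions standing in for real pam_unix/pam_ldap results.

```python
# Constructed: the corrected auth section posted above, in pam.d syntax.
AUTH_STACK = """
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required   /lib/security/pam_deny.so
"""

def parse_stack(text, facility):
    """Entries of one facility as (control, module, args), in stack order."""
    entries = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3 and parts[0] == facility:
            entries.append((parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return entries

def run_stack(entries, results):
    """Classic required/requisite/sufficient evaluation; results maps module
    -> success for this user (pam_env always passes, pam_deny always fails)."""
    failed = False
    for control, module, _ in entries:
        ok = results.get(module, {"pam_env.so": True}.get(module, False))
        if control == "requisite" and not ok:
            return False  # requisite failure ends the stack at once
        failed = failed or (control == "required" and not ok)
        if control == "sufficient" and ok and not failed:
            return True   # sufficient success short-circuits the stack
    return not failed

def verdicts(text):
    """Outcome for a local-only user, an LDAP-only user and a wrong password."""
    stack = parse_stack(text, "auth")
    return {"local_user": run_stack(stack, {"pam_unix.so": True, "pam_ldap.so": False}),
            "ldap_user": run_stack(stack, {"pam_unix.so": False, "pam_ldap.so": True}),
            "bad_password": run_stack(stack, {"pam_unix.so": False, "pam_ldap.so": False})}

def lint_stack(entries):
    """Flag the ordering mistakes this thread is about."""
    warnings, collected = [], False  # collected: an earlier module prompted
    for _, module, args in entries:
        if module not in ("pam_unix.so", "pam_ldap.so"):
            continue
        if "use_first_pass" in args and not collected:
            warnings.append(f"{module}: use_first_pass but no earlier module prompted")
        collected = collected or "use_first_pass" not in args
    if not entries or entries[-1][:2] != ("required", "pam_deny.so"):
        warnings.append("auth stack does not end with 'required pam_deny.so'")
    return warnings

if __name__ == "__main__":
    print(verdicts(AUTH_STACK), lint_stack(parse_stack(AUTH_STACK, "auth")))
```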