https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138364#M8422 Vijay,<BR /><BR />I would like to help you now but I have got to leave for appointment, I have open my openldap doc and will try to futher help is I am able when I return.<BR /><BR />J-P<BR /><BR /> Mon, 08 Dec 2003 06:15:29 GMT Huc_1 2003-12-08T06:15:29Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138357#M8415 I am planning to authenticate my linux systems through Active directory. I have planned to use PAM_LDAP and NSS_LDAP. I thing i made good progress. I edited my /etc/pam.d/system-auth and /etc/ldap.conf<BR /><BR />I am using a Redhat Linux System 7.2.<BR /><BR />Here is my /etc/pam.d/system-auth<BR />#%PAM-1.0<BR /># This file is auto-generated.<BR /># User changes will be destroyed the next time authconfig is run.<BR />auth required /lib/security/pam_env.so<BR />auth sufficient /lib/security/pam_unix.so likeauth nullok<BR />auth sufficient /lib/security/pam_ldap.so use_first_pass<BR />auth required /lib/security/pam_deny.so<BR /><BR />account required /lib/security/pam_unix.so<BR />account required /lib/security/pam_ldap.so<BR /><BR />password required /lib/security/pam_cracklib.so retry=3 type=<BR />password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow<BR />password sufficient /lib/security/pam_ldap.so nullok use_authtok <BR />password required /lib/security/pam_deny.so<BR /><BR />session required /lib/security/pam_limits.so<BR />session required /lib/security/pam_unix.so<BR />session optional /lib/security/pam_ldap.so<BR /><BR /><BR />I got this error when i trying to login using an LDAP user account:<BR /><BR />Dec 8 14:48:19 ht68f5 login(pam_unix)[5241]: check pass; user unknown<BR />Dec 8 14:48:19 ht68f5 login(pam_unix)[5241]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= <BR />Dec 8 14:48:19 ht68f5 login[5241]: pam_ldap: ldap_search_s Referral<BR />Dec 8 14:48:21 ht68f5 login[5241]: FAILED LOGIN 1 FROM (null) FOR vij3347, Authentication failure<BR /><BR /><BR />Any idea?<BR /><BR />Thanks<BR />Vijay Mon, 08 Dec 2003 05:24:53 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138357#M8415 Vijaya Kumar_3 2003-12-08T05:24:53Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138358#M8416 Hi, Vijay<BR /><BR />Sorry, but, You did do a slapadd for vij3347 ?<BR />and this user is known .<BR /><BR /><BR />J-P Mon, 08 Dec 2003 05:36:27 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138358#M8416 Huc_1 2003-12-08T05:36:27Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138359#M8417 I for got to mention, i have NSS_LDAP installed. <BR /><BR />My /etc/nsswitch.conf says<BR />passwd: files ldap<BR />shadow: files ldap<BR />group: files ldap<BR />.....<BR /><BR />My /etc/ldap.conf is having LDAP configuration.<BR /><BR />Do u mean to say that my ID is not getting authenticated?<BR /><BR />Thanks<BR />Vijay Mon, 08 Dec 2003 05:39:10 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138359#M8417 Vijaya Kumar_3 2003-12-08T05:39:10Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138360#M8418 my exact question is <BR /><BR />Why my pam_ldap returns this error?<BR /><BR />Dec 8 16:10:54 ht68f5 login[982]: pam_ldap: ldap_search_s Referral<BR /><BR />Thanks<BR />Vijay Mon, 08 Dec 2003 05:42:31 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138360#M8418 Vijaya Kumar_3 2003-12-08T05:42:31Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138361#M8419 Dec 8 14:48:21 ht68f5 login[5241]: FAILED LOGIN 1 FROM (null) FOR vij3347<BR /><BR />No what I mean is there an entry for vij3347,<BR />is this seen ?<BR /><BR />and perhaps there are more messages in var/log<BR /><BR />like var/log/security ?<BR /><BR />J-P<BR /> Mon, 08 Dec 2003 05:49:37 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138361#M8419 Huc_1 2003-12-08T05:49:37Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138362#M8420 Thanks Huc for reminding me...<BR /><BR />i tried with /var/log/messages. there is one more file /var/log/secure.<BR /><BR />it says...<BR /><BR />Dec 8 16:13:48 ht68f5 login: pam_ldap: ldap_search_s Referral<BR />Dec 8 16:13:48 ht68f5 login: User not known to the underlying authentication module<BR />Dec 8 16:17:25 ht68f5 login: nss_ldap: could not search LDAP server - Referral<BR /><BR />I think i have check my ldap configurations... here is my ldap configuration, /etc/ldap.conf<BR /><BR /># Your LDAP server. Must be resolvable without using LDAP.<BR />host 10.168.145.10<BR />ldap_version 3<BR />base dc=doma.hex.local,dc=hex.local<BR />binddn vij3347@domainjp02.hex.local<BR />scope sub<BR />ssl no<BR />pam_filter objectclass=user<BR />pam_login_attribute sAMAccountName<BR />pam_password ad<BR /><BR />nss_base_passwd ou=users,ou=hex.local,dc=hex.local,dc=local?one<BR />nss_base_shadow ou=users,ou=hex.local,dc=hex.local,dc=local?one<BR />nss_base_group ou=group,ou=hex.local,dc=hex.local,dc=local?one<BR /><BR />#nss_map_objectclass posixAccount User<BR />#nss_map_attribute uid sAMAccountName<BR />#nss_map_attribute uniqueMember Member<BR />#nss_map_attribute userPassword msSFUPassword<BR />#nss_map_attribute homeDirectory msSFUHomeDirectory<BR />#nss_map_objectclass posixGroup Group<BR />#nss_map_attribute cn sAMAccountName<BR /><BR />I am able to ping the LDAP server.<BR />Even I am able to telnet <LDAP_IP> 389 .<BR /><BR />any clues,<BR /><BR />Thanks<BR />Vijay</LDAP_IP> Mon, 08 Dec 2003 05:57:37 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138362#M8420 Vijaya Kumar_3 2003-12-08T05:57:37Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138363#M8421 btw, i am having that account in my active directory.<BR /><BR />Thanks<BR />Vijay Mon, 08 Dec 2003 06:00:06 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138363#M8421 Vijaya Kumar_3 2003-12-08T06:00:06Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138364#M8422 Vijay,<BR /><BR />I would like to help you now but I have got to leave for appointment, I have open my openldap doc and will try to futher help is I am able when I return.<BR /><BR />J-P<BR /><BR /> Mon, 08 Dec 2003 06:15:29 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138364#M8422 Huc_1 2003-12-08T06:15:29Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138365#M8423 Vijay,<BR /><BR />Have you made any progres on this, or is this still a problem ?<BR /><BR />J-P<BR /> Tue, 09 Dec 2003 08:21:33 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138365#M8423 Huc_1 2003-12-09T08:21:33Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138366#M8424 Not yet...<BR /><BR />Can u help me? I installed OpenLDAP locally and trying to authenticate...<BR /><BR />So i think i will make some points. I would really appreciate your help.<BR /><BR />Thanks<BR />Vijay Tue, 09 Dec 2003 23:36:48 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138366#M8424 Vijaya Kumar_3 2003-12-09T23:36:48Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138367#M8425 In the my previous reply the doc I talked about is the following.<BR /><BR /><A href="http://www.openldap.org/doc/admin20/guide.html#A%20Quick-Start%20Guide" target="_blank">http://www.openldap.org/doc/admin20/guide.html#A%20Quick-Start%20Guide</A><BR /><BR />I am no expert in ldap ( but there is more in 2 heads then one ), just always hope to get around using it one day.<BR /><BR />Seem that the problem is identification by pam modules of the "string" it is passed...<BR />it get to that point so I suppose the network part is good ... <BR /><BR />one of the thing that I do when I have this kind of problems is <BR /><BR />modify /etc/syslog.conf with the following line to get all messages to screen<BR /><BR />*.* /dev/console<BR /><BR />You have to "# service syslogd restart " to get this active (make sure this does not disrupt your enviroment)<BR /><BR />I then invoke the command <BR /><BR />#xconsole &amp;<BR /><BR />from gui xterm login (su -) as root<BR /><BR />This open a window where all messages that go to /var/log/* are redirected.<BR /><BR />this allowes me to test and see messages/error in as they happen !<BR /><BR />I will read your reply this late afternoon, when I return..<BR /><BR />Hope this helps <BR /><BR />J-P Wed, 10 Dec 2003 03:56:56 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138367#M8425 Huc_1 2003-12-10T03:56:56Z https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138368#M8426 Good point.<BR /><BR />I tried with auth.* /dev/console before. I hope thats not enough.<BR /><BR />Let me try with *.* /dev/console and post the output.<BR /><BR />Thanks for your help<BR />Vijay Wed, 10 Dec 2003 06:06:01 GMT https://community.hpe.com/t5/operating-system-linux/linux-pam-and-active-directory-integration-issue/m-p/3138368#M8426 Vijaya Kumar_3 2003-12-10T06:06:01Z