LDAP User could not access system

Gary L · ‎10-26-2007

Hi

We have two RedHat ES4U4 server, server2 is LDAP server, server1 use LDAP Brower Edit to access LDAP server and add/remove users.

But, currently, we met a problem: lots of LDAP users could not access server1.

1. I have tried to reset their password from LDAP sever via "lbe" on server1, but it doen't work.

2. I did the below command as root user, but got this error.
# su u367
su: incorrect password
correct users I could did # su comand

How to fix this kind of problem?
Any answers will be very appreciate

Gary L · ‎10-26-2007

Sorry, two RH ES3 update 4 server.

server1 has set use LDAP and LDAP server is server2.

Ivan Ferreira · ‎10-26-2007

what is the output of:

id u367
getent passwd |grep u367

Are these users in the same organizational unit?

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Gary L · ‎10-26-2007

Hi Ivan

Thank you very much for your fast reply, below are the output:

#id j367
uid=10367(j367) gid=100(users) groups=100(users)

# getent passwd |grep j367
j367t:x:20011:100::/home/j367t:/bin/ksh
j367:x:10367:100:j367:/home/j367:/bin/ksh

There users are in the same unit.

Ivan Ferreira · ‎10-26-2007

Can you please post what you receive when you do:

su - u367
ssh -l u367 localhost

Right after that:
tail /var/log/secure

Check the output of:

finger u367

Check the permissions of the users's home directory.

I would like to see the following files:

more /etc/pam.d/su
more /etc/pam.d/system-auth

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Gary L · ‎10-26-2007

Thanks Ivan

I could not show the output right now, because probably, my boss solved this problem. he just ran command "faillog -p / -r", all failure LDAP user worked.

I have no idea why

Could you please explain this?

Ivan Ferreira · ‎10-26-2007

The "faillog -r" maybe was the solution. This resets the failure count. Probably, the system has configure pam_tally, to deny the login if more than "N" authentication failures was intented. Resetting the login failure count will solve the problem.

You will see pam_tally relates messages to /var/log/messages denying the login.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Gary L · ‎10-26-2007

Thanks Ivan

Have a good weekend.

skt_skt · ‎10-30-2007

yes; failog fixed your problem

Following entry/file limits the account to be locked/disabled after five login failure.

# grep LOGIN_RETRIES /etc/login.defs
LOGIN_RETRIES 5

# pam_tally --user kumarts
User kumarts (19806) has 10

# faillog -r kumarts

# pam_tally --user kumarts
User kumarts (19806) has 0

Once it is reset to zero ; you would be able to login.

Gary L · ‎10-30-2007

Hi Santhosh

Thank you very much for your suggestions

Have a great day

-Gary

LDAP User could not access system

LDAP User could not access system

Re: LDAP User could not access system

Re: LDAP User could not access system

Re: LDAP User could not access system

Re: LDAP User could not access system

Re: LDAP User could not access system

Re: LDAP User could not access system

Re: LDAP User could not access system

Re: LDAP User could not access system

Re: LDAP User could not access system

Hewlett Packard Enterprise International