Hi Dan,

Thanks for your info.
Now I have openldap server setup on host dc001, and I install nss-pam-ldapd-0.8.13-8.el7.x86_64 on client dc005.

And I configure system-auth/nsswitch.conf/nslcd.conf on dc005 as below:
 
# cat /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

nsswitch.conf was configured as below:

# egrep -v ^# /etc/nsswitch.conf


passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns


bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

nslcd.conf was configured as below:

# egrep -v ^# /etc/nslcd.conf

uri ldap://10.9.1.61:389
base dc=hosso,dc=cc
uid nslcd
gid ldap

ssl no
tls_cacertdir /etc/openldap/cacerts

and I have a user on ldap server as below:
dn: cn=luo.lu,ou=regular,dc=hosso,dc=cc
cn: luo.lu
displayname: luo.lu
employeenumber: 10138
employeetype: regular
gidnumber: 501
givenname: luo
homedirectory: /home/luo.lu
loginshell: /bin/bash
mail: luo.lu@hosso.cc
objectclass: inetOrgPerson
objectclass: posixAccount
sn: lu
uid: luo.lu
uidnumber: 10138
userpassword: test

when I try to login dc005 with user luo.lu from local, I get below log from /var/log/slapd/slapd.log on dc001.


Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SRCH attr=uid uidNumber
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH attr=memberUid cn gidNumber member
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (member) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SEARCH RESULT tag=101 err=0 nentries=0 text=


Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:04 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:04 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=


when I ssh dc005 with root, then su to luo.lu(yes, it can be done) I get below log:


Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SRCH attr=uid uidNumber
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SRCH attr=memberUid cn gidNumber member
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (member) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10138))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uidNumber) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:13 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SEARCH RESULT tag=101 err=0 nentries=1 text=



Can you help take a look? Great thanks. it confused me for long time


2016-12-20 1:01 GMT+08:00 Dan White <dwhite@cafedemocracy.org>:
On 12/18/16 18:40 +0800, Frank Yu wrote:
I have setup a LDAP service on host A, and configure ldap client on host B.
when I tried to login host B with user which already added in LDAP server,
it report error even through I enter right passwd

shanzhi.yu@10.10.10.101's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
shanzhi.yu@10.10.10.101's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
shanzhi.yu@10.10.10.101's password:"

and, I can su to user shanzhi.yu on host B

[root@
​host B
~]# su shanzhi.yu
[shanzhi.yu@
​host B
root]$ cd
[shanzhi.yu@
​host B
~]$

There are too many missing variables to give you specific advice. General
trouble shooting steps would include:

1) Enable server side (ssh) debugging to glean additional insight into the
problem.

2) Verify your ssh server config has pam enabled (assuming you're using an
ldap based pam module).

3) And if you are depending on pam to perform authentication, verify your
pam config with pamtester. Consult your pam ldap module documentation as
pam tends to be one of the more complicated parts of this type of setup.




--
Regards
Frank Yu