On 03/01/13 15:07 +0530, Meghanand Acharekar wrote:
I've LDAP production server running over last 1 years without any issues, I'm suddently getting password fail error while authenticating via pam_ldap.so its show following error message, I'm able to authenticate using ldap client utilities like ldapsearch, also via some java application,
On client side I got following error message in /var/log/secure
Failed password for [username] from xx.xx.xx.xx port 38473 ssh2 fatal: Access denied for user [username] by PAM account configuration
That error could indicate some other problem. From wikipedia (for Linux_PAM):
"Account modules check that the specified account is a valid authentication target under current conditions. This may include conditions like account expiration, time of day, and that the user has access to the requested service."
Check that your libnss_ldap configuration is good, by running:
getent passwd <user>
and
getent shadow <user>
Verify that you don't have an expired account (see man shadow). Check that your name caching daemon (e.g. nscd) is running, if you're using it.
On LDAP server logs.
=> access_allowed: read access denied by auth(=xd) send_search_entry: conn 1711 access to attribute userPassword, value #0 not allowed
ACL configuration on LDAP server
access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=example,dc=com" write by * none access to attrs=shadowLastChange by self write by * read access to * by self write by dn.base="cn=Manager,dc=example,dc=com" write by * read
pam_ldap (/etc/pam.d/system-auth) configuration - client side
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_ldap.so try_first_pass auth sufficient pam_unix.so nullok use_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 debug minclass=4 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
The strange thing is I haven't made any changes on server or client side since a long time.