00jlh

Q: 389 directory server pam authentication

Hi Folks,

I've installed 389 Directory Server on a CentOS 7.0 server. Over the last two days I've been trying to connect a MacBook running 10.10.5 to the server as a client and I'm having only partial success.

I've "Joined" to my network Account Server, and set my LDAP Mappings to RFC2307.

With these settings, I'm able to look at the "Directory Editor" (located within the Directory Utility) and see the posix groups and users I've created on the 389-ds server, e.g. RealName = Test User (so success!)

Similarly, when using the Mac OS dscl command, and "cd-ing" into LDAPv3/FQDN_of_server/Users, I see the RecordName of the users (or the shortname uid; e.g. RecordName = testuser). (success again!)


The command

    dscl /LDAPv3/FQDN_of_server -read Users/testuser

appears to pull up the correct information for the user. For example, that command pulls up the following user information:


sh-3.2# dscl /LDAPv3/FQDN_of_server -read Users/testuser
dsAttrTypeNative:gecos:
 Ethan Hawke; Test User
dsAttrTypeNative:givenName: Test
dsAttrTypeNative:mail: testuser@xxx.xxx.edu
dsAttrTypeNative:memberOf:
 cn=group1,ou=Groups,dc=example,dc=edu
 cn=group2,ou=Groups,dc=example,dc=edu
dsAttrTypeNative:objectClass: top person organizationalPerson inetorgperson posixAccount inetuser
dsAttrTypeNative:sn: User
AppleMetaNodeLocation: /LDAPv3/FQDN_of_server
AppleMetaRecordName:
 uid=testuser,ou=People,dc=example,dc=edu
NFSHomeDirectory: /home/testuser
PrimaryGroupID: 1100
RealName: Test User
RecordName: testuser
RecordType: dsRecTypeStandard:Users
UniqueID: 2000
UserShell: /bin/tcsh

As root on the Mac system, I can "su" to an LDAP test user and create files. The ownership and group of the created files look correct. For example:

sh-3.2# su - testuser
[macbook:~] testuser% touch testfile
[macbook:~] testuser% ls -l testfile
-rw-r-----  1 testuser  group1  0 Aug 22 14:47 testfile

However, I have an issue where I apparently can't ssh into the Mac as testuser, log in to the console, or "su" to an LDAP user from an unprivileged account. NOTE: I did verify that under "Users & Groups" I am allowing "all" network users to log in at the login window.

The error I'm seeing in the system.log file when I try to ssh into the localhost as the test user is the following:

..... sshd<XXX>:  error: PAM: authentication error for testuser ....

I believe the problem is with the authorization, sshd, and login files in the /etc/pam.d directory of the Mac, but I've tried several changes to correct for the error, and nothing seems to work.

Has anyone else run across this issue? Any suggestions would be appreciated.


Thanks,

MacBook Air, OS X Yosemite (10.10.4)

Posted on Aug 22, 2016 1:54 PM
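Editor's note on the symptom above, with an added example that is not part of the original post. Every path that works in the post (Directory Editor, dscl -read, su from root, which never prompts for a password) only resolves the record; every path that fails (ssh, the login window, su from an unprivileged account) hands the password to PAM, which in turn has OpenDirectory verify it against the LDAPv3 node. For an LDAPv3 node without a mapped AuthenticationAuthority, that verification is ordinarily an LDAP simple bind as the user's own DN. The Python below, written for this page rather than taken from the poster or from 389-ds, encodes that BindRequest by hand (RFC 4511, BER) and decodes the server's BindResponse, so the bind can be attempted straight against the 389 DS host and the resultCode read without PAM in the way. The host name FQDN_of_server and the password "secret" are placeholders; the DN uid=testuser,ou=People,dc=example,dc=edu is the AppleMetaRecordName from the dscl output; the sample responses are constructed here for offline checking.

```python
"""Minimal LDAPv3 simple bind (RFC 4511), encoded by hand so the exchange is visible."""
import socket

# resultCode values that commonly come back from a failed bind (RFC 4511, section 4.1.9)
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",   # server refuses a cleartext simple bind
    32: "noSuchObject",              # the bind DN does not exist
    49: "invalidCredentials",        # DN exists but the password was rejected
    50: "insufficientAccessRights",
    53: "unwillingToPerform",        # e.g. account locked or a server-side policy
}

# --- BER helpers (only the subset a BindRequest/BindResponse needs) ---

def ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_int(value, tag=0x02):
    """Non-negative INTEGER (or ENUMERATED with tag 0x0A); padded so the sign bit stays clear."""
    return ber_tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def read_tlv(buf, pos=0):
    """Return (tag, payload, next_pos) for the TLV that starts at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                        # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

# --- LDAP messages ---

def build_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    bind = ber_tlv(0x60, ber_int(3)
                         + ber_tlv(0x04, bind_dn.encode("utf-8"))
                         + ber_tlv(0x80, password.encode("utf-8")))   # [0] simple: password in the clear
    return ber_tlv(0x30, ber_int(message_id) + bind)

def build_bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """Constructed BindResponse [APPLICATION 1]; used here only to make offline test vectors."""
    result = (ber_int(result_code, tag=0x0A)
              + ber_tlv(0x04, matched_dn.encode("utf-8"))
              + ber_tlv(0x04, diagnostic.encode("utf-8")))
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x61, result))

def parse_bind_response(data):
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage, ... } }."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, code, pos = read_tlv(body)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, matched, pos = read_tlv(body, pos)
    _, diag, _ = read_tlv(body, pos)
    result_code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": result_code,
        "result": RESULT_CODES.get(result_code, "resultCode %d" % result_code),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }

def simple_bind(host, bind_dn, password, port=389, timeout=5):
    """Attempt the bind a directory client would do. Cleartext on port 389: test networks only."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        data = sock.recv(4096)               # a single BindResponse fits in one read
    return parse_bind_response(data)

if __name__ == "__main__":
    # Placeholders from the post: substitute the real FQDN and a test account's password.
    result = simple_bind("FQDN_of_server", "uid=testuser,ou=People,dc=example,dc=edu", "secret")
    print("%s: %s" % (result["result"], result["diagnostic"] or "(no diagnostic message)"))
```

Read the resultCode rather than the PAM line: invalidCredentials (49) means the directory itself rejected the password for that DN, so the fix is on the 389-ds side (userPassword, password policy) and no /etc/pam.d change will help; confidentialityRequired (13) means the server will not take a simple bind over cleartext (for example when 389-ds is configured to require secure binds) and the Mac's connection to the node has to use SSL; a TCP reset or timeout points at the network path rather than authentication. On the Mac itself, `dscl /LDAPv3/FQDN_of_server -authonly testuser` exercises the same verification through OpenDirectory, which is the quickest way to tell whether the failure is in the directory lookup or in PAM.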
