On Fri, 26.03.2004 at 16:05, Izak Burger wrote:
> I'm no expert on Jsch, but it looks a LOT like your ldap setup has a
> problem. But I could be wrong. Does it work with other ssh clients?
yes, openssh and putty work excellent. login is no problem in
interactive mode. maybe there is the problem, since jsch does not send
the username/password in interactive mode, but with
> Usually when you set up pam_ldap, you don't make shadow available. This
> way, pam_unix will fail for ldap users (because you have no shadow
> entry) and it falls through to ldap (depending on how your ldap setup
> works, mine is set up to try pam_unix first). Or to be more specific,
> nsswitch.conf contains:
> passwd: files ldap
> group: files ldap
> shadow: files
> /etc/pam.d/ssh contains:
> auth required pam_nologin.so
> auth required pam_env.so
> auth sufficient pam_unix.so
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
> account sufficient pam_unix.so
> account sufficient pam_ldap.so
> account required pam_deny.so
> password sufficient pam_unix.so
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
> session required pam_unix.so
> session optional pam_ldap.so
> session optional pam_motd.so # 
> session optional pam_mail.so standard noenv # 
> session required pam_limits.so
> Now when an ldap user logs in, you will not be able to get shadow info
> for the user (ldap isn't even consulted, only /etc/shadow is consulted).
> This makes pam_unix fail, but since pam_unix is not required (merely
> sufficient), it will try pam_ldap, which should return PAM_SUCCESS and
> allow access.
> I think the error message you're reporting shows you that pam_unix
> correctly identifies that the user has no shadow entry, but the problem
> is probably with pam_ldap.
i am using the same setup, except that it is based on pam.d/system-auth.
> Just my 2 South African Cents...
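
The fall-through described in the quoted explanation, as an added example that is not part of the original messages: a simplified Python model of how the control flags on the quoted `auth` lines combine. The function names and the per-module outcomes are constructed for illustration; real Linux-PAM has more return codes and control flags than this model covers.

```python
# Added illustration: simplified model of PAM "required"/"sufficient" handling.
# Module outcomes are constructed inputs, not captured from a real login.

def run_stack(stack, outcomes):
    """Evaluate (control, module) pairs; outcomes maps module -> True/False.

    Model: a failed 'required' module is remembered but the stack continues;
    a successful 'sufficient' module ends the stack at once unless a required
    module already failed; a failed 'sufficient' module is ignored.
    Returns (granted, trace).
    """
    required_failed = False
    trace = []
    for control, module in stack:
        ok = outcomes[module]
        trace.append((module, control, "ok" if ok else "fail"))
        if control == "required" and not ok:
            required_failed = True
        elif control == "sufficient" and ok and not required_failed:
            return True, trace
    return not required_failed, trace

# The auth lines from the quoted /etc/pam.d/ssh, in order.
AUTH_STACK = [
    ("required", "pam_nologin"),
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_deny"),
]

def login(unix_ok, ldap_ok, nologin_ok=True):
    """Run the auth stack; pam_deny always fails, pam_env is assumed to pass."""
    outcomes = {"pam_nologin": nologin_ok, "pam_env": True,
                "pam_unix": unix_ok, "pam_ldap": ldap_ok, "pam_deny": False}
    return run_stack(AUTH_STACK, outcomes)

if __name__ == "__main__":
    cases = [("LDAP user, LDAP bind works", False, True),
             ("local user in /etc/shadow", True, False),
             ("LDAP user, pam_ldap fails", False, False)]
    for label, unix_ok, ldap_ok in cases:
        granted, trace = login(unix_ok, ldap_ok)
        print(f"{label}: {'granted' if granted else 'denied'}")
        for module, control, result in trace:
            print(f"    {control:<10} {module:<12} {result}")
```

In the third case the pam_unix failure appears in the trace but is not what denies access; the decision comes from pam_ldap also failing and the stack reaching pam_deny.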