# ldap auth gripe/issue - pam_unix errors (solved, i think)

## bunder

been using ldap auth for a while now, and i have a niggling problem that i want to get off my chest and hopefully maybe i can get a fix for it...

sample login:

> May 23 08:50:52 shell sshd[13556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=lalala  user=joeschmoe
> 
> May 23 08:50:52 shell sshd[13554]: Accepted keyboard-interactive/pam for joeschmoe from lalala port 1062 ssh2
> 
> May 23 08:50:52 shell sshd[13559]: pam_unix(sshd:session): session opened for user joeschmoe by (uid=0)
> ...

any login logs a failure, then a success...  which makes grepping logs a nightmare, breaks logwatch and possibly other log parsing mechanisms...  is there a way to make ldap or pam work in such a way that an error gets logged properly?

thanks in advance

----------

## aceFruchtsaft

1) You can reorder the entries in /etc/pam.d/system-auth so pam_ldap is first and pam_unix second, i.e.:

```
auth            required        pam_env.so
auth            sufficient      pam_ldap.so try_first_pass
auth            sufficient      pam_unix.so use_first_pass likeauth nullok shadow
auth            required        pam_deny.so
```

This way you can avoid errors when logging in with a user account which is not present in /etc/passwd. Also, pam_ldap seems to have more options to suppress warnings for users which are not in the LDAP directory (ignore_unknown_user, no_warn), but I've never tested those.

2) You can configure sshd to use PKI-based authentication instead of keyboard/interactive, which also avoids the pam_unix errors.

HTH

----------

## bunder

i've tried reordering both /etc/nsswitch.conf and /etc/pam.d/system-auth to do exactly what you said, and i either get locked out of the box or i get the same messages...  i'll look into it again when i have some time off work.  thanks for replying.   :Wink: 

cheers

----------

## aceFruchtsaft

Weird. I've tested the setup I suggested on my server with both traditional and LDAP users as well as PKI and password ssh logins and it works (without the error messages).

BTW, /etc/nsswitch.conf does not affect PAM at all but rather specifies from where various information is retrieved. You can have your system fetch user data from LDAP via nscd for apps like /bin/ls without even enabling pam_ldap (which may be useful in a Samba PDC + LDAP setting).

----------

## bunder

maybe it's the options then...

```
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so

account    required     pam_access.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so
account    sufficient   pam_localuser.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_first_pass use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0066
session    required     pam_unix.so
session    optional     pam_ldap.so
```

i don't really know what i need and what i don't... i just followed the ldap auth guide a couple years ago and it's been working ever since.   :Laughing: 

----------

## aceFruchtsaft

Mine looks like this:

```
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_ldap.so try_first_pass
auth            sufficient      pam_unix.so use_first_pass likeauth nullok shadow
auth            required        pam_deny.so

account         required        pam_unix.so
account         sufficient      pam_ldap.so use_first_pass

password        required        pam_cracklib.so retry=3 difok=2 minlen=7 dcredit=2 ocredit=2
password        sufficient      pam_unix.so try_first_pass nullok use_authtok shadow md5
password        sufficient      pam_ldap.so use_authtok
password        required        pam_deny.so

session         required        pam_limits.so
session         required        pam_unix.so
session         required        pam_mkhomedir.so skel=/etc/skel/ umask=0066
session         optional        pam_ldap.so
```

I don't know how your additional account stack entries affect the login process as it depends on /etc/security/access.conf.

Did you notice that the second line in the auth stack (either pam_unix.so or pam_ldap.so) has to contain try_first_pass (instead of use_first_pass!), otherwise you'll never be prompted for a password? That is, just switching the two lines will not be sufficient.
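Added worked example (not code from either poster): a small Python model of how PAM walks the auth stack under the "required" and "sufficient" control flags from pam.conf(5), run over the two orderings quoted in this thread, to show which modules run and therefore which ones log an "authentication failure". The per-user module outcomes are constructed, and password prompting (try_first_pass/use_first_pass) is deliberately not modelled.

```python
# Constructed model of how PAM walks an "auth" stack (pam.conf(5) semantics for the
# "required"/"sufficient" flags only). Per-user module outcomes below are made up.
SUCCESS, AUTH_ERR = "success", "auth_err"

# Ordering from the original poster's system-auth (pam_unix before pam_ldap)
UNIX_FIRST = """
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
"""
# Ordering suggested in the reply (pam_ldap before pam_unix)
LDAP_FIRST = """
auth            required        pam_env.so
auth            sufficient      pam_ldap.so try_first_pass
auth            sufficient      pam_unix.so use_first_pass likeauth nullok shadow
auth            required        pam_deny.so
"""
# Constructed per-user results: what each module would return for that user
LDAP_ONLY_USER = {"pam_env.so": SUCCESS, "pam_unix.so": AUTH_ERR, "pam_ldap.so": SUCCESS}
LOCAL_USER = {"pam_env.so": SUCCESS, "pam_unix.so": SUCCESS, "pam_ldap.so": AUTH_ERR}
BAD_PASSWORD = {"pam_env.so": SUCCESS}  # pam_unix, pam_ldap and pam_deny all fail


def parse_auth_stack(config_text):
    """Return [(control, module, options)] for the 'auth' lines of a PAM config."""
    stack = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack


def run_auth_stack(stack, outcomes):
    """Walk the stack; return (final_result, modules_called, modules_that_failed).
    Each module in modules_that_failed is one that would write an 'authentication
    failure' line to syslog, whether or not the login ultimately succeeds."""
    called, failed, required_failed = [], [], False
    for control, module, _options in stack:
        result = outcomes.get(module, AUTH_ERR)  # unlisted modules (pam_deny) fail
        called.append(module)
        if result != SUCCESS:
            failed.append(module)
        if control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS, called, failed       # short-circuit: later modules never run
        if control == "required" and result != SUCCESS:
            required_failed = True               # remembered, but the walk continues
    return (AUTH_ERR if required_failed else SUCCESS), called, failed
```

For the LDAP-only user, UNIX_FIRST succeeds but reports pam_unix.so as a logged failure (the pattern in the opening post), while LDAP_FIRST logs none; the trade-off is that a local user under LDAP_FIRST now logs a pam_ldap.so failure instead, which is the case the pam_ldap warning-suppression options mentioned above are aimed at.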

----------

## bunder

i like that one a lot better...  thanks   :Very Happy: 
