13 October 2008

weird ldap issue, pam_unix(sshd:auth): authentication failure;

I ran into a strange problem with LDAP authentication on RHEL 5.2 x86_64. After doing some research I found out that there might be a bug in the nss_ldap libs. However, even after updating my libs to the most recent version, nothing happened after I provided my AD credentials when authenticating over SSH, and I still couldn't log in to the remote host. At this point, I was annoyed by the fact that this was an issue at all. Tailing /var/log/secure displayed the following:

Oct 13 11:32:46 REMOTEHOST sshd[2977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MYHOST  user=USER
Oct 13 11:32:47 REMOTEHOST sshd[2977]: pam_krb5[2977]: authentication succeeds for 'user' (user@domain)
Oct 13 11:32:47 REMOTEHOST sshd[2977]: Accepted password for wsani from 10.*.*.* port 63567 ssh2

So, my login is successful, but I don't see anything in my SSH session. After some more troubleshooting I came up with a simple solution. To resolve the issue, I edited /etc/pam.d/system-auth and changed the following two lines:

auth        requisite     pam_succeed_if.so uid >= 500 quiet
account     sufficient    pam_succeed_if.so uid < 500 quiet

changed to:

auth        requisite     pam_succeed_if.so uid >= 100 quiet
account     sufficient    pam_succeed_if.so uid < 100 quiet

Evidently the default PAM stack in the latest RHEL (and Fedora and CentOS) releases requires UID 500 or above. I also added the following lines to my /etc/ldap.conf:

referrals no
bind_policy soft

By doing so I was able to log in to the server remotely using my LDAP credentials. Hopefully this will be helpful to someone else using Active Directory authentication on an RHEL 5.2 host.
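The two pam_succeed_if lines above are the crux of the fix: the auth line is `requisite`, so any account whose UID is below the threshold is rejected at that point and never reaches the LDAP or Kerberos modules that follow it. The script below is an added example, not part of the original post, that reads the threshold out of a system-auth style fragment and lists which accounts in a passwd-format listing would be stopped by it, so you can check a directory-integrated host before users start reporting silent SSH failures. The system-auth lines and the passwd entries are constructed sample data (the UIDs and user names are made up); on a real host you would feed it the actual /etc/pam.d/system-auth and the output of `getent passwd`.

```shell
#!/bin/sh
# Added example (not from the original post): find the "uid >= N" threshold
# enforced by the auth requisite pam_succeed_if line and report which accounts
# fall below it. Such accounts cannot authenticate through the later LDAP/Kerberos
# modules; in the stock RHEL stack pam_unix runs first, so local accounts with a
# password still log in, but directory accounts with a low UID do not.

# Constructed sample of the two lines discussed in the post.
SAMPLE_SYSTEM_AUTH='auth        requisite     pam_succeed_if.so uid >= 500 quiet
account     sufficient    pam_succeed_if.so uid < 500 quiet'

# Constructed passwd-style listing (what "getent passwd" would return; UIDs are made up).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
aduser1:x:250:250:AD User One:/home/aduser1:/bin/bash
aduser2:x:10001:10001:AD User Two:/home/aduser2:/bin/bash
localuser:x:501:501:Local User:/home/localuser:/bin/bash'

# Print N from the "auth requisite pam_succeed_if.so uid >= N" line.
auth_uid_floor() {
    printf '%s\n' "$1" |
        awk '$1=="auth" && $3=="pam_succeed_if.so" && $4=="uid" && $5==">=" {print $6; exit}'
}

# Print N from the "account sufficient pam_succeed_if.so uid < N" line.
account_uid_ceiling() {
    printf '%s\n' "$1" |
        awk '$1=="account" && $3=="pam_succeed_if.so" && $4=="uid" && $5=="<" {print $6; exit}'
}

# Print "consistent" when both lines use the same N, otherwise "mismatch".
# The post changes both lines together; editing only one of them is a common slip.
threshold_consistency() {
    if [ "$(auth_uid_floor "$1")" = "$(account_uid_ceiling "$1")" ]; then
        echo consistent
    else
        echo mismatch
    fi
}

# List (space separated) the accounts whose UID is below the auth floor.
blocked_users() {
    floor=$(auth_uid_floor "$1")
    printf '%s\n' "$2" |
        awk -F: -v floor="$floor" '$3+0 < floor {print $1}' |
        tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run against the constructed samples.
echo "auth floor:   $(auth_uid_floor "$SAMPLE_SYSTEM_AUTH")"
echo "thresholds:   $(threshold_consistency "$SAMPLE_SYSTEM_AUTH")"
echo "blocked:      $(blocked_users "$SAMPLE_SYSTEM_AUTH" "$SAMPLE_PASSWD")"
```

With the sample data the script reports a floor of 500 and flags root and aduser1 as below it; root still logs in through pam_unix, but aduser1, a directory account with UID 250, is exactly the kind of user who sees the symptom the post describes. Lowering the floor as the post does, or giving directory accounts UIDs above the system range, both clear the check.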
