Re: pam_ldap on CentOS passed INCORRECT is local account doesn't exist

> Hello All,
>
> I am having a bit of an issue. I want to use pam_ldap for
> authentication and do not want to have a local user account that is
> the for each user that I want to authenticate via ldap. So for example
> if I have linux client A receive a login request from a user with the
> username of "user.2" via ssh I would expect PAM and pam_ldap to use
> the password which the user provided to bind to the ldap server. For
> some reason I have something out of order and if the user does not
> have a local account it is forwarding INCORRECT as the password to the
> ldap server. If I create the username "user.2" on the local system it
> will then forward the password provided by the user and the I am off
> and running. Any thoughts?
>
> #
> # TCPDUMP showing that the password for AUTH is incorrect
> # user.2 does not exist locally
> #
> 00000074  30 40 02 01 03 60 3b 02  01 03 04 27 75 69 64 3d
> 0@...`;. ...'uid=
> 00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65
> user.2,o u=People
> 00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d
> ,dc=disa mcep,dc=
> 000000A4  63 6f 6d 80 0d 08 0a 0d  7f 49 4e 43 4f 52 52 45
> com..... .INCORRE
> 000000B4  43 54
>              CT
>
>
> #
> # TCPDUMP showing that the password for AUTH is correct
> # after /usr/sbin/adduser user.2
> #
> 00000074  30 37 02 01 03 60 32 02  01 03 04 27 75 69 64 3d     07...`2. ...'uid=
> 00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65
> user.2,o u=People
> 00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d     ,dc=disa mcep,dc=
> 000000A4  63 6f 6d 80 04 74 65 73  74
>   com..test
>
>
> OS: CentOS 5.1
>
> #
> # /etc/pam.d/sshd
> #
> #%PAM-1.0
> auth         required         /lib/security/pam_nologin.so
> auth         sufficient         /lib/security/pam_ldap.so
> auth         required         /lib/security/pam_unix_auth.so try_first_pass
>
> account         sufficient         /lib/security/pam_ldap.so
> account         required         /lib/security/pam_unix_acct.so
>
> password         required         /lib/security/pam_cracklib.so
> password         sufficient         /lib/security/pam_ldap.so
> password         required         /lib/security/pam_pwdb.so use_first_pass
>
> session         required         /lib/security/pam_unix_session.so
>
> #
> # /etc/pam.d/system-auth
> #
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
>