Re: SLES9 and pam_ldap (LDAP bind instead of search request)
Ralf,
I changed the /etc/pam.d/sshd file to look like this:
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
#
account sufficient pam_ldap.so
account required pam_unix2.so
account required pam_nologin.so
#
password required pam_ldap.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
#
session required pam_unix2.so none # trace or debug
session required pam_limits.so
and removed "pam_filter objectclass=posixAccount". Now I am getting err=49 (LDAP_INVALID_CREDENTIALS):
[2007-12-05 15:25:45,562] conn=3635 fd=0 slot=0 connection from 145.2.132.126 to 10.0.42.17
[2007-12-05 15:25:45,565] conn=3635 op=0 BIND dn="" method=0 version=3
[2007-12-05 15:25:45,565] conn=3635 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-05 15:25:45,605] conn=3635 op=1 SRCH base="ou=people,ou=intranet,dc=motorola,dc=com" scope=2 filter="(uid=xjc864)"
[2007-12-05 15:25:45,658] conn=3635 op=1 RESULT err=0 tag=0 nentries=1 etime=52
[2007-12-05 15:25:45,698] conn=3635 op=2 BIND dn="motguid=XJC864,ou=people,ou=intranet,dc=motorola,dc=com" method=0 version=3
[2007-12-05 15:25:45,704] conn=3635 op=2 RESULT err=49 tag=0 nentries=0 etime=0
[2007-12-05 15:25:45,744] conn=3635 op=3 BIND dn="" method=0 version=3
[2007-12-05 15:25:45,745] conn=3635 op=3 RESULT err=0 tag=0 nentries=0 etime=0
But I cannot login at all now and have to put back "pam_filter objectclass=posixAccount" to be able to login to my SLES9 server. Can you shed any more light on this? Do you think it has to do with the /etc/pam.d/sshd file?
Thanks,
BJP
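As an added example (not from the original thread, and not pam_ldap's own code), a small Python parser for directory-server access-log lines in the format quoted above. The sample log is constructed, with placeholder DNs and uid; the helpers pair each op with its RESULT, summarise the anonymous-bind, uid-search, user-bind sequence that pam_ldap walks through, and flag any non-anonymous BIND whose RESULT was not err=0, which is where the err=49 appears here.

```python
import re
from collections import defaultdict

# Constructed sample in the post's access-log format; conn id and timestamps mirror the post, DNs/uid are placeholders.
SAMPLE_LOG = """\
[2007-12-05 15:25:45,565] conn=3635 op=0 BIND dn="" method=0 version=3
[2007-12-05 15:25:45,565] conn=3635 op=0 RESULT err=0 tag=0 nentries=0 etime=0
[2007-12-05 15:25:45,605] conn=3635 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=jdoe)"
[2007-12-05 15:25:45,658] conn=3635 op=1 RESULT err=0 tag=0 nentries=1 etime=52
[2007-12-05 15:25:45,698] conn=3635 op=2 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=0 version=3
[2007-12-05 15:25:45,704] conn=3635 op=2 RESULT err=49 tag=0 nentries=0 etime=0
[2007-12-05 15:25:45,744] conn=3635 op=3 BIND dn="" method=0 version=3
[2007-12-05 15:25:45,745] conn=3635 op=3 RESULT err=0 tag=0 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                     r'(?P<kind>[A-Z]+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_ops(log_text):
    """Pair each request line with its RESULT line, keyed by (conn, op)."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # e.g. the "connection from ..." line has no op= field
            continue
        key = (int(m['conn']), int(m['op']))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
        if m['kind'] == 'RESULT':
            ops[key]['err'] = int(fields.get('err', -1))
            ops[key]['nentries'] = int(fields.get('nentries', 0))
        else:
            ops[key]['kind'] = m['kind']
            ops[key].update(fields)
    return dict(ops)

def describe_conn(log_text, conn):
    """Summarise one connection's ops in order (pam_ldap: anon BIND, SRCH, user BIND)."""
    out = []
    for (c, _), o in sorted(parse_ops(log_text).items()):
        if c == conn and o.get('kind') == 'BIND':
            out.append(f"BIND {o.get('dn') or 'anonymous'} -> err={o.get('err')}")
        elif c == conn and o.get('kind') == 'SRCH':
            out.append(f"SRCH {o.get('filter')} -> {o.get('nentries')} entries")
    return out

def failed_user_binds(log_text):
    """(conn, dn, err) for every non-anonymous BIND whose RESULT was not err=0."""
    return [(c, o['dn'], o['err']) for (c, _), o in sorted(parse_ops(log_text).items())
            if o.get('kind') == 'BIND' and o.get('dn') and o.get('err', 0) != 0]
```

Running `failed_user_binds` over a real access log separates "the search found the entry" (nentries=1) from "the bind as that DN was rejected" (err=49), which is the distinction the log above turns on.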