Jyotishmaan Ray wrote:
> Hi All Kerberos Experts,
>
> This is Jyotishmaan. I have migrated
> users to an LDAP server on the Linux platform. When I tested ssh logon
> for a test user, "ldapusr", I got the following error, as shown below:
>
> [root@authdns compcen]# ssh authdns.nits.ac.in -l ldapusr
> ldapusr@authdns.nits.ac.in's password:
> Permission denied, please try again.
> ldapusr@authdns.nits.ac.in's password:
> Permission denied, please try again.
> ldapusr@authdns.nits.ac.in's password:
> Permission denied (publickey,gssapi-with-mic,password).
> [root@authdns compcen]#
>
> Please
> let me know if I need to install KERBEROS or Heimdal libraries to
> allow me to log on to the system, to be authenticated by the LDAP
> server.


There is a difference between authentication and authorization.

You said you wanted to use LDAP for authentication (and authorization).
You can use Kerberos for authentication and LDAP for authorization.
LDAP authentication uses the userPassword attribute. Kerberos does not
use it as a password.

But even with Kerberos for authentication and LDAP for authorization
the userPassword will be tested to see if it is locked: *LK*, and root
on the server must be able to access the userPassword attribute in LDAP.


If you want to get responses from the list, you need to give more information.

On the server:
sshd -p 2222 -ddd

Then on the client:
ssh -p 2222 -l ldapusr authdns.nits.ac.in

Send the output of these two traces,
the /etc/pam/pam.conf, or the /etc/pam.d/ssh*
the /etc/nsswitch.conf
the sshd_config
the ssh_config on the client.

And are you sure root can read the userPassword attribute in LDAP?


>
> Kindly throw light on this issue, as I am not able to
> do!!
>
> Regards,
> Jyotishmaan
>
>
>
> With Thanks and Regards,
> Jyotishmaan Ray
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>


--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
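
Added example, not part of the original message or of any project's code: a small shell helper that reads an nsswitch.conf and a /etc/pam.d-style sshd file and reports separately which PAM modules check the password (authentication) and where the account is looked up (authorization), the split described in the reply above. The function names and the sample file contents are constructed for illustration; include/substack lines and the single-file pam.conf format are not handled.

```shell
#!/bin/sh
# Added example: separates "who checks the password" (PAM auth stack) from
# "where the account is looked up" (NSS) for an sshd login.
# Handles /etc/pam.d-style files only; include/substack lines are not followed.

# Print the sources configured for one NSS database, e.g. "files ldap".
nss_sources() {  # usage: nss_sources <database> <nsswitch.conf>
    awk -v db="$1:" '
        /^[[:space:]]*#/ { next }
        $1 == db { out = ""
                   for (i = 2; i <= NF; i++)
                       if ($i !~ /^\[/) out = out (out ? " " : "") $i
                   print out }' "$2"
}

# Print the modules of one PAM type (auth, account, ...) as a comma list.
pam_modules() {  # usage: pam_modules <type> <pam.d file>
    awk -v t="$1" '
        /^[[:space:]]*#/ { next }
        { type = $1; sub(/^-/, "", type) }
        type == t { for (i = 2; i <= NF; i++)
                        if ($i ~ /pam_[a-z0-9_]+\.so$/) {
                            sub(/.*\//, "", $i); print $i; break } }' "$2" |
        paste -sd, -
}

# One-line summary of the split for a given pair of files.
summarize() {  # usage: summarize <nsswitch.conf> <pam.d file>
    echo "auth=$(pam_modules auth "$2") account=$(pam_modules account "$2") passwd=[$(nss_sources passwd "$1")]"
}

# Constructed sample files (not the poster's configuration).
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
cat > "$sample/nsswitch.conf" <<'EOF'
passwd: files ldap
shadow: files ldap
group:  files [NOTFOUND=return]
EOF
cat > "$sample/sshd" <<'EOF'
# Kerberos checks the password, LDAP answers the account phase
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so try_first_pass
account  required    /lib/security/pam_ldap.so
EOF
summarize "$sample/nsswitch.conf" "$sample/sshd"
```

On a real host, pass /etc/nsswitch.conf and the sshd PAM file instead of the sample paths, and read the result next to the `sshd -ddd` trace.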