I am trying to get SLES 10 to authenticate users through RACF. I have
read and tried the instructions in "Securing Linux for zSeries with a
Central z/OS (RACF) LDAP Server", but without success. I am able to
interactively use ldapsearch and get user information from RACF, but
something is going on with the bind function and PAM. When attempting to
bind using the information in /etc/ldap.conf, it's passing the
credentials for the user logging in, instead of the user defined in the
ldap.conf file. I am only attempting to use /etc/pam.d/sshd and nothing
else at this point.

Here's what I can offer up for config files so far:

/etc/ldap.conf:

host    <ip address>
port    9270
base    c=odot
binddn  racfid=BNDUSR,profiletype=USER,c=DOT
bindpw  <clear text password>
ldap_version    3
pam_login_attribute     racfid

/etc/pam.d/sshd:

#%PAM-1.0
auth     include        common-auth
auth     required       pam_nologin.so
auth     sufficient     pam_ldap.so
account  include        common-account
account  sufficient     pam_ldap.so
password include        common-password
password sufficient     pam_ldap.so
session  include        common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional      pam_resmgr.so fake_ttyname

When attempting to log in using SSH & password authentication, the
following error appears in the /var/log/messages file:

sshd[28103]: pam_ldap: error trying to bind as user
"racfid=<userid>,profiletype=USER,c=DOT" (Invalid credentials)

The UserID following the racfid= is NOT the account authorized to bind
to RACF, but the UserID logging in through SSH. Seems to me this is
where the process is breaking - it should be the binddn that would "bind
as user".

Thanks in advance,
Dave
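The mechanism behind that log line, emulated as an added example that is not part of the post: pam_ldap uses binddn/bindpw only for the directory lookup of the login name, then verifies the typed password with a second bind as the DN it found, and that second DN is the one it reports in "error trying to bind as user". LDAP_CONF, the 192.0.2.10 address, the passwords and the DAVE entry below are constructed.

```python
"""Emulation of the two binds pam_ldap performs for a password login (added
example; LDAP_CONF and ENTRIES below are constructed, nothing touches the
network).  First bind: binddn/bindpw, used only to find the DN whose
pam_login_attribute equals the login name.  Second bind: that DN with the
password from the prompt; it is this DN that pam_ldap names in
'error trying to bind as user ...'."""

LDAP_CONF = """\
host    192.0.2.10
port    9270
base    c=DOT
binddn  racfid=BNDUSR,profiletype=USER,c=DOT
bindpw  bind-secret
pam_login_attribute     racfid
"""

# Constructed directory: DN -> password and attributes.
ENTRIES = {
    "racfid=BNDUSR,profiletype=USER,c=DOT": {"pw": "bind-secret", "racfid": "BNDUSR"},
    "racfid=DAVE,profiletype=USER,c=DOT": {"pw": "dave-pw", "racfid": "DAVE"},
}

def parse_ldap_conf(text):
    """Turn 'key<whitespace>value' lines into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf

class FakeDirectory:
    """Bind/search with case-insensitive DN and attribute matching."""
    def __init__(self, entries):
        self.entries = entries
    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry["pw"] == password
    def search(self, base, attr, value):
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base.lower())
                and e.get(attr, "").lower() == value.lower()]

def pam_ldap_authenticate(conf, directory, login, password):
    """Return (password_ok, dn_used_for_the_second_bind)."""
    if not directory.bind(conf["binddn"], conf["bindpw"]):
        return False, None  # service account rejected: lookup impossible
    hits = directory.search(conf["base"], conf["pam_login_attribute"], login)
    if len(hits) != 1:
        return False, None  # login name unknown or ambiguous
    return directory.bind(hits[0], password), hits[0]
```

A failed second bind therefore means the directory rejected the login user's own DN/password pair, while a failed first bind never reaches the "bind as user" step at all.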


----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
