Installing and configuring OpenSSH with pam_ldap for RedHat Enterprise Linux3

 

 (See also related documents at http://web.singnet.com.sg/~garyttt/ )

 

Last Updated: 26-Aug-2006

 

Purpose:

 

This document is one of the deliverables of the “OpenLDAP Centralized Authentication Project”; the reader may also refer to its sister document titled “Installing and configuring OpenLDAP for RedHat Enterprise Linux3”.

 

This document describes the steps involved in installing and configuring an OpenSSH Server, which is also an OpenLDAP Client, with pam_ldap support on RedHat Enterprise Linux3. This is to be accessed by Windows/UNIX/Linux OpenSSH clients.

 

Another related document "Deploying OpenLDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of OpenLDAP Client.

 

NOTE: All the steps here are also applicable to RedHat Fedora Core1/2 and RedHat Linux9, as well as RHEL4/RHFC3.

 

Useful URLs:

       SUN’s “System Administration Guide: Security Services - May 2002” (can be found at http://docs.sun.com)

       OpenSSH: http://www.openssh.org/

       OpenSSH LPK (LDAP Public Key) patch: http://www.opendarwin.org/en/projects/openssh-lpk

       OpenSSL: http://www.openssl.org/

       PAM: http://www.kernel.org/pub/linux/libs/pam/

       PAM_LDAP and NSS_LDAP: http://www.padl.com/

 

Example used:

       NSS_LDAP and PAM_LDAP library path: /lib and /lib/security respectively

       OpenSSL install directory = /usr

       OpenLDAP  install directory = /usr

 

Observed Issues:

       PuTTY SSH Protocol 1 Client DOES NOT WORK

       "su - uid" gives “incorrect password” despite correct password entry; I have found a fix, see “Tips” under Step 7. This “tip” is not required on RHEL4/RHFC3 Clients.

 

Step 1: Install nss_ldap 2.X.X and pam_ldap 1.X.X

 

This step is OPTIONAL and can be skipped if you intend to use the existing nss_ldap and pam_ldap libraries that already come with RHEL3.

 

IMPORTANT: It is highly recommended that these configuration steps be carried out at the LOCAL SYSTEM CONSOLE while logged in as root; ON TOP OF THIS, MULTIPLE REMOTE root sessions should be kept open, so that any incorrect configuration that messes up your system can still be repaired.

 

For RedHat Linux systems, whenever the "su - user" or "su - root" issue occurs and you do not intend to continue troubleshooting, issue the command "authconfig" at one of these LOCAL or REMOTE root sessions and restore the original RedHat Linux Authentication scheme (it will regenerate the original /etc/pam.d/system-auth file; press Ctrl-C if the screen appears frozen).

 

Log in as ‘root’ at the console of the LDAP Client.

 

IMPORTANT NOTE: You must configure/install OpenLDAP prior to nss_ldap; otherwise the "configure" command shown below will complain "LDAP Library not found", as the LDAP library type is defined as "openldap".

 

Build nss_ldap from source:

 

# cd /var/tmp

# tar xvf nss_ldap.tar

# cd nss_ldap-2XX

# ./configure --libdir=/lib --with-ldap-lib=openldap --with-ldap-dir=/usr --with-ldap-conf-file=/etc/ldap.conf --with-ldap-secret-file=/etc/ldap.secret

# make clean

# make

# make install

 

IMPORTANT NOTE: You must configure/install nss_ldap prior to pam_ldap, as it populates /usr/local/include with the header files that pam_ldap requires for the LDAP version you are using (for example ldap.h, which is LDAP-version dependent). This avoids the pam_ldap "configure" error "could not locate <ldap.h>".

 

Build pam_ldap from source, use EXACTLY the same configuration options:

 

# cd /var/tmp

# tar xvf pam_ldap.tar

# cd pam_ldap-1XX

# ./configure --libdir=/lib --with-ldap-lib=openldap --with-ldap-dir=/usr --with-ldap-conf-file=/etc/ldap.conf --with-ldap-secret-file=/etc/ldap.secret

# make clean

# make

# make install

 

 

Step 2: Install OpenSSL 0.9.7e

 

Skip this step if OpenSSL is already installed as shared library objects.

 

# cd /var/tmp

# tar xvf openssl-0.9.7e.tar

# cd openssl-0.9.7e

# ./config shared --prefix=/usr

# make clean

# make

# make install

 

The additional steps shown below are required to rename and hide the original openssl-0.9.7a files (RedHat stores the libssl and libcrypto shared objects at an odd location, i.e. /lib).

 

# cd /lib

# mv -f libssl.so.4 libssl.so.4.orig

# ln -s /usr/lib/libssl.so.0.9.7 libssl.so.4

# mv -f libcrypto.so.4 libcrypto.so.4.orig

# ln -s /usr/lib/libcrypto.so.0.9.7 libcrypto.so.4

 

Verify the OpenSSL version

 

# /usr/bin/openssl

OpenSSL> version

OpenSSL 0.9.7e DD MMM YYYY

OpenSSL> exit

 

Step 3: Configure and install OpenSSH Server

 

Prior to doing anything, back up the SUN SSH Server original configuration files and host keys.

 

# mkdir -p /etc/ssh.orig
# cp /etc/ssh/* /etc/ssh.orig

 

Now configure OpenSSH with support for PAM and OpenSSL

 

NOTE: RedHat OpenSSH usually stores host keys in /etc/ssh

 

# cd /var/tmp

# tar xvf openssh-3.X.XpX.tar

# cd openssh-3.X.XpX

# ./configure --prefix=/usr --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr

 

Compile and install it

 

# make clean

# make

# make install

 

(IMPORTANT NOTE: using --sysconfdir=/etc/ssh preserves the original /etc/ssh/ssh_config and /etc/ssh/sshd_config as well as the host keys, but as the original sshd_config file MAY NOT include the NEW settings, you MAY overwrite sshd_config with the sample from the OpenSSH distribution, referring back to the original settings.)

 

Step 4: Create start/stop scripts

 

Create /etc/init.d/openssh.server; this step is OPTIONAL as you may use RedHat's /etc/init.d/sshd script.

 

# touch /etc/init.d/openssh.server; chmod 744 /etc/init.d/openssh.server

 

Content of /etc/init.d/openssh.server

 

#! /bin/sh
# Minimal start/stop script for the self-built OpenSSH server
case $1 in
'start')
        /usr/sbin/sshd
        ;;
'stop')
        # sshd records its process id in /var/run/sshd.pid
        PID=`cat /var/run/sshd.pid 2>/dev/null`
        if [ -n "$PID" ]
        then
                /usr/bin/kill -9 $PID
        fi
        ;;
*)
        echo "usage: $0 {start|stop}"
        ;;
esac

 

Copy (Overwrite) sample sshd_config and ssh_config from OpenSSH

 

# cp /var/tmp/openssh-3.X.XpX/sshd_config /etc/ssh

# cp /var/tmp/openssh-3.X.XpX/ssh_config /etc/ssh

 

Edit /etc/ssh/sshd_config: enable PasswordAuthentication, enable ChallengeResponseAuthentication, enable PAM, and verify that the path to sftp-server exists.

 

# vi /etc/ssh/sshd_config

 

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem       sftp    /usr/libexec/sftp-server

 

Note: in older versions (pre-3.6.1) of OpenSSH Server, instead of “UsePAM yes”, the parameter is:

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt yes

 

Create privilege separation user id as per OpenSSH requirement

 

# mkdir -p /var/empty; chmod 755 /var/empty
# groupadd -g 999 sshd
# useradd -u 999 -g 999 -c "sshd privilege separation" -d /var/empty -s /bin/false sshd

 

Optionally, if for any reason there is a need to re-create the host keys for sshd, you may perform:

 

/usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""

 

Optionally, you may want to fine-tune the OpenSSH server to make it more secure, i.e. use only Protocol 2, disable the default PermitRootLogin, enable X11Forwarding, and so on. Below is an example:

 

# sed -e 's/#Protocol 2,1/Protocol 2/' \
   -e 's/#PermitRootLogin yes/PermitRootLogin no/' \
   -e 's/#X11Forwarding no/X11Forwarding yes/' \
   -e 's/#PrintMotd yes/PrintMotd no/' \
   /etc/ssh/sshd_config > /etc/ssh/sshd_config_new
# mv /etc/ssh/sshd_config_new /etc/ssh/sshd_config

 

That’s all; kill the existing SSH Server and re-start the OpenSSH Server:

 

# /etc/init.d/sshd stop; /etc/init.d/openssh.server start

 

Or use RedHat's way:

 

# service sshd restart

 

Step 5: Create ldap.conf for BOTH pam_ldap and OpenLDAP

 

There are two ldap.conf files, one for pam_ldap, which is usually named /etc/ldap.conf, another for OpenLDAP client, which is usually named /etc/openldap/ldap.conf:

 

Create these two files.

 

Content of /etc/ldap.conf (required entries were highlighted in green in the original; the active, uncommented directives below are the ones in use):

 

# List two or more LDAP servers if failover is required
host ldap1.example.com ldap2.example.com
# “host” directive may be deprecated in future releases,
# you may wish to use the ‘uri’ directive to replace the “host” directive
# uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=example,dc=com
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberUid

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group          ou=group,dc=example,dc=com?one
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
#nss_base_services      ou=Services,dc=example,dc=com?one
#nss_base_networks      ou=Networks,dc=example,dc=com?one
#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks      ou=Networks,dc=example,dc=com?one
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
nss_base_netgroup      ou=netgroup,dc=example,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these is required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Un-comment for RedHat
tls_cacertfile /etc/openldap/cacert.pem
# Un-comment for Others
#tls_cacertfile /usr/local/etc/openldap/cacert.pem

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

 

Content of /etc/openldap/ldap.conf

 

HOST    ldap1.example.com ldap2.example.com
# URI ldap://ldap1.example.com ldap://ldap2.example.com
BASE    dc=example,dc=com

# Un-comment for RedHat
TLS_CACERT     /etc/openldap/cacert.pem
# Un-comment for others
#TLS_CACERT      /usr/local/etc/openldap/cacert.pem

 

Note: For RHEL4/RHFC3 Clients, running “authconfig” with the TLS option selected will always append a line using the CACERTDIR method to the end of /etc/ldap.conf, so comment out the CACERTFILE method in both /etc/ldap.conf and /etc/openldap/ldap.conf, as shown:

 

/etc/ldap.conf:
#tls_cacertfile /etc/openldap/cacert.pem
tls_cacertdir /etc/openldap/cacerts
 
/etc/openldap/ldap.conf:
#TLS_CACERT /etc/openldap/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts

 

After that you have to generate the X.509 hash link: a symbolic link inside the cacerts directory, named after the subject hash of the CA certificate with a ".0" suffix, pointing to cacert.pem. You may use the following script to help you:

 

# cat get_x509_hash.sh
HASH=`openssl x509 -noout -hash -in /etc/openldap/cacert.pem`
echo Please run these commands
echo "cd /etc/openldap/cacerts"
echo "ln -s ../cacert.pem $HASH.0"
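The TLS directives in /etc/ldap.conf are where this client either verifies the LDAP server or silently does not. The following checker is an added example, not part of the original document or of the nss_ldap/pam_ldap projects: it reads the text of an /etc/ldap.conf, accepts both the tls_cacertfile form listed above and the tls_cacertdir form that RHEL4/RHFC3 authconfig appends, and reports the weaknesses a reviewer would flag. The sample configs are constructed excerpts; the checker does not open the certificate paths.

```python
def parse_ldap_conf(text):
    """{directive: value} for uncommented lines. Directives are case-insensitive and
    the last occurrence wins, which is why a line appended by authconfig takes effect."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def tls_findings(text):
    """Return the list of TLS weaknesses found (an empty list means: as configured on the page)."""
    conf = parse_ldap_conf(text)
    findings = []
    ssl = conf.get("ssl", "no").lower()
    if ssl not in ("start_tls", "on"):
        findings.append("no TLS: 'ssl start_tls' (or 'ssl on') is missing, so the bindpw "
                        "and every account lookup cross the network in cleartext")
    elif ssl == "on" and conf.get("port") == "389":
        findings.append("'ssl on' means LDAPS (typically port 636) but port is 389")
    if conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is not verified")
    elif "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("tls_checkpeer yes but neither tls_cacertfile nor tls_cacertdir "
                        "is set: there is no CA to verify the server against")
    return findings

# Constructed excerpt of the page's /etc/ldap.conf (only the directives the checker reads).
PAGE_CONF = """\
host ldap1.example.com ldap2.example.com
base dc=example,dc=com
bindpw password
port 389
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacert.pem
"""
# Same file after RHEL4/RHFC3 authconfig: cacertfile commented out, cacertdir appended at the end.
RHEL4_CONF = PAGE_CONF.replace("\ntls_cacertfile", "\n#tls_cacertfile") + "tls_cacertdir /etc/openldap/cacerts\n"
# Constructed weak variants: no ssl line and peer check off; LDAPS keyword on port 389 with the CA line lost.
PLAIN_CONF = PAGE_CONF.replace("ssl start_tls\n", "").replace("tls_checkpeer yes", "tls_checkpeer no")
LDAPS_CONF = PAGE_CONF.replace("ssl start_tls", "ssl on").replace("\ntls_cacertfile", "\n#tls_cacertfile")

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONF), ("rhel4", RHEL4_CONF), ("plain", PLAIN_CONF), ("ldaps", LDAPS_CONF)):
        print(name, tls_findings(text) or ["ok"])
```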

 

Step 6: Prepare /etc/openldap/cacert.pem

 

cacert.pem contains the ONE PER ORGANIZATION Self-Signed Certification Authority Certificate that was generated at the MASTER LDAP Server(s) for all OpenLDAP Clients to talk to OpenLDAP Server in "start_tls" mode (also called SSL_TLS)  at the usual LDAP port 389.

 

You must generate this file at the OpenLDAP Server, details could be found in "Installing and configuring OpenLDAP for RedHat Enterprise Linux3", and copy it over to all LDAP clients into your preferred location referenced by BOTH /etc/ldap.conf and /etc/openldap/ldap.conf.

 

The following is an example of /etc/openldap/cacert.pem.

 


 

 

Step 7: Backup and Create /etc/pam.d/system-auth

 

Log in as root at the console of LDAP Client  (SSH Server)

 

Make a backup copy of /etc/pam.d/system-auth

 

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.orig

 

Run "authconfig" to generate /etc/pam.d/system-auth for LDAP Authentication. If there is any issue, run authconfig again to restore the original system-auth, or just restore it from the backup.

 

User Information Configuration:

[*] Use LDAP

[*] Use TLS

Server: ldap1.example.com,ldap2.example.com

Base DN: dc=example,dc=com

 

Authentication Configuration:

[*] Use LDAP Authentication

[*] Use TLS

Server: ldap1.example.com,ldap2.example.com

Base DN: dc=example,dc=com

 

Tips: if the generated system-auth has a bug such that "su - userid" displays "incorrect password" even when the correct password is provided, fix it by replacing one of the "account" lines, as shown below:

 

# diff /etc/pam.d/system-auth /etc/pam.d/system-auth.ldapauth

9c9

< account     required      /lib/security/$ISA/pam_unix.so

---

> account     sufficient      /lib/security/$ISA/pam_unix.so
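Review bot: changing pam_unix.so from "required" to "sufficient" in the account phase alters the stack for local users as well as for the failing LDAP user: once pam_unix.so succeeds for a local account the stack stops there, so the pam_ldap.so account line that follows (and any policy it enforces, such as pam_check_host_attr) is never consulted, and for an LDAP user a pam_unix.so account failure is now ignored instead of being fatal. State this trade-off next to the change so that a reader who later enables LDAP-side account policy knows it does not apply to local accounts under this stack.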

 

Content of /etc/pam.d/system-auth that fixes the “su - incorrect password” issue.

 

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

# Un-comment the next line if you want pam_mkhomedir.so to mkdir $HOME on the fly
#session    sufficient   pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
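To see why the "required" to "sufficient" change in the Tips above matters, the following added example (not from the original document or from Linux-PAM) evaluates the two "account" stacks under Linux-PAM's control-flag rules (the keyword expansions and the ok/done/bad/die/ignore handling of pam_dispatch) for a local user, an LDAP-only user and an unknown user. The module return codes are constructed; in particular, the assumption that pam_unix.so's account check returns authinfo_unavail for an LDAP-only user is mine, since the page reports only the "incorrect password" symptom.

```python
# Linux-PAM expands each control keyword to a [value=action] table like these.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok ...]' -> {return_code: action}."""
    if control.startswith("[") and control.endswith("]"):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return dict(KEYWORDS[control])

def parse_stack(text, stack_type="account"):
    """Pick the lines of one type out of a system-auth file -> [(module, control_map)]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        if mtype != stack_type:
            continue
        if rest.startswith("["):                       # bracketed control contains spaces
            control, module = rest.split("]", 1)
            control += "]"
        else:
            control, module = rest.split(None, 1)
        module = module.split()[0].rsplit("/", 1)[-1]  # drop the $ISA path and module options
        entries.append((module, parse_control(control.strip())))
    return entries

def run_stack(entries, returns):
    """Apply ok/done/bad/die/ignore the way pam_dispatch does; return the final status."""
    impression, status = None, None
    for module, control in entries:
        ret = returns.get(module, "user_unknown")
        action = control.get(ret, control["default"])
        if action == "ignore":
            continue                                   # contributes nothing to the result
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done":
                break                                  # stop here; an earlier failure still wins
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret   # the first failure is the one reported
            if action == "die":
                break
    return status if impression is not None else "perm_denied"  # nothing contributed: fail

def account_result(stack_text, returns):
    return run_stack(parse_stack(stack_text), returns)

# The two account stacks from the page: before and after the Tips change.
BEFORE = """\
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""
AFTER = BEFORE.replace("account     required      ", "account     sufficient    ")

# Constructed module results. ASSUMPTION: for an LDAP-only user pam_unix.so's account
# check cannot read shadow data and returns authinfo_unavail (the page shows only the symptom).
LOCAL_USER = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown"}
LDAP_USER = {"pam_unix.so": "authinfo_unavail", "pam_ldap.so": "success"}
NOBODY = {"pam_unix.so": "user_unknown", "pam_ldap.so": "user_unknown"}

if __name__ == "__main__":
    for name, stack in (("required", BEFORE), ("sufficient", AFTER)):
        for who, rets in (("local", LOCAL_USER), ("ldap", LDAP_USER), ("nobody", NOBODY)):
            print(f"pam_unix {name:10s} {who:6s} -> {account_result(stack, rets)}")
```

With "required", the LDAP user's pam_unix failure is recorded first and pam_ldap's later success cannot overturn it; with "sufficient", pam_unix's failure is ignored and pam_ldap decides, while a local user's success now ends the stack before pam_ldap runs.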

 

NOTE 1: at the end of the run, "authconfig" stops and restarts /etc/init.d/nscd; if it hangs, press CTRL-C and then run "service nscd restart".

 

NOTE 2: if “authconfig” is re-run, /etc/pam.d/system-auth will be regenerated and overwritten; therefore any customizations must be re-applied by manually editing this file.

 

NOTE 3: if you are using the latest update of RHEL3, or RHEL4/RHFC3, the above “tips” to replace the “required” keyword for pam_unix.so is not needed, as the generated system-auth works without the “su - user” incorrect password issue.

 

Sample content of “system-auth” generated for RHEL3 and RHEL4/RHFC3 that works right out of the box:

 

RHEL3:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

RHEL4/RHFC3:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

That is all. Reboot your LDAP Client (SSH Server). If there is any boot issue, boot into RedHat Linux Rescue Mode and try to fix it; if the issue persists, restore the original /etc/pam.d/system-auth, or run "authconfig" to generate the original.

# sync;sync;sync

# init 6

 

---End of Doc ---