(See also related documents at http://web.singnet.com.sg/~garyttt/ )
Purpose:
The document is one of the deliverables of the ※OpenLDAP Centralized Authentication Project§, the reader may also refer to its sister documents titled ※Installing and configuring OpenLDAP for RedHat Enterprise Linux3§
This document describes the steps involved in installing and configuring an OpenSSH Server, which is also an OpenLDAP Client, with pam_ldap support on RedHat Enterprise Linux3. This is to be accessed by Windows/UNIX/Linux OpenSSH clients.
Another related document "Deploying OpenLDAP Client by using automated scripts", describes the steps involved in building up an infrastructure environment for rapid deployment of OpenLDAP Client.
NOTE: All the steps here are also applicable to RedHat Fedora Core1/2 and RedHat Linux9, as well as RHEL4/RHFC3.
Useful URLs:
﹞ SUN*s ※System Administration Guide: Security Services - May 2002§ (could be found at http://docs.sun.com)
﹞ OpenSSH: http://www.openssh.org/
﹞ OpenSSH LPK (LDAP Public Key) patch: http://www.opendarwin.org/en/projects/openssh-lpk
﹞ OpenSSL: http://www.openssl.org//
﹞ PAM: http://www.kernel.org/pub/linux/libs/pam/
﹞ PAM_LDAP and NSS_LDAP: http://www.padl.com/
Example used:
﹞ NSS_LDAP and PAM_LDAP library path: /lib and /lib/security respectively
﹞ OpenSSL install directory = /usr
﹞ OpenLDAP install directory = /usr
Observed Issues:
﹞ PuTTY SSH Protocol 1 Client DOES NOT WORK
﹞ "su 每 uid" ※incorrect password§ despite correct password entry, I have found a fix, see ※Tips§ under Step 7, this ※tips§ is not required on RHEL4/RHFC3 Client.
This step is OPTIONAL and could be skipped if you intend to use the existing nss_ldap and pam_ldap libraries already come with RHEL3.
IMPORTANT: It is highly recommended that these configuration steps be carried up at the LOCAL SYSTEM CONSOLE while logging in as root, ON TOP OF THIS, MULTIPLE REMOTE root sessions should be opened. In case of any incorrect configuration that messes up your system, it can be repaired.
For RedHat Linux systems, whenever "su 每 user" or "su 每 root" issue occurs, and you don't intend to continue troubleshooting, at these LOCAL or REMOTE root sessions, issue the command "authconfig§ and restore back the original RedHat Linux Authentication scheme (it will generate the original /etc/pam.d/system-auth file, press Ctrl-C if the screen appears freezed).
Log in as &root* at the console of LDAP Client.
IMPORTANT NOTE: You must configure/install OpenLDAP prior to nss_ldap, if not the "configure" command shown below will complain about "LDAP Library not found" as the type of LDAP is defined as "openldap".
Build nss_ldap from source:
# cd /var/tmp
# tar xvf nss_ldap.tar
# cd nss_ldap-2XX
# ./configure --libdir=/lib --with-ldap-lib=openldap --with-ldap-dir=/usr --with-ldap-conf-file=/etc/ldap.conf --with-ldap-secret-file=/etc/ldap.secret
# make clean
# make
# make install
IMPORTANT NOTE: You must configure/install nss_ldap prior to pam_ldap as it will populate /usr/local/include with header files that pam_ldap requires, depending on which version of LDAP you are using, example: ldap.h, this file is LDAP version dependant, this will avoid pam_ldap "configure" error "could not locate <ldap.h>".
Build pam_ldap from source, use EXACTLY the same configuration options:
# cd /var/tmp
# tar xvf pam_ldap.tar
# cd pam_ldap-1XX
# ./configure --libdir=/lib --with-ldap-lib=openldap --with-ldap-dir=/usr --with-ldap-conf-file=/etc/ldap.conf --with-ldap-secret-file=/etc/ldap.secret
# make clean
# make
# make install
Skip this step if it is already installed as shared libraries objects.
# cd /var/tmp
# tar xvf openssl-0.9.7e.tar
# cd openssl-0.9.7e
# ./config shared --prefix=/usr
# make clean
# make
# make install
Additional steps shown below are required to rename and hide openssl-0.9.7a original files (due to the fact that RedHat stores libssl and libcrypto shared object files at odd location, i.e. /lib).
# cd /lib
# mv -f libssl.so.4 libssl.so.4.orig
# ln -s /usr/lib/libssl.so.0.9.7 libssl.so.4
# mv -f libcrypto.so.4 libcrypto.so.4.orig
# ln -s /usr/lib/libcrypto.so.0.9.7 libcrypto.so.4
# /usr/bin/openssl
OpenSSL> version
OpenSSL 0.9.7e DD MMM YYYY
OpenSSL> exit
Prior to doing anything, backup the SUN SSH Server original configuration files and host keys.
# mkdir 每p /etc/ssh.orig
# cp /etc/ssh/* /etc/ssh.orig
Now configure OpenSSH with support for PAM and OpenSSL
NOTE: RedHat OpenSSH usually stores host keys in /etc/ssh
# cd /var/tmp
# tar xvf openssh-3.X.XpX.tar
# cd openssh-3.X.XpX
# ./configure --prefix=/usr --with-pam --sysconfdir=/etc/ssh --with-ssl-dir=/usr
# make clean
# make
# make install
(IMPORTANT Note: having --sysconfdir=/etc/ssh will preserve OpenSSH original /etc/ssh/ssh_config and /etc/ssh/sshd_config as well as host keys, but as the original sshd_config file MAY NOT include NEW settings, you MAY overwrite sshd_config with a sample from OpenSSH distribution, with references to original settings)
Create /etc/init.d/openssh.server, this step is OPTIONAL as you may use RedHat's /etc/init.d/sshd script
# touch /etc/init.d/openssh.server; chmod 744 /etc/init.d/openssh.server
#! /bin/sh
case $1 in
'start')
/usr/sbin/sshd
;;
'stop')
PID=`cat /var/run/sshd.pid`
if [ -n "$PID" ]
then
/usr/bin/kill -9 $PID
fi
;;
*)
echo "usage: /etc/init.d/sshd {start|stop}"
;;
esac
Copy (Overwrite) sample sshd_config and ssh_config from OpenSSH
# cp /var/tmp/openssh-3.X.XpX/sshd_config /etc/ssh
# cp /var/tmp/openssh-3.X.XpX/ssh_config /etc/ssh
Edit /etc/ssh/sshd_config, enable PasswordAuthentication, enable ChallengeResponseAuthentication, enable PAM and verify path for sftp-server does exist
# vi /etc/ssh/sshd_config
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
# Set this to 'yes' to enable
PAM keyboard-interactive authentication
# Warning: enabling this may bypass the
setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt
yes
# mkdir 每p /var/empty; chmod 755 /var/empty
# groupadd -g 999 sshd
# useradd -u 999 -g 999 每c ※sshd privilege separation§ -d /var/empty -s /bin/false sshd
Optionally, for any reason if there is a need to re-create the host keys for sshd, you may perform:
/usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
Optionally, you may want to fine tune OpenSSH server for it to be more secure, i.e. use only Protocol 2, disable default PermitRootLogin, enable X11Forwarding, and so on#below is an example:
# sed -e 's/#Protocol 2,1/Protocol 2/' \
-e 's/#PermitRootLogin yes/PermitRootLogin no/' \
-e 's/#X11Forwarding no/X11Forwarding yes/' \
-e 's/#PrintMotd yes/PrintMotd no/' \
/etc/ssh/sshd_config > /etc/ssh/sshd_config_new
# mv /etc/ssh/sshd_config_new /etc/ssh/sshd_config
That*s all, kill existing SSH Server and re-start OpenSSH Server
# /etc/init.d/sshd stop; /etc/init.d/openssh.server start
OR use the RedHat's way:
# service sshd restart
There are two ldap.conf files, one for pam_ldap, which is usually named /etc/ldap.conf, another for OpenLDAP client, which is usually named /etc/openldap/ldap.conf:
Create these two files.
Content of /etc/ldap.conf, those in green are required entries.
# List two or more LDAP servers if failover is required
host ldap1.example.com ldap2.example.com
# ※host§ directive may be deprecated in future releases,
# you may wish to use &uri* directive to replace ※host§ directive
# uri ldap://ldap1.example.com ldap://ldap2.example.com
base dc=example,dc=com
ldap_version 3
binddn cn=proxyagent,ou=profile,dc=example,dc=com
bindpw password
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=example,dc=com
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
# Bind timelimit
#bind_timelimit 30
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
pam_member_attribute memberUid
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
nss_base_netgroup ou=netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member
# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds
# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Un-comment for RedHat
tls_cacertfile /etc/openldap/cacert.pem
# Un-comment for Others
#tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Content of /etc/openldap/ldap.conf
HOST ldap1.example.com ldap2.example.com
# URI ldap://ldap1.example.com ldap://ldap2.example.com
BASE dc=example,dc=com
# Un-comment for RedHat
TLS_CACERT /etc/openldap/cacert.pem
# Un-comment for others
#TLS_CACERT /usr/local/etc/openldap/cacert.pem
Note: For RHEL4/RHFC3 Client, running ※authconfig§ with TLS option selected will always add a line to use CACERTDIR method to the end of /etc/ldap.conf, so please comment out the CACERTFILE method in /etc/ldap.conf and also /etc/openldap/ldap.conf, as shown:
/etc/ldap.conf:
#tls_cacertfile /etc/openldap/cacert.pem
tls_cacertdir /etc/openldap/cacerts
/etc/openldap/ldap.conf:
#TLS_CACERT /etc/openldap/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
After that you GOT to generate the X.509 HASH which is a symbolic link to cacert.pem, you may use the following script to help you:
# cat get_x509_hash.sh
HASH=`openssl x509 -noout -hash -in /etc/openldap/cacert.pem`
echo Please run these commands
echo "cd /etc/openldap/cacerts"
echo "ln -s ../cacert.pem $HASH.0"
cacert.pem contains the ONE PER ORGANIZATION Self-Signed Certification Authority Certificate that was generated at the MASTER LDAP Server(s) for all OpenLDAP Clients to talk to OpenLDAP Server in "start_tls" mode (also called SSL_TLS) at the usual LDAP port 389.
You must generate this file at the OpenLDAP Server, details could be found in "Installing and configuring OpenLDAP for RedHat Enterprise Linux3", and copy it over to all LDAP clients into your preferred location referenced by BOTH /etc/ldap.conf and /etc/openldap/ldap.conf.
The following is an example of /etc/openldap/cacert.pem.
-----BEGIN CERTIFICATE-----
MIIEBjCCA2+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBuTELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE5ldyBZb3JrMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MSYwJAYD
VQQKEx1QTEFUVFMsIE1jR3Jhdy1IaWxsIENvbXBhbmllczEPMA0GA1UECxMGUExB
VFRTMSIwIAYDVQQDExluamhwbHBtb24xLnBsYXR0cy5taG0ubWhjMSIwIAYJKoZI
hvcNAQkBFhNnYXJ5X3RheUBwbGF0dHMuY29tMB4XDTA0MDcwNjAyNTExNFoXDTE0
MDcwNDAyNTExNFowgbkxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEW
MBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTEmMCQGA1UEChMdUExBVFRTLCBNY0dyYXct
SGlsbCBDb21wYW5pZXMxDzANBgNVBAsTBlBMQVRUUzEiMCAGA1UEAxMZbmpocGxw
bW9uMS5wbGF0dHMubWhtLm1oYzEiMCAGCSqGSIb3DQEJARYTZ2FyeV90YXlAcGxh
dHRzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0wqm6JKsUMIXRYyn
YRKDUYh//+57SJl+XSES7xz/TRO+rvfmnpZWFqHdMG6K5ruPVjQeusSQfNxuZT8T
aMOXpI0Upv2pvmGJyP88zxSN/kS6btDJHqKOrF3sp8P/BJOgDartHb2/gVcdHXYE
/QISDwMRJncE0kFOxhBJ/1U8I20CAwEAAaOCARowggEWMB0GA1UdDgQWBBQlvKCz
RfHlJXtG5ecwD0XrmLg2NzCB5gYDVR0jBIHeMIHbgBQlvKCzRfHlJXtG5ecwD0Xr
mLg2N6GBv6SBvDCBuTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMRYw
FAYDVQQHEw1OZXcgWW9yayBDaXR5MSYwJAYDVQQKEx1QTEFUVFMsIE1jR3Jhdy1I
aWxsIENvbXBhbmllczEPMA0GA1UECxMGUExBVFRTMSIwIAYDVQQDExluamhwbHBt
b24xLnBsYXR0cy5taG0ubWhjMSIwIAYJKoZIhvcNAQkBFhNnYXJ5X3RheUBwbGF0
dHMuY29tggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAdra0I6Ei
Y+qgJyzBUM2ObxYAv26hDa+Vmk0VjVDxTBpjh1+4VM7ufWitClst3MZJy/ht/8Ui
4hBC6MtOdTnMb7YxJ6dCBHQ01WKs7pTPbYGuxAweSQQ/Jx3opmh55RyqFFs1/S4f
diTGRXhlVYaLsUP6FMCyvjXe3Tg68HBLyio=
-----END CERTIFICATE-----
Log in as root at the console of LDAP Client (SSH Server)
Make a backup copy of /etc/pam.d/system-auth
# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.orig
run "authconfig" to generate /etc/pam.d/system-auth for LDAP Authentication, if there is any issue, run authconfig again to restore back the original system-auth, or just restore from the backup.
User Information Configuration:
[*] Use LDAP
[*] Use TLS
Server: ldap1.example.com,ldap2.example.com
Base DN: dc=example,dc=com
Authentication Configuration:
[*] Use LDAP Authentication
[*] Use TLS
Server: ldap1.example.com,ldap2.example.com
Base DN: dc=example,dc=com
Tips: if the generated system-auth has a bug such that "su 每 userid" will display "incorrect password" even when correct password is provided, to fix it, replace one of the "account" lines, as shown below:
# diff /etc/pam.d/system-auth /etc/pam.d/system-auth.ldapauth
9c9
< account required /lib/security/$ISA/pam_unix.so
---
> account sufficient /lib/security/$ISA/pam_unix.so
Content of /etc/pam.d/system-auth that will fix ※su 每 incorrect password issue§.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
# Un-comment the next line if you want pam_mkhomedir.so to mkdir $HOME on the fly
#session sufficient pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
NOTE 1: "authconfig" will at the end of the run, stop and restart /etc/init.d/nscd, if it hangs, press CTRL-C and then run "service nscd restart"
NOTE 2: if ※authconfig§ is re-run again, /etc/pam.d/system-auth will be re-generated and overwritten, therefore manual edit of this file is required if there are customizations.
NOTE 3: if you are using a latest update of RHEL3 or RHEL4/RHFC3, the above ※tips§ to replace the ※required§ keyword for pam_unix.so is not required, as the generated system-auth is good without ※su 每 user§ incorrect password issue.
Sample content of ※system-auth§ generated for RHEL3 and RHEL4/RHFC3 that works right out of the box:
RHEL3:
#%PAM-1.0
#
This file is auto-generated.
# User changes will be destroyed the next time
authconfig is run.
auth
required /lib/security/$ISA/pam_env.so
auth sufficient
/lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient
/lib/security/$ISA/pam_ldap.so use_first_pass
auth
required /lib/security/$ISA/pam_deny.so
account
required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore]
/lib/security/$ISA/pam_ldap.so
password
required /lib/security/$ISA/pam_cracklib.so
retry=3 type=
password sufficient
/lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password sufficient
/lib/security/$ISA/pam_ldap.so use_authtok
password
required /lib/security/$ISA/pam_deny.so
session
required /lib/security/$ISA/pam_limits.so
session required
/lib/security/$ISA/pam_unix.so
session
optional
/lib/security/$ISA/pam_ldap.so
RHEL4/RHFC3:
#%PAM-1.0
#
This file is auto-generated.
# User changes will be destroyed the next time
authconfig is run.
auth
required /lib/security/$ISA/pam_env.so
auth sufficient
/lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient
/lib/security/$ISA/pam_ldap.so use_first_pass
auth
required /lib/security/$ISA/pam_deny.so
account
required /lib/security/$ISA/pam_unix.so
broken_shadow
account sufficient
/lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_ldap.so
account
required /lib/security/$ISA/pam_permit.so
password
requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient
/lib/security/$ISA/pam_unix.so nullok use_authtok shadow
password sufficient
/lib/security/$ISA/pam_ldap.so use_authtok
password
required /lib/security/$ISA/pam_deny.so
session
required /lib/security/$ISA/pam_limits.so
session required
/lib/security/$ISA/pam_unix.so
session
optional /lib/security/$ISA/pam_ldap.so
That is all, reboot your LDAP Client (SSH Server), if there is any boot issue, you may boot into RedHat Linux Rescue Mode, and try to fix the issue, if issue persists, you may restore back the original /etc/pam.d/system-auth, or run "authconfig" to generate the original.
# sync;sync;sync
# init 6
---End of Doc ---