I am trying to configure Active Directory authentication on a SUSE Linux Enterprise Server 11 (x86_64) server, but somehow we are not able to succeed. In the warn file, the logs are showing the error message “nss_ldap: could not search LDAP server - Server is unavailable”… and I am able to do an ldapsearch from the SUSE server with the same user.
I used YaST to configure the LDAP client… does anyone have any idea why we are getting this?
The lines below are from the messages file…
suselx01 sshd[13631]: Invalid user from 14.x.x.x
suselx01 sshd[13633]: pam_ldap: ldap_search_s Operations error
suselx01 sshd[13631]: error: PAM: User not known to the underlying authentication module for illegal user from 14.x.x.x
suselx01 sshd[13631]: Failed keyboard-interactive/pam for invalid user from 14.x.x.x port 61072 ssh2
suselx01 sshd[13637]: Accepted keyboard-interactive/pam for root from 14.x.x.x port 61073 ssh2
suselx01 sshd[13635]: pam_unix2(sshd:auth): conversation failed
suselx01 sshd[13635]: pam_ldap: ldap_search_s Operations error
suselx01 sshd[13635]: error: ssh_msg_send: write
I did a lot of research on the net to figure out why it is not working… I didn’t find any helpful data. I even opened a case with IBM to see why it is not working… not much help from them as well.
I am using nss_ldap and pam_ldap… and I just need to log in to the box using AD credentials… not sure where the issue is… it simply throws the error below, no matter what changes I have made to the configuration.
Invalid user xxx\xxxxx
error: PAM: User not known to the underlying authentication module for illegal user xxx/xxxx
Failed keyboard-interactive/pam for invalid user xxx/xxx port 54163 ssh2
I think Linux is sending one format and AD is configured for another format… like Linux is sending posixAccount and AD is looking for UID…
In your initial message you said that your ldapsearch worked fine using that same user - did you search for the user entry, or did you specify the user DN as the bind DN?
While I have not had to bind against AD yet, if ldapsearch works, you can get nss_ldap working, too.
Have you enabled the settings in /etc/ldap.conf’s “# RFC 2307 (AD) mappings” section?
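As an added illustration of that check (not code from this thread or from nss_ldap itself), the script below audits an nss_ldap/pam_ldap style ldap.conf: it lists which of the “RFC 2307 (AD) mappings” directives are still commented out and whether a binddn/bindpw pair is present, since AD commonly refuses anonymous searches and nss_ldap/pam_ldap then report an LDAP “Operations error”. The mapping lines are the ones shipped in nss_ldap's sample ldap.conf; the sample configuration, host name and base DN are constructed.

```python
# Directives that nss_ldap's sample ldap.conf ships commented out under
# "# RFC 2307 (AD) mappings"; every one of them must be active for AD lookups.
AD_MAPPINGS = [
    "nss_map_objectclass posixAccount user",
    "nss_map_objectclass shadowAccount user",
    "nss_map_attribute uid sAMAccountName",
    "nss_map_attribute homeDirectory unixHomeDirectory",
    "nss_map_objectclass posixGroup group",
    "nss_map_attribute uniqueMember member",
    "pam_login_attribute sAMAccountName",
    "pam_filter objectclass=User",
]

def parse_ldap_conf(text):
    """Return the active (uncommented) directives with whitespace normalised."""
    active = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            active.append(" ".join(line.split()))
    return active

def audit_ldap_conf(text):
    """List AD mappings still missing and check that a bind identity is set."""
    active = parse_ldap_conf(text)
    keys = {d.split()[0] for d in active}
    return {
        "missing_mappings": [m for m in AD_MAPPINGS if m not in active],
        # AD usually refuses anonymous searches and reports that as an
        # LDAP "Operations error"; binddn/bindpw let nss_ldap bind first.
        "has_bind_identity": "binddn" in keys and "bindpw" in keys,
    }

# Constructed sample in the layout of the shipped ldap.conf: the AD mappings
# are still commented out and no binddn is set, apart from one line re-enabled.
SAMPLE_CONF = """\
uri ldap://dc01.example.com/
base dc=example,dc=com
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_attribute uid sAMAccountName
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
nss_map_attribute   uid   sAMAccountName
"""

if __name__ == "__main__":
    print(audit_ldap_conf(SAMPLE_CONF))
```

Point it at the real /etc/ldap.conf (read the file into `audit_ldap_conf`) and any entry in `missing_mappings` is a line that still needs uncommenting.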