[389-users] Migrating to LDAP authentication
patrick.morris at hp.com
patrick.morris at hp.com
Fri Feb 12 10:32:18 UTC 2010
Hi Sean!
On Fri, 12 Feb 2010, Sean Carolan wrote:
> > Is "invalid user" all you're seeing in the log? Generally, at least with
> > OpenSSH, if the user is being denied because it's not in a valid group,
> > the logs will say so. They'll also generally tell you if it's because it
> > couldn't find the user at all (often with exactly what it did to try to
> > find the user).
>
> Here's what I'm seeing:
>
> Feb 12 16:02:49 watcher sshd[953]: User scarolan from 10.2.3.102 not
> allowed because none of user's groups are listed in AllowGroups
>
> I have UsePAM turned on, and getent group shows me in the "operations"
> group. I wonder why sshd is not seeing that I'm in the operations
> group?
You don't also have the "operations" group defined in LDAP by any
chance, do you?
If you're going to start mixing local and LDAP stuff that way, you're
going to run into some fun-to-debug strangeness if you're not careful
about them all being identical.
I'm guessing you've also defined the group in LDAP either with different
members or a different GID, or that you've done the same with the user.
More information about the 389-users
mailing list