Hello.

I am trying to get PAM and LDAP to work together to authenticate users on a Suse 6.0 system. I want to use one system to store all account information and authenticate users for a network of systems using LDAP. But, I am having some trouble getting it to authenticate users correctly.

This is the scenario:

I have all of the required software (at least I think I do):

    PAM 0.68
    Simple PAM apps (login, passwd, su, etc.)
    OpenLDAP
    pam_ldap module
    nss_ldap module

All are up and running fine - it's my assumption that PAM will run if you:

    1) install the config files
    2) install the PAM-aware apps

I don't think that you have to do anything else.

I can query the LDAP database and get user information from the command line. And, it is queried whenever someone logs in.

I have three users:

    user1 - info in /etc/ flat files
    user2 - info in flat files and ldap db (but different passwords in each)
    user3 - info only in ldap

When I try to log in, this is what I get from the system logs:

    user1 - ldap db queried, nentries=0 (user not there)
            Is authenticated and let in to system

    user2 - db queried, nentries=1 (user there)
            Not authenticated using password from ldap db
            Authenticated using password from /etc/passwd (or /etc/shadow - whichever one has the first entry)
            Log file says "Invalid login from 'user2'" when it fails (when I use the password from the LDAP database)

    user3 - db queried, nentries=1 (user there)
            Not authenticated at all
            Log files say "Invalid login from UNKNOWN"

This is what the /etc/pam.d/login file looks like:

    #%PAM-1.0
    auth     required   /lib/security/pam_securetty.so
    auth     required   /lib/security/pam_ldap.so
    auth     required   /lib/security/pam_unix_auth.so
    account  sufficient /lib/security/pam_ldap.so
    password required   /lib/security/pam_ldap.so
    session  required   /lib/security/pam_unix.so debug
    session  required   /lib/security/pam_unix_session.so

This is /etc/nsswitch.conf:

    passwd: ldap files
    groups: ldap files
    shadow: ldap files

Some things that I have played with, that may help or not:

Adding objectclass posixAccount, posixGroup, and shadowAccount to the ldap entries. Currently, user2 and user3 have the objectclass posixAccount associated with them. Is adding these objectclasses necessary?

The system does use shadow, though it seems with the login file above, it shouldn't query it (but it must to get user1's password, since they are getting let in).

Also, is it necessary to have user information in the /etc/ flat files? My whole point is to get away from that, but it seems that I might not be able to yet.

I've heard accounts of several people getting this to work on RedHack 6.x. I think that you can install a lot of this stuff during the install, but other than that, I don't understand why it won't work here. My guess is that I am overlooking some very minor detail.

Can anyone offer any kind of insight to this?

thanks,

-pat mochel

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
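An added example, not part of the original message: a small Python model of how Linux-PAM combines `required`, `requisite` and `sufficient` results, run over the `auth` lines of the posted /etc/pam.d/login. The passwords, the `VARIANT` stack and the rule that each module checks only its own store are assumptions made for the illustration; it does not model the SuSE 6.0 login program or NSS lookups.

```python
# Constructed credential stores mirroring the three users in the message.
FLAT = {"user1": "flatpw1", "user2": "flatpw2"}  # /etc flat files (constructed)
LDAP = {"user2": "ldappw2", "user3": "ldappw3"}  # LDAP directory (constructed)

# Assumption: each module consults only its own store.
MODULES = {
    "pam_securetty.so": lambda user, pw: True,  # assume a secure tty
    "pam_ldap.so": lambda user, pw: LDAP.get(user) == pw,
    "pam_unix_auth.so": lambda user, pw: FLAT.get(user) == pw,
}

# The auth lines exactly as posted in /etc/pam.d/login.
POSTED = [
    ("required", "pam_securetty.so"),
    ("required", "pam_ldap.so"),
    ("required", "pam_unix_auth.so"),
]

# Hypothetical variant for comparison only: pam_ldap marked sufficient.
VARIANT = [
    ("required", "pam_securetty.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_unix_auth.so"),
]


def authenticate(stack, user, password):
    """Return True if the auth stack as a whole succeeds."""
    required_failed = False
    for control, module in stack:
        ok = MODULES[module](user, password)
        if control == "required":
            # A failure is remembered, but later modules still run.
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False  # fail immediately
        elif control == "sufficient":
            # Success ends the stack unless a required module already
            # failed; failure of a sufficient module is ignored.
            if ok and not required_failed:
                return True
        else:
            raise ValueError("unsupported control flag: " + control)
    return not required_failed


def outcomes(stack):
    """Evaluate every constructed user/password pair against a stack."""
    cases = [("user1", "flatpw1"), ("user2", "flatpw2"),
             ("user2", "ldappw2"), ("user3", "ldappw3")]
    return {case: authenticate(stack, *case) for case in cases}
```

In this model every `required` module must succeed, so the posted stack accepts only a user whose password matches in both stores, while the variant accepts user2 with either password, which means two valid credentials for one account.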