Integrated Login Syslog Messages

If a user attempts to log in via integrated login, such as LDAP, RADIUS, or Kerberos, and is unsuccessful, a login failure message will be generated even if that user can subsequently log in using local credentials.

The message below is generated if the username could not be obtained because the failure happened too early in the integrated process, or if the exchange succeeded but the security provider configuration denied the user access. In the example below, <method> is either password (for LDAP or RADIUS) or gssapi (for Kerberos).

Oct 12 14:53:24 example_host BG: 1234:01:01:site=support.example.com;…<data truncated>…who=unknown () using <method>; event=login;status=failure;reason=failed

Such a scenario can produce the following sequence. A user attempts integrated authentication and fails for a technical reason, such as being unable to supply a valid Kerberos service ticket, so no username is available. The user then logs in successfully using a local account or an account on another security provider.

Oct 12 14:53:24 example_host BG: 1234:01:01:site=support.example.com;…<data truncated>…who=unknown () using gssapi; event=login;status=failure;reason=failed
Oct 12 14:53:28 example_host BG: 1234:01:01:site=support.example.com;…<data truncated>…who=John Smith(jsmith); event=login;status=success

An alternate scenario occurs if a security provider is not configured with a proper default policy or group lookup for integrated login, or if it explicitly denies that user. In this case the username was obtained, so it appears in the failure message.

Oct 12 14:53:24 example_host BG: 1234:01:01:site=support.example.com;…<data truncated>…who=John Smith(jsmith@EXAMPLE.LOCAL);event=login;status=failure;reason=failed
Oct 12 14:53:28 example_host BG: 1234:01:01:site=support.example.com;…<data truncated>…who=John Smith(jsmith); event=login;status=success
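As an added example (not part of the original documentation), the following Python parses login messages in the format shown above and pairs each failure with a following success on the same host, so that the benign fallback sequences in both scenarios can be told apart from failures that deserve attention. The sample lines are constructed from the documented format with the truncated middle of the message omitted; the 60-second window and the field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the documented format; the truncated middle of the real message is omitted.
SAMPLE_LOG = """\
Oct 12 14:53:24 example_host BG: 1234:01:01:site=support.example.com;who=unknown () using gssapi; event=login;status=failure;reason=failed
Oct 12 14:53:28 example_host BG: 1234:01:01:site=support.example.com;who=John Smith(jsmith); event=login;status=success
Oct 12 15:10:02 example_host BG: 1234:01:01:site=support.example.com;who=John Smith(jsmith@EXAMPLE.LOCAL);event=login;status=failure;reason=failed
Oct 12 15:10:05 example_host BG: 1234:01:01:site=support.example.com;who=John Smith(jsmith); event=login;status=success
Oct 12 16:00:00 example_host BG: 1234:01:01:site=support.example.com;who=unknown () using password; event=login;status=failure;reason=failed
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) BG: .*?"
    r"who=(?P<who>[^;]*?)(?: using (?P<method>\w+))?;\s*"
    r"event=login;status=(?P<status>\w+)(?:;reason=(?P<reason>\w+))?"
)

def parse_line(line):
    """Extract the login-event fields from one syslog line; None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, fine for same-day deltas.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    # Account name is the text in parentheses; "unknown ()" yields none. Realm is stripped.
    inner = re.search(r"\(([^)]*)\)", ev["who"])
    ev["account"] = (inner.group(1).split("@")[0] if inner else "") or None
    return ev

def classify_failures(log_text, window_seconds=60):
    """Per failure: (time, account, method, verdict). 'fallback' = a success for the same
    account (any account, if the failed one is unknown) followed on the same host within
    the window; 'unmatched' failures are the ones worth alerting on."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    results = []
    for i, f in enumerate(events):
        if f["status"] != "failure":
            continue
        verdict = "unmatched"
        for s in events[i + 1:]:
            if (s["ts"] - f["ts"]).total_seconds() > window_seconds:
                break
            same_user = f["account"] is None or s["account"] == f["account"]
            if s["status"] == "success" and s["host"] == f["host"] and same_user:
                verdict = "fallback"  # unknown-user failures can only be paired by time
                break
        results.append((f["ts"].strftime("%H:%M:%S"), f["account"], f["method"], verdict))
    return results
```

Because an unknown-user failure carries no account, it can only be paired with a success by time and host, so keep the window short to avoid masking unrelated failures.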