[Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts?

George Holbert gholbert at broadcom.com
Thu Mar 8 06:33:57 UTC 2007 

For RHEL3,
change:
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
to:
account     sufficient      /lib/security/$ISA/pam_unix.so broken_shadow

Keep in mind that this will make the account stack succeed in most cases 
before it hits pam_ldap, which means pam_ldap won't be used for enforcing 
account policy.  See below for an alternate method, if this matters for you.

For RHEL4, disconnected root login _should_ already be working, beause of 
the extra line:
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 
quiet

As you can probably tell, this line makes the stack succeed if the user's 
uid is less than 100, which is of course true for root.

The alternate RHEL3 fix would be to manually compile and deploy 
pam_succeed_if.so on your RHEL3 clients, and use the same system-auth you 
currently have on your RHEL4 clients.


----- Original Message ----- 
From: "MJD Shop Account" <mjdshop at earthlink.net>
To: "George Holbert" <gholbert at broadcom.com>; "General discussion list for 
the Fedora Directory server project." <fedora-directory-users at redhat.com>
Sent: Wednesday, March 07, 2007 8:13 PM
Subject: Re: [Fedora-directory-users] ldap too many connections from 
clients? following ldap even for local accounts?


> My RH3 system-auth is as follows:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     [default=bad success=ok user_unknown=ignore] 
> /lib/security/$ISA/pam_ldap.so
> account     [default=bad success=ok user_unknown=ignore] 
> /lib/security/$ISA/pam_krb5.so
> #account     required      /lib/security/$ISA/pam_deny.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok 
> use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
> session     optional      /lib/security/$ISA/pam_krb5.so
>
>
> My RH4 version   is the same, with this difference:
> --- system-auth.RH3     2006-10-25 22:49:19.000000000 -0400
> +++ system-auth.RH4     2006-10-25 22:42:05.000000000 -0400
> @@ -8,6 +8,7 @@
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> +account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 
> quiet
> account     [default=bad success=ok user_unknown=ignore] 
> /lib/security/$ISA/pam_ldap.so
> account     [default=bad success=ok user_unknown=ignore] 
> /lib/security/$ISA/pam_krb5.so
> #account     required      /lib/security/$ISA/pam_deny.so
>
>
> -----Original Message-----
>>From: George Holbert <gholbert at broadcom.com>
>>Sent: Mar 7, 2007 8:42 PM
>>To: MJD Shop Account <mjdshop at earthlink.net>, "General discussion list for 
>>the Fedora Directory server project." <fedora-directory-users at redhat.com>
>>Subject: Re: [Fedora-directory-users] ldap too many connections from 
>>clients? following ldap even for local accounts?
>>
>>> If a machine is disconnected from the network, a login attempt as
>>> 'root' user (with local passwd file entry and password) fails.
>>> ...
>>> I think I need to configure something such that the nsswitch.conf
>>> entry tells it to stop if it finds the 'files' entry and not proceed
>>> to the 'ldap' entry.  I thought this would happen by default.
>>
>>At least for authentication, this behavior depends also on your PAM 
>>config.
>>
>>You need to make sure that the auth and account stacks will succeed for
>>local accounts (e.g., root) without asking pam_ldap.
>>What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 
>>clients?
>>
>>
>>MJD Shop Account wrote:
>>>  I'm having some odd ldap issues with connection or lack thereof to
>>> ldap server when nsswitch.conf and pam.d/system-auth are configured to
>>> used FDS ldap server.
>>>
>>> I'm running both RHEL3 and RHEL4 clients.  My servers are RHEL4 update
>>> 4 and FDS 1.0.4.  My /etc/ldap.conf is configured with two host
>>> names.  I've noticed these issues:
>>>
>>>     * If a machine is disconnected from the network, a login attempt
>>>       as 'root' user (with local passwd file entry and password)
>>>       fails.  The system appears to accept the password, but sits for
>>>       maybe a minute, then dumps you back to the login prompt.  I've
>>>       had to  boot off rescue CD and shell in to remove 'ldap' from
>>>       the /etc/nsswitch.conf file to get around this in some instances.
>>>
>>>       My relevant /etc/ldap.conf entries are:
>>>       passwd:     files ldap
>>>       shadow:     files
>>>       group:      files ldap
>>>       netgroup:   files ldap
>>>
>>>     * I noticed that a anhy randomly chosen client has a few
>>>       connections to the ldap server that persist.  The connections
>>>       are tied to processes that also should have local entries only
>>>       in the local /etc/passwd files.  Here's an example:
>>>       # netstat -a | grep ldap
>>>       tcp       38      0 clienthostname:32771 serverhostname:ldap
>>>       CLOSE_WAIT
>>>       # fuser 32771/tcp
>>>       here: 32771
>>>       32771/tcp:            3729
>>>       # ps -ef | grep 3729 | grep -v grep
>>>       ntp       3729     1  0 Feb23 ?        00:00:00 ntpd -u ntp:ntp
>>>       -p /var/run/ntpd.pid -g
>>>       #
>>>
>>>     * I notice that doing a "netstat -a" on the server that most
>>>       clients are using takes a long time.  It spits out a  bunch,
>>>       then slows down when reporting the entries that are ESTABLISHED
>>>       ldap connections:
>>>       tcp        0      0 ldapserver:ldap ldapclient:35908 ESTABLISHED
>>>       I see that some clients have very many connections, I would
>>>       expect just one or two.  Here's one client that had a whole
>>>       bunch, most disappeared before I could capture this bash shell
>>>       command output.  This output is for jobs associated with ports
>>>       connecting to ldap server:
>>>       # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" "
>>>       -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef |
>>>       grep $j | grep -v grep; done; done
>>>       xfs       2726     1  0 Feb20 ?        00:00:00 xfs -droppriv
>>>       -daemon
>>>       root      3138  3031  0 Feb20 ?        00:00:00
>>>       /usr/bin/gdm-binary bell-style none
>>>       root      3418  3138  0 18:32 ?        00:00:02 /usr/X11R6/bin/X
>>>       :0 -auth /var/gdm/:0.Xauth vt7
>>>       gdm       3430  3138  0 18:32 ?        00:00:00 
>>> /usr/bin/gdmgreeter
>>>       root      2477  2617  0 18:22 ?        00:00:01 sshd: root at pts/0
>>>       root      2481  2477  0 18:22 pts/0    00:00:00 -tcsh
>>>
>>>       I ran a similar command on a client computer where the user is
>>>       running a lot of jobs, I got 53 lines of output.  Basically
>>>       every job is maintaining an ldap connection, I guess.
>>>
>>>     * I think I need to configure something such that the
>>>       nsswitch.conf entry tells it to stop if it finds the 'files'
>>>       entry and not proceed to the 'ldap' entry.  I thought this would
>>>       happen by default.
>>>
>>>     * I think the above problem is possibly leading to many more ldap
>>>       connections than are necessary which in turn may be causing
>>>       performance issues on the server, ALTHOUGH the cpu load and
>>>       memory load does not appear inordinately heavy
>>>
>>>     * I tried running nscd (for caching the info) once, it seemed to
>>>       cause too many problems so I turned it off.  I have tried
>>>       something like implementing pam_ccache, I don't think it would
>>>       help the too-many-connections, just the issue with no logins
>>>       when off the net.
>>>
>>>     * Here's my /etc/ldap.conf minus the usual comment lines, I'm
>>>       doing anonymous binds.  Maybe there's some  keepalive flag that
>>>       should be set or unset?:
>>>       host server1 server2
>>>       base dc=example,dc=com
>>>       ldap_version 3
>>>       scope sub
>>>       bind_timelimit 10
>>>       pam_lookup_policy yes
>>>       pam_password exop
>>>       nss_base_passwd         ou=People,dc=example,dc=com?one
>>>       nss_base_group          ou=Group,dc=example,dc=com?one
>>>       nss_base_services       ou=Services,dc=example,dc=com?one
>>>       nss_base_aliases        ou=Aliases,dc=example,dc=com?one
>>>       nss_base_netgroup       ou=Netgroup,dc=example,dc=com?one
>>>       ssl start_tls
>>>       tls_checkpeer yes
>>>       tls_cacertfile /usr/share/ssl/certs/servercert.pem
>>>       tls_ciphers TLSv1
>>>       pam_password md5
>>>
>>> Any suggestions on what I might be doing  wrong are greatly appreciated!
>>>
>>> -Marty
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>>
>>
>
>
>

More information about the Fedora-directory-users mailing list