local accounts unavailable during ldap issue
Jon Miller
jonebird at gmail.com
Mon Oct 16 19:51:33 UTC 2006
Hopefully this is a easy/common problem which I've simply not hit upon yet.
I have several RHEL 3.0 machines which have setup to authenticate to a pair
of openldap servers. Normally things are fine, but lately we've had some
issues with our LDAP servers where a query would hang in the middle. Even
worse, the replication server too displayed the same behavior. Ouch, no
logins.
Ideally this scenario would only affect employees logging into the servers
since our applications use locally setup accounts. However, this is not the
case and our LDAP issue can actually affect local account authentication as
well.
Let me jump straight into a quick test case matrix: ( here, I have changed
my /etc/ldap.conf to point to a couple of bogus servers which are merely
running netcat to simulate a "hung" ldap query)
NSS Queried Successful | Comments
LDAP LDAP ? Login? |
-----------------------------------------------------------------------------|--------------------
root login No No Yes | pam_unix
indirectly querying ldap via nss?
ldap login No Yes No | "illegal
user" without nss.
root login Yes Yes No | queries
ldap before giving prompt; ssh timeout.
ldap login Yes Yes Yes | obvious.
(only with correct servers in ldap.conf, ofcourse)
legend: "NSS LDAP": No means I only left "files" for the various dbs(passwd,
shadow, group). Yes means "ldap" is listed second in the /etc/nsswitch.conf.
The case I am interested in solving is the third. While trying to ssh into
the machine, you are never prompted a password because it is busy querying
LDAP. Compare that with my first test case with ldap left out of the
nsswitch.conf and the root login succeeds without _ever_ attempting to query
our LDAP server.
Here is what my /etc/pam.d/system-auth file looks like:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so debug
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
audit
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
debug
auth required /lib/security/$ISA/pam_deny.so debug
account required /lib/security/$ISA/pam_unix.so debug
account sufficient /lib/security/$ISA/pam_localuser.so
account required /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session requisite /lib/security/$ISA/pam_mkhomedir.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
I have methodically tested various scenarios and at this point believe
pam_unix is, one way or another, querying LDAP during it's
pam_sm_authenticate routine. But I have yet to either prove or disprove that
theory. I have the latest (RHEL 3.0) pam-0.75-69 rpm on the machine.
--
Thanks,
Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20061016/eacb1001/attachment.htm>
More information about the Pam-list
mailing list