SELinux + pam_ldap + sudo

sub at nryc.fr
Sat Feb 19 14:36:58 UTC 2011


On 17/02/2011 17:31, Marti, Robert wrote:

>>> That doesn't seem like SELinux is interfering, it seems like an
>>> issue contacting the ldap server. If it was an SELinux issue
>>> there would be avc denials in /var/log/messages and Permissive
>>> mode would not block anything.
>>
>> As I said in my first message : "pam_ldap is correctly configured :
>> I can perform an authentication on a ssh connection".
>>
>> So there is absolutely no problem contacting the LDAP server : I
>> have a user account with no password and I can open a ssh session
>> on this server using my LDAP credentials...
>
> SELinux is good about one thing - it logs excessive amounts of
> information when it "interferes" with something. If you don't have
> any SELinux errors logged in /var/log/messages (or
> /var/log/audit/audit.log) SELinux isn't interfering, at all. If
> you're still convinced it's SELinux, disable it and see (requires a
> reboot).  If it magically works, I'd love to see ls -lZ /etc/pam.d/s*
> and any AVCs in /var/log/messages.

I finally made the pam_ldap authentication work. I didn't know that
SELinux was logging to /var/log/audit/audit.log, so my assumption that
it was to blame was based on the fact that my settings work on all
other SELinux-free servers.

I still don't understand why it wasn't working, as this server has the
same /etc/ldap.conf and /etc/openldap/ldap.conf files, the same
certificate, and is on the same network as the others (!).

Regards,

Nicolas
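Robert's advice above (look in /var/log/audit/audit.log for AVC denials before blaming SELinux) can be turned into a small triage script. The following is an added example, not code from anyone in this thread: the audit log lines are constructed for the example (their layout follows the standard auditd AVC record format, but the contexts and pids are made up), and the function names avc_denials_for and count_avc_denials_for are this example's own.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials for the processes involved in a
# pam_ldap / sudo authentication path, using only POSIX sh, grep and sed.
#
# The log content below is CONSTRUCTED for this example. It is not taken from
# any real server; it only imitates the auditd record layout so that the
# parsing logic can be exercised offline.
SAMPLE_AUDIT_LOG="$(cat <<'EOF'
type=USER_AUTH msg=audit(1298000000.123:100): user pid=1234 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:authentication acct="nicolas" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=AVC msg=audit(1298000010.456:101): avc:  denied  { name_connect } for  pid=1300 comm="sudo" dest=389 scontext=unconfined_u:unconfined_r:sudo_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1298000010.789:102): avc:  denied  { read } for  pid=1300 comm="sudo" name="ldap.conf" dev=dm-0 ino=123 scontext=unconfined_u:unconfined_r:sudo_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
)"

# Print every AVC denial recorded for a given process name (the comm="..."
# field), one per line, as:  <permission(s)> <tclass> <tcontext>
# so that the denied access (what, on which object class, labelled how) is
# visible at a glance. Arguments: comm name, log text.
avc_denials_for() {
    comm="$1"
    log="$2"
    printf '%s\n' "$log" \
      | grep '^type=AVC ' \
      | grep "comm=\"$comm\"" \
      | sed -n 's/.*denied  { \([^}]*\) }.*tcontext=\([^ ]*\).*tclass=\([^ ]*\).*/\1 \3 \2/p'
}

# Count the denials for a comm. A result of 0 is the concrete form of
# "SELinux is not interfering with this process": no AVC record, no block.
count_avc_denials_for() {
    avc_denials_for "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed log: sudo shows two denials
# (an LDAP port connect and a read of an etc_t file), sshd shows none.
for proc in sudo sshd; do
    echo "$proc: $(count_avc_denials_for "$proc" "$SAMPLE_AUDIT_LOG") AVC denial(s)"
    avc_denials_for "$proc" "$SAMPLE_AUDIT_LOG" | sed 's/^/    /'
done
```

On a real host the same question is answered by the audit tools themselves, e.g. `ausearch -m avc -c sudo`, and a genuine denial would then be followed up with `ls -lZ` on the files named in the record (as Robert suggests for /etc/pam.d) rather than by disabling SELinux. The point the script makes explicit is the one from the thread: if the count is zero for every process on the authentication path, the fault is elsewhere.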



