[Spacewalk-list] Spacewalk & pam_ldap
Brandon Perkins
bperkins at redhat.com
Tue Aug 25 16:28:58 UTC 2009
Andy Speagle wrote:
>> 1) Can you authenticate the user using LDAP for a different daemon, like
>> SSH successfully? If not, take another look at your authconfig.
>
> Yes, LDAP logins for SSH authentication work well...
>
>> 2) Paste your /etc/pam.d/rhn-satellite file so we can take a look at it.
>
> # cat /etc/pam.d/spacewalk
> #%PAM-1.0
> auth required pam_env.so
> auth sufficient pam_ldap.so
> auth required pam_deny.so
> account required pam_ldap.so
>

So, this doesn't look right to me, I'd expect something more along the
lines of:

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_ldap.so no_user_check
auth required pam_deny.so
account required pam_ldap.so no_user_check

Notice the 'no_user_check's. My PAM is a bit rusty, so I don't recall
exactly what this does. But comparing against all known working
configurations against LDAP I see, this is the thing that stands out for
me. There is also the outside chance (that if this is a 64-bit box)
that the path to the library needs to be prepended with:

/lib64/security/

So it's more like:

#%PAM-1.0
auth required /lib64/security/pam_env.so
auth sufficient /lib64/security/pam_ldap.so no_user_check
auth required /lib64/security/pam_deny.so
account required /lib64/security/pam_ldap.so no_user_check

You should also take a look at /var/log/tomcat/catalina.out when trying
to log into the Web interface with this user to see if there is anything
interesting being reported at the Satellite level.

Good luck!
Brandon

>> Your LDAP configuration may also be useful, but I would understand if
>> you don't want to share it.
>
> Probably not going to be able to include that...
>
>> 3) Make sure 'pam_auth_service = rhn-satellite' is in /etc/rhn/rhn.conf.
>>
>> 4) If you did not use the rhn-satellite name, and instead did something
>> else, you made sure that the pam.d file and the rhn.conf configuration
>> match.
>
> They do indeed match.
>
>> 5) Make sure you restart Spacewalk for it to take effect.
>>
>> Generally it is straight-forward, so we should be able to get you moving.
>
> After a restart, it still is a no-go for me... sadly. In addition, I'm
> not getting ANY output in /var/log/messages regarding authentication.
>
>> Thanks.
>> Brandon
>
> Looking forward to a resolution.
>
> Thanks,
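
Added example (not part of the original message, and not Spacewalk's own code): a small Python check that automates the points raised in the thread. It reads pam_auth_service from rhn.conf, confirms a PAM file of that name exists, confirms each module file can be found, and lists pam_ldap.so rules without the no_user_check argument the reply suggests. The function names and the module directory list are assumptions made for this example.

```python
import os
import re

# Module directories to search; /lib64/security is the one the reply mentions
# for 64-bit hosts. The list itself is an assumption; adjust per distribution.
MODULE_DIRS = ("/lib64/security", "/lib/security")
# type, control (plain word or [bracketed]), module, optional arguments
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def pam_service_name(rhn_conf_text):
    """Return the pam_auth_service value from rhn.conf text, or None."""
    for line in rhn_conf_text.splitlines():
        m = re.match(r"\s*pam_auth_service\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None

def parse_pam_stack(pam_text):
    """Return (type, control, module, [args]) for each rule line."""
    rules = []
    for line in pam_text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())  # drop comments
        if m:
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def check_pam_service(rhn_conf_text, pam_dir="/etc/pam.d", module_dirs=MODULE_DIRS):
    """Return a list of findings; an empty list means nothing was flagged."""
    service = pam_service_name(rhn_conf_text)
    if service is None:
        return ["rhn.conf: pam_auth_service is not set"]
    path = os.path.join(pam_dir, service)
    if not os.path.isfile(path):
        return [f"{path}: missing, but rhn.conf has pam_auth_service = {service}"]
    with open(path) as fh:
        rules = parse_pam_stack(fh.read())
    findings = []
    for kind, _control, module, args in rules:
        # A bare module name is looked up in module_dirs; a full path is used as is.
        paths = [module] if os.path.isabs(module) else [os.path.join(d, module) for d in module_dirs]
        if not any(os.path.isfile(p) for p in paths):
            findings.append(f"{service}: {kind} {module}: module file not found")
        if os.path.basename(module) == "pam_ldap.so" and "no_user_check" not in args:
            findings.append(f"{service}: {kind} pam_ldap.so has no no_user_check argument")
    return findings

if __name__ == "__main__":
    with open("/etc/rhn/rhn.conf") as conf:
        for finding in check_pam_service(conf.read()):
            print(finding)
```

Run it as root on the Spacewalk host; no output means none of the three checks flagged anything.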