[Spacewalk-list] Spacewalk & pam_ldap

Brandon Perkins bperkins at redhat.com
Tue Aug 25 16:28:58 UTC 2009





Andy Speagle wrote:
>> 1) Can you authenticate the user using LDAP for a different daemon, like
>> SSH successfully?  If not, take another look at your authconfig.
> 
> Yes, LDAP logins for SSH authentication work well...
> 
>> 2) Paste your /etc/pam.d/rhn-satellite file so we can take a look at it.
> 
> # cat /etc/pam.d/spacewalk 
> #%PAM-1.0
> auth        required      pam_env.so
> auth        sufficient    pam_ldap.so
> auth        required      pam_deny.so
> account     required      pam_ldap.so
> 

So, this doesn't look right to me; I'd expect something more along the
lines of:

 #%PAM-1.0
 auth		required	pam_env.so
 auth		sufficient	pam_ldap.so no_user_check
 auth		required	pam_deny.so
 account	required	pam_ldap.so no_user_check

Notice the 'no_user_check's.  My PAM is a bit rusty, so I don't recall
exactly what this does.  But comparing against all the known working
configurations against LDAP that I see, this is the thing that stands out
for me.  There is also the outside chance (if this is a 64-bit box)
that the path to the library needs to be prepended with:

/lib64/security/

So it's more like:


 #%PAM-1.0
 auth		required	/lib64/security/pam_env.so
 auth		sufficient	/lib64/security/pam_ldap.so no_user_check
 auth		required	/lib64/security/pam_deny.so
 account	required	/lib64/security/pam_ldap.so no_user_check

You should also take a look at /var/log/tomcat/catalina.out when trying
to log into the Web interface with this user to see if there is anything
interesting being reported at the Satellite level.

Good luck!
Brandon

>>  Your LDAP configuration may also be useful, but I would understand if
>> you don't want to share it.
> 
> Probably not going to be able to include that...
> 
>> 3) Make sure 'pam_auth_service = rhn-satellite' is
>> in /etc/rhn/rhn.conf.
>>
>> 4) If you did not use the rhn-satellite name, and instead did something
>> else, you made sure that the pam.d file and the rhn.conf configuration
>> match.
> 
> They do indeed match.
> 
>> 5) Make sure you restart Spacewalk for it to take effect.
>>
>> Generally it is straightforward, so we should be able to get you moving.
> 
> After a restart, it still is a no-go for me... sadly.  In addition, I'm
> not getting ANY output in /var/log/messages regarding authentication.
> 
>> Thanks.
>> Brandon
> 
> Looking forward to a resolution.
> 
> Thanks,
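
The checks discussed in this message (the `pam_auth_service` name in rhn.conf matching a file in /etc/pam.d, the module paths resolving, and `no_user_check` on the pam_ldap.so lines), as an added example that is not part of the original message or of Spacewalk. The root-prefix argument, the function names, the lookup in both /lib/security and /lib64/security, and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The root-prefix argument and function
# names are assumptions, so the check can run against a copy of the config.

# Print the pam_auth_service value from an rhn.conf-style file (last one wins).
pam_service_name() {
    sed -n 's/^[[:space:]]*pam_auth_service[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Check the tree under prefix $1: print findings, return 1 if any FAIL.
check_spacewalk_pam() {
    root=$1 rc=0
    svc=$(pam_service_name "$root/etc/rhn/rhn.conf")
    [ -n "$svc" ] || { echo "FAIL: pam_auth_service not set in rhn.conf"; return 1; }
    stack="$root/etc/pam.d/$svc"
    [ -f "$stack" ] || { echo "FAIL: rhn.conf names '$svc', no /etc/pam.d/$svc"; return 1; }
    # Each rule line: type control module [options...]
    while read -r type control module opts; do
        case $type in ''|'#'*) continue ;; esac
        case $module in
            /*) [ -e "$root$module" ] || { echo "FAIL: $module not found"; rc=1; } ;;
            *)  [ -e "$root/lib/security/$module" ] || [ -e "$root/lib64/security/$module" ] ||
                    { echo "FAIL: $module not in /lib/security or /lib64/security"; rc=1; } ;;
        esac
        if [ "${module##*/}" = pam_ldap.so ]; then
            case " $(echo $opts) " in
                *" no_user_check "*) ;;
                *) echo "WARN: $type pam_ldap.so has no no_user_check" ;;
            esac
        fi
    done < "$stack"
    return $rc
}

# Constructed sample: rhn.conf names rhn-satellite, the only stack is "spacewalk".
demo_tree() {
    d=$(mktemp -d) && mkdir -p "$d/etc/rhn" "$d/etc/pam.d" "$d/lib64/security"
    for m in pam_env pam_ldap pam_deny; do touch "$d/lib64/security/$m.so"; done
    echo "pam_auth_service = rhn-satellite" > "$d/etc/rhn/rhn.conf"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_env.so' 'auth sufficient pam_ldap.so' \
        'auth required pam_deny.so' 'account required pam_ldap.so' > "$d/etc/pam.d/spacewalk"
    echo "$d"
}

# With no argument, run against the constructed tree; pass / for the live system.
check_spacewalk_pam "${1-$(demo_tree)}" || echo "problems found"
```

A name mismatch stops the check at the first FAIL, because no stack can be read until rhn.conf and /etc/pam.d agree.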