[Spacewalk-list] Spacewalk & pam_ldap

Andy Speagle andy.speagle at wichita.edu
Tue Aug 25 16:56:07 UTC 2009


On Tue, 2009-08-25 at 11:28 -0500, Brandon Perkins wrote:
> So, this doesn't look right to me, I'd expect something more along the
> lines of:
> 
>  #%PAM-1.0
>  auth           required        pam_env.so
>  auth           sufficient      pam_ldap.so no_user_check
>  auth           required        pam_deny.so
>  account        required        pam_ldap.so no_user_check
> 
> Notice the 'no_user_check's.  My PAM is a bit rusty, so I don't recall
> exactly what this does.  But comparing against all known working
> configurations against LDAP I see, this is the thing that stands out for
> me.  There is also the outside chance (that if this is a 64-bit box)
> that the path to the library needs to be prepended with:
> 
> /lib64/security/

I can't imagine that this is necessary... since none of the other PAM
config files include it... and it doesn't yell at me about them being
missing.

> So it's more like:
> 
>  #%PAM-1.0
>  auth           required        /lib64/security/pam_env.so
>  auth           sufficient      /lib64/security/pam_ldap.so no_user_check
>  auth           required        /lib64/security/pam_deny.so
>  account        required        /lib64/security/pam_ldap.so no_user_check

When I use "no_user_check" in my config... I see the following error
in /var/log/messages:

Aug 25 11:36:20 apptest-507 java: illegal option no_user_check

> You should also take a look at /var/log/tomcat/catalina.out when trying
> to log into the Web interface with this user to see if there is anything
> interesting being reported at the Satellite level.

The tomcat error that came out of this was:

# tail -n 0 -f /var/log/tomcat5/catalina.out
2009-08-25 11:34:27,291 [TP-Processor5] WARN com.redhat.rhn.domain.user.legacy.LegacyRhnUserImpl - PAM login for user User <myuser> (id 21, org_id 1) failed with error Authentication failure.

> Good luck!
> Brandon

Thanks... any thoughts on where to go from here?  I can't seem to get
any verbose logging from PAM... despite appending "debug" to the
pam_ldap.so lines.
-- 
Andy Speagle

"THE Student" - UCATS
Wichita State University