[Spacewalk-list] Spacewalk & pam_ldap

Brandon Perkins bperkins at redhat.com
Tue Aug 25 17:03:20 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Andy Speagle wrote:
> On Tue, 2009-08-25 at 11:28 -0500, Brandon Perkins wrote:
>> So, this doesn't look right to me, I'd expect something more along the
>> lines of:
>>
>>  #%PAM-1.0
>>  auth           required        pam_env.so
>>  auth           sufficient      pam_ldap.so no_user_check
>>  auth           required        pam_deny.so
>>  account        required        pam_ldap.so no_user_check
>>
>> Notice the 'no_user_check's.  My PAM is a bit rusty, so I don't recall
>> exactly what this does.  But comparing against all known working
>> configurations against LDAP I see, this is the thing that stands out
>> for me.  There is also the outside chance (that if this is a 64-bit box)
>> that the path to the library needs to be pre-pended with:
>>
>> /lib64/security/
> 
> I can't imagine that this is necessary... since none of the other PAM
> config files include it... and it doesn't yell at me about them being
> missing.
> 
>> So it's more like:
>>
>>  #%PAM-1.0
>>  auth           required        /lib64/security/pam_env.so
>>  auth           sufficient      /lib64/security/pam_ldap.so no_user_check
>>  auth           required        /lib64/security/pam_deny.so
>>  account        required        /lib64/security/pam_ldap.so no_user_check
> 
> When I use "no_user_check" in my config... I see the following error
> in /var/log/messages:
> 
> Aug 25 11:36:20 apptest-507 java: illegal option no_user_check
> 
>> You should also take a look at /var/log/tomcat/catalina.out when trying
>> to log into the Web interface with this user to see if there is anything
>> interesting being reported at the Satellite level.
> 
> The tomcat error that came out of this was:
> 
> # tail -n 0 -f /var/log/tomcat5/catalina.out
> 2009-08-25 11:34:27,291 [TP-Processor5] WARN com.redhat.rhn.domain.user.legacy.LegacyRhnUserImpl - PAM login for user User <myuser> (id 21, org_id 1) failed with error Authentication failure.
> 
>> Good luck!
>> Brandon
> 
> Thanks... any thoughts on where to go from here?  I can't seem to get
> any verbose logging from PAM... despite appending "debug" to the
> pam_ldap.so lines.

Wow, you're starting to get me stumped!  Next thing I'm curious about is
your version of jpam:

rpm -q --queryformat "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n" jpam

Thanks.
Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org

iD8DBQFKlBlYhwQhj8l1t/cRAgr5AJ9BpTr98rnyC2UB6PiWPFty/LDZ5wCggU1V
z+dWifchOR8R+el5VOCIkNU=
=KXmy
-----END PGP SIGNATURE-----
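The stack discussed above (pam_env required, pam_ldap sufficient, pam_deny required) only lets a user in when pam_ldap itself succeeds; if pam_ldap returns a failure, or never runs because the option was rejected as illegal, the stack falls through to pam_deny and the Web UI reports "Authentication failure" exactly as in the catalina.out line. The following is an added example, not code from the thread or from Spacewalk: a small Python parser for PAM service files plus a simulator of the required/requisite/sufficient/optional control semantics, run against the configuration quoted in this mail. The per-module outcomes and the set of "known" pam_ldap options are assumptions supplied by the caller (take the real list from `man pam_ldap` on the box); they are not taken from the thread.

```python
"""Toy PAM stack evaluator for reasoning about auth/account stacks.

Added example: parses a PAM service file (module given either as a bare
name or as an absolute path such as /lib64/security/pam_ldap.so), then
replays the classic control-flag semantics against caller-supplied
per-module outcomes.  It does not load any real PAM module.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Service file quoted in the thread (not constructed; taken from the mail).
SPACEWALK_STACK = """\
#%PAM-1.0
auth           required        pam_env.so
auth           sufficient      pam_ldap.so no_user_check
auth           required        pam_deny.so
account        required        pam_ldap.so no_user_check
"""

# Same stack with the 64-bit library paths the thread suggested trying.
SPACEWALK_STACK_LIB64 = """\
#%PAM-1.0
auth           required        /lib64/security/pam_env.so
auth           sufficient      /lib64/security/pam_ldap.so no_user_check
auth           required        /lib64/security/pam_deny.so
account        required        /lib64/security/pam_ldap.so no_user_check
"""


@dataclass(frozen=True)
class Rule:
    service_type: str          # auth, account, password, session
    control: str               # required, requisite, sufficient, optional
    module: str                # basename, e.g. "pam_ldap.so"
    options: Tuple[str, ...]   # everything after the module path


def parse_pam_config(text: str) -> List[Rule]:
    """Parse the simple (non-bracketed) PAM service-file syntax."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # also drops the #%PAM-1.0 header
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        service_type, control, module_path = parts[:3]
        # Modules may be given as a bare name or an absolute path; normalise.
        module = module_path.rsplit("/", 1)[-1]
        rules.append(Rule(service_type, control.lower(), module, tuple(parts[3:])))
    return rules


def evaluate_stack(rules: Iterable[Rule], service_type: str,
                   outcomes: Dict[str, bool]) -> bool:
    """Replay one management group (e.g. "auth") with the classic semantics.

    outcomes maps module basename -> True (PAM_SUCCESS) / False (any error).
    A module missing from outcomes is treated as failing, which is how
    pam_deny.so behaves and also what happens when a module never runs.
    """
    required_failed = False
    seen = False
    for rule in rules:
        if rule.service_type != service_type:
            continue
        seen = True
        ok = outcomes.get(rule.module, False)
        if rule.control == "required":
            if not ok:
                required_failed = True        # remember, but keep going
        elif rule.control == "requisite":
            if not ok:
                return False                  # fail immediately
        elif rule.control == "sufficient":
            if ok and not required_failed:
                return True                   # short-circuit success
        elif rule.control == "optional":
            pass                              # ignored when other modules exist
        else:
            raise ValueError(f"unsupported control flag: {rule.control}")
    return seen and not required_failed


def find_unknown_options(rules: Iterable[Rule],
                         known: Dict[str, set]) -> List[Tuple[str, str]]:
    """Flag options a given module build does not document.

    `known` is supplied by the caller (assumption: e.g. from `man pam_ldap`);
    a module not listed in `known` is skipped rather than guessed at.
    """
    unknown = []
    for rule in rules:
        if rule.module not in known:
            continue
        for opt in rule.options:
            if opt.split("=", 1)[0] not in known[rule.module]:
                unknown.append((rule.module, opt))
    return unknown


if __name__ == "__main__":
    rules = parse_pam_config(SPACEWALK_STACK)
    print("auth, LDAP ok:    ", evaluate_stack(rules, "auth", {"pam_env.so": True, "pam_ldap.so": True}))
    print("auth, LDAP failed:", evaluate_stack(rules, "auth", {"pam_env.so": True, "pam_ldap.so": False}))
    # Assumed option list for illustration only; check the installed build.
    print("unknown options:  ", find_unknown_options(rules, {"pam_ldap.so": {"debug", "use_first_pass", "try_first_pass"}}))
```

Running the module shows the point of the thread's stack: `sufficient` only short-circuits to success when pam_ldap actually returns success, so an LDAP bind failure, or a module that bails out on an option it does not recognise, ends at the `required pam_deny.so` line. The option check is a way to catch "illegal option" complaints before they show up in /var/log/messages, provided you feed it the option list of the pam_ldap build you actually have installed.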