Re: [rhelv5-list] struggling with LDAP authentication
- From: Craig White <craig tobyhouse com>
- To: "Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list" <rhelv5-list redhat com>
- Subject: Re: [rhelv5-list] struggling with LDAP authentication
- Date: Mon, 14 May 2007 15:57:07 -0700
On Mon, 2007-05-14 at 15:51 -0700, Joshua M. Miller wrote:
> Is this a client or is this the LDAP server?
----
This is both the master server and, of course, a client for users.
----
> Also, which LDAP server do
> you employ?
----
# rpm -qa|grep openldap
openldap-servers-2.3.27-5
openldap-2.3.27-5
openldap-clients-2.3.27-5
the version that comes from RHELv5.
I have this same setup on many different networks and have never had a
problem with RHEL 3 or RHEL 4, but something doesn't seem to work right
in RHELv5 even though I have chosen 'local authentication is sufficient'
in the checkbox of 'system-config-authentication' just like always, as
you can sort of tell from the contents of /etc/pam.d/system-auth below.
----
>
> Thanks,
> --
> Joshua M. Miller - RHCE,VCP
>
>
> Craig White wrote:
> > My main server, I upgraded from RHEL 3 to RHEL 5 and I imported my LDAP
> > DSA to the upgraded server which is the main server for our network
> > including the LDAP master.
> >
> > I want to use both local authentication and LDAP authentication as I
> > normally do but I am really struggling here.
> >
> > in /etc/nsswitch:
> > passwd: files ldap
> > shadow: files ldap
> > group: files ldap
> >
> > which is normal
> >
> > and 'getent passwd' command will return all my users & groups from
> > both /etc/passwd|group and LDAP and users can login to various services
> > from either LDAP or /etc/passwd
> >
> > # ssh root@localhost
> > root@localhost's password:
> > Last login: Mon May 14 11:24:12 2007 from xxx
> > [root@srv1 ~]# exit
> >
> > that works well (root from /etc/passwd)
> >
> > # ssh craig@localhost
> > craig@localhost's password:
> > -sh-3.1$
> >
> > that works well (craig is in LDAP not /etc/passwd)
> >
> > But if I try to restart services whose user is in /etc/passwd such as
> > restarting LDAP, BIND (named), etc. the system hangs and hopefully times
> > out and it even prevents it from booting up unless I shut off LDAP
> > authentication on startup and set it after startup
> >
> > # cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_ldap.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session optional pam_ldap.so
> >
> > HELP!
> >
>
> _______________________________________________
> rhelv5-list mailing list
> rhelv5-list redhat com
> https://www.redhat.com/mailman/listinfo/rhelv5-list
--
Craig White <craig tobyhouse com>
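Editor's added example (not part of the thread, not Red Hat's code): a small model of how Linux-PAM walks the auth and account stacks quoted in the message above, so you can see which modules actually run for a local uid 0 account versus an LDAP-only account. The control-flag semantics follow pam.conf(5) (required, requisite, sufficient, optional and the bracketed form); each module's return value is a simplification that is an assumption of this model, and the two accounts (root in /etc/passwd, craig only in LDAP, with made-up passwords) are constructed. The password and session stacks are left out because the question concerns authentication of local versus directory users.

```python
"""Model of Linux-PAM dispatch over the system-auth stack posted above. Added
example: module behaviour is a simplification (assumption), accounts are made up."""
import re

# auth and account stacks exactly as posted (password/session not modelled).
SYSTEM_AUTH = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
"""
# Keyword controls expanded to the bracketed form documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^(auth|account)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")
# Constructed accounts: root is local only (uid 0), craig exists only in LDAP.
LOCAL = {"root": (0, "rootpw")}
LDAP = {"craig": (1000, "craigpw")}


def parse_stack(text):
    """Return {type: [(module, {result: action}, args), ...]}."""
    stack = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        typ, ctrl, module, args = m.groups()
        actions = (dict(kv.split("=") for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORDS[ctrl])
        stack.setdefault(typ, []).append((module, actions, args.split()))
    return stack


def nss_uid(user):
    """nsswitch 'passwd: files ldap': /etc/passwd first, then the directory."""
    for db in (LOCAL, LDAP):
        if user in db:
            return db[user][0]
    return None


def run_module(module, args, typ, user, pw):
    """Simplified return values for the modules in the stack (assumption)."""
    if module == "pam_unix.so":
        if typ == "auth":  # only a local hash can be verified
            return "success" if user in LOCAL and LOCAL[user][1] == pw else "auth_err"
        return "success" if nss_uid(user) is not None else "user_unknown"
    if module == "pam_ldap.so":
        if user not in LDAP:
            return "user_unknown"
        return "success" if typ != "auth" or LDAP[user][1] == pw else "auth_err"
    if module == "pam_succeed_if.so":  # e.g. "uid >= 500"
        uid, n = nss_uid(user), int(args[2])
        ok = uid is not None and (uid >= n if args[1] == ">=" else uid < n)
        return "success" if ok else "auth_err"
    if module == "pam_localuser.so":
        return "success" if user in LOCAL else "perm_denied"
    return "auth_err" if module == "pam_deny.so" else "success"  # env, permit


def dispatch(stack, typ, user, pw):
    """Walk one stack type the way pam_dispatch() does: returns (status, trace)."""
    trace, impression, status = [], None, "perm_denied"
    for module, actions, args in stack[typ]:
        ret = run_module(module, args, typ, user, pw)
        trace.append(f"{module}={ret}")
        action = actions.get(ret, actions["default"])
        if action == "ok" and impression is None:
            impression, status = "positive", ret
        elif action == "bad" and impression != "negative":
            impression, status = "negative", ret
        elif action == "die":
            impression, status = "negative", ret
            break
        elif action == "done":
            if impression != "negative":
                impression, status = "positive", ret
            break
        # any other action ("ignore") leaves impression and status alone
    return status, trace


def simulate(user, password):
    """Run the auth and account stacks for one login and trace the modules."""
    stack = parse_stack(SYSTEM_AUTH)
    return {typ: dispatch(stack, typ, user, password) for typ in ("auth", "account")}


def ldap_consulted(result, typ):
    """True if pam_ldap.so was invoked at all in that stack type."""
    return any(e.startswith("pam_ldap.so") for e in result[typ][1])
```

Running simulate("root", "rootpw") shows the auth stack stopping at pam_unix (sufficient) and the account stack stopping at pam_localuser; a wrong root password dies at the requisite pam_succeed_if uid >= 500 gate. pam_ldap.so is only reached for an account whose uid is 500 or above, so the posted stack does what the 'local authentication is sufficient' checkbox promises for uid 0 and the system accounts that own slapd and named. That leaves the name-service side outside PAM as the usual place to look when an init script hangs while the directory is down: with 'passwd/group: files ldap', a runuser or initgroups call for a local service account still asks nss_ldap after /etc/passwd and /etc/group, and nss_ldap blocks until its bind timeout if the server is unreachable. The thread does not establish that this is Craig's cause; on nss_ldap the relevant /etc/ldap.conf knobs are bind_policy soft, bind_timelimit and nss_initgroups_ignoreusers.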