On Thu, Feb 11, 2010 at 12:37 PM, Sean Carolan <scarolan(a)gmail.com> wrote:
> The problem is obviously somewhere on the client side of things,
> but where? Does anyone else out there use CentOS5 with LDAP for
> authentication? I can't imagine that my situation is unique.
A bit more investigation reveals the following:
This command prevents local users from logging on:
/usr/sbin/authconfig --enablemkhomedir --enableldap --enableldapauth \
  --enablecache --ldapserver=company.example.com \
  --ldapbasedn="dc=company,dc=com" --enableldaptls --kickstart --update
But if --enableldap is changed to --disableldap, then the local users
can log on and run sudo commands fine. This of course is all while
the LDAP server is down.
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
The problem I described:
Docs will reference things like this:
account required pam_unix.so
account sufficient /usr/local/lib/pam_ldap.so
This works as long as the LDAP server is up. But at some phases of PAM,
account 'sufficient' becomes 'required'. Also the ordering is
important, meaning that during that phase, when PAM goes through the user
stack, it really becomes required. Thus if LDAP is down, it fails.
You can play with this all day
account required /usr/local/lib/pam_ldap.so
account required pam_unix.so
Now you're doomed because local users cannot log in. The only correct
way to have PAM work when LDAP is down is like this:
account required pam_unix.so
account required /usr/local/lib/pam_ldap.so \
    ignore_unknown_user ignore_authinfo_unavail
Or you can replace 'ignore_unknown_user ignore_authinfo_unavail' with:
[default=bad success=ok user_unknown=ignore]
More or less, 'ignore_unknown_user ignore_authinfo_unavail' are
special flags to the pam_ldap module that make it react in a special
way when the user is not found or the LDAP server is down.
True, you do not have to edit pam.d/ssh as I suggested before; you can
edit the stack in a different way.
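To make the control semantics concrete, here is a small model of the Linux-PAM control field (as documented in pam.conf(5)) run over the account stacks from the message above, for a local user. It is an added example, not code from the thread or from pam_ldap; it assumes pam_ldap returns PAM_AUTHINFO_UNAVAIL when the server is down and PAM_USER_UNKNOWN for a user that exists only locally, and models the ignore_* options as making that result ignored by the stack.

```python
# Added example: a tiny model of Linux-PAM control semantics (pam.conf(5)).
# Assumptions, not from the thread: pam_ldap returns PAM_AUTHINFO_UNAVAIL when
# the server is down and PAM_USER_UNKNOWN for a local-only user; its
# ignore_unknown_user / ignore_authinfo_unavail options make that result ignored.
SUCCESS, USER_UNKNOWN, AUTHINFO_UNAVAIL, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_USER_UNKNOWN", "PAM_AUTHINFO_UNAVAIL", "PAM_PERM_DENIED")

# Keyword controls expand to the bracketed form, as documented in pam.conf(5).
KEYWORDS = {"required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
            "sufficient": "[success=done new_authtok_reqd=done default=ignore]"}
IGNORED_BY_OPTION = {"ignore_unknown_user": USER_UNKNOWN,
                     "ignore_authinfo_unavail": AUTHINFO_UNAVAIL}

def parse_control(control):
    control = KEYWORDS.get(control, control)
    return dict(item.split("=", 1) for item in control.strip("[]").split())

def run_stack(stack, returns):
    """stack: [(control, module, options)]; returns: module -> status it returns.
    Gives the status PAM hands back to the application for this stack."""
    failure, succeeded = None, False
    for control, module, options in stack:
        status = returns[module]
        if any(IGNORED_BY_OPTION.get(o) == status for o in options.split()):
            continue                    # modelled effect of the ignore_* options
        actions = parse_control(control)
        action = actions.get(status[4:].lower(), actions.get("default", "bad"))
        if action in ("ok", "done"):    # success counts only if nothing failed before
            succeeded = failure is None
        elif action in ("bad", "die"):  # the first failure is what gets returned
            failure = failure or status
        if action in ("done", "die"):
            break
    return failure or (SUCCESS if succeeded else PERM_DENIED)

def scenarios():
    """Local user whose pam_unix check passes; LDAP down, or up but user not in LDAP."""
    ldap_down = {"pam_unix.so": SUCCESS, "pam_ldap.so": AUTHINFO_UNAVAIL}
    local_only = {"pam_unix.so": SUCCESS, "pam_ldap.so": USER_UNKNOWN}
    doomed = [("required", "pam_ldap.so", ""), ("required", "pam_unix.so", "")]
    flags = [("required", "pam_unix.so", ""),
             ("required", "pam_ldap.so", "ignore_unknown_user ignore_authinfo_unavail")]
    bracket = [("required", "pam_unix.so", ""),
               ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so", "")]
    return {"doomed, ldap down": run_stack(doomed, ldap_down),
            "flags, ldap down": run_stack(flags, ldap_down),
            "bracket, local-only user": run_stack(bracket, local_only),
            "bracket, ldap down": run_stack(bracket, ldap_down)}
```

Under these assumptions the bracketed control handles the user-not-in-LDAP case but still maps a server outage to `default=bad`, which is why the ignore_authinfo_unavail option matters for the outage case.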
Before I go changing system-auth by hand I would like to see if there
is some way to get it working with the authconfig tool.
Authconfig is a nice tool, but I think there are many intricate
interactions here; authconfig may not do exactly what you need in all
cases. LDAP auth is the most simple complicated thing: when you get it
right it's very clean, but there are lots of layers and little settings
that have profound effects on things.