Hi,
I have configured a mixed authentication system (LDAP + system users). On this system some users are configured to log in via LDAP, the rest as system users. I observed that if the LDAP server goes down, system users are also not able to log in. Is there any way to prevent this? My PAM configuration follows.
system-auth:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 debug minclass=4 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

nsswitch.conf:

passwd: files ldap
shadow: files ldap
group: files ldap
I get the following errors in syslog, even after providing the correct password:

sshd[23564]: nss_ldap: failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
sshd[23564]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
sshd[23568]: pam_ldap: ldap_simple_bind Can't contact LDAP server
sshd[23568]: Failed password for testuser from 1.2.3.4 port 33324 ssh2
sshd[23571]: fatal: Access denied for user testuser by PAM account configuration
Regards,
Meghanand N. Acharekar
On Thursday, 3 February 2011 14:34:21 Meghanand Acharekar wrote:
Hi,
I have configured a mixed authentication system (LDAP + system users). On this system some users are configured to log in via LDAP, the rest as system users. I observed that if the LDAP server goes down, system users are also not able to log in. Is there any way to prevent this? My PAM configuration follows.
system-auth:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet

Replace the above line with:

account sufficient pam_localuser.so
If you have pam_localuser.so available (you didn't mention which distro, but it seems to be RH-derived).
Regards, Buchan
Thanks for the information.
But it is not working for me.

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

In syslog (/var/log/secure) it keeps printing:

Accepted password for testuser from 1.2.3.4 port 46747 ssh2
failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
reconnecting to LDAP server (sleeping 4 seconds)...
failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
reconnecting to LDAP server (sleeping 8 seconds)...
failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
reconnecting to LDAP server (sleeping 16 seconds)...
Yes, I'm using RHEL-5.4
Thanks & Regards, Meghanand N. Acharekar
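Why the pam_localuser.so line makes the difference can be seen by modelling how Linux-PAM walks the account stack, using the two stacks quoted in this thread. The Python below is an added example, not code from the thread, from PAM or from nss_ldap; the per-module result codes it assumes (pam_ldap.so returning authinfo_unavail, NSS resolving only local users while the server is down) and the constructed users (a local account with uid 501, an LDAP-only account) are assumptions.

```python
# Added example (not from the thread): model of how Linux-PAM walks an account stack; module results assume an unreachable LDAP server.
KEYWORD_CONTROLS = {  # Linux-PAM keyword -> equivalent [action] controls
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
def parse_line(line):
    # 'account [default=bad success=ok] pam_ldap.so' -> (control, module, args)
    _phase, rest = line.split(None, 1)
    if rest.startswith("["):
        bracket, rest = rest[1:].split("]", 1)
        control = dict(kv.split("=") for kv in bracket.split())
    else:
        keyword, rest = rest.split(None, 1)
        control = KEYWORD_CONTROLS[keyword]
    module, *args = rest.split()
    return control, module, args
def run_module(module, args, user):
    # Assumed PAM result codes for each module while LDAP is unreachable.
    if module in ("pam_unix.so", "pam_localuser.so"):
        return "success" if user["local"] else "user_unknown"  # NSS sees files only
    if module == "pam_succeed_if.so":  # only 'uid < N' / 'uid >= N' are modelled
        field, op, num = args[0], args[1], int(args[2])
        passed = user[field] < num if op == "<" else user[field] >= num
        return "success" if passed else "auth_err"
    if module == "pam_ldap.so":
        return "authinfo_unavail"  # ldap_simple_bind: Can't contact LDAP server
    return "success"               # pam_permit.so
def evaluate(stack, user):
    # Walk the stack with the ok/bad/die/done/ignore action semantics.
    failed = False
    for line in stack:
        control, module, args = parse_line(line)
        action = control.get(run_module(module, args, user), control.get("default", "bad"))
        if action == "die":
            return "denied"    # requisite failure ends the stack at once
        if action == "bad":
            failed = True      # remembered, but later modules still run
        elif action == "done" and not failed:
            return "granted"   # sufficient success with no earlier failure
    return "denied" if failed else "granted"

ORIGINAL = [  # the thread's first account stack; FIXED adds pam_localuser.so
    "account required pam_unix.so broken_shadow",
    "account sufficient pam_succeed_if.so uid < 500 quiet",
    "account [default=bad success=ok user_unknown=ignore] pam_ldap.so",
    "account required pam_permit.so",
]
FIXED = ORIGINAL[:1] + ["account sufficient pam_localuser.so"] + ORIGINAL[1:]
TESTUSER, LDAPUSER = {"local": True, "uid": 501}, {"local": False, "uid": 10001}  # constructed
```

For the local uid-501 user the original stack ends in "denied" because pam_ldap.so's unavailable result maps to default=bad, whereas in the fixed stack pam_localuser.so returns done before pam_ldap.so runs; an LDAP-only user is still denied while the server is down, which is the expected outcome.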
On Friday, 4 February 2011 09:57:36 Meghanand Acharekar wrote:
Thanks for the information.
But it is not working for me.

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

In syslog (/var/log/secure) it keeps printing:
Accepted password for testuser from 1.2.3.4 port 46747 ssh2
So, PAM authentication seems to have succeeded.
failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
reconnecting to LDAP server (sleeping 4 seconds)...
failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
reconnecting to LDAP server (sleeping 8 seconds)...
failed to bind to LDAP server ldap://10.0.119.36/: Can't contact LDAP server
reconnecting to LDAP server (sleeping 16 seconds)...
Yes, I'm using RHEL-5.4
This is a different part of the problem. The easiest (but not necessarily best, depending on your nss_ldap configuration, which you did not supply) is:
echo "bind_policy soft" >> /etc/ldap.conf
Regards, Buchan
Great!!!
That's what I was looking for. Thanks.
Regards, Meghanand N. Acharekar
openldap-technical@openldap.org