[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Root not allowed to login



Hi Chris,

That's what I suspect too but I am not sure how else to tweak my pam and nsswitch files. Do you have any suggestions? Below is my pam.d/system-auth file and my nsswitch file excerpt has been attached previously.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2 minlen=8 type=strong
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Is there anything amiss with my pam file? If you need to have a look at my login and sshd pam file, please tell me so.

Thanks a lot.

On Fri, Mar 23, 2012 at 9:17 AM, Chris Jacobs <Chris.Jacobs@apollogrp.edu> wrote:
The timeouts are how long to wait for ldap to respond. It should check local (normally via pam) next.

We have our user's in LDAP and can still login using the local accounts.

Your issue isn't an LDAP problem, it's a pam/nsswitch/local issue.

- chris

Chris Jacobs
Systems Administrator, Technology Services Group
 
Apollo Group  |  Apollo Marketing & Product Development  |  Aptimus, Inc.
1501 4th Ave  |  Suite 2500  |  Seattle, WA 98101
direct 206.839.8245  |  cell 206.601.3256  |  Fax 206.644.0628
email: chris.jacobs@apollogrp.edu


From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: Michael Starling <mlstarling31@hotmail.com>
Cc: openldap <openldap-technical@openldap.org>
Sent: Thu Mar 22 18:10:55 2012
Subject: Re: Root not allowed to login

Hi Michael,

I have changed the timelimit and bind_timelimit to 4 but it still checks with ldap immediately ( I mean when root logs in ). i doubt it has anything to do with the time because it checks immediately without any delay.

On Thu, Mar 22, 2012 at 9:51 PM, Michael Starling <mlstarling31@hotmail.com> wrote:
Try setting your timelimt and bind_timelimit to something like a bit lower.

timelimit 4

bind_timelimit 4


Date: Thu, 22 Mar 2012 17:03:56 +0800
Subject: Root not allowed to login
From: seauyeen@mgrc.com.my
To: openldap-technical@openldap.org


Hi,

My client is installed with RHEL 6.0 and I am using OpenLDAP 2.4. When the box loses connection with the ldap server, even the root cannot log in as it tries to bind with the ldap server. This can be seen when I log in with root and the message below appears :

sshd: pam_ldap: error trying to bind as user "uid=root, ou=People, dc=example,dc=com" (Invalid credentials).

My root user is not even in the ldap database. When connection is fine, the message above does not affect the login of root. The login of root is only screwed up when the box loses connectivity.

Attached are my pam.d/system-auth file, pam.d/login, pam./dsshd and ldap.conf files.

I have been googling around but some either switch to kerberos, or the question is left unatttended to. Please help. I can only resort to restarting the box whenever this happens. How can I configure the ldap so that local users can login when there's no connectivity to ldap server?

Thanks heaps!

--




 MGRC - Sequence. Analyse. Innovate. 
Su Seau Yeen
Manager, IT Operations

Malaysian Genomics Resource Centre Berhad (MGRC)
T: +6 03 2283 1820 | F: +6 03 2282 8102 | M: +6 012 6784642 | www.mgrc.com.my








This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is strictly prohibited. If you receive this e-mail in error, please contact us immediately by return e-mail and delete the original message(s).




--




 MGRC - Sequence. Analyse. Innovate. 
Su Seau Yeen
Manager, IT Operations

Malaysian Genomics Resource Centre Berhad (MGRC)
T: +6 03 2283 1820 | F: +6 03 2282 8102 | M: +6 012 6784642 | www.mgrc.com.my








This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is strictly prohibited. If you receive this e-mail in error, please contact us immediately by return e-mail and delete the original message(s).



This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.




--




 MGRC - Sequence. Analyse. Innovate. 
Su Seau Yeen
Manager, IT Operations

Malaysian Genomics Resource Centre Berhad (MGRC)
T: +6 03 2283 1820 | F: +6 03 2282 8102 | M: +6 012 6784642 | www.mgrc.com.my








This e-mail is intended only for the use of the individual or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is strictly prohibited. If you receive this e-mail in error, please contact us immediately by return e-mail and delete the original message(s).