[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication Modules / System-Auth

Wrong list for PAM problems.  But your bug is documented here:


There are two different fixes described, I've used both and they both work.  I 
don't know why Nalin never fixed it in the Red Hat errata, since it's clearly a 
bug in Red Hat's authconfig tool (which writes the pam and nss config files).

Further discussion of this problem belongs on another list.  Probably the Red 
Hat bug list, where it ought to be mentioned as frequently as possible.


On 20 Jan 2004 at 15:32, Michael Lackner wrote:
> It seems as if my OpenLDAP Server is now up and running, i can
> authenticate users against the LDAP Server. However, as soon as
> i deactivate the LDAP Server (OpenLDAP 2.0.27-8), i cannot login,
> not even with users that are stored in the common Linux files, I
> have been told / i have read, that this is a common problem with
> PAM frequently discussed here.
> I'm currently using some older packages that can be found as RPM's
> on the RH9 CD's, server is set up with RH9 in that case of course.
> --
> OpenLDAP 2.0.27-8
> pam-0.75-48
> openssl-0.9.7c-3 (installed for gq)
> gq-
> --
> I logged in as root, shut down the LDAP server, then logged out
> and tried to log in again. I also tried to login as an LDAP-only
> stored user to see how this would show up in the syslog. Here
> it is (The LDAP only user is "testuser"):
> /var/log/messages:
> ------------------------------
> login(pam_unix)[3409]: session opened for user root by LOGIN(uid=0)
> -- root[3409]: ROOT LOGIN ON tty1
> ldap: slapd shutdown succeeded
> login(pam_unix)[3409]: session closed for user root
> login(pam_unix)[3498]: check pass; user unknown
> login(pam_unix)[3498]: authentication failure; logname= uid=0 euid=0
> tty=tty1 ruser= rhost=
> login(pam_unix)[3498]: could not identify user (from getpwnam(testuser))
> login[3498]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> ------------------------------
> /etc/pam.d/system-auth (generated by RH9 authconfig with ldap enabled)
> ------------------------------
> auth    required    /lib/security/$ISA/pam_env.so
> auth    sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth    sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth    required    /lib/security/$ISA/pam_deny.so
> account    required    /lib/security/$ISA/pam_unix.so
> account    [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]    /lib/security/$ISA/pam_ldap.so
> password    required    /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authok
> password    required    /lib/security/$ISA/pam_deny.so
> session    required    /lib/security/$ISA/pam_limits.so
> session    required    /lib/security/$ISA/pam_unix.so
> session    required    /lib/security/$ISA/pam_ldap.so
> ------------------------------
> /etc/pam.d/login:
> ------------------------------
> auth    required    pam_securetty.so
> auth    sufficient    pam_stack.so service=system-auth
> auth    required    pam_nologin.so
> account    required    pam_stack.so service=system-auth
> password    required    pam_stack.so service=system-auth
> session    required    pam_stack.so service=system-auth
> session    optional    pam_console.so
> ------------------------------
> If you need more information, please let me know.