[Fwd: [Fwd: Re: LDAP Pam issue]]

Tue Jul 22 11:51:50 GMT 2003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fyi! i dunno if it's an issue for us but it looks like good work...
wanted to post it here for future reference!

- -------- Original Message --------
Subject: [Fwd: Re: LDAP Pam issue]
Date: Mon, 21 Jul 2003 04:48:34 -0400
From: Chuck Mead <csm at redhat.com>
Organization: Red Hat, Inc.
To: csm at lunar-linux.org

- -------- Original Message --------
Subject:     Re: LDAP Pam issue
Date:     22 Jul 2003 12:42:37 -0400
From:     Brad Smith <brads at redhat.com>
Reply-To:     gls-instructor-list at redhat.com
To:     gls-instructor-list at redhat.com
References:     <1058890176.2947.195.camel at mei.geekdome.lan>

The student started poking through the code for the ldap module (I told
you he was good) and found the problem. Got to go back to class now, but
it's a problem with the arguments passed to pam_ldap.so in the account
context, which causes it to return a fail if it cannot reach the server.
Since this is required, the user cannot log in even as a local user if
the machine loses contact with its ldap server. Whoops!

I'll submit it to bugzilla this evening. For those who are interested,
the correct line in system-auth (according to him, I haven't checked it)
should be:

account [default=bad authinfo_unavail=ignore]
/lib/secure/$ISA/pam_ldap.so

authconfig does not currently include the authinfo_unavail line, which
causes the default 'bad' failure to be sent when ldap is down.

- --Brad

On Tue, 2003-07-22 at 12:09, Brad Smith wrote:
| I have a student who posed an interesting question about a possible bug
| and I thought I'd pass it on to see if anybody else has run into it or
| has suggestions.
|
| But first, for future reference, is sending this sort of thing to the
| list appropriate?
|
| Here's the issue: In rh300 we were talking about PAM and the different
| control flags: required, sufficient, etc. One of my students said that
| he'd been trying to get ldap going at work but was having a problem with
| PAM. His system auth looks almost exactly like the examples I've seen in
| online tutorials: He has pam_unix listed before the ldap module and they
| are both 'sufficient'. However, if the ldap server becomes unavailable
| and he tries to log in as a system user (ie root) he gets denied and the
| logs show the ldap module complaining about not being able to find a
| server. But unless we're both really misunderstanding the way PAM works,
| if pam_unix is first and pam_unix is 'sufficient' and he logs in as a
| non-ldap user, then PAM should never even get to the ldap stage, much
| less cause him to be unable to log in, right? This guy has really
| impressed me with his knowledge, so I doubt it's a 'dummy' error. Maybe
| this is a known problem? I didn't find anything looking online.
|
| In any case, I told him I'd see if anyone else knew of the issue and
| that I'd get back to him on it. Comments?
|
| --Brad Smith
|
|

- --
Chuck Mead <csm at redhat.com>
Instructor II, GLS
Disclaimer: I am not a curmudgeon! No... really...

- --
csm
Lunar Linux Project Leader
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/HWulq3bny/5+GAcRAkreAJkBJKZSBHS4Whss/Rzv+sOxbFeqkACfUYyl
FTYT1jiPMoyKGk23qHBOHJ0=
=FlMf
-----END PGP SIGNATURE-----