LDAP authentication problem with Local user auth when LDAP not available

Hi,

I have a problem with LDAP authentication on RHEL 6.4, using nslcd authenticating against Domino LDAP.
I have no problems talking to LDAP and it's authenticating users with no problems; the issue appears when there is no available LDAP server to respond (e.g. network interface down / not yet configured VM deployed from a template).

I cannot log in using console login either. There is a message flashing quickly (something about no authentication mechanism found or similar) and it gets back to the login prompt.
The secure log just shows: pam_ldap: ldap_simple_bind Can't contact LDAP server.

I tried to Google it and all the answers I got were referring to using nss_initgroups_ignoreusers or ALLLOCAL, which I have, but I still can't log in as a local user when LDAP is unreachable.

My /etc/nslcd.conf:

uri ldap://ldap-ah.internal.XX.XX.com/ ldap://ldap-lhc.internal.XX.XX.com/
ldap_version 3
base o=TPP
binddn cn=<LDAP user>
bindpw <ldap pass>
bind_timelimit 30
timelimit 30
nss_initgroups_ignoreusers ALLLOCAL

map    passwd uid              unixloginid
map    shadow uid              unixloginid
map    group  uniqueMember     member
uid nslcd
gid ldap

/etc/pam_ldap.conf:

host ldap-ah.internal.XX.XX.com ldap-lhc.internal.XX.XX.com
base o=TPP
ldap_version 3
binddn cn=<LDAP user>
bindpw <LDAP pass>
pam_filter objectclass=inetOrgPerson
pam_login_attribute unixloginid
pam_template_login_attribute unixloginid
pam_password md5
pam_password_prohibit_message Please contact internal.support@XX.XX.com to change your password
nss_map_attribute uid unixloginid

/etc/nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus

/etc/sysconfig/authconfig:

IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=yes
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=sha512
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESSSD=no
USEHESIOD=no

/etc/pam.d/password-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so md5 use_authok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

/etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore]  pam_ldap.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so md5 use_authok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

Any tips, suggestions are welcome.

Thanks

Pawel
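As an added illustration (this is not part of Pawel's post and not Red Hat or authconfig code): a small Python model of the Linux-PAM control-flag rules from pam.conf(5), run over the `account` stack exactly as posted above. The module return values fed in are constructed for a local user with uid >= 500: pam_ldap.so returning `authinfo_unavail` while the directory is unreachable, and `user_unknown` while it is up. The tolerant variant with `authinfo_unavail=ignore` is an assumption added for comparison, not something the post proposes.

```python
"""Model Linux-PAM stack evaluation for an 'account' stack (added example)."""
import re

# Keyword controls expanded to their [ret=action] forms, as in pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text, stack_type):
    """Return [(module, {retcode: action}, args)] for one stack type."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != stack_type:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        spec = KEYWORDS.get(control, control.strip("[]"))
        actions = {}
        for tok in spec.split():
            ret, act = tok.split("=")
            actions[ret] = int(act) if act.isdigit() else act
        entries.append((module, actions, args))
    return entries


def run_stack(entries, results):
    """
    Walk the stack with the pam.conf(5) actions ignore/bad/die/ok/done and
    numeric jumps (modelled as plain skips). `results` maps module name to
    the return code that module would produce for the user under test.
    Returns (final_status, trace).
    """
    impression = None      # None = undecided, "positive" or "negative"
    status = None
    skip = 0
    trace = []
    for module, actions, _args in entries:
        if skip:
            skip -= 1
            trace.append(f"{module}: skipped")
            continue
        ret = results.get(module, "success")
        action = actions.get(ret, actions.get("default", "bad"))
        trace.append(f"{module}: returned {ret} -> {action}")
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            # First failure fixes the stack's status; later successes can't undo it.
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            # 'done' ends the stack only while nothing has failed so far.
            if action == "done" and impression == "positive" and status == "success":
                break
        elif isinstance(action, int):
            skip = action
    if impression is None:
        status = "perm_denied"   # nothing decided: PAM treats that as failure
    return status, trace


# The account stack copied from the post.
ACCOUNT_STACK = """
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
"""

# Assumed variant for comparison: treat "server unreachable" like "not an LDAP user".
ACCOUNT_STACK_TOLERANT = ACCOUNT_STACK.replace(
    "user_unknown=ignore]", "user_unknown=ignore authinfo_unavail=ignore]")

# Constructed module results for a local user with uid >= 500.
LDAP_UNREACHABLE = {"pam_unix.so": "success", "pam_ldap.so": "authinfo_unavail",
                    "pam_localuser.so": "success", "pam_succeed_if.so": "auth_err",
                    "pam_permit.so": "success"}
LDAP_REACHABLE = dict(LDAP_UNREACHABLE, **{"pam_ldap.so": "user_unknown"})


def local_user_outcome(stack_text, results):
    """Final account-stack status for the given stack and module results."""
    status, _ = run_stack(parse_stack(stack_text, "account"), results)
    return status


if __name__ == "__main__":
    for label, stack, res in [("posted, LDAP down", ACCOUNT_STACK, LDAP_UNREACHABLE),
                              ("posted, LDAP up", ACCOUNT_STACK, LDAP_REACHABLE),
                              ("tolerant, LDAP down", ACCOUNT_STACK_TOLERANT, LDAP_UNREACHABLE)]:
        status, trace = run_stack(parse_stack(stack, "account"), res)
        print(f"== {label}: {status}")
        print("\n".join("   " + t for t in trace))
```

What the model shows: the `auth` stack is not the problem for a local user (pam_unix.so is `sufficient` and matches before pam_ldap.so runs), but in the `account` stack the `[default=bad ...]` entry turns pam_ldap's unreachable-server return into a recorded failure, and a later `sufficient pam_localuser.so` can no longer override a failure that is already on the books, so account management fails and login is refused. The same stack with `user_unknown` from a reachable server passes. The tolerant variant is shown only to make the mechanism visible; whether ignoring `authinfo_unavail` is acceptable depends on whether LDAP is expected to enforce account restrictions for directory users while it is up.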
