LDAP authentication problem with Local user auth when LDAP not available
Hi,
I have a problem with LDAP authentication on RHEL 6.4, using nslcd authenticating against Domino LDAP.
I have no problems talking to LDAP, and it authenticates users without issue; the problem appears when there is no LDAP server available to respond (e.g. network interface down, or a not-yet-configured VM deployed from a template).
I cannot log in using the console login either. A message flashes quickly (something about no authentication mechanism found, or similar) and it goes back to the login prompt.
The secure log just shows: pam_ldap: ldap_simple_bind Can't contact LDAP server.
I tried googling, and all the answers I found referred to using nss_initgroups_ignoreusers or ALLLOCAL, which I have, but I still can't log in as a local user when LDAP is unreachable.
My /etc/nslcd.conf:
uri ldap://ldap-ah.internal.XX.XX.com/ ldap://ldap-lhc.internal.XX.XX.com/
ldap_version 3
base o=TPP
binddn cn=
bindpw
bind_timelimit 30
timelimit 30
nss_initgroups_ignoreusers ALLLOCAL
map passwd uid unixloginid
map shadow uid unixloginid
map group uniqueMember member
uid nslcd
gid ldap
/etc/pam_ldap.conf:
host ldap-ah.internal.XX.XX.com ldap-lhc.internal.XX.XX.com
base o=TPP
ldap_version 3
binddn cn=
bindpw
pam_filter objectclass=inetOrgPerson
pam_login_attribute unixloginid
pam_template_login_attribute unixloginid
pam_password md5
pam_password_prohibit_message Please contact internal.support@XX.XX.com to change your password
nss_map_attribute uid unixloginid
/etc/nsswitch.conf:
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
/etc/sysconfig/authconfig:
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=yes
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USEDB=no
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
PASSWDALGORITHM=sha512
USELDAPAUTH=yes
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELDAP=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESSSD=no
USEHESIOD=no
/etc/pam.d/password-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so md5 use_authok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
/etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so md5 use_authok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=077
Any tips, suggestions are welcome.
Thanks
Pawel
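As an added illustration (not part of Pawel's post), the following Python models how Linux-PAM walks the account stack from the files above and shows why a local user is refused while no LDAP server answers: the `auth` phase succeeds via `pam_unix.so`, but in the `account` phase the bracketed `default=bad` on `pam_ldap.so` records a failure that the later `sufficient pam_localuser.so` cannot undo. It assumes pam_ldap returns PAM_AUTHINFO_UNAVAIL when it cannot bind, and `ACCOUNT_FIXED` is an assumed hardening (adding `authinfo_unavail=ignore`), not something the post states.

```python
# Added example (not from the post): a simplified model of how Linux-PAM
# evaluates an account stack (after pam_dispatch.c), showing why a local
# user is rejected while LDAP is unreachable. Assumption: pam_ldap returns
# PAM_AUTHINFO_UNAVAIL when it cannot bind to any server.
# How Linux-PAM expands the simple keywords (new_authtok_reqd omitted).
KEYWORDS = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse_control(ctrl):
    """'required' or '[default=bad success=ok ...]' -> {ret: action}."""
    return KEYWORDS.get(ctrl) or dict(p.split("=", 1) for p in ctrl.strip("[]").split())

def run_stack(stack, results):
    """Return the stack's final code. 'bad' records a sticky failure and
    'done' ends the stack only while the impression is still positive, so a
    later 'sufficient' success cannot rescue a stack pam_ldap marked bad."""
    impression, status = None, "success"
    for ctrl, module in stack:
        table, ret = parse_control(ctrl), results[module]
        action = table.get(ret, table["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        # "ignore": the module's result does not touch the stack's status
    return status

# The account stack from the post (uid line as authconfig writes it).
ACCOUNT_AS_POSTED = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so uid < 500 quiet"),
    ("required", "pam_permit.so"),
]
# Assumed hardening: an unreachable directory is ignored instead of 'bad'.
ACCOUNT_FIXED = [(c.replace("]", " authinfo_unavail=ignore]"), m) for c, m in ACCOUNT_AS_POSTED]
# Constructed module results for a local (uid >= 500) user while LDAP is down.
LOCAL_USER_LDAP_DOWN = {"pam_unix.so": "success", "pam_ldap.so": "authinfo_unavail",
                        "pam_localuser.so": "success", "pam_permit.so": "success",
                        "pam_succeed_if.so uid < 500 quiet": "auth_err"}
```

Running `run_stack(ACCOUNT_AS_POSTED, LOCAL_USER_LDAP_DOWN)` yields `authinfo_unavail` (login refused), while the same results against `ACCOUNT_FIXED` yield `success`; reordering so `pam_localuser.so` precedes `pam_ldap.so` has the same effect in this model.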
Responses