LDAP Blocking Local User Logins

Installing, Configuring, Troubleshooting server daemons such as Web and Mail

LDAP Blocking Local User Logins

Postby tbeauchemin » 2007/08/10 17:55:32

I have installed CentOS 5.0 (i386) on one of our servers. I have also setup and configured OpenLDAP on that server and have proceeded to configure the server to authenticate via LDAP. I am only putting my user accounts in LDAP leaving all the system accounts in /etc/passwd and /etc/shadow. I also created an account that I can use to login to the server if LDAP has failed this is a user account that is in /etc/passwd and /etc/shadow that is not in LDAP.

What I am finding however during my testing is that everything works flawlessly when LDAP is running. If I shutdown LDAP everything breaks. I cannot login ad I cannot even restart LDAP as it tries to authenticate with the user LDAP.

I get the following in my log files:

Aug 9 12:58:36 lvs01 runuser: pam_unix(runuser:session): session opened for user ldap by root(uid=0)
Aug 9 12:58:36 lvs01 runuser: pam_unix(runuser:session): session closed for user ldap
Aug 9 12:58:36 lvs01 runuser: pam_unix(runuser:session): session opened for user ldap by root(uid=0)
Aug 9 12:58:36 lvs01 runuser: pam_unix(runuser:session): session closed for user ldap
Aug 9 12:58:44 lvs01 sshd[17352]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Aug 9 12:58:48 lvs01 sshd[17352]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Aug 9 12:58:56 lvs01 sshd[17352]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Aug 9 12:59:12 lvs01 sshd[17352]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Aug 9 12:59:44 lvs01 sshd[17352]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...

I enabled LDAP authentication via authconfig using the following command:
authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --enablelocauthorize --kickstart

The LDAP server and Base DN are already setup in /etc/ldap.conf and /etc/openldap/ldap.conf.

I checked through /etc/nsswitch.conf and files is listed before each ldap entry.

Where could this hang up be. What I would like is for PAM and NSS to check the files first and then go to LDAP and that does not seem to be happening.

~Todd
tbeauchemin
 
Posts: 1
Joined: 2007/08/10 17:47:42

Re: LDAP Blocking Local User Logins

Postby mamos » 2007/08/19 08:48:26

Hello,

I'm experiencing something similar. I currently working to setup Ldap+samba. as you can see from /var/log/secure, when the ldap is down I'm not able to authenticate with local users (in passwd/shadow)

Aug 19 10:00:27 cluster01 sshd[19101]: nss_ldap: could not search LDAP server - Server is unavailable
Aug 19 10:00:27 cluster01 sshd[19101]: pam_unix(sshd:session): session opened for user mos by (uid=0)
Aug 19 10:00:27 cluster01 sshd[21011]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Aug 19 10:00:27 cluster01 sshd[21011]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server

I have enabled root login in sshd and I'm able to login as root but not as a user!!

Aug 19 10:01:21 cluster01 sshd[20981]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Aug 19 10:01:25 cluster01 sshd[21299]: Accepted password for root from 10.2.2.1 port 39012 ssh2
Aug 19 10:01:25 cluster01 sshd[21299]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 19 10:01:27 cluster01 sshd[21011]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Aug 19 10:01:27 cluster01 sshd[21011]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...
Aug 19 10:02:12 cluster01 runuser: pam_unix(runuser:session): session opened for user ldap by root(uid=0)

the part from nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap

Authentication options enabled
[*] Use MD5 Passwords
[*] Use Shadow Passwords

[ ] Local authorization is sufficient has no impact during my test, so still no login possible when ldap is down

diff /data/backup/etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac
> account sufficient pam_localuser.so


diff /data/backup/etc/sysconfig/authconfig /etc/sysconfig/authconfig
9c8
< USELOCAUTHORIZE=no
> USELOCAUTHORIZE=yes


I'm investigating the impact of passwd: files ldap [NOTFOUND=return] and pam modifications
mamos
 
Posts: 2
Joined: 2007/08/19 08:07:36
Location: Bratislava, Slovakia

Re: LDAP Blocking Local User Logins

Postby mamos » 2007/08/19 09:13:10

hello

I solved my issue with

passwd: files [!NOTFOUND=return] ldap
shadow: files [!NOTFOUND=return] ldap
group: files [!NOTFOUND=return] ldap

in the /etc/nsswitch.conf

The above change will initially query libnss_files.so and if the query succeeded, it will stop and authenticate the local user. If it does not find the user on the local system, it will query the LDAP server.
mamos
 
Posts: 2
Joined: 2007/08/19 08:07:36
Location: Bratislava, Slovakia

Re: LDAP Blocking Local User Logins

Postby scotte » 2007/08/23 18:01:57

I have a RH5 Server and a few dual-boot CentOS 5/WinXP Pro systems on an isolated LAN. I'm trying to configure single sign-on from the Windows and Linux sides, as well as establish "roaming" home directories, so anyone can log into any machine and get their home directory.

I'm using the stock tools with RH5, with LDAP and Samba enabled. But I'm unable to get LDAP to be happy on the server, and thus I cannot log into the test account created from a workstation.

The workstations do NOT have local accounts - I want them to authenticate against the server.

How have people done this?

Firewalls and SELinux are disabled.

Thanks.

Scott
scotte
 
Posts: 2
Joined: 2007/04/09 01:23:35

Re: LDAP Blocking Local User Logins

Postby zlonew » 2008/04/21 09:57:20

mamos wrote:
I solved my issue with

passwd: files [!NOTFOUND=return] ldap
shadow: files [!NOTFOUND=return] ldap
group: files [!NOTFOUND=return] ldap

in the /etc/nsswitch.conf

The above change will initially query libnss_files.so and if the query succeeded, it will stop and authenticate the local user. If it does not find the user on the local system, it will query the LDAP server.

Thank you mamos for your suggestion: I hit the same problem after updating two CentOS 4.5 systems to the 4.6 version.

If the single signon LDAP server on the first system was unreachable, I was unable to login to any of the two, even as root. The standard setup created by authconfig did not work anymore - I think that the 'files ldap' directive in the /etc/nsswitch.conf file is not followed anymore, or it is cinsidered as having a slight different meaning from "login using the local database, and if and only if the user is not there try using LDAP".

I wonder if this change of behaviour stems from a code and/or configuration bug of any component involved, and how this CentOS 4.6 and 5.x aspect can be made to work as 4.5 worked, without having to edit /etc/nsswitch.conf that way...

Thanks again
zlonew
 
Posts: 8
Joined: 2006/11/02 13:31:32
Location: Roma, Italy

Re: LDAP Blocking Local User Logins

Postby zlonew » 2008/04/23 15:31:56

Spoke too early, unfortunately this patch was not enough to allow cron tasks to run succesfully.

I un-patched /etc/nsswitch.conf file and modified /etc/ldap.conf bind_policy parameter:
bind_policy soft

After the username and password prompt I have to wait some seconds but the system lets me in, let's see how it goes with the next backup job, scheduled at midnight.
zlonew
 
Posts: 8
Joined: 2006/11/02 13:31:32
Location: Roma, Italy

Re: LDAP Blocking Local User Logins

Postby xnomad » 2009/01/07 05:05:47

Hi guys,

I was experiencing the same problem with 5.0 machines and found that enabling nscd service the only solution.

editing the /etc/nsswitch.conf file, like demonstrated above, didn't work for me. In fact it just locked me out regardless of LDAP being up or down.

Now when the LDAP server is down the local logins work as they are cached. It's a sloppy work around but it helps if LDAP goes down and I am out of the office and need to login remotely. Problem is deciding the cache limit and the need to login frequently to keep the cache alive:

nscd explained in link below:

http://blogs.techrepublic.com.com/opensource/?p=127

Cheers,
xnomad
 
Posts: 5
Joined: 2008/07/02 00:11:10

LDAP Blocking Local User Logins

Postby theorist » 2009/10/13 17:08:38

Sorry to resurrect an old thread but the posted the fix

Code: Select all
passwd: files [!NOTFOUND=return] ldap
shadow: files [!NOTFOUND=return] ldap
group: files [!NOTFOUND=return] ldap

in /etc/nsswitch.conf is NOT the correct resolution to this problem. If you do this you will be unable to use the LDAP server to get secondary group information. You will not notice this unless you use secondary groups. Running the command "id" for a user will only reveal the primary group with the above setup.

The reason that you are unable to log on as a local user if the LDAP server is down, is that the client is querying the LDAP server for secondary group information (even though it has found the user in the local password file.)

To fix the problem you need to edit /etc/ldap.conf and add all the local users to the
Code: Select all
nss_initgroups_ignoreusers

so that the client does not try and find supplemental/secondary group info from the LDAP server.
theorist
 
Posts: 121
Joined: 2005/05/19 15:09:45


Return to CentOS 5 - Server Support

Who is online

Users browsing this forum: No registered users and 1 guest