My RH3 system-auth is as follows:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
#account    required      /lib/security/$ISA/pam_deny.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_krb5.so

My RH4 version is the same, with this difference:

--- system-auth.RH3	2006-10-25 22:49:19.000000000 -0400
+++ system-auth.RH4	2006-10-25 22:42:05.000000000 -0400
@@ -8,6 +8,7 @@
 auth required /lib/security/$ISA/pam_deny.so
 account required /lib/security/$ISA/pam_unix.so broken_shadow
+account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
 account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
 account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
 #account required /lib/security/$ISA/pam_deny.so

-----Original Message-----
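Review bot: the added `account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet` line is the only thing in either file that lets root's account phase finish before pam_ldap is reached, and the RH3 file has no equivalent. In the RH3 stack pam_unix is `required`, which records success but does not stop the stack, so the `[default=bad success=ok user_unknown=ignore]` pam_ldap line is still consulted for root; with the server unreachable, pam_ldap's failure maps to `bad` and the login is refused after the timeout, which matches the "accepts the password, sits for a minute, then dumps you back" symptom (the auth stack already has pam_unix as `sufficient`, so the password check itself never asks pam_ldap). Two caveats worth noting: `uid < 100` covers only system accounts, so an ordinary local user with a higher uid still falls through to pam_ldap on RH4 as well, and the hunk header says the new file gained one line over six (`-8,6 +8,7`) but only five context lines are shown, so the pasted diff may have lost a line.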
>From: George Holbert <gholbert at broadcom.com>
>Sent: Mar 7, 2007 8:42 PM
>To: MJD Shop Account <mjdshop at earthlink.net>, "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>Subject: Re: ldap too many connections from clients? following ldap even for local accounts?
>
>> If a machine is disconnected from the network, a login attempt as
>> 'root' user (with local passwd file entry and password) fails.
>> ...
>> I think I need to configure something such that the nsswitch.conf
>> entry tells it to stop if it finds the 'files' entry and not proceed
>> to the 'ldap' entry. I thought this would happen by default.
>
>At least for authentication, this behavior depends also on your PAM config.
>
>You need to make sure that the auth and account stacks will succeed for
>local accounts (e.g., root) without asking pam_ldap.
>What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 clients?
>
>
>MJD Shop Account wrote:
>> I'm having some odd ldap issues with connection or lack thereof to
>> ldap server when nsswitch.conf and pam.d/system-auth are configured to
>> use FDS ldap server.
>>
>> I'm running both RHEL3 and RHEL4 clients. My servers are RHEL4 update
>> 4 and FDS 1.0.4. My /etc/ldap.conf is configured with two host
>> names. I've noticed these issues:
>>
>> * If a machine is disconnected from the network, a login attempt
>> as 'root' user (with local passwd file entry and password)
>> fails. The system appears to accept the password, but sits for
>> maybe a minute, then dumps you back to the login prompt. I've
>> had to boot off rescue CD and shell in to remove 'ldap' from
>> the /etc/nsswitch.conf file to get around this in some instances.
>>
>> My relevant /etc/ldap.conf entries are:
>> passwd: files ldap
>> shadow: files
>> group: files ldap
>> netgroup: files ldap
>>
>> * I noticed that any randomly chosen client has a few
>> connections to the ldap server that persist. The connections
>> are tied to processes that also should have local entries only
>> in the local /etc/passwd files. Here's an example:
>> # netstat -a | grep ldap
>> tcp 38 0 clienthostname:32771 serverhostname:ldap CLOSE_WAIT
>> # fuser 32771/tcp
>> here: 32771
>> 32771/tcp: 3729
>> # ps -ef | grep 3729 | grep -v grep
>> ntp 3729 1 0 Feb23 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
>> #
>>
>> * I notice that doing a "netstat -a" on the server that most
>> clients are using takes a long time. It spits out a bunch,
>> then slows down when reporting the entries that are ESTABLISHED
>> ldap connections:
>> tcp 0 0 ldapserver:ldap ldapclient:35908 ESTABLISHED
>> I see that some clients have very many connections, I would
>> expect just one or two. Here's one client that had a whole
>> bunch, most disappeared before I could capture this bash shell
>> command output. This output is for jobs associated with ports
>> connecting to ldap server:
>> # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" " -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef | grep $j | grep -v grep; done; done
>> xfs 2726 1 0 Feb20 ? 00:00:00 xfs -droppriv -daemon
>> root 3138 3031 0 Feb20 ? 00:00:00 /usr/bin/gdm-binary bell-style none
>> root 3418 3138 0 18:32 ? 00:00:02 /usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth vt7
>> gdm 3430 3138 0 18:32 ? 00:00:00 /usr/bin/gdmgreeter
>> root 2477 2617 0 18:22 ? 00:00:01 sshd: root at pts/0
>> root 2481 2477 0 18:22 pts/0 00:00:00 -tcsh
>>
>> I ran a similar command on a client computer where the user is
>> running a lot of jobs, I got 53 lines of output. Basically
>> every job is maintaining an ldap connection, I guess.
>>
>> * I think I need to configure something such that the
>> nsswitch.conf entry tells it to stop if it finds the 'files'
>> entry and not proceed to the 'ldap' entry. I thought this would
>> happen by default.
>>
>> * I think the above problem is possibly leading to many more ldap
>> connections than are necessary, which in turn may be causing
>> performance issues on the server, ALTHOUGH the cpu load and
>> memory load do not appear inordinately heavy.
>>
>> * I tried running nscd (for caching the info) once, it seemed to
>> cause too many problems so I turned it off. I have tried
>> something like implementing pam_ccache, I don't think it would
>> help the too-many-connections, just the issue with no logins
>> when off the net.
>>
>> * Here's my /etc/ldap.conf minus the usual comment lines, I'm
>> doing anonymous binds. Maybe there's some keepalive flag that
>> should be set or unset?:
>> host server1 server2
>> base dc=example,dc=com
>> ldap_version 3
>> scope sub
>> bind_timelimit 10
>> pam_lookup_policy yes
>> pam_password exop
>> nss_base_passwd ou=People,dc=example,dc=com?one
>> nss_base_group ou=Group,dc=example,dc=com?one
>> nss_base_services ou=Services,dc=example,dc=com?one
>> nss_base_aliases ou=Aliases,dc=example,dc=com?one
>> nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
>> ssl start_tls
>> tls_checkpeer yes
>> tls_cacertfile /usr/share/ssl/certs/servercert.pem
>> tls_ciphers TLSv1
>> pam_password md5
>>
>> Any suggestions on what I might be doing wrong are greatly appreciated!
>>
>> -Marty
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
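To see why the one-line RH4 difference changes the outcome for root, here is an added example (not from the mail thread and not Linux-PAM's own code) that models Linux-PAM control-flag evaluation and walks the two account stacks for root and for a local uid 500 user while the LDAP server is unreachable; the per-module return values it feeds in are assumptions, stated in the code.

```python
# Added example (not part of the mail thread): a small simulator of Linux-PAM
# control-flag evaluation, run over the RH3 and RH4 account stacks quoted above.
KEYWORD_CONTROLS = {  # keyword controls expressed in their [value=action] form
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
RH3_ACCOUNT = [
    ("required", "pam_unix"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5"),
]
# RH4 is the same stack with the pam_succeed_if line from the diff after pam_unix
RH4_ACCOUNT = RH3_ACCOUNT[:1] + [("sufficient", "pam_succeed_if")] + RH3_ACCOUNT[1:]

def parse_control(ctl):
    """Return {module_return: action} for a keyword or [value=action] control."""
    if ctl.startswith("["):
        return dict(kv.split("=", 1) for kv in ctl.strip("[]").split())
    return KEYWORD_CONTROLS[ctl]

def run_stack(stack, results):
    """Walk a stack; return (final status, modules consulted in order). bad
    records a failure and continues, die/done stop, ok counts only while no
    failure is recorded, ignore discards the module's result."""
    consulted, status = [], None
    for ctl, module in stack:
        consulted.append(module)
        actions = parse_control(ctl)
        action = actions.get(results[module], actions["default"])
        if action == "ignore":
            continue
        status = "bad" if action in ("bad", "die") else (status or "ok")
        if action in ("die", "done"):
            break
    return (status or "bad"), consulted

def account_check(stack, uid):
    """Constructed (assumed) module returns for a local account while the LDAP
    server is unreachable: pam_unix finds the user in /etc/passwd, pam_succeed_if
    passes only for uid < 100, pam_ldap fails after bind_timelimit, pam_krb5
    has no principal for the user."""
    results = {"pam_unix": "success",
               "pam_succeed_if": "success" if uid < 100 else "fail",
               "pam_ldap": "fail", "pam_krb5": "user_unknown"}
    return run_stack(stack, results)

if __name__ == "__main__":
    for name, stack in (("RH3", RH3_ACCOUNT), ("RH4", RH4_ACCOUNT)):
        for uid in (0, 500):
            print(name, "uid", uid, "->", account_check(stack, uid))
```

Running it shows the RH3 stack consulting pam_ldap for root and denying the account, while RH4 stops at pam_succeed_if with success; the uid 500 case shows that the RH4 line does not help ordinary local users, who still fall through to pam_ldap.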