ldap too many connections from clients? following ldap even for local accounts?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



My RH3 system-auth is as follows:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
#account     required      /lib/security/$ISA/pam_deny.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_krb5.so


My RH4 version   is the same, with this difference:
--- system-auth.RH3     2006-10-25 22:49:19.000000000 -0400
+++ system-auth.RH4     2006-10-25 22:42:05.000000000 -0400
@@ -8,6 +8,7 @@
 auth        required      /lib/security/$ISA/pam_deny.so
 
 account     required      /lib/security/$ISA/pam_unix.so broken_shadow
+account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
 account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
 account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
 #account     required      /lib/security/$ISA/pam_deny.so


-----Original Message-----
>From: George Holbert <gholbert at broadcom.com>
>Sent: Mar 7, 2007 8:42 PM
>To: MJD Shop Account <mjdshop at earthlink.net>, "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
>Subject: Re: ldap too many connections from clients? following ldap even for local accounts?
>
>> If a machine is disconnected from the network, a login attempt as 
>> 'root' user (with local passwd file entry and password) fails.
>> ...
>> I think I need to configure something such that the nsswitch.conf 
>> entry tells it to stop if it finds the 'files' entry and not proceed 
>> to the 'ldap' entry.  I thought this would happen by default.
>
>At least for authentication, this behavior depends also on your PAM config.
>
>You need to make sure that the auth and account stacks will succeed for 
>local accounts (e.g., root) without asking pam_ldap.
>What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 clients?
>
>
>MJD Shop Account wrote:
>>  I'm having some odd ldap issues with connection or lack thereof to 
>> ldap server when nsswitch.conf and pam.d/system-auth are configured to 
>> used FDS ldap server.
>>
>> I'm running both RHEL3 and RHEL4 clients.  My servers are RHEL4 update 
>> 4 and FDS 1.0.4.  My /etc/ldap.conf is configured with two host 
>> names.  I've noticed these issues:
>>
>>     * If a machine is disconnected from the network, a login attempt
>>       as 'root' user (with local passwd file entry and password)
>>       fails.  The system appears to accept the password, but sits for
>>       maybe a minute, then dumps you back to the login prompt.  I've
>>       had to  boot off rescue CD and shell in to remove 'ldap' from
>>       the /etc/nsswitch.conf file to get around this in some instances.
>>
>>       My relevant /etc/ldap.conf entries are:
>>       passwd:     files ldap
>>       shadow:     files
>>       group:      files ldap
>>       netgroup:   files ldap
>>
>>     * I noticed that a anhy randomly chosen client has a few
>>       connections to the ldap server that persist.  The connections
>>       are tied to processes that also should have local entries only
>>       in the local /etc/passwd files.  Here's an example:
>>       # netstat -a | grep ldap
>>       tcp       38      0 clienthostname:32771 serverhostname:ldap
>>       CLOSE_WAIT 
>>       # fuser 32771/tcp
>>       here: 32771
>>       32771/tcp:            3729
>>       # ps -ef | grep 3729 | grep -v grep
>>       ntp       3729     1  0 Feb23 ?        00:00:00 ntpd -u ntp:ntp
>>       -p /var/run/ntpd.pid -g
>>       #
>>
>>     * I notice that doing a "netstat -a" on the server that most
>>       clients are using takes a long time.  It spits out a  bunch,
>>       then slows down when reporting the entries that are ESTABLISHED
>>       ldap connections:
>>       tcp        0      0 ldapserver:ldap ldapclient:35908 ESTABLISHED
>>       I see that some clients have very many connections, I would
>>       expect just one or two.  Here's one client that had a whole
>>       bunch, most disappeared before I could capture this bash shell
>>       command output.  This output is for jobs associated with ports
>>       connecting to ldap server:
>>       # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" "
>>       -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef |
>>       grep $j | grep -v grep; done; done
>>       xfs       2726     1  0 Feb20 ?        00:00:00 xfs -droppriv
>>       -daemon
>>       root      3138  3031  0 Feb20 ?        00:00:00
>>       /usr/bin/gdm-binary bell-style none
>>       root      3418  3138  0 18:32 ?        00:00:02 /usr/X11R6/bin/X
>>       :0 -auth /var/gdm/:0.Xauth vt7
>>       gdm       3430  3138  0 18:32 ?        00:00:00 /usr/bin/gdmgreeter
>>       root      2477  2617  0 18:22 ?        00:00:01 sshd: root at pts/0
>>       root      2481  2477  0 18:22 pts/0    00:00:00 -tcsh
>>
>>       I ran a similar command on a client computer where the user is
>>       running a lot of jobs, I got 53 lines of output.  Basically
>>       every job is maintaining an ldap connection, I guess.
>>
>>     * I think I need to configure something such that the
>>       nsswitch.conf entry tells it to stop if it finds the 'files'
>>       entry and not proceed to the 'ldap' entry.  I thought this would
>>       happen by default.
>>
>>     * I think the above problem is possibly leading to many more ldap
>>       connections than are necessary which in turn may be causing
>>       performance issues on the server, ALTHOUGH the cpu load and
>>       memory load does not appear inordinately heavy
>>
>>     * I tried running nscd (for caching the info) once, it seemed to
>>       cause too many problems so I turned it off.  I have tried
>>       something like implementing pam_ccache, I don't think it would
>>       help the too-many-connections, just the issue with no logins
>>       when off the net.
>>
>>     * Here's my /etc/ldap.conf minus the usual comment lines, I'm
>>       doing anonymous binds.  Maybe there's some  keepalive flag that
>>       should be set or unset?:
>>       host server1 server2
>>       base dc=example,dc=com
>>       ldap_version 3
>>       scope sub
>>       bind_timelimit 10
>>       pam_lookup_policy yes
>>       pam_password exop
>>       nss_base_passwd         ou=People,dc=example,dc=com?one
>>       nss_base_group          ou=Group,dc=example,dc=com?one
>>       nss_base_services       ou=Services,dc=example,dc=com?one
>>       nss_base_aliases        ou=Aliases,dc=example,dc=com?one
>>       nss_base_netgroup       ou=Netgroup,dc=example,dc=com?one
>>       ssl start_tls
>>       tls_checkpeer yes
>>       tls_cacertfile /usr/share/ssl/certs/servercert.pem
>>       tls_ciphers TLSv1
>>       pam_password md5
>>
>> Any suggestions on what I might be doing  wrong are greatly appreciated!
>>
>> -Marty
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
>
>
>




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux