Re: RH9 + LDAP: check pass; user unknow

Hi Nimit,
many thanks for the explanation. It really helped.
Should I file a bug for authconfig in bugzilla?
It would be nice if authconfig can configure this.

Regards
Oliver

Nimit Gupta wrote:

Hello Oliver,

I think you are using ldap to store user account information, and due to that you see these error messages.
Oliver Schulze L. wrote:


Hi,
I'm using openldap in RH9 for my user DB.
I have configured pam with authconfig.

The problem I get is that for every login success, I have a login failure
in /var/log/messages in every service (login, pop3, imap, etc.).
For example, when I login to IMAP I get:
Jul 15 04:40:38 server imap(pam_unix)[9429]: check pass; user unknown
Jul 15 04:40:38 server imap(pam_unix)[9429]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=


Here, as the user account information is not available in the place where the pam_unix module checks for it, this error message is given by the pam_unix module.


Jul 15 04:40:38 server imapd[9429]: Login user=user1 host=localhost [127.0.0.1]
Jul 15 04:40:40 server imapd[9429]: Logout user=user1 host=localhost [127.0.0.1]


Here it is now authenticated by the pam_ldap module successfully, as information about user accounts is stored in LDAP (you must have configured it to do so, or chosen it by mistake during installation).


I solved this problem by configuring /etc/pam.d/system-auth from this:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

to this:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_ldap.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so


This solved the problem, as now it checks pam_ldap first and, since sufficient is specified, it won't check any further. You can even remove the pam_unix line if you use LDAP to store the user account information.

Cheers,
Nimit


--
Oliver Schulze L.
<oliver@xxxxxxxxxxxxx>
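
A model of why the two orderings behave differently, added here as an example; it is not code from the thread or from Linux-PAM itself. It parses the two system-auth stacks quoted above and walks them with the classic control-flag rules (required, requisite, sufficient), recording the syslog line each module would emit. The user sets (root local, user1 in LDAP), the assumption that passwords verify whenever a backend knows the user, and the pam_ldap log wording are constructed for the example.

```python
"""Model of how Linux-PAM walks an `auth` stack, added as an example (not thread code)."""
import os
from typing import Callable, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

# Constructed copies of the two system-auth stacks quoted in the thread.
ORIGINAL_SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

REORDERED_SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

Entry = Tuple[str, str, List[str]]          # (control flag, module basename, args)
Runner = Callable[[str, str], Tuple[str, Optional[str]]]

# Constructed environment: which backend knows which account.
LOCAL_USERS = {"root"}
LDAP_USERS = {"user1"}


def parse_auth_stack(text: str) -> List[Entry]:
    """Keep only the `auth` lines of a system-auth file, in file order."""
    stack: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, path, args = fields[1], fields[2], fields[3:]
        stack.append((control, os.path.basename(path), args))
    return stack


def make_runner(ldap_up: bool) -> Runner:
    """Model each module's verdict and the syslog line it would write (assumption:
    the password is correct whenever the backend knows the account)."""
    def run(module: str, user: str) -> Tuple[str, Optional[str]]:
        if module == "pam_env.so":
            return PAM_SUCCESS, None
        if module == "pam_unix.so":
            if user in LOCAL_USERS:
                return PAM_SUCCESS, None
            # The account is not in /etc/passwd or /etc/shadow: this is the
            # "check pass; user unknown" failure seen in /var/log/messages.
            return PAM_USER_UNKNOWN, "pam_unix: check pass; user unknown"
        if module == "pam_ldap.so":
            if not ldap_up:
                # Constructed wording; the real module logs a bind/connect error.
                return PAM_AUTHINFO_UNAVAIL, "pam_ldap: could not connect to LDAP server"
            return (PAM_SUCCESS, None) if user in LDAP_USERS else (PAM_USER_UNKNOWN, None)
        if module == "pam_deny.so":
            return PAM_AUTH_ERR, None
        raise ValueError(f"no model for module {module}")
    return run


def walk_auth_stack(stack: List[Entry], user: str, run: Runner) -> Tuple[str, List[str]]:
    """Evaluate the stack with Linux-PAM's classic control-flag semantics:
    required   - a failure is remembered, but the remaining modules still run;
    requisite  - a failure ends the stack immediately;
    sufficient - success ends the stack with PAM_SUCCESS unless a required
                 module already failed; a failure is simply ignored;
    optional   - result ignored here (matters only when it is the sole module)."""
    logs: List[str] = []
    remembered_failure: Optional[str] = None
    for control, module, _args in stack:
        result, message = run(module, user)
        if message:
            logs.append(message)
        ok = result == PAM_SUCCESS
        if control == "required":
            if not ok and remembered_failure is None:
                remembered_failure = result
        elif control == "requisite":
            if not ok:
                return result, logs
        elif control == "sufficient":
            if ok and remembered_failure is None:
                return PAM_SUCCESS, logs
        elif control != "optional":
            raise ValueError(f"unsupported control flag {control}")
    return remembered_failure or PAM_SUCCESS, logs


def login_as(system_auth: str, user: str, ldap_up: bool = True) -> Tuple[str, List[str]]:
    """Run one login attempt against the given system-auth text."""
    return walk_auth_stack(parse_auth_stack(system_auth), user, make_runner(ldap_up))


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_SYSTEM_AUTH), ("reordered", REORDERED_SYSTEM_AUTH)):
        result, logged = login_as(text, "user1")
        print(f"{label:9} user1 -> {result}; logged: {logged or 'nothing'}")
    print("reordered root, LDAP down ->", login_as(REORDERED_SYSTEM_AUTH, "root", ldap_up=False))
```

Running it shows the original order succeeding for user1 only after pam_unix has logged "check pass; user unknown", while the reordered stack returns on pam_ldap with nothing logged. The same model shows what dropping the pam_unix line costs: with pam_ldap as the only sufficient module, a local account such as root falls through to pam_deny whenever the LDAP server is unreachable, so keeping pam_unix in the stack (after pam_ldap, with use_first_pass) is the safer choice for local break-glass accounts.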



_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
