Bug 77575
| Field | Value |
|---|---|
| Summary | Can't login if LDAP server cannot be contacted |
| Product | [Retired] Red Hat Linux |
| Component | AfterStep-APPS |
| Version | 8.0 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED DUPLICATE |
| Severity | medium |
| Priority | medium |
| Reporter | Brett Boren <bab> |
| Assignee | Nalin Dahyabhai <nalin> |
| QA Contact | Jay Turner <jturner> |
| CC | jim, mattdm, srevivo |
| Doc Type | Bug Fix |
| Last Closed | 2006-02-21 18:50:06 UTC |
| Bug Depends On | 86606 |
Description
Brett Boren
2002-11-09 16:16:50 UTC
This is the same bug as 86606. As I mentioned there, the problem is the naive reference to "sufficient" for both pam_ldap and pam_unix in /etc/pam.d/system-auth. This pam setup generates bogus errors when users log in with uids that exist in LDAP but not in /etc/passwd, and causes total system lockout (forcing reboot into single user mode and elimination of ldap authentication) if the LDAP server fails for any reason. So this is either a pam bug or an authconfig bug or a pam_ldap bug, but not an LDAP bug really... best to leave this classification, though, since it is stalling LDAP adoption at several sites (two that I know of personally, perhaps many more?). I have spotted quite a few related problems while browsing Bugzilla. For example in 72179, the LDAP server crashed because of the ldconfig bug in the SSL update, but that problem was magnified by the resulting inability to log in. I think 89592 is also related, and several more that I didn't note the numbers on. There is a patch submitted in 55193, which is a straight dup of this bug, just as 86606 is. But I'm not sure that solution is optimal... I changed the line

```
account required /lib/security/$ISA/pam_unix.so
```

to:

```
account sufficient /lib/security/$ISA/pam_unix.so
```

in /etc/pam.d/system-auth instead and that seems to fix the problem for me. So far, at least - I tested this on Red Hat 9 a few minutes ago, but I haven't aggressively tested for any authentication problems this might cause in other applications. I actually had a student in one of my rh300 classes solve this problem.
The reason local users are logged out when the ldap server cannot be contacted is because of this line in /etc/pam.d/system-auth, which is generated by authconfig when the user chooses ldap as their authentication method (thus I've opened up a new bug #100504 under authconfig):

```
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
```

This line should read:

```
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
```

The addition of 'authinfo_unavail=ignore' to the line will cause pam_ldap.so to return an 'ignore' value instead of the default 'bad' when it cannot contact the server.

*** This bug has been marked as a duplicate of 55193 ***

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
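As an added example (not part of the bug report, of authconfig or of pam_ldap), the following POSIX shell script audits the pam_ldap `account` line of a system-auth-style file for the `authinfo_unavail=ignore` action described above and prints a corrected copy to stdout rather than editing in place. The function names, the temporary files and the two sample stanzas are constructed for this example; the stanza contents are the generated and corrected lines quoted in the comment above.

```shell
#!/bin/sh
# Added example, not from the bug report or from authconfig/pam_ldap: audit and
# correct the pam_ldap "account" line of an /etc/pam.d/system-auth-style file.
# Function names, temp files and the sample stanzas below are constructed.

# Report how the first "account ... pam_ldap.so" line handles an unreachable
# LDAP server: OK (authinfo_unavail=ignore present), MISSING (the return value
# falls through to default=bad, so every account check fails while LDAP is
# down, local users included), or NOLINE (no pam_ldap account line at all).
pam_ldap_account_check() {
    line=$(grep -E '^[[:space:]]*account[[:space:]]' "$1" \
               | grep 'pam_ldap\.so' | head -n 1 || true)
    case "$line" in
        '')                         echo NOLINE ;;
        *authinfo_unavail=ignore*)  echo OK ;;
        *)                          echo MISSING ;;
    esac
}

# Print a corrected copy of the file to stdout (never edits in place): insert
# authinfo_unavail=ignore at the end of the [...] control field of a pam_ldap
# account line that lacks it, leaving every other line untouched.
pam_ldap_account_fix() {
    awk '/^[ \t]*account[ \t]/ && /pam_ldap\.so/ && !/authinfo_unavail=ignore/ {
             sub("]", " authinfo_unavail=ignore]")
         }
         { print }' "$1"
}

# Constructed samples: the account stanza as authconfig generated it (quoted in
# the report) and the same stanza with the fix applied.
BAD_CFG=$(mktemp)
GOOD_CFG=$(mktemp)
FIXED_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG" "$FIXED_CFG"' EXIT

cat > "$BAD_CFG" <<'EOF'
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
EOF

cat > "$GOOD_CFG" <<'EOF'
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
EOF

# Apply the fix to the generated stanza and audit all three files.
pam_ldap_account_fix "$BAD_CFG" > "$FIXED_CFG"

echo "generated stanza: $(pam_ldap_account_check "$BAD_CFG")"     # MISSING
echo "corrected stanza: $(pam_ldap_account_check "$GOOD_CFG")"    # OK
echo "after fix:        $(pam_ldap_account_check "$FIXED_CFG")"   # OK
```

The check keys on the control field because that is where the failure lives: each listed return value maps to an action, and anything unlisted takes `default=bad`. When pam_ldap cannot reach the server it returns `authinfo_unavail`, which the generated line does not list, so the whole account stack fails for local users too; with `authinfo_unavail=ignore` that outcome is skipped and the pam_unix result decides. Run the checker against a copy of `/etc/pam.d/system-auth` before and after an authconfig run to confirm the generated line carries the action.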