Bug 1401632 - nslcd fails to restart intermittently
Summary: nslcd fails to restart intermittently
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss-pam-ldapd
Version: 6.9
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: BaseOS QE Security Team
Docs Contact: Lenka Špačková
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-05 18:37 UTC by Roshni
Modified: 2017-11-15 22:13 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
*nslcd* fails to resolve user or group identities when it is started before the network connection is fully up

When *nslcd*, the local LDAP name service daemon, is started before the network connection is fully up, the daemon fails to connect to an LDAP server. As a consequence, resolving user or group identities does not work. To work around this problem, start *nslcd* after the network connection is up.
Clone Of:
Environment:
Last Closed: 2017-11-15 22:13:35 UTC
Target Upstream Version:
Embargoed:



Description Roshni 2016-12-05 18:37:21 UTC
Description of problem:
Smartcard authentication fails inconsistently

Version-Release number of selected component (if applicable):
coolkey-1.1.0-38.el6.x86_64
ccid-1.3.9-11.el6.x86_64
pcsc-lite-1.5.2-16.el6.x86_64
gdm-2.30.4-67.el6.x86_64
authconfig-6.1.12-23.el6.x86_64

How reproducible:
inconsistent

Steps to Reproduce:
1. Not sure what is triggering this issue
2.
3.

Actual results:
gdm login using smartcard fails

Expected results:
smartcard authentication should be successful

Additional info:
/var/log/messages

Dec  5 13:31:33 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:33 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:34 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:34 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:35 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:35 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:36 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:36 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:37 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:37 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:38 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:38 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:39 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:39 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:40 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:40 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:40 dhcp129-152 dbus: [system] Rejected send message, 1 matched rules; type="method_call", sender=":1.77" (uid=42 pid=4363 comm="gnome-power-manager) interface="org.freedesktop.Hal.Device.LaptopPanel" member="SetBrightness" error name="(unset)" requested_reply=0 destination=":1.5" (uid=0 pid=2940 comm="hald))
Dec  5 13:31:41 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:41 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found, sleeping 1 seconds
Dec  5 13:31:42 dhcp129-152 nslcd[2850]: [5e7fd0] failed to bind to LDAP server ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389: Can't contact LDAP server: Connection refused
Dec  5 13:31:42 dhcp129-152 nslcd[2850]: [5e7fd0] no available LDAP server found


/var/log/secure
[root@dhcp129-152 ~]# tail -f /var/log/secure
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: renewable lifetime: 10800s (0d,3h,0m,0s)
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: banner: Kerberos 5
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: ccache dir: /tmp
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: keytab: FILE:/etc/krb5.keytab
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: token strategy: v4,524,2b,rxk5
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: checking for externally-obtained v5 credentials
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: KRB5CCNAME is not set, none found
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: no v5 creds for user 'root', skipping session setup
Dec  5 13:31:34 dhcp129-152 sshd[4334]: pam_krb5[4334]: pam_sm_open_session returning 0 (Success)
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4391]: krb5_kuserok() says 0
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4391]: removing ccache 'FILE:/tmp/krb5cc_505_zdTy1v'
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4391]: destroyed ccache 'FILE:/tmp/krb5cc_505_zdTy1v'
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: account checks fail for 'kdcuser5': user disallowed by .k5login file for 'kdcuser5'
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: authentication fails for 'kdcuser5' (kdcuser5): Permission denied (Success)
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: pam_authenticate returning 6 (Permission denied)
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: debug
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flags: forwardable
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: no ignore_afs
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: no null_afs
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: cred_session
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: user_check
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: no krb4_convert
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: krb4_convert_524
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: krb4_use_as_req
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: will try previously set password first
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: will ask for a password if that fails
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: will let libkrb5 ask questions
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: no use_shmem
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: no external
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: no multiple_ccaches
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: validate
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: flag: warn
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: ticket lifetime: 3600s (0d,1h,0m,0s)
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: renewable lifetime: 10800s (0d,3h,0m,0s)
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: banner: Kerberos 5
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: ccache dir: /tmp
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: keytab: FILE:/etc/krb5.keytab
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: token strategy: v4,524,2b,rxk5
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: account management succeeds for 'kdcuser5'
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4414]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_kdcuser5' for internal use
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4414]: copied credentials from "MEMORY:_pam_krb5_tmp_s_kdcuser5" to "FILE:/tmp/krb5cc_505_II1LVl" for the user, destroying "MEMORY:_pam_krb5_tmp_s_kdcuser5"
Dec  5 13:31:42 dhcp129-152 pam: gdm-smartcard: pam_krb5[4414]: created v5 ccache 'FILE:/tmp/krb5cc_505_zjfvrn' for 'kdcuser5'
Dec  5 13:31:51 dhcp129-152 pam: gdm-smartcard: pam_krb5[4414]: krb5_kuserok() says 0
Dec  5 13:31:51 dhcp129-152 pam: gdm-smartcard: pam_krb5[4414]: removing ccache 'FILE:/tmp/krb5cc_505_zjfvrn'
Dec  5 13:31:51 dhcp129-152 pam: gdm-smartcard: pam_krb5[4414]: destroyed ccache 'FILE:/tmp/krb5cc_505_zjfvrn'
Dec  5 13:31:51 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: account checks fail for 'kdcuser5': user disallowed by .k5login file for 'kdcuser5'
Dec  5 13:31:51 dhcp129-152 pam: gdm-smartcard: pam_krb5[4379]: pam_acct_mgmt returning 6 (Permission denied)

Comment 7 Bob Relyea 2016-12-12 18:23:56 UTC
Roshni, what does your pam_pkcs11 file look like? It looks like you are getting a lot of ldap failures, which may indicate some issue connecting to ldap rather than a smart card issue.

bob

Comment 8 Roshni 2016-12-12 18:59:05 UTC
[root@dhcp129-152 ~]# cat /etc/pam_pkcs11/pam_pkcs11.conf 
#
# Configuration file for pam_pkcs11 module
#
# Version 0.4
# Author: Juan Antonio Martinez <jonsito>
#
pam_pkcs11 {
  # Allow empty passwords
  nullok = true;

  # Enable debugging support.
  debug = false; 

  # If the smart card is inserted, only use it
  card_only = true;

  # Do not prompt the user for the passwords but take them from the
  # PAM_ items instead.
  use_first_pass = false;

  # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
  # is unset.
  try_first_pass = false;

  # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
  # previously set (intended for stacking password modules only).
  use_authtok = false;

  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = coolkey;

  screen_savers = gnome-screensaver,xscreensaver,kscreensaver

  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
    description = "Cool Key"
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    ca_dir = /etc/pam_pkcs11/cacerts;
    nss_dir = /etc/pki/nssdb;
  
    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    crl_dir = /etc/pam_pkcs11/crls;

    # Sets the Certificate verification policy.
    # "none"        Performs no verification
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL form the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first
    #               tries to download the CRL from a possibly given CRL
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "ocsp_on"     Turn on OCSP.
    # "signature"   Does also a signature check to ensure that private
    #               and public key matches
    # You can use a combination of ca,crl, and signature flags, or just
    # use "none".
    cert_policy = ca, signature;
  }

  pkcs11_module opensc {
    module = opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    ca_dir = /etc/pam_pkcs11/cacerts;
  
    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    crl_dir = /etc/pam_pkcs11/crls;
  
    # Sets the Certificate Policy, (see above)
    cert_policy=ca, signature;
  }

  # Default pkcs11 module
  pkcs11_module default {
    module = /usr/$LIB/pam_pkcs11/pkcs11_module.so;
    description = "Default pkcs#11 module";
    slot_num = 0;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy=ca, signature;
  }

  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare againts Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list.
  # If used null mapper should be the last in the list :-)
  # Also you should select at least one mapper, otherwise
  # certificate will not match :-)
  use_mappers = cn, uid, pwent, null;

  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH 
  mapper_search_path = /usr/$LIB/pam_pkcs11;

  # 
  # Generic certificate contents mapper
  mapper generic {
        debug = true;
        module = /usr/$LIB/pam_pkcs11/generic_mapper.so;
        # ignore letter case on match/compare
        ignorecase = false;
        # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
        cert_item  = cn;
        # Define mapfile if needed, else select "none"
        mapfile = file:///etc/pam_pkcs11/generic_mapping
        # Decide if use getpwent() to map login
        use_getpwent = false;
  }

  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
	debug = false;
	# module = /usr/$LIB/pam_pkcs11/subject_mapper.so;
	module = internal;
	ignorecase = false;
	mapfile = file:///etc/pam_pkcs11/subject_mapping;
  }

  # Search public keys from $HOME/.ssh/authorized_keys to match users
  mapper openssh {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/openssh_mapper.so;
  }

  # Search certificates from $HOME/.eid/authorized_certificates to match users
  mapper opensc {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/opensc_mapper.so;
  }

  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
	debug = false;
	ignorecase = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/pwent_mapper.so;
  }

  # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody"
  mapper null {
	debug = false;
	# module = /usr/$LIB/pam_pkcs11/null_mapper.so;
	module = internal ;
	# select behavior: always match, or always fail
	default_match = false;
	# on match, select returned user
        default_user = nobody ;
  }

  # Directory ( ldap style ) mapper
  mapper ldap {
	debug = false;
	module = /usr/$LIB/pam_pkcs11/ldap_mapper.so;
	# where base directory resides
	basedir = /etc/pam_pkcs11/mapdir;
	# hostname of ldap server
        ldaphost = "localhost";
	# Port on ldap server to connect
        ldapport = 389;
        # Scope of search: 0 = x, 1 = y, 2 = z
        scope = 2;
	# DN to bind with. Must have read-access for user entries under "base"
        binddn = "cn=pam,o=example,c=com";
	# Password for above DN
        passwd = "test";
	# Searchbase for user entries
        base = "ou=People,o=example,c=com";
	# Attribute of user entry which contains the certificate
        attribute = "userCertificate";
	# Searchfilter for user entry. Must only let pass user entry for the login user.
        filter = "(&(objectClass=posixAccount)(uid=%s))"
  }

  # Assume common name (CN) to be the login
  mapper cn {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/cn_mapper.so;
	ignorecase = true;
	mapfile = file:///etc/pam_pkcs11/cn_map;
  }

  # mail -  Compare email field from certificate
  mapper mail {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
	# Declare mapfile or
	# leave empty "" or "none" to use no map 
	mapfile = file:///etc/pam_pkcs11/mail_mapping;
	# Some certs store email in uppercase. take care on this
	ignorecase = true;
	# Also check that host matches mx domain
	# when using mapfile this feature is ignored
	ignoredomain = false;
  }

  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
	ignorecase = false;
	ignoredomain = false;
	domain = "domain.com";
  }

  # krb  - Compare againts Kerberos Principal Name
  mapper krb {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/krb_mapper.so;
	ignorecase = false;
	mapfile = "none";
  }

  # uid  - Maps Subject Unique Identifier field (if exist) to login
  mapper uid {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/uid_mapper.so;
	ignorecase = false;
	mapfile = "none";
  }

  # digest - elaborate certificate digest and map it into a file
  mapper digest {
	debug = false;
	module = internal;
	# module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
	# algorithm used to evaluate certificate digest
        # Select one of:
	# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
	algorithm = "sha1";
	mapfile = file:///etc/pam_pkcs11/digest_mapping;
	# mapfile = "none";
  }

}

Comment 9 Bob Relyea 2016-12-12 19:08:42 UTC
OK, thanks, I don't know why you are getting ldap errors, but you are using the cn mapper, so ldap can't be the issue.

Comment 10 Bob Relyea 2016-12-13 02:17:33 UTC
I'm not able to get this to fail with my coolkey. Which cards seem to work intermittently?

Do you know if you are using cn, id or pwent? The latter could be having ldap issues.

What is your cn_map?

bob

Comment 11 Roshni 2016-12-13 20:25:54 UTC
The issue is that nslcd fails to start intermittently (not sure what is triggering it).

The workaround to get the smartcard authentication to work is to either add a local user with the same name or manually restart the nslcd service. But this workaround will not be applicable if the "Smartcard only" option is enabled in authconfig, which will then not allow logging in as root.

Comment 12 Arthur de Jong 2016-12-13 21:22:00 UTC
The "Connection refused" errors from nslcd indicate a simple connection error to the LDAP server (nslcd will start and should keep working). The nslcd daemon has a retry and timeout mechanism to not constantly retry connecting too often. If networking is unavailable before nslcd is started it can slow down booting a bit and nslcd may remember for some time that the LDAP server is unavailable.

Newer versions of nss-pam-ldapd (particularly the 0.9 series) have a nicer retry mechanism and allow receiving SIGUSR1 to immediately retry connecting to the LDAP server.

I have seen some issues in starting up nslcd related to TLS (the SSL library does an exit of the application for some strange reason).

Comment 13 Jakub Hrozek 2016-12-14 08:36:38 UTC
As Arthur says, please check the connectivity to ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389 with e.g. ldapsearch.

Note that non-standard port, perhaps there's a typo?

Comment 14 Roshni 2016-12-14 14:12:28 UTC
ldapsearch from the client is successful. I am seeing the authentication issue now but noticed that nslcd is up and running. Also, I have added port 8389 to the ldap SELinux context using the command

semanage port -a -t ldap_port_t -p tcp 8389.

Smartcard authentication to the ldap user was successful at the first attempt after setting up the environment, but after some time I start seeing this issue.

Comment 15 Jakub Hrozek 2016-12-14 21:18:11 UTC
If you're seeing the authentication issue now and nslcd is throwing connection refused... are you sure you can connect to that server and search it?

If yes and the issue is reproducible, I'd like to take a peek at the environment if possible..

Comment 16 Roshni 2016-12-19 14:59:21 UTC
The following was Sumit's finding

"There are a lot of 'no available LDAP
server found' messages from nslcd. I think the reason is the startup
order. According to /var/log/messages nslcd was started before
NetworkManager got the nameservers via DHCP and wrote them to
/etc/resolv.conf. /etc/resolv.conf is only read at startup, so nslcd is
not aware of the nameserver and hence cannot resolve the LDAP server's
hostname.

The boot order is ok but nslcd is started too fast or DHCP is too slow.
So maybe just restart nslcd when the system is up to make sure the ldap
server name can be resolved or add it to /etc/hosts."

After adding the ldap server's hostname and ip address to /etc/hosts I was not seeing this issue anymore.
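
One way to automate the "restart nslcd once the system is up" workaround from this comment (and the SIGUSR1 alternative Arthur mentions in comment 12), as an added example that is not part of this bug report or of nss-pam-ldapd: a NetworkManager dispatcher hook for RHEL 6 that waits until the LDAP server name from nslcd.conf resolves and only then restarts nslcd. The install path, the `NSLCD_CONF`/`RESOLVE_TRIES` variables and the `nslcd-hook` logger tag are assumptions; the hook assumes `uri ldap://host[:port]` lines with a hostname or IPv4 literal.

```shell
#!/bin/sh
# Added example, not from the bug report or the nss-pam-ldapd project:
# a NetworkManager dispatcher hook that restarts nslcd only once the
# interface is up and the LDAP server's hostname actually resolves, so
# nslcd is not left running with the stale /etc/resolv.conf it read at boot.
# Assumed install path: /etc/NetworkManager/dispatcher.d/90-nslcd (mode 0755).
# Assumes "uri ldap://host[:port]" or "uri ldaps://host" lines in nslcd.conf
# with a hostname or IPv4 literal (bracketed IPv6 literals are not handled).

NSLCD_CONF=${NSLCD_CONF:-/etc/nslcd.conf}
RESOLVE_TRIES=${RESOLVE_TRIES:-10}   # seconds to wait for DNS to start working

# Print the host part of every "uri ldap://..." / "uri ldaps://..." line.
# "uri ldap://auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com:8389"
# yields "auto-hv-02-guest02.idmqe.lab.eng.bos.redhat.com".
ldap_hosts_from_conf() {
    sed -n 's|^[[:space:]]*uri[[:space:]][[:space:]]*ldaps*://\([^:/[:space:]]*\).*|\1|p' "$1"
}

# True when the argument is a dotted IPv4 literal (nothing to resolve).
is_ip_literal() {
    case $1 in
        "" | *[!0-9.]*) return 1 ;;
        *)              return 0 ;;
    esac
}

# True only when every given host is an IP literal or resolves via NSS.
# getent goes through the same resolver path nslcd uses, so this reflects
# what nslcd will see after a restart.
hosts_resolve() {
    for h in "$@"; do
        is_ip_literal "$h" && continue
        getent hosts "$h" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Dispatcher entry point: $1 is the interface, $2 the NetworkManager action.
main() {
    iface=$1
    action=$2
    [ "$action" = "up" ] || return 0

    set -- $(ldap_hosts_from_conf "$NSLCD_CONF")
    [ $# -gt 0 ] || return 0          # nslcd not configured for a network LDAP server

    # DHCP may write /etc/resolv.conf a little after the "up" event fires.
    tries=0
    while ! hosts_resolve "$@"; do
        tries=$((tries + 1))
        if [ "$tries" -ge "$RESOLVE_TRIES" ]; then
            logger -t nslcd-hook "LDAP host(s) $* still unresolvable after $iface came up; not restarting nslcd"
            return 1
        fi
        sleep 1
    done

    logger -t nslcd-hook "$iface up and LDAP host(s) $* resolve; restarting nslcd"
    # With nss-pam-ldapd 0.9 or later, sending SIGUSR1 to nslcd would make it
    # retry immediately (comment 12); the 0.7.x series on RHEL 6 needs a restart.
    service nslcd restart
}

# Only act when invoked by NetworkManager with interface and action arguments.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Adding the LDAP server to /etc/hosts, as done above, remains the simpler fix; the hook is for environments where the server address must stay in DNS.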

Comment 18 Jakub Hrozek 2016-12-20 11:21:00 UTC
(In reply to Roshni from comment #16)
> The following was Sumit's finding
> 
> "There are a lot of 'no available LDAP
> server found' messages from nslcd. I think the reason is the startup
> order. According to /var/log/messages nslcd was started before
> NetworkManager got the nameservers via DHCP and wrote them to
> /etc/resolv.conf. /etc/resolv.conf is only read at startup, so nslcd is
> not aware of the nameserver and hence cannot resolve the LDAP server's
> hostname.
> 
> The boot order is ok but nslcd is started too fast or DHCP is too slow.
> So maybe just restart nslcd when the system is up to make sure the ldap
> server name can be resolved or add it to /etc/hosts."
> 
> After adding the ldap server's hostname and ip address to /etc/hosts I was
> not seeing this issue anymore.

Then I don't think this issue should be marked as a testblocker, can you remove that flag?

