Description of problem:
I configure the system to use LDAP for authentication:

authconfig --useshadow --usemd5 --disablenis --enableldap --enableldapauth --ldapserver=ldaps://ldapslave --ldapserver=ldaps://ldap --ldapbasedn=dc=example,dc=com --disableldaptls --ldaploadcacert=http://intranet/CAcert.pem --disablesmartcard --disablefingerprint --disablekrb5 --disablehesiod --enablesssd --enablesssdauth --enablecachecreds --enablepamaccess --disablemkhomedir --update

This works fine. Now I change --disableldaptls to --enableldaptls and I cannot ssh to the system as an LDAP user any more. In /var/log/secure I can see this:

fatal: Access denied for user xxx by PAM account configuration

It kind of works again if I comment out this line in /etc/ssh/sshd_config:

UsePAM yes

I say it kind of works because I can ssh as an LDAP user, but I can see SELinux AVC alerts as shown here: https://bugzilla.redhat.com/show_bug.cgi?id=692459#c58

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
'UsePAM no' is unsupported and will not work correctly. Is there anything else related in /var/log/secure besides the message above? What is in your /etc/pam.d/password-auth file?
In /var/log/secure I get:

Oct 17 16:14:05 larch sshd[28492]: pam_ldap: ldap_starttls_s: Operations error
Oct 17 14:14:05 larch sshd[28493]: fatal: Access denied for user xxx by PAM account configuration

cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_ldap.so

Not sure if that's the source of this problem, but in /etc/pam_ldap.conf I had:

uri ldaps://ldap
ssl start_tls

These lines were inserted by authconfig. It works after changing the second line to:

ssl no

Actually, I'm not sure if I should be using --enableldaptls here at all, since the LDAP URL is ldaps://ldap
Yes, you should not be using the --enableldaptls for the ldaps URLs.
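The thread above pins the failure on one contradictory pair of pam_ldap.conf directives: an ldaps:// URI (TLS from the first byte) combined with "ssl start_tls" (a StartTLS upgrade on a plain ldap:// connection), which is what authconfig --enableldaptls writes and what produces the "ldap_starttls_s: Operations error" followed by the PAM account denial. The script below is an added example, not code from the bug report or from authconfig; it checks a pam_ldap.conf-style file for that combination before the setting is rolled out. The function name check_ldap_tls, its exit codes (0 consistent, 1 conflict, 2 unreadable) and the sample files it writes are this example's own conventions.

```sh
#!/bin/sh
# Added example (not from the bug report): detect the pam_ldap.conf
# combination that breaks the account phase in this thread, namely an
# ldaps:// URI together with "ssl start_tls". With ldaps:// the ssl line
# should be "no" (or absent); "ssl start_tls" belongs with ldap:// URIs.
# Exit codes (this script's convention): 0 consistent, 1 conflict, 2 unreadable.

check_ldap_tls() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Last "uri"/"ssl" directive wins; comment lines are skipped and the
    # keyword is matched case-insensitively. "uri" may list several servers.
    uri_val=$(awk '$1 !~ /^#/ && tolower($1)=="uri" {v=""; for (i=2; i<=NF; i++) v=v " " $i} END {print v}' "$conf")
    ssl_val=$(awk '$1 !~ /^#/ && tolower($1)=="ssl" {v=tolower($2)} END {print v}' "$conf")

    case "$uri_val" in
        *ldaps://*) uses_ldaps=1 ;;
        *)          uses_ldaps=0 ;;
    esac

    if [ "$uses_ldaps" -eq 1 ] && [ "$ssl_val" = "start_tls" ]; then
        echo "$conf: ldaps:// URI combined with 'ssl start_tls'; use 'ssl no' with ldaps:// (or 'ssl start_tls' with ldap://)" >&2
        return 1
    fi
    echo "$conf: uri/ssl settings are consistent"
    return 0
}

# Stand-alone demo on constructed sample files (not the reporter's real config).
demo() {
    bad=$(mktemp) && good=$(mktemp) || return 2
    printf 'uri ldaps://ldap\nssl start_tls\n' > "$bad"   # what --enableldaptls produced
    printf 'uri ldaps://ldap\nssl no\n'        > "$good"  # the working fix from the thread
    rc=0; check_ldap_tls "$bad" || rc=$?
    echo "exit=$rc"
    rc=0; check_ldap_tls "$good" || rc=$?
    echo "exit=$rc"
    rm -f "$bad" "$good"
}

demo
```

Run it as "sh check_ldap_tls.sh" for the demo, or source it and call check_ldap_tls /etc/pam_ldap.conf from a configuration-management post-check; a non-zero status on the real file is the signal to fix the ssl line rather than to weaken sshd with UsePAM no.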