Re: When LDAP Fails

2012-02-02 Thread Peter E. Abresch Jr. - at Pepco
We use YaST to configure everything and it made no difference. We also 
eliminated PAM as the problem as well. Additional testing results are as 
follows:

If we shut down the remote LDAP server everything is fine; nss gets "not 
available" and continues with the local files. This allows us to log on to 
the Linux console as root since root is a local Linux account.

However, if we lose the network connection (simulated by shutting down 
the network interface), nss hangs and the logon times out, no matter how 
high the timeout value is increased. In other words, neither root nor any 
local account can authenticate when the following is specified in 
nsswitch.conf and the network is down.

passwd: ldap files
shadow: ldap files
group:  ldap files

We believe the problem lies with nss_ldap. We are running 
nss_ldap-262-11.32.31.1. The problem seems to be that nss is not 
recognizing the timeout parameter in /etc/ldap.conf. If the network 
connection is not there, then it just keeps trying instead of timing out 
and looking at the local files. If the network is there, it immediately 
recognizes that LDAP is not running and moves on. Googling this issue 
reveals many hits identical to this.

Bug 176209 (https://bugzilla.redhat.com/show_bug.cgi?id=176209) seems to 
address it. There are others that describe various symptoms of this same 
problem.

How can I tell if this is a known issue with SuSE, Novell, or Attachmate? 
Is anyone else using LDAP and experiencing this problem? 

Peter





This Email message and any attachment may contain information that is
proprietary, legally privileged, confidential and/or subject to copyright
belonging to Pepco Holdings, Inc. or its affiliates (PHI).  This Email is
intended solely for the use of the person(s) to which it is addressed.  If
you are not an intended recipient, or the employee or agent responsible for
delivery of this Email to the intended recipient(s), you are hereby notified
that any dissemination, distribution or copying of this Email is strictly
prohibited.  If you have received this message in error, please immediately
notify the sender and permanently delete this Email and any copies.  PHI
policies expressly prohibit employees from making defamatory or offensive
statements and infringing any copyright or any other legal right by Email
communication.  PHI will not accept any liability in respect of such
communications.

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Re: When LDAP Fails

2012-02-02 Thread Mark Post
 On 2/2/2012 at 04:34 PM, Peter E. Abresch Jr.   - at Pepco
peabre...@pepco.com wrote: 
 How can I tell if this is a known issue with SuSE, Novell, or Attachmate? 
 Is anyone else using LDAP and experiencing this problem? 

By opening a service request with your support provider.  Share your research 
with them and see what they can find out.


Mark Post



Re: When LDAP Fails

2012-02-02 Thread Patrick Spinler
We faced something similar with Redhat, albeit 3+ years ago, and I ended
up implementing the following as part of our build procedure.  It might
be worthwhile to at least read the kbase article and see if this sounds
similar:

===
# Add a stanza to /etc/pam.d/system-auth
# to fix bug about logging in when networking is
# down and the ldap servers can't be contacted.
#
# This should be inserted as the second account ...
# stanza
#
# See the following document for details:
# http://kbase.redhat.com/faq/docs/DOC-8322

cp /etc/pam.d/system-auth /etc/pam.d/system-auth.orig
# print every line; right after the first "account" line, add the
# pam_localuser.so stanza so local users pass without contacting LDAP
perl -n -e 'print;
  if (!$didit && m/^account/) {
  $didit=1; print "account sufficient /lib/security/\$ISA/pam_localuser.so\n"
  }' /etc/pam.d/system-auth.orig > /etc/pam.d/system-auth


Sorry for the line wrap, and good luck!
-- Pat


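An added audit (not from the thread) that checks for both conditions discussed above: the "ldap files" ordering in nsswitch.conf from Peter's message, which sends even root's lookup to the LDAP server before the local files, and the account-stack ordering behind Pat's fix, where a sufficient pam_localuser.so entry should precede pam_ldap.so. File names and sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script (not from the thread). Two checks: does nsswitch.conf
# consult "ldap" before "files" for passwd/shadow/group, and does the PAM
# account stack reach pam_ldap.so before a sufficient pam_localuser.so?
# File names and contents below are constructed samples.
set -f   # no globbing needed; nsswitch actions like [NOTFOUND=return] contain glob chars

# Return 0 if every passwd/shadow/group line lists "files" before "ldap";
# print the offending line(s) and return 1 otherwise.
nsswitch_files_first() {
  bad=0
  for db in passwd shadow group; do
    srcs=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$1" | sed 's/#.*//')
    for s in $srcs; do
      case "$s" in
        files) break ;;                       # local files come first: fine
        ldap)  echo "nsswitch: $db: $srcs (ldap before files)"; bad=1; break ;;
      esac
    done
  done
  return $bad
}

# Return 1 if an "account ... pam_ldap.so" line appears before any
# "account sufficient pam_localuser.so" line, 0 otherwise.
pam_localuser_first() {
  awk '/^[[:space:]]*account/ {
         if ($0 ~ /pam_localuser\.so/ && $2 == "sufficient") ok = 1
         if ($0 ~ /pam_ldap\.so/ && !ok) bad = 1 }
       END { exit bad ? 1 : 0 }' "$1"
}

# Constructed samples mirroring the thread's configurations.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'passwd: ldap files\nshadow: ldap files\ngroup:  ldap files\n' > "$tmp/nsswitch.bad"
printf 'passwd: files ldap\nshadow: files ldap\ngroup:  files ldap\n' > "$tmp/nsswitch.good"
printf 'account  sufficient pam_ldap.so\naccount  required   pam_unix2.so\n' > "$tmp/login.bad"
printf 'account  sufficient pam_localuser.so\naccount  sufficient pam_ldap.so\n' > "$tmp/login.good"

for f in nsswitch.bad nsswitch.good; do
  nsswitch_files_first "$tmp/$f" && echo "$f: files before ldap, ok"
done
for f in login.bad login.good; do
  pam_localuser_first "$tmp/$f" && echo "$f: ok" || echo "$f: pam_ldap.so reached before pam_localuser.so"
done
```

Listing files first only helps names that exist locally; a lookup for a name absent from /etc/passwd still falls through to ldap and is exposed to the same hang Peter describes, so the PAM check matters as well.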

When LDAP Fails

2012-01-26 Thread Peter E. Abresch Jr. - at Pepco
We are running SLES11-SP1 at latest maintenance levels.

We use RACF LDAP and authenticate our Linux users to z/OS RACF. Everything
works fine with no problems. Our root user is not defined in LDAP but to
the local Linux. We have the following /etc/pam.d/login:

#%PAM-1.0
auth required   pam_securetty.so
auth required   pam_nologin.so
auth sufficient pam_ldap.so
auth requisite  pam_unix2.so
auth required   pam_env.so
auth required   pam_mail.so

account  sufficient pam_ldap.so
account  required   pam_unix2.so

password sufficient pam_ldap.so
password required   pam_pwcheck.so   nullok
password required   pam_unix2.so nullok use_first_pass use_authtok

session  required   pam_loginuid.so
session  required   pam_limits.so
session  required   pam_unix2.so
session  optional   pam_umask.so
session  required   pam_lastlog.so nowtmp
session  optional   pam_mail.so standard
session  optional   pam_ck_connector.so

It all works, for the most part. When we log in as root, or any other ID
not defined to LDAP, it authenticates against the local Linux. However,
here is the crux:

When the RACF LDAP server on z/OS is down or if there is a network issue,
the process hangs. Instead of failing at:

auth sufficient pam_ldap.so

and moving on to

auth requisite  pam_unix2.so
auth required   pam_env.so
auth required   pam_mail.so

it just hangs and the login times out and fails.

In other words we have no access to the system to do anything. I do not
know if this is a pam issue, an LDAP issue or an nss issue. I have been
unsuccessful in resolving this and am open to suggestions. Thanks in
advance.



Peter


Re: When LDAP Fails

2012-01-26 Thread Mark Post
 On 1/26/2012 at 01:36 PM, Peter E. Abresch Jr.   - at Pepco
peabre...@pepco.com wrote: 
 In other words we have no access to the system to do anything. I do not
 know if this a pam issue, an LDAP issue or an nss issue. I have been
 unsuccessful in resolving this and am open to suggestions. Thanks in
 advance.

Did you use YaST to set up the authenticate via LDAP configuration, or did 
you do it manually?


Mark Post



Re: When LDAP Fails

2012-01-26 Thread Peter E. Abresch Jr. - at Pepco
I configured /etc/ldap.conf manually following the recommendations
outlined in an IBM Redbook about the RACF LDAP server.

I took the defaults with the following exceptions:

host conprod
base o=PHI
timelimit 30
bind_timelimit 30
bind_policy soft
pam_lookup_policy yes
pam_check_host_attr yes
pam_password racf
nss_initgroups_ignoreusers root,postfix
nss_schema rfc2307bis
nss_map_attribute uniqueMember member

Any ideas?

Peter





Re: When LDAP Fails

2012-01-26 Thread Mark Post
 On 1/26/2012 at 04:35 PM, Peter E. Abresch Jr.   - at Pepco
peabre...@pepco.com wrote: 
 I configured /etc/ldap.conf manually following the recommendations
 outlined in an IBM Redbook about the RACF LDAP server.
 
 I took the defaults with the following exceptions:
 
 host conprod
 base o=PHI
 timelimit 30
 bind_timelimit 30
 bind_policy soft
 pam_lookup_policy yes
 pam_check_host_attr yes
 pam_password racf
 nss_initgroups_ignoreusers root,postfix
 nss_schema rfc2307bis
 nss_map_attribute uniqueMember member
 
 Any ideas?

I would be tempted to use YaST to configure all this, and compare the results 
with what has already been done.  Perhaps the Redbook missed something subtle, 
or things changed somewhat between when it was published and SLES11 SP1, etc.


Mark Post
