Hello Fabio,

Please try the following command as root on your MyProxy CA server:

    pamtester myproxy fabio authenticate

You may need to first do 'yum install pamtester'. This will determine if the problem is due to myproxy-server or pam_ldap. If you experience slow authentication and timeouts with pamtester, the problem is with the pam_ldap configuration or the Active Directory server.

-Jim

On 2/18/14, 6:54 AM, "Fabio Moreira" <[email protected]> wrote:

Hi,

I have built a MyProxy CA v5.9 server with authentication integrated with an Active Directory Server through PAM/LDAP to perform the authentication of our grid environment. Although the certificate is issued, this authentication has been very slow, with many timeouts before issuing the certificate. For instance:

    Feb 18 09:26:39 globus myproxy-server[18245]: Connection from 10.0.0.1
    Feb 18 09:26:39 globus myproxy-server[18245]: Authenticated client <anonymous>
    Feb 18 09:26:42 globus myproxy-server[18245]: Received GET request for username fabio
    Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
    Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
    Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
    Feb 18 09:27:22 globus myproxy-server[18245]: PAM authentication succeeded for fabio
    Feb 18 09:27:22 globus myproxy-server[18245]: Got a cert request for user "fabio", with pubkey hash "0x87696e4", and lifetime "43200"
    Feb 18 09:27:22 globus myproxy-server[18245]: Issued certificate for user "fabio", with DN "/O=Grid/OU=Globus/OU=simpleCA-globus.mydomain.com/OU=local/GN=fabio/CN=FABIO MOREIRA DE SOUZA", lifetime "43200", and serial number "0x22"
    Feb 18 09:27:22 globus myproxy-server[18245]: Client <anonymous> disconnected

The server is a CentOS 6.5 with PAM configured in the file /etc/pam_ldap.conf as follows:

    host ldapcluster.mydomain.com
    ldap_version 3
    base dc=mydomain,dc=com
    binddn CN=admin,OU=service account,OU=IT,DC=mydomain,DC=com
    bindpw mypass
    pam_filter objectclass=User
    pam_login_attribute sAMAccountName
    ssl no

and the openldap settings in the file /etc/openldap/ldap.conf:

    TLS_REQCERT allow
    TLS_CHECKPEER no

The configurations from /etc/myproxy-server.config are:

    pam "sufficient"
    sasl "sufficient"
    certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
    certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
    certificate_issuer_key_passphrase "mypass"
    certificate_serialfile /home/globus/.globus/simpleCA/serial
    certificate_out_dir /home/globus/.globus/simpleCA/newcerts
    certificate_mapfile /etc/grid-security/grid-mapfile
    cert_dir /etc/grid-security/certificates
    pam_id "myproxy"
    certificate_mapapp /usr/local/sbin/myproxy-mapapp-ldap

and the file /etc/pam.d/myproxy:

    auth required pam_ldap.so
    account required pam_ldap.so

I'd like to ask for some help because sometimes this delay reaches more than 2 minutes.

Best Regards,
Fabio Souza
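
Added example, not part of the original thread and not MyProxy code: a small parser that measures, per myproxy-server process, the time between "Received GET request" and "PAM authentication succeeded" and counts pam_ldap timeouts, so slow PAM/LDAP sessions can be found in syslog. The function names, the 5-second threshold, the default year (syslog timestamps carry none) and the second "alice" session are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: log lines from the message above (certificate lines
# omitted) plus one invented fast session (pid 18300) for contrast.
SAMPLE_LOG = """\
Feb 18 09:26:39 globus myproxy-server[18245]: Connection from 10.0.0.1
Feb 18 09:26:42 globus myproxy-server[18245]: Received GET request for username fabio
Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
Feb 18 09:27:22 globus myproxy-server[18245]: PAM authentication succeeded for fabio
Feb 18 09:30:00 globus myproxy-server[18300]: Received GET request for username alice
Feb 18 09:30:01 globus myproxy-server[18300]: PAM authentication succeeded for alice
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ myproxy-server\[(\d+)\]: (.*)$")

def pam_latency(log_text, year=2014):
    """Return {pid: {user, start, timeouts, pam_seconds}} for each session."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a myproxy-server syslog line
        stamp, pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(
            pid, {"user": None, "start": None, "timeouts": 0, "pam_seconds": None})
        if msg.startswith("Received GET request for username "):
            s["user"], s["start"] = msg.rsplit(" ", 1)[1], ts
        elif msg.startswith("pam_ldap: ldap_result Timed out"):
            s["timeouts"] += 1
        elif msg.startswith("PAM authentication succeeded for ") and s["start"]:
            s["pam_seconds"] = (ts - s["start"]).total_seconds()
    return sessions

def slow_sessions(sessions, threshold=5.0):
    """List (pid, user, seconds, timeouts) for sessions at or above threshold."""
    return [(pid, s["user"], s["pam_seconds"], s["timeouts"])
            for pid, s in sessions.items()
            if s["pam_seconds"] is not None and s["pam_seconds"] >= threshold]

if __name__ == "__main__":
    for row in slow_sessions(pam_latency(SAMPLE_LOG)):
        print("pid=%s user=%s pam_seconds=%.0f ldap_timeouts=%d" % row)
```
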
