Hi Jim,

Thanks for the tip. I ran the test and I'm still facing slow authentication. I intend to change the way I'm doing the authentication. Since I just need to check the user and his password, I will try to use PAM with Kerberos through pam_krb5. Later I'll send the results.

Best Regards.

On Tue, Feb 18, 2014 at 11:12 AM, Basney, Jim <[email protected]> wrote:
> Hello Fabio,
>
> Please try the following command as root on your MyProxy CA server:
>
> pamtester myproxy fabio authenticate
>
> You may need to first do 'yum install pamtester'.
>
> This will determine if the problem is due to myproxy-server or pam_ldap.
> If you experience slow authentication and timeouts with pamtester, the
> problem is with the pam_ldap configuration or the Active Directory server.
>
> -Jim
>
> On 2/18/14, 6:54 AM, "Fabio Moreira" <[email protected]> wrote:
>
> Hi,
>
> I have built a MyProxy CA v5.9 server with authentication integrated with
> an Active Directory Server through PAM/LDAP to do the authentication of
> our grid environment. Although the certificate is issued, this
> authentication has been very slow with many timeouts before issuing the
> certificate. For instance:
>
> Feb 18 09:26:39 globus myproxy-server[18245]: Connection from 10.0.0.1
> Feb 18 09:26:39 globus myproxy-server[18245]: Authenticated client <anonymous>
> Feb 18 09:26:42 globus myproxy-server[18245]: Received GET request for username fabio
> Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
> Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
> Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
> Feb 18 09:27:22 globus myproxy-server[18245]: PAM authentication succeeded for fabio
> Feb 18 09:27:22 globus myproxy-server[18245]: Got a cert request for user "fabio", with pubkey hash "0x87696e4", and lifetime "43200"
> Feb 18 09:27:22 globus myproxy-server[18245]: Issued certificate for user "fabio", with DN "/O=Grid/OU=Globus/OU=simpleCA-globus.mydomain.com/OU=local/GN=fabio/CN=FABIO MOREIRA DE SOUZA", lifetime "43200", and serial number "0x22"
> Feb 18 09:27:22 globus myproxy-server[18245]: Client <anonymous> disconnected
>
> The server is CentOS 6.5 with PAM configured in the file
> /etc/pam_ldap.conf as follows:
>
> host ldapcluster.mydomain.com
> ldap_version 3
> base dc=mydomain,dc=com
> binddn CN=admin,OU=service account,OU=IT,DC=mydomain,DC=com
> bindpw mypass
> pam_filter objectclass=User
> pam_login_attribute sAMAccountName
> ssl no
>
> and the openldap settings in the file /etc/openldap/ldap.conf:
>
> TLS_REQCERT allow
> TLS_CHECKPEER no
>
> The configurations from /etc/myproxy-server.config are:
>
> pam "sufficient"
> sasl "sufficient"
> certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
> certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
> certificate_issuer_key_passphrase "mypass"
> certificate_serialfile /home/globus/.globus/simpleCA/serial
> certificate_out_dir /home/globus/.globus/simpleCA/newcerts
> certificate_mapfile /etc/grid-security/grid-mapfile
> cert_dir /etc/grid-security/certificates
> pam_id "myproxy"
> certificate_mapapp /usr/local/sbin/myproxy-mapapp-ldap
>
> and the file /etc/pam.d/myproxy:
>
> auth required pam_ldap.so
> account required pam_ldap.so
>
> I'd like to ask for some help because sometimes this delay reaches more than
> 2 minutes.
>
> Best Regards,
>
> Fabio Souza

--
Fábio MS
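
To put a number on the delay reported in this thread, the following added example (not part of the original messages and not MyProxy code) measures, per myproxy-server process, the time between the GET request and the PAM success line and counts the pam_ldap timeouts in between. The log excerpt is copied from the message above with mail-wrapped lines rejoined; the function name `pam_delays` and the default year are assumptions, and only the message strings visible in that log are matched.

```python
import re
from datetime import datetime

# Excerpt of the syslog lines quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
Feb 18 09:26:39 globus myproxy-server[18245]: Connection from 10.0.0.1
Feb 18 09:26:39 globus myproxy-server[18245]: Authenticated client <anonymous>
Feb 18 09:26:42 globus myproxy-server[18245]: Received GET request for username fabio
Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
Feb 18 09:27:22 globus myproxy-server[18245]: PAM authentication succeeded for fabio
Feb 18 09:27:22 globus myproxy-server[18245]: Client <anonymous> disconnected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"myproxy-server\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def pam_delays(log_text, year=2014):
    """Return one record per successful PAM authentication.

    Syslog timestamps carry no year, so one is supplied (assumption: 2014,
    the date of the thread). Requests are tracked per server PID because
    each connection in the quoted log is handled by one process.
    """
    pending = {}   # pid -> [username, request time, timeout count]
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a myproxy-server line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("Received GET request for username "):
            pending[pid] = [msg.rsplit(" ", 1)[1], ts, 0]
        elif pid in pending and msg == "pam_ldap: ldap_result Timed out":
            pending[pid][2] += 1
        elif pid in pending and msg.startswith("PAM authentication succeeded for "):
            user, start, timeouts = pending.pop(pid)
            results.append({"user": user,
                            "seconds": int((ts - start).total_seconds()),
                            "ldap_timeouts": timeouts})
    return results

if __name__ == "__main__":
    for record in pam_delays(SAMPLE_LOG):
        print(record)
```

Running the same function over the log captured during a pamtester run and during a normal myproxy-logon makes the comparison Jim suggests measurable instead of anecdotal.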
