Hi Jim,

We decided to use the Global Catalog to search for the user and validate their password. We got this idea after reading the link below:

http://technet.microsoft.com/en-us/library/cc978012.aspx

Now the authentication is taking less than 1 second.

Best Regards.

On Wed, Feb 19, 2014 at 7:56 AM, Fabio Moreira <[email protected]> wrote:

> Hi Jim,
>
> Thanks for the tip. I made the test and I am still facing slow
> authentication. I intend to change the way I'm doing the authentication.
> Since I just need to check the user and his password, I will try to use PAM
> with Kerberos through pam_krb5. Later I'll send the results.
>
> Best Regards.
>
> On Tue, Feb 18, 2014 at 11:12 AM, Basney, Jim <[email protected]> wrote:
>
>> Hello Fabio,
>>
>> Please try the following command as root on your MyProxy CA server:
>>
>> pamtester myproxy fabio authenticate
>>
>> You may need to first do 'yum install pamtester'.
>>
>> This will determine if the problem is due to myproxy-server or
>> pam_ldap. If you experience slow authentication and timeouts with
>> pamtester, the problem is with the pam_ldap configuration or the Active
>> Directory server.
>>
>> -Jim
>>
>> On 2/18/14, 6:54 AM, "Fabio Moreira" <[email protected]> wrote:
>>
>> Hi,
>>
>> I have built a MyProxy CA v5.9 server with authentication integrated with
>> an Active Directory Server through PAM/LDAP to perform the authentication of
>> our grid environment. Although the certificate is issued, this
>> authentication has been very slow, with many timeouts before issuing the
>> certificate. For instance:
>>
>> Feb 18 09:26:39 globus myproxy-server[18245]: Connection from 10.0.0.1
>> Feb 18 09:26:39 globus myproxy-server[18245]: Authenticated client <anonymous>
>> Feb 18 09:26:42 globus myproxy-server[18245]: Received GET request for username fabio
>> Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
>> Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
>> Feb 18 09:27:02 globus myproxy-server[18245]: pam_ldap: ldap_result Timed out
>> Feb 18 09:27:22 globus myproxy-server[18245]: PAM authentication succeeded for fabio
>> Feb 18 09:27:22 globus myproxy-server[18245]: Got a cert request for user "fabio", with pubkey hash "0x87696e4", and lifetime "43200"
>> Feb 18 09:27:22 globus myproxy-server[18245]: Issued certificate for user "fabio", with DN "/O=Grid/OU=Globus/OU=simpleCA-globus.mydomain.com/OU=local/GN=fabio/CN=FABIO MOREIRA DE SOUZA", lifetime "43200", and serial number "0x22"
>> Feb 18 09:27:22 globus myproxy-server[18245]: Client <anonymous> disconnected
>>
>> The server is CentOS 6.5 with PAM configured in the file
>> /etc/pam_ldap.conf as follows:
>>
>> host ldapcluster.mydomain.com
>> ldap_version 3
>> base dc=mydomain,dc=com
>> binddn CN=admin,OU=service account,OU=IT,DC=mydomain,DC=com
>> bindpw mypass
>> pam_filter objectclass=User
>> pam_login_attribute sAMAccountName
>> ssl no
>>
>> and the openldap settings in the file /etc/openldap/ldap.conf:
>>
>> TLS_REQCERT allow
>> TLS_CHECKPEER no
>>
>> The configurations from /etc/myproxy-server.config are:
>>
>> pam "sufficient"
>> sasl "sufficient"
>> certificate_issuer_cert /home/globus/.globus/simpleCA/cacert.pem
>> certificate_issuer_key /home/globus/.globus/simpleCA/private/cakey.pem
>> certificate_issuer_key_passphrase "mypass"
>> certificate_serialfile /home/globus/.globus/simpleCA/serial
>> certificate_out_dir /home/globus/.globus/simpleCA/newcerts
>> certificate_mapfile /etc/grid-security/grid-mapfile
>> cert_dir /etc/grid-security/certificates
>> pam_id "myproxy"
>> certificate_mapapp /usr/local/sbin/myproxy-mapapp-ldap
>>
>> and the file /etc/pam.d/myproxy:
>>
>> auth required pam_ldap.so
>> account required pam_ldap.so
>>
>> I'd like to ask for some help because sometimes this delay reaches more
>> than 2 minutes.
>>
>> Best Regards,
>>
>> Fabio Souza
>
> --
> Fábio MS

--
Fábio MS
