Problem logging in on LDAP enabled systems after 4.6 update

zlonew
Posts: 8
Joined: 2006/11/02 13:31:32
Location: Roma, Italy

Problem logging in on LDAP enabled systems after 4.6 update

Post by zlonew » 2008/04/21 09:46:17

Hello, about ten days ago I updated my servers from CentOS 4.5 to CentOS 4.6, and I discovered a big issue on two of them.

The first system runs an LDAP server intended as a single signon repository for unix, web and samba users, the second one uses authentication service from the first one.

Both systems were configured quite similarly:
/etc/sysconfig/authconfig:
USECRACKLIB=yes
USEDB=no
USEHESIOD=no
USELDAP=yes
USENIS=no
USEPASSWDQC=no
USEWINBIND=no
USEKERBEROS=no
USELDAPAUTH=yes
USEMD5=yes
USESHADOW=yes
USESMBAUTH=no
USEWINBINDAUTH=no
USELOCAUTHORIZE=no

/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files

These configuration files were those automatically created by the authconfig system procedure, with the following choices:
User Information
[ ] Cache Information
[ ] Use Hesiod
[*] Use LDAP
[ ] Use NIS
[ ] Use Winbind

Authentication
[*] Use MD5 Passwords
[*] Use Shadow Passwords
[*] Use LDAP Authentication
[ ] Use Kerberos
[ ] Use SMB Authentication
[ ] Use Winbind Authentication
[ ] Local authorization is sufficient

Before the update, all worked well. After the upgrade, the backup procedures I wrote stopped working.

I discovered that if the single signon LDAP server of the first system was down or unreachable, I could not log in to either of them anymore, whichever account I used - even root, which is of course present in both local user databases (/etc/passwd).
This was the cause of the backup procedures problems, too.

I tried to rerun authconfig on the second system to activate local authorization:
[*] Local authorization is sufficient

but this ended in a disaster: if the single signon LDAP server was made unavailable (let's say by disconnecting the network cable) the system quickly became unusable: no local login, messages of INIT (1) spawning too fast, and many services failed to start on reboot... :-o

I did some research, and found that the [url=http://www.centos.org/modules/newbb/viewtopic.php?topic_id=9832&forum=41&post_id=31704#forumpost31704]suggestion posted by mamos[/url] on the CentOS 5 forum seems to work for my 4.6 ones - that is to say that the second server now allows logins for local users and reboots fine even if the network cable is disconnected, i.e., the single signon LDAP server is unreachable.

The final confirmation will be a successful backup, but even if the mamos patch works, I am not satisfied: it seems to me that libnss, pam or something else could have some configuration or code bug that prevents them from complying with what is required by nsswitch.conf (local authentication first, and LDAP single signon if the local one is unsuccessful).

Can anybody tell me what is the cause of this wrong behaviour, and if there is a more "standard" solution to make the CentOS 4.6 LDAP authentication work like the old 4.5 one?

Thanks in advance

zlonew
Posts: 8
Joined: 2006/11/02 13:31:32
Location: Roma, Italy

Re: Problem logging in on LDAP enabled systems after 4.6 update

Post by zlonew » 2008/04/23 15:26:46

[quote]
zlonew wrote:

The final confirmation will be a successful backup[/quote]

I launched the backup last night; it did not work.

I un-patched the /etc/nsswitch.conf file, and modified the bind_policy parameter in /etc/ldap.conf:
bind_policy soft

This way I can log in (after waiting some seconds) even if the LDAP server is unreachable; the next backup job is scheduled at midnight, let's see what happens.

gama_blind
Posts: 2
Joined: 2008/08/08 18:42:17

Re: Problem logging in on LDAP enabled systems after 4.6 update

Post by gama_blind » 2008/08/08 18:56:53

Does anybody have a functional nsswitch.conf without patching the bind policy?


:-o

Here is mine; I use Samba LDAP as PDC.
[code]
passwd: files [!NOTFOUND=return] ldap
shadow: files [!NOTFOUND=return] ldap
group: files [!NOTFOUND=return] ldap

hosts: files dns
bootparams: nisplus files

services: files [!NOTFOUND=return] ldap
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files

publickey: nisplus
automount: files
aliases: files nisplus
[/code]


If we don't have the right settings in this file, we are going to have some problems at boot like:
[code]
nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
[/code]


Regards
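The two settings this thread converges on (files listed before ldap for passwd/shadow/group in nsswitch.conf, and bind_policy soft in ldap.conf) can be audited on a host before the directory server is ever unreachable. The script below is an added example, not code from the thread or from CentOS; it assumes the canonical "database: source source" layout that authconfig writes and takes both file paths as arguments so it can run against copies.

```sh
#!/bin/sh
# Added example (not from the thread): audit nsswitch.conf and ldap.conf for
# settings that let a host lose local logins when its LDAP server is down.
# Assumes the "name: source source" layout authconfig writes.

# Return 0 if every passwd/shadow/group line lists "files" before "ldap", so
# local accounts such as root resolve without consulting the directory.
nsswitch_files_first() {
    awk '/^[ \t]*(passwd|shadow|group)[ \t]*:/ {
             sub(/^[^:]*:/, "")          # drop the database name
             seen_files = 0
             for (i = 1; i <= NF; i++) {
                 if ($i == "files") seen_files = 1
                 if ($i == "ldap" && !seen_files) bad = 1
             }
         }
         END { exit (bad ? 1 : 0) }' "$1"
}

# Return 0 if ldap.conf sets "bind_policy soft". nss_ldap's default, "hard",
# keeps reconnecting to an unreachable server and stalls the lookup.
ldap_bind_policy_soft() {
    grep -Eiq '^[[:space:]]*bind_policy[[:space:]]+soft([[:space:]]|$)' "$1"
}

# Run both checks, print one verdict per check, return the number of failures.
audit_ldap_login_config() {
    nss="$1"; ldap="$2"; fails=0
    if nsswitch_files_first "$nss"; then
        echo "ok:   $nss consults files before ldap for passwd/shadow/group"
    else
        echo "WARN: $nss lists ldap before files; local logins depend on LDAP"
        fails=$((fails + 1))
    fi
    if ldap_bind_policy_soft "$ldap"; then
        echo "ok:   $ldap sets bind_policy soft"
    else
        echo "WARN: $ldap lacks 'bind_policy soft'; lookups block while LDAP is down"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: sh audit.sh /etc/nsswitch.conf /etc/ldap.conf
if [ "$#" -eq 2 ]; then
    audit_ldap_login_config "$1" "$2"
fi
```

As the first post shows, correct ordering alone did not keep root logins working on the poster's hosts; the bind_policy check is the one that decides whether a lookup returns promptly while the directory is unreachable.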
