SSH connection when LDAP is down
Jan ' Kozo ' Vajda
Jan.Vajda at somi.sk
Friday November 28 13:22:06 CET 2008
> You also have to set up PAM so that just being a local user is enough
> (in the file /etc/pam.d/system-auth, it is the second line)
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_localuser.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
well, this did not help ..
with LDAP turned off (that is, not running at all), "someone" still tries
to connect to LDAP when I attempt to connect over SSH
Nov 28 14:22:30 server sshd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Nov 28 14:22:30 server sshd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
the current contents of pam.d/sshd are as follows:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
>> - doesn't anyone mind the LDAP start taking a few minutes on RHEL-based distros?
>
> Yeah, it bothered me for quite a long time before I figured out how to get rid of it.
> I don't remember exactly, but something from these lines
> in /etc/ldap.conf helped (I think it will mainly be the last one)
>
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap
I am still going to try this ....
--
Ing. Jan Vajda
SOMI systems a.s.
CSA 25
974 01 Banska Bystrica
phone: +421 48 4146 759
fax: +421 48 4146 760
e-mail: Jan.Vajda at somi.sk
URL: http://www.somi.sk/
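
The /etc/ldap.conf values quoted in the reply and the nss_ldap log lines in the post, turned into a small check. This is an added example, not part of the original message or of nss_ldap; the function names, the last-occurrence rule and the log path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.

# Print the value of directive $2 in nss_ldap config file $1 (empty if unset).
# Assumption: when a directive is repeated, the last occurrence is reported.
ldap_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == key  { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END        { print val }' "$1"
}

# Compare file $1 with the four values quoted in the reply. Prints one line
# per directive and returns 1 if any of them differs or is unset.
check_nss_ldap_conf() {
    rc=0
    while read -r key want; do
        have=$(ldap_conf_get "$1" "$key")
        if [ "$have" = "$want" ]; then
            echo "ok      $key $have"
        else
            echo "differs $key: have '${have:-unset}', reply has '$want'"
            rc=1
        fi
    done <<'EOF'
timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap
EOF
    return "$rc"
}

# Sum the seconds nss_ldap reported sleeping, reading syslog lines on stdin.
# Accepts the message on one line or wrapped onto the next, as in the post.
nss_ldap_sleep_total() {
    awk '
        /nss_ldap: reconnecting to LDAP server/ { pending = 1 }
        pending && match($0, /sleeping [0-9]+ seconds/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            total += f[2]; pending = 0
        }
        END { print total + 0 }'
}

# Usage: sh check.sh /etc/ldap.conf < /var/log/secure  (log path is an assumption)
if [ $# -ge 1 ]; then
    check_nss_ldap_conf "$1"
    nss_ldap_sleep_total
fi
```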