Connecting over SSH while LDAP is down

Jan ' Kozo ' Vajda Jan.Vajda at somi.sk
Fri Nov 28 13:22:06 CET 2008


> You also have to set up PAM so that a local user alone is enough
> (in the file /etc/pam.d/system-auth, it is the second line)
> 
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_localuser.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account     required      /lib/security/$ISA/pam_permit.so

well, this did not help ..

with LDAP stopped (i.e. not running at all), whenever I try to connect over
SSH "someone" still attempts a connect to LDAP

Nov 28 14:22:30 server sshd: nss_ldap: failed to bind to LDAP server 
ldap://127.0.0.1: Can't contact LDAP server
Nov 28 14:22:30 server sshd: nss_ldap: reconnecting to LDAP server 
(sleeping 32 seconds)...

the current content of pam.d/sshd is this:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

>> - doesn't the several-minute LDAP start-up on RHEL-based distros bother anyone ?
> 
> Yes, it bothered me for quite a while before I figured out how to get rid of it.
> I don't remember exactly, but something from these lines
> in /etc/ldap.conf helped (I think it is mainly the last one)
> 
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap

I am going to try this next ....

-- 
Ing. Jan Vajda
SOMI systems a.s.
CSA 25
974 01 Banska Bystrica
phone: +421 48 4146 759
fax: +421 48 4146 760
e-mail:  Jan.Vajda at somi.sk
URL: http://www.somi.sk/
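An added example, not part of the mail above or of any of the projects it mentions: a small Python model of how Linux-PAM dispatches a module stack (the control-flag rules of pam.conf(5): required, requisite, sufficient and the explicit [value=action] form), run over the `account` section of pam.d/sshd as posted. It shows why, with pam_localuser marked sufficient and placed ahead of pam_ldap, a local user's account phase ends before pam_ldap is ever called, and why the same modules with pam_ldap moved in front of pam_localuser deny every local user as soon as the LDAP server is unreachable, while behaving identically whenever LDAP is up, which is how such a misordering goes unnoticed until an outage. The user names, UIDs and the return codes each module is modelled to give are constructed for the simulation. Note that the `sshd: nss_ldap: ...` lines in the log come from the NSS module (libnss_ldap, consulted by sshd for passwd, group and initgroups lookups), not from PAM, so no PAM ordering makes them go away; that is what the /etc/ldap.conf settings quoted in the thread (bind_policy soft, the timelimits, nss_initgroups_ignoreusers) are for.

```python
"""Model of Linux-PAM control-flag dispatch (pam_dispatch.c semantics), run
over the `account` stack from the mail.  Added example with constructed data."""

# PAM return codes used by the model (names only; values are illustrative).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
PAM_IGNORE = "PAM_IGNORE"

# The classic keywords are shorthand for [value=action] tables (pam.conf(5)).
# new_authtok_reqd (password phase only) is left out of this account-phase model.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(control):
    """'sufficient' -> table; '[default=bad success=ok user_unknown=ignore]' -> table.
    Numeric jump actions (e.g. success=2) are not modelled."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORDS[control]


def dispatch(stack, call):
    """Walk `stack` (list of (control, module)) the way Linux-PAM does.
    `call(module)` returns the module's PAM code for the current user."""
    status = PAM_PERM_DENIED      # PAM_MUST_FAIL_CODE: an empty stack denies
    impression = None             # _PAM_UNDEF; becomes "positive" or "negative"
    for control, module in stack:
        retval = call(module)
        table = parse_control(control)
        action = table.get(retval[4:].lower(), table["default"])
        if action in ("ok", "done"):
            # a success only counts while no failure has been recorded yet
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break             # sufficient: stop early, returning the success
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break             # requisite: stop immediately with the failure
        # "ignore": this module's result does not affect the outcome
    return status


# Constructed sample environment: who is in /etc/passwd and who only in LDAP.
LOCAL_USERS = {"root": 0, "kozo": 1000}
LDAP_USERS = {"ldapuser": 5000}


def make_caller(user, ldap_up):
    """Model what each module in the posted stack answers for `user`."""
    uid = LOCAL_USERS.get(user, LDAP_USERS.get(user))

    def call(module):
        if module == "pam_unix.so":
            # needs a passwd entry; NSS finds it in files, or in LDAP if reachable
            if user in LOCAL_USERS or (ldap_up and user in LDAP_USERS):
                return PAM_SUCCESS
            return PAM_USER_UNKNOWN
        if module == "pam_localuser.so":          # is the user in /etc/passwd?
            return PAM_SUCCESS if user in LOCAL_USERS else PAM_USER_UNKNOWN
        if module == "pam_succeed_if.so":         # 'uid < 100 quiet'
            return PAM_SUCCESS if uid is not None and uid < 100 else PAM_AUTH_ERR
        if module == "pam_ldap.so":
            if not ldap_up:
                return PAM_AUTHINFO_UNAVAIL       # "Can't contact LDAP server"
            return PAM_SUCCESS if user in LDAP_USERS else PAM_USER_UNKNOWN
        if module == "pam_permit.so":
            return PAM_SUCCESS
        raise ValueError("unknown module " + module)
    return call


# The account section of pam.d/sshd exactly as ordered in the mail.
SSHD_ACCOUNT = [
    ("required", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("required", "pam_permit.so"),
]

# Same modules, but pam_ldap placed before pam_localuser (a common misordering).
MISORDERED_ACCOUNT = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("required", "pam_permit.so"),
]


def account_result(stack, user, ldap_up):
    """Final status of the account phase for `user` with LDAP up or down."""
    return dispatch(stack, make_caller(user, ldap_up))


if __name__ == "__main__":
    for name, stack in (("posted", SSHD_ACCOUNT), ("misordered", MISORDERED_ACCOUNT)):
        for user in ("root", "kozo", "ldapuser"):
            for ldap_up in (True, False):
                print(f"{name:10} {user:9} ldap_up={ldap_up!s:5} -> "
                      f"{account_result(stack, user, ldap_up)}")
```

Running the block prints one line per (stack, user, LDAP state). With the posted order every local user passes whether LDAP is up or not, and the LDAP-only user is refused only while the server is down; with the misordered stack the local users are refused too as soon as pam_ldap returns an error, because a recorded failure is never overridden by a later sufficient success.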

More information about the Linux mailing list