Sunday, February 27, 2022

[SOLVED] Pam authentication, try first local user and then LDAP

Issue

I set up a pam authentication thowards Oracle Unified Directory on RH5 using the nslcd deamon.

I would like the authentication to first try for local users and then if no users found try to contact the LDAP. So I edited the /etc/nsswitch.conf in this way:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

But it seems this is not working since if the LDAP server is down, I'm not able to login to the server.

Am I missing something?

EDIT:

This is my PAM /etc/pam.d/system-auth (I'm not using sssd, only nslcd).

#%PAM-1.0
# This file is auto-generated.
auth      required      pam_env.so
auth      sufficient    pam_unix.so nullok
auth      sufficient    pam_ldap.so  use_first_pass ignore_authinfo_unavail
auth      required      pam_deny.so

account   required      pam_unix.so broken_shadow
account   required      pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account   required      pam_permit.so

password  requisite     pam_cracklib.so try_first_pass retry=3
password  sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password  required     pam_ldap.so try_first_pass ignore_unknown_user ignore_authinfo_unavail
password  required     pam_deny.so

session   optional      pam_keyinit.so revoke
session   required      pam_limits.so
session   optional      pam_mkhomedir.so skel=/etc/skel umask=077
session   [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session   required      pam_unix.so
session   optional      pam_ldap.so   ignore_authinfo_unavail

I set the system-auth at debug and this is the result:

Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<dns_1>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<dns_2>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<ip_1>:3389: Can't contact LDAP server
Dec 20 17:46:38 <hostname> nscd: nss_ldap: failed to bind to LDAP server ldap://<ip_2>:3389: Can't contact LDAP server

Solution

I've found out the problem.

The resolution is to change this line in the /etc/pam.d/systhem-auth-ac:

account   required      pam_unix.so broken_shadow

into this:

account   sufficient      pam_unix.so broken_shadow

Be sure to change the same directive in the /etc/pam.d/password-auth-ac if you have that file too. Now the whitelisting through nss_initgroups_ignoreusers should work fine.

EDIT (some years later): the problem on this was that since the pam authentication works in cascade, there is no reason to go ahead in the account service if you already have a local account. So the first line (pam_unix.so) is enough for an authentication. Previously the stack kept check also the pam_ldap.so because all three lines were required to login, and if the ldap service is down or unreachable, the authentication stack breaks.



Answered By - LucaP
Answer Checked By - Robin (WPSolving Admin)