Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 159610 - default pam setting for pam_ldap by authconfig disallows local user login if the ldap server is down
Summary: default pam setting for pam_ldap by authconfig disallows local user login if ...
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: authconfig
Version: 3.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2005-06-05 23:40 UTC by Umasankar
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-06-06 07:17:19 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Umasankar 2005-06-05 23:40:13 UTC
Description of problem:

When you use authconfig to configure a RHEL (3) system to use pam_ldap for 
authentication, the default control flag for pam_ldap in the account section 
of PAM in the system-auth (/etc/pam.d/system-auth) looks as below:

account     required     /lib/security/$ISA/
account     [default=bad success=ok user_unknown=ignore service_err=ignore 
system_err=ignore] /lib/security/$ISA/

With the LDAP server going down, if a local system user, say, root tries to 
login, the login fails due to the following reasons.

1. The root user is authenticated against the system's local auth info stored 
in /etc/passwd.
2. The root user account is authorized by the module in the 
account section of PAM.
3. The authorization by succeeds. As the control flag for this 
accounting module is 'required', PAM queries the next module that is, 
4. As the LDAP server is down, the authorization by the ldap server fails.
5. The control flag for pam_ldap has 'default=bad' set. So, the overall result 
of the authorization module is failure.
6. Therefore, the local user root cannot login to the system even though the 
local user info is not stored in LDAP.

The simple work around for this problem is to set default=ignore and add 
perm_denied=bad to the control flag of the pam_ldap module in the account 
section in the PAM config file.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. use authconfig to configure authentication against a LDAP server.
2. Bring down the LDAP server
3. Login as root through ssh to the system.
Actual results:
root user couldn't login even though the root account info is stored 
in /etc/passwd and /etc/shadow and not in LDAP.

Expected results:

Local users (non-LDAP users) on the system should be able to login 
irrespective of the LDAP server going down. 
Additional info:
The user often gets confused about why the login fails as there is no explicit 
information in the log files.

Comment 1 Tomas Mraz 2005-06-06 07:17:19 UTC
This cannot be changed as you propose for security reasons. However the updated
authconfig in RHEL3 U5 allows you to add the pam_localuser module before
pam_ldap which will have almost the same effect.

Use 'authconfig --enablelocauthorize --kickstart' to add it.

Note You need to log in before you can comment on or make changes to this bug.