[SLE] SUSE10, LDAP and disconnected login.
Hi,

I'm using SUSE 10.0 OSS as client workstations with a central LDAP
server for authentication. LDAP authentication for the SUSE 10
workstations is configured through YaST -> Network Services -> LDAP
Client, where I select "use LDAP", enter the LDAP server address and
enter the LDAP base DN. Following this I also add

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

to the bottom of PAM configuration files login, xdm and sshd found in
/etc/pam.d. Then users who have valid LDAP credentials and the local
root superuser are able to log in to the SUSE 10 workstation. This works
fine - no problems so far.

Trouble starts when I disconnect the network. The local root superuser
cannot log in. The authentication is successful but the login session
times out after 60 seconds. I'm having trouble understanding why this
is happening because I'm having trouble understanding the SUSE design
for the login process. Specifically:

1. Why use pam_unix2.so? What are the advantages? It took me some time
to trace the config file (/etc/security/pam_unix2.conf) for this module,
when logically I expected to find all the necessary files for
configuring pam behavior under /etc/pam.d.

2. Why use the +:::::: notation in /etc/passwd for directing the system
to search for other authentication sources? What is the advantage of
this over using a "files ldap" entry in /etc/nsswitch.conf?

The login session timeout for root when the network is disconnected is
very similar to the problems I'm facing when configuring pam_ccreds for
disconnected login of LDAP users who have previously logged in
successfully. So I'm hoping that someone here could help me to
understand why the local root superuser cannot log in when the network is
disconnected on a SUSE10 workstation that has been configured through
YaST (at install time) to use LDAP as an authentication source.


Thanks,


Warren.

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@xxxxxxxx
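As an added diagnostic (not part of Warren's post or any SUSE tool), the script below reads an nsswitch.conf, a passwd file and a PAM service file and reports the settings that make a local login, root included, depend on the LDAP server. It assumes, beyond what the post states, that "compat" (which expands the "+::::::" entries) or "ldap" listed before "files" sends NSS lookups for local accounts to the server, and that a pam_ldap.so line marked required/requisite fails the stack when the server is unreachable unless it carries ignore_authinfo_unavail; the sample files are constructed to mirror the setup described above.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumptions (not on the page):
# "compat" or "ldap" ahead of "files" in nsswitch.conf sends lookups for local
# accounts to the LDAP server, and a required/requisite pam_ldap.so line fails
# the whole stack when the server is unreachable unless it carries
# ignore_authinfo_unavail.

# nss_first_source NSSWITCH DB -> first source listed for database DB
nss_first_source() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | awk '{print $1}'
}

# nss_local_first NSSWITCH DB -> 0 if local files are consulted first
nss_local_first() {
    [ "$(nss_first_source "$1" "$2")" = "files" ]
}

# compat_entries PASSWD -> number of "+" (compat) entries in the passwd file
compat_entries() {
    grep -c '^+' "$1" || true
}

# pam_ldap_blocking PAMFILE -> pam_ldap lines that fail the stack when the
# server is down: control required/requisite, no ignore_authinfo_unavail
pam_ldap_blocking() {
    grep -E '^[[:space:]]*(auth|account|password|session)[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_ldap\.so' "$1" \
        | grep -v ignore_authinfo_unavail || true
}

# Constructed sample files mirroring the post's setup (not real system files).
demo_dir=$(mktemp -d)
printf 'passwd: compat\ngroup:  compat\nshadow: compat\n' > "$demo_dir/nsswitch.conf"
printf 'root:x:0:0:root:/root:/bin/bash\n+::::::\n' > "$demo_dir/passwd"
cat > "$demo_dir/login" <<'EOF'
auth     required  pam_unix2.so
auth     required  pam_ldap.so  use_first_pass
session  required  pam_mkhomedir.so skel=/etc/skel/ umask=0022
EOF

for db in passwd group shadow; do
    nss_local_first "$demo_dir/nsswitch.conf" "$db" || echo "warn: $db lookups go to" \
        "$(nss_first_source "$demo_dir/nsswitch.conf" "$db") before local files"
done
echo "compat (+) entries in passwd: $(compat_entries "$demo_dir/compat_entries_missing" 2>/dev/null || compat_entries "$demo_dir/passwd")"
pam_ldap_blocking "$demo_dir/login" | sed 's/^/warn: fails when LDAP is down: /'
```

On a real workstation point the functions at /etc/nsswitch.conf, /etc/passwd and the files in /etc/pam.d (login, xdm, sshd) instead of the constructed samples.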
