[389-users] FYI and OT: PAM Weirdness

[Gerrard Geldenhuis]

Hi
I have seen an interesting problem which I thought would be useful for anyone on the list to know. I ran into it ones to many so sharing my solutions to spare others the suffering. :D

If you have certificates in /etc/pki/tls/certs on a CentOS 5.5 box and one of the certificates has root:root 600 permissions it will break LDAP login if you use certificates.

What happens is that as the client libs try to find the correct certificate it cycles through all of the certificates (as shown by strace) finds the correct certificates but also find an unreadable certificate and then refuses to connect to the LDAP server for some tasks.  You can login but you will see something like the following:

Last login: Wed Feb  9 09:56:32 2011 from 10.5.11.44
id: cannot find name for user ID xxxx
id: cannot find name for group ID xxxx
id: cannot find name for user ID xxxx
[I have no name!@testbox ~]$

You will also see the following in /var/log/messages
Feb  9 09:53:01 testserver nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Feb  9 09:53:02 testserver nscd: nss_ldap: could not search LDAP server - Server is unavailable


Arguably the file permissions should never be 600, but also arguable the PAM and or other libs should not be so sensitive to fail on only one file being wrong.

Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________