PAM on OML 9.21 on RHEL 7.2

Hello,
I am in the process of enabling LDAP for my Java GUI only on my new OML 9.21 (RHEL 7.2). I have this same setup in my old OML (9.11, RHEL 5), yet I continue to get access denied errors.

Has anyone successfully gotten the Java UI to authenticate with LDAP on OML 9.21 using PAM?

Commands run

ovconfchg -ovrg server -ns opc.itoUnbuffer -set OPC_USE_PAM_AUTH FALSE
ovconfchg -ovrg server -ns opc.itomessage -set OPC_USE_PAM_AUTH FALSE
ovconfchg -ovrg server -ns opc.opcuiwww -set OPC_USE_PAM_AUTH TRUE
ovconfchg -ovrg server -ns opc.opcuiwww.ldap -set OPC_USE_PAM_AUTH TRUE
ovconfchg -ovrg server -ns opc -set OPC_USE_PAM_AUTH TRUE
ovconfchg -ovrg server -ns opc -set OPCUIWWW_NO_LDAP FALSE


/var/opt/OV/log/opcuiwww.sh.log

0: INF: Mon Feb 06 15:58:53 2017: /opt/OV/bin/OpC/opcuiwww.sh called (pid=43191)
0: INF: Mon 06 Feb 2017 03:58:53 PM MST: /opt/OV/bin/OpC/opcuiwww.sh called (pid=43191)
Mon Feb 06 15:58:53 2017: OVO server processes up and running - starting opcuiwww
Using LANG=en_US.UTF-8
0: INF: Mon Feb 06 15:58:53 2017: Using /opt/OV/bin/OpC/opcuiwww.ldap
0: INF: Mon Feb 06 15:58:53 2017: opcuiwww exited with ret=0
0: INF: Mon Feb 06 15:58:56 2017: /opt/OV/bin/OpC/opcuiwww.sh called (pid=44889)
0: INF: Mon 06 Feb 2017 03:58:56 PM MST: /opt/OV/bin/OpC/opcuiwww.sh called (pid=44889)
Mon Feb 06 15:58:56 2017: OVO server processes up and running - starting opcuiwww
Using LANG=en_US.UTF-8


System.txt contains
0: INF: Mon Feb 6 15:57:39 2017: opcuiwww.ldap (23424/140065623627520): [pamauth.c:491]: Authentication failed for user 'username' using PAM service 'ovo'. (OpC140-504)

/etc/pam.d/ovo contains
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_deny.so
account required pam_permit.so

/etc/pam_ldap.conf contains the following, which works on my old OML server (where the file was /etc/ldap.conf on RHEL 5):
uri ldap://x.x.x/
base DC=FAKEDC,DC=sbc,DC=com
binddn CN=user,OU=Users,OU=correctOU,OU=Desktop,DC=FAKEDC,DC=sbc,DC=com
bindpw ########################
REFERRALS off
scope sub
pam_login_attribute sAMAccountName
pam_password ad
nss_map_attribute uid sAMAccountName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute uniqueMember memberOf
sasl_secprops maxssf=0
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
bind_timelimit 120
timelimit 120
idle_timelimit 3600
ssl no
TLS_CACERTDIR /etc/openldap/cacerts

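A set of shell checks for the stack posted above, added here as an example; it is not taken from the post, from OML or from Micro Focus. It parses a /etc/pam.d service file and a pam_ldap.conf written the way the posted ones are, and flags two points a defender would want to know about this configuration: an account phase consisting of pam_permit.so alone never asks the directory whether the account is disabled, locked or expired, and `ssl no` together with `sasl_secprops maxssf=0` means the bind password and every user's password cross the network in clear text. It also lists modules referenced in the service file that are missing from the module directory, and on a live host wraps `rpm -qf` (to see which package provides pam_ldap.so, and therefore which config file that module actually reads) and `pamtester`, so the 'ovo' service can be exercised without the Java GUI. The file paths, the module directory /lib64/security and the availability of pamtester (EPEL on RHEL 7) are assumptions.

```shell
#!/bin/sh
# Added diagnostic helpers for the PAM service 'ovo' that opcuiwww.ldap
# authenticates against (example code, not part of OML or the original post).
# Assumptions: RHEL 7 keeps PAM modules in /lib64/security and pamtester is
# installed from EPEL; override the variables below for other layouts.

PAM_SERVICE_FILE="${PAM_SERVICE_FILE:-/etc/pam.d/ovo}"
PAM_LDAP_CONF="${PAM_LDAP_CONF:-/etc/pam_ldap.conf}"
PAM_MODULE_DIR="${PAM_MODULE_DIR:-/lib64/security}"

# Drop comments and blank lines so '#%PAM-1.0' and a '####' redacted
# password never reach the checks below.
pam_strip() {   # $1 = file
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Print "control module" for one management group (auth, account, ...) in
# stack order. Bracketed controls such as [success=1 default=ignore] are not
# parsed; the file on this page only uses simple keywords.
pam_stack_modules() {   # $1 = file, $2 = group
    pam_strip "$1" | awk -v g="$2" '$1 == g { print $2 " " $3 }'
}

# True when the account phase is pam_permit.so alone: the stack then never
# asks the directory whether the user is disabled, locked or expired, so a
# valid password is the only thing that gets checked.
pam_account_is_permit_only() {   # $1 = file
    mods=$(pam_stack_modules "$1" account | awk '{ print $2 }' | sort -u)
    [ "$mods" = "pam_permit.so" ]
}

# True when the LDAP client config sends the bind password and each user's
# password in clear text: no 'ssl on|yes|start_tls' and no ldaps:// URI.
ldap_conf_is_cleartext() {   # $1 = file
    if pam_strip "$1" | grep -Eiq '^ssl[[:space:]]+(on|yes|start_tls)'; then
        return 1
    fi
    if pam_strip "$1" | grep -Eiq '^uri[[:space:]]+ldaps://'; then
        return 1
    fi
    return 0
}

# List referenced modules that are absent from the module directory; libpam
# logs the dlopen failure for such a rule rather than the application doing so.
pam_missing_modules() {   # $1 = file, $2 = module dir
    pam_strip "$1" | awk '{ print $3 }' | sort -u | while read -r m; do
        [ -f "$2/$m" ] || echo "$m"
    done
}

# Live checks below need the real host and are not exercised by the tests.

# The package that owns pam_ldap.so decides which config file the module
# reads, so print the owner before trusting /etc/pam_ldap.conf.
pam_ldap_provider() {
    rpm -qf "$PAM_MODULE_DIR/pam_ldap.so"
}

# Exercise the 'ovo' stack the way opcuiwww.ldap would, without the GUI.
pam_try_login() {   # $1 = user
    command -v pamtester >/dev/null 2>&1 || { echo "pamtester not installed" >&2; return 2; }
    pamtester ovo "$1" authenticate acct_mgmt
}

pam_report() {
    echo "auth stack:";    pam_stack_modules "$PAM_SERVICE_FILE" auth
    echo "account stack:"; pam_stack_modules "$PAM_SERVICE_FILE" account
    pam_account_is_permit_only "$PAM_SERVICE_FILE" && echo "WARN: account phase is pam_permit.so only"
    ldap_conf_is_cleartext "$PAM_LDAP_CONF" && echo "WARN: $PAM_LDAP_CONF sends credentials without TLS"
    missing=$(pam_missing_modules "$PAM_SERVICE_FILE" "$PAM_MODULE_DIR")
    [ -z "$missing" ] || echo "WARN: modules missing from $PAM_MODULE_DIR: $missing"
    echo "pam_ldap.so owner: $(pam_ldap_provider 2>&1)"
}

# Usage: sh pamcheck.sh report    (or: . ./pamcheck.sh; pam_try_login someuser)
if [ "${1:-}" = report ]; then pam_report; fi
```

Run `sh pamcheck.sh report` on the OML server, or source the file and call `pam_try_login <user>` with a test account. The OpC140-504 line in System.txt only says that the PAM service returned a failure; the module's own reason (bind refused, user not found, TLS problem) goes to syslog, so check /var/log/secure and /var/log/messages alongside it.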

There's a hotfix to get this to work with 9.21. Check with support to get this.
