Troubleshooting
Problem
Local users are able to log in to TDWC or to the TWS engine via JSC or TDWC Engine. LDAP users are able to log in to a terminal session, but LDAP users cannot log in to TDWC, nor can they connect to a TWS Engine.
Symptom
LDAP user login attempts fail even with /etc/pam.d/login copied to /etc/pam.d/checkpassword. The SystemOut.log for the embedded WebSphere Application Server (eWAS) contains the following error message:
LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is Pam Authentication failed for user: <ldapuser>
Environment
Linux OS
The recommended settings are in place in /etc/pam.d files.
Resolving The Problem
Instructions documented in this technote say to confirm that /etc/pam.d/other has the following entries:
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
The TWS WebSphere application server will use the PAM service name "checkpassword" if a file of that name is present in /etc/pam.d; otherwise the service name "other" will be used.
If the settings in the /etc/pam.d/checkpassword file conform to the instructions to include auth, account, password, and session from system-auth, and TWS or Tivoli Dynamic Workload Console (TDWC) logins still fail, then there may be an issue with system-auth. If system-auth is using pam_deny.so, then this may be the cause of the login failures.
NOTE: If LDAP user logins to a terminal shell are functional, then it is likely that system-auth should not be modified.
It is possible to copy /etc/pam.d/system-auth to /etc/pam.d/checkpassword and make the desired custom settings directly in the checkpassword file. In this case the settings from system-auth will not be inherited by checkpassword, and the pam_deny.so entries can be removed without impacting the functional PAM services that use system-auth.
This is a sample /etc/pam.d/checkpassword that was copied from /etc/pam.d/system-auth with pam_deny.so lines disabled:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=6 unlock_time=1800 onerr=fail
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
#auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
#password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
The above file resulted in successful logins as an LDAP user to a TDWC server configured to use the Custom user registry.
Product Synonym
Maestro;TWS;TWA;eWAS
Document Information
Modified date:
17 June 2018
UID
swg21451201