IBM Support

LDAP user login to TDWC or TWS engine fails on Linux using Custom registry

Troubleshooting


Problem

Local users (accounts in /etc/passwd) can log in to the Tivoli Dynamic Workload Console (TDWC) and can connect to the TWS engine through the Job Scheduling Console (JSC) or the TDWC engine connection. LDAP users can log in to a terminal session on the same host, but they cannot log in to TDWC and cannot connect to a TWS engine.

Symptom

LDAP user login attempts fail even after /etc/pam.d/login has been copied to /etc/pam.d/checkpassword. The SystemOut.log of the embedded WebSphere Application Server (eWAS) contains the following error message:


LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is Pam Authentication failed for user: <ldapuser>

Environment

Linux OS

The recommended settings are in place in /etc/pam.d files.

Resolving The Problem

Instructions documented in this technote say to confirm that /etc/pam.d/other has the following entries:

auth include system-auth
account include system-auth
password include system-auth
session include system-auth


The TWS embedded WebSphere Application Server authenticates through PAM using the service name "checkpassword" if /etc/pam.d/checkpassword exists; otherwise PAM falls back to the service name "other" (/etc/pam.d/other), which is why that file must include the system-auth stacks.

If /etc/pam.d/checkpassword conforms to the instructions (auth, account, password and session all included from system-auth) and TWS or Tivoli Dynamic Workload Console (TDWC) logins still fail, the problem may lie in system-auth itself, because every line of system-auth is inherited by checkpassword through the include directives. If system-auth contains pam_deny.so entries, they may be the cause of the login failures.

NOTE: If LDAP user logins to a terminal shell are functional then it is likely that the system-auth should not be modified.

It is possible to copy /etc/pam.d/system-auth to /etc/pam.d/checkpassword and make the desired custom settings directly in the checkpassword file. In this case checkpassword no longer inherits anything from system-auth, so the pam_deny.so entries can be removed from checkpassword without affecting the other PAM services (login, sshd, su, and so on) that still include system-auth.

This is a sample /etc/pam.d/checkpassword that was copied from /etc/pam.d/system-auth with pam_deny.so lines disabled:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=6 unlock_time=1800 onerr=fail
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
#auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
#password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022

The above file resulted in successful logins as an LDAP user to a TDWC server configured to use the Custom user registry.

Note that the commented-out "auth required pam_deny.so" line is the catch-all that makes the auth stack fail closed. Both pam_unix.so and pam_ldap.so are marked "sufficient", and PAM ignores the failure of a sufficient module; if neither of them succeeds, the result of the stack is whatever the preceding "required" modules (pam_tally2.so in this file) returned, and pam_deny.so is what normally turns that case into a denial. Before deploying this file, confirm that a wrong password is still rejected for both an LDAP user and a local user, for example with a PAM test client such as pamtester (pamtester checkpassword <user> authenticate; pamtester is not part of TWS). If a wrong password is accepted, pam_ldap.so is not actually succeeding from the eWAS process (for example because /etc/ldap.conf or the LDAP bind credentials are not readable by the user running eWAS), and removing pam_deny.so has only masked that failure.
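The following script is an added example and is not IBM's code or part of this technote. It parses pam.d-style auth stacks with the control flags and include directive used above, then applies the stacking rules documented in pam.conf(5) (required, requisite, sufficient, optional, the bracketed form, and libpam's final sanity check) to constructed copies of system-auth, other and checkpassword. Module results are not real lookups: they are supplied as a table for hypothetical callers (an LDAP user with uid 1001, and root), using the documented behaviour that pam_env.so returns PAM_IGNORE in the auth phase, pam_tally2.so returns success while the failure counter is below deny, and pam_deny.so always fails. It goes beyond the technote in evaluating both the "other" service (via include) and the copied "checkpassword" file side by side, so the effect of dropping the pam_deny.so line can be seen without touching a live host.

```python
"""Static simulation of Linux-PAM auth-stack dispatch over pam.d files.

Added example, not IBM's code. Module outcomes come from a hypothetical
table rather than real password checks, so this runs entirely offline.
"""
import re

# Linux-PAM return codes used below (names only; numeric values are irrelevant here)
PAM_SUCCESS, PAM_IGNORE = "success", "ignore"
PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_PERM_DENIED = "auth_err", "user_unknown", "perm_denied"

# Control keywords expanded to their bracketed equivalents, as documented in pam.conf(5)
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# "<type> <control> <module> [args]"; the control may be a bracketed list containing spaces
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(files, service, phase):
    """Return [(control_dict, module, args)] for one phase of a service, expanding include/substack."""
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment, as in pam.d
        if not line:
            continue
        ptype, ctl, module, args = LINE_RE.match(line).groups()
        if ptype != phase:
            continue
        if ctl in ("include", "substack"):
            stack.extend(parse_stack(files, module, phase))   # simplified: splice in the other file
        elif ctl.startswith("["):
            stack.append((dict(kv.split("=", 1) for kv in ctl[1:-1].split()), module, args))
        else:
            stack.append((KEYWORDS[ctl], module, args))
    return stack


def dispatch(stack, outcomes):
    """Mimic libpam's bookkeeping: an 'impression' (positive/negative) plus the running status."""
    impression, status = None, PAM_PERM_DENIED   # nothing decided yet => the stack must fail
    i = 0
    while i < len(stack):
        control, module, _ = stack[i]
        retval = outcomes.get(module, PAM_SUCCESS)            # modules not in the table succeed
        action = control.get(retval, control.get("default", "bad"))
        i += 1
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    if impression is None and retval == PAM_SUCCESS:
                        impression = "positive"
                    status = retval
            if action == "done":                              # sufficient succeeded: stop here
                break
            if action.isdigit():                              # jump: skip the next N modules
                i += int(action)
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":                               # requisite failed: stop here
                break
        # "ignore": the module's result does not influence the outcome at all
    if status == PAM_SUCCESS and impression != "positive":
        status = PAM_PERM_DENIED                              # libpam's final sanity check
    return status


def authenticate(files, service, outcomes):
    """Outcome of the auth phase for a service, given per-module results."""
    return dispatch(parse_stack(files, service, "auth"), outcomes)


# Constructed files. SYSTEM_AUTH is the technote's auth stack with pam_deny.so still active;
# CHECKPASSWORD is the copied file with that line commented out, as in the sample above.
SYSTEM_AUTH = """\
auth required pam_env.so
auth required pam_tally2.so deny=6 unlock_time=1800 onerr=fail
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
FILES = {
    "system-auth": SYSTEM_AUTH,
    "other": "auth include system-auth\n",   # the fallback service used when checkpassword is absent
    "checkpassword": SYSTEM_AUTH.replace("auth required pam_deny.so", "#auth required pam_deny.so"),
}

# Hypothetical module results (not real lookups). pam_env's authenticate returns PAM_IGNORE,
# pam_tally2 succeeds while the counter is below deny=6, pam_deny always fails.
COMMON = {"pam_env.so": PAM_IGNORE, "pam_tally2.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}
LDAP_USER_GOOD_PW = {**COMMON, "pam_unix.so": PAM_AUTH_ERR, "pam_ldap.so": PAM_SUCCESS}   # uid 1001
LDAP_USER_BAD_PW = {**COMMON, "pam_unix.so": PAM_AUTH_ERR, "pam_ldap.so": PAM_AUTH_ERR}    # uid 1001
ROOT_BAD_PW = {**COMMON, "pam_unix.so": PAM_AUTH_ERR, "pam_ldap.so": PAM_USER_UNKNOWN,
               "pam_succeed_if.so": PAM_AUTH_ERR}                                          # uid 0 < 500

if __name__ == "__main__":
    cases = (("ldap user, good pw", LDAP_USER_GOOD_PW), ("ldap user, bad pw", LDAP_USER_BAD_PW),
             ("root, bad pw", ROOT_BAD_PW))
    for service in ("other", "checkpassword"):
        for who, outcomes in cases:
            print(f"{service:14s} {who:20s} -> {authenticate(FILES, service, outcomes)}")
```

Running it shows that the good-password LDAP login succeeds under both services (pam_ldap.so is sufficient, so the stack stops before pam_deny.so is ever consulted), that a wrong password is rejected under "other" because pam_deny.so turns the stack negative, and that the same wrong password is accepted under "checkpassword": with pam_deny.so commented out, the only non-ignored result left is the success of pam_tally2.so. The requisite pam_succeed_if.so line still protects accounts with uid below 500 in both cases. This is the check to run (against the real host, with a PAM test client) before adopting the sample file.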

Applies to: IBM Workload Scheduler versions 8.6, 9.1, 9.2 and 9.3; component WebSphere Application Server; platform Linux.

Product Synonym

Maestro;TWS;TWA;eWAS

Document Information

Modified date:
17 June 2018

UID

swg21451201