IBM Support

ObjectServer PAM authentication via LDAP fails

Troubleshooting


Problem

When user attempts to login to the ObjectServer, the ObjectServer log shows failure to authenticate the user.

Symptom

An example of the error is as follows:

2015-04-01T04:39:15: Error: E-AUT-102-005: User authentication of user 'user1', has failed. [9][Authentication failed]
2015-04-01T04:39:15: Error: E-OBX-102-023: Failed to authenticate user user1. (-3602:Not authenticated)
2015-04-01T04:39:15: Error: E-OBX-102-057: User user1@host1 failed to login: Not authenticated

Diagnosing The Problem

1) On Linux, each PAM policy is held in a separate configuration file in the pam.d directory, named after the service name of the associated application; modify the "netcool" and/or "nco_objserv" configuration files. Add "debug" to the end of the "auth" and "account" lines used by the ObjectServer for authentication and accounting.

For example:
nco_objserv auth required pam_krb5.so.1 try_first_pass debug
nco_objserv account required pam_krb5.so.1 debug

2) Verify that syslogd is configured to log debug statements. In /etc/syslog.conf, there should be a line for debug followed by a file name. If syslog is not configured to log debug messages, consult your system administrator on configuring syslogd.

For example:
*.debug /var/adm/ncolog

3) Create an empty file named "pam_debug" in the /etc directory.

For example: touch /etc/pam_debug


4) Use nco_config to set the ObjectServer's MessageLevel property to debug.

Note: The PAM library checks for the existence of the /etc/pam_debug file; syslog output is enabled when this file is found. The netcool application name for the ObjectServer is "nco_objserv". The netcool application name for nco_pad is "netcool".
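As an added example (not part of the IBM technote), the following POSIX shell script applies steps 1 to 3 to configuration files whose paths you pass in, so the edit can be rehearsed on copies before /etc is touched. It assumes pam.conf-style lines of the form "service type control module args", as in the technote's own lines; for a Linux pam.d file, which has no service column, pass an empty service name. The sample pam.conf and syslog.conf it writes are constructed for the dry run, and the function names are this example's own, not nco_config or any OMNIbus tool.

```shell
#!/bin/sh
# Added example, not from the IBM technote. Scripts steps 1-3 of the PAM
# debug procedure against the config paths given as arguments.
# Assumption: pam.conf-style lines "service type control module args...";
# for a pam.d file (no service column) pass "" as the service name.

# add_pam_debug PAMCONF SERVICE: append "debug" to every auth and account
# line of SERVICE that does not already carry it; other lines are untouched,
# so running it twice is harmless.
add_pam_debug() {
  pamconf=$1
  service=$2
  tmp="$pamconf.tmp.$$"
  awk -v svc="$service" '
    {
      # With a service column the type is $2 (only when $1 is our service);
      # without one (svc empty) the type is $1.
      type = (svc == "") ? $1 : (($1 == svc) ? $2 : "")
      if ((type == "auth" || type == "account") &&
          $0 !~ /(^|[[:space:]])debug([[:space:]]|$)/)
        $0 = $0 " debug"
      print
    }' "$pamconf" > "$tmp" && mv "$tmp" "$pamconf"
}

# debug_line_count PAMCONF SERVICE: print how many auth/account lines of
# SERVICE carry "debug", to verify the edit before restarting anything.
debug_line_count() {
  awk -v svc="$2" '
    {
      type = (svc == "") ? $1 : (($1 == svc) ? $2 : "")
      if ((type == "auth" || type == "account") &&
          $0 ~ /(^|[[:space:]])debug([[:space:]]|$)/) n++
    }
    END { print n + 0 }' "$1"
}

# syslog_debug_target SYSLOGCONF: print the file that *.debug messages are
# written to, or nothing if syslogd is not configured for debug (step 2).
syslog_debug_target() {
  awk '$1 == "*.debug" && NF >= 2 { print $2; exit }' "$1"
}

# enable_pam_debug_flag ETCDIR: create the empty pam_debug file (step 3);
# pass /etc for the real system.
enable_pam_debug_flag() {
  : > "$1/pam_debug"
}

# make_sample_configs DIR: write constructed pam.conf and syslog.conf
# samples (modelled on the technote's lines) into DIR for a dry run.
make_sample_configs() {
  cat > "$1/pam.conf" <<'EOF'
nco_objserv auth required pam_krb5.so.1 try_first_pass
nco_objserv account required pam_krb5.so.1
netcool auth required pam_krb5.so.1 try_first_pass
EOF
  cat > "$1/syslog.conf" <<'EOF'
*.err /var/adm/messages
*.debug /var/adm/ncolog
EOF
}

# Dry run on a scratch directory: ./pamdebug.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_sample_configs "$d"
  add_pam_debug "$d/pam.conf" nco_objserv
  enable_pam_debug_flag "$d"
  echo "nco_objserv lines with debug: $(debug_line_count "$d/pam.conf" nco_objserv)"
  echo "syslog debug target: $(syslog_debug_target "$d/syslog.conf")"
  cat "$d/pam.conf"
  rm -r "$d"
fi
```

Run it with --demo to see the edited sample: only the two nco_objserv lines gain "debug", the netcool line is left alone, and the syslog check reports /var/adm/ncolog. If syslog_debug_target prints nothing, syslogd will swallow the PAM trace and step 2 still needs doing.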

Then, attempt to login to the ObjectServer.

When examining the PAM debug messages in the syslogd log file, the following example error is seen:


Apr 9 00:11:21 server1 nco_objserv[16099]: [ID 647000 auth.debug] ldap pam_sm_authenticate(nco_objserv d402190), AUTHTOK not set

Resolving The Problem

The message "AUTHTOK not set" normally suggests a missing module when parsing through the PAM configuration file. Try adding the following module as a requisite to nco_objserv:
nco_objserv auth requisite /usr/lib/security/pam_authtok_get.so.1

Attempt to login again.

If the PAM debug messages show the following:


Apr 9 14:45:05 server1 nco_objserv[16099]: [ID 293258 user.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').

this means that the LDAP client is not installed on the machine. The LDAP client is needed for PAM authentication to work.

Product: Tivoli Netcool/OMNIbus (SSSHTQ)
Business Unit: Cloud & Data Platform
Platform: Solaris
Version: 7.4.0
Line of Business: Automation

Product Synonym

OMNIbus

Document Information

Modified date: 17 June 2018

UID

swg21902220