Centos – Error on LDAP Login – xsessions error – Session lasted less than 10 seconds

centosldapopenldap

I have two machines both running CentOS 5.6 64bit.
On the LDAP Machine it has a DHCP, BIND and OpenLDAP Server. LDAP is correctly configured and users can authenticate against it.

Using root I configure machine 2 to use LDAP for authentication and when trying to log in it successfully authenticates against a saved user on the LDAP Server but produces the following errors and then throws me back to the login screen. I can still sign in as root and use the machine as normal. The syslog doesn't show any errors and I disabled SELinux to see if it was interfering.

The error;

Your session only lasted less than 10 seconds. If you have not lgoged out yourself, this could mean that there is some installation problem or that you may be out of diskspace. Try logging in with one of the failsafe sessions to see if you can fix this problem.

There is then a tickbox to view the contents of ~/.xsessions-errors which contains;

/etc/gdm/PreSession/Default: Registering your session with utmp
/etc/gdm/PreSession/Default: running: /usr/bin/sessreg -a -u /var/run/utmp -x "/var/gdm:0:Xservers" -h "" -l ":0" "admin"
        localuser:admin being added to access control list
    No profile for user 'admin' found
    /bin/sh: /usr/bin/dbus-launch --exit-with-session /etc/X11/Xinit/Xclients: No such file or directory
    /bin/sh: line 0: exec: /usr/bin/dbus-launch --exit-with-session /etc/X11/xinit/Xclients: cannot execute: No such file or directory

Apologies if someone notices something isn't spelt quite right or doesn't sound right, the system never actually creates or saves this file so I have had to type it across from the screen.

Through the authentication panel in CentOS on the client I have set it to create the users home directory on login. The user is being correctly authenticated and the /home/admin folder has been created but this error would suggest it has not? The client is a new install on an 80gb hard drive so there is well over 80% of the drive still available.

Thanks for any suggestions or pointers.

Best Answer

Ok. So the error was not defining /bin/bash as the loginShell attribute for the user on the LDAP server. Because of the permissions on the system and bash being used the default shell on the system it was having errors to try and create the default files required for the x11 system. Adding the /bin/bash loginShell atribute to all users fixed everything

Related Solutions

Ubuntu LDAP Make Home Directory

The way we solved this is to add another attribute to LDAP, something like linuxHomeDirectory . Then you can create a mapping in ldap.conf:

nss_map_attribute homeDirectory linuxHomeDirectory

The for each user you set the attribute in LDAP to the path you want for their Linux home dir, such as /home/$username or whatnot.

If you have your home directories served from OS X server, you can mount those with an automounter in the /Volumes/$servername/$path hierarchy on Linux and then you don't need to do any LDAP attribute mangling.

More info: Here's an article how to extend the LDAP schema in OpenDirectory: http://www.afp548.com/article.php?story=20060228230005854

To populate the user attributes you can use the ldapadd and ldapmodify tools.

Ldap – FreeBSD LDAP authentication, pam_ldap, can’t bind

Here's how LDAP authentication works, in a nutshell:

You SSH in as joeblow. Your client gives that name to the server, along with your password (that you enter).
The server starts walking the PAM list saying "does anyone vouch for this guy?", looking for either an OK or a NO. (PAM modules can deny as well as allow). In your case:
1. It checks pam_opie.so. You've said this is sufficient, so it will just move on if it isn't found. I imagine it's not in this case.
2. It checks pam_opieaccess.so. In this case, it's required, so pam_opieaccess.so has to say "yeah, he's ok". I imagine this module is just checking a list of accounts that are marked "has to auth via OPIE", which joeblow isn't on. It says OK.
3. /usr/local/lib/pam_ldap.so gets a turn. This is the part you care about.
  1. First it binds to the server with your binddn and bindpw, to ask "hey, I've got this joeblow here, what's his real name?" The server answers uid=joeblow,ou=Users,dc=corp,dc=example,dc=org.
  2. pam_ldap.so disconnects, and tries to bind as uid=joeblow,ou=Users,dc=corp,dc=example,dc=org with the password you gave. If it can bind, you're in. If not, not.

So the error you're getting means that step 2.3.2 there is failing, probably because the password is incorrect. It's possible that there is some other problem with joeblow binding to the server, check the LDAP server logs for more details.

Best Answer

Related Solutions

Ubuntu LDAP Make Home Directory

Ldap – FreeBSD LDAP authentication, pam_ldap, can’t bind

Related Topic