[CentOS] cron breaking when enabling ldap

Gerrard Geldenhuis Gerrard.Geldenhuis at betfair.com
Tue Sep 14 11:27:45 EDT 2010

When I enable a box to do authentication using LDAP, it breaks cron for users like jboss.

I get the following in /var/log/secure:
Sep 14 15:25:01 exoipatest01 crond[7214]: pam_access(crond:account): access denied for user `jboss' from `cron'

I have the following in /etc/ldap.conf:
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd,jboss

auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so type= retry=3 difok=3 minlen=8 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=0
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so debug service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

I have added
+ : jboss : cron

to /etc/security/access.conf, which fixes the problem. However, I am not sure that it is the "correct" fix.

I would have thought that the nss_initgroups_ignoreusers string in /etc/ldap.conf would prevent this error, unless I am confused about the PAM ordering and the sequence of how authentication happens.

The cron job executes fine without LDAP enabled.

Can anyone shed any more light on this error and a possible fix? I am using CentOS 5.5 fully updated.

Best Regards
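As an added illustration, not part of the original post, here is a small Python model of how Linux-PAM walks the crond account stack quoted above, showing why a failure from the `required` pam_access line is never overridden by the later `sufficient` pam_localuser line (nss_initgroups_ignoreusers is read by the NSS LDAP module, not by any PAM module, so it never enters this walk). The module return values are constructed inputs, and the evaluator is a condensed reading of the control-flag rules in pam.conf(5), not libpam itself.

```python
# Added example, not from the original post: a simplified model of how Linux-PAM
# walks the "account" stack for crond. Module results are constructed, not real.
KEYWORDS = {  # keyword controls in their [value=action] form, per pam.conf(5)
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def run_stack(stack, outcomes):
    """stack: list of (control, module); outcomes: module -> return value."""
    impression, status, i = None, "success", 0   # impression: None/True/False
    while i < len(stack):
        control, module = stack[i]
        result = outcomes[module]
        action = control.get(result, control.get("default", "ignore"))
        skip = 0
        if action.isdigit():                     # e.g. success=1: skip N modules
            skip = int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, result
            if action == "done":                 # sufficient: stop now, but a
                break                            # recorded failure still wins
        elif action in ("bad", "die"):
            if impression is not False:          # the first failure is reported
                impression, status = False, result
            if action == "die":                  # requisite: abort immediately
                break
        i += 1 + skip
    return status

# crond's account phase: its own pam_access line, then "include system-auth".
CROND_ACCOUNT = [
    (KEYWORDS["required"], "pam_access"),
    (KEYWORDS["required"], "pam_access"),        # again, from system-auth
    (KEYWORDS["required"], "pam_unix"),
    (KEYWORDS["sufficient"], "pam_localuser"),
    (KEYWORDS["sufficient"], "pam_succeed_if"),
    ({"default": "bad", "success": "ok", "user_unknown": "ignore"}, "pam_ldap"),
    (KEYWORDS["required"], "pam_permit"),
]

def cron_account_result(access_verdict):
    """access_verdict is what pam_access returns for jboss from origin 'cron'."""
    outcomes = {"pam_access": access_verdict, "pam_unix": "success",
                "pam_localuser": "success",      # jboss is in /etc/passwd
                "pam_succeed_if": "success", "pam_ldap": "user_unknown",
                "pam_permit": "success"}
    return run_stack(CROND_ACCOUNT, outcomes)
```

With pam_access denying, the stack returns that denial even though pam_localuser succeeds, so the outcome for jboss from cron is decided entirely by what /etc/security/access.conf says about that pair.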
