Tuesday 8 July 2008

Wrong password?

While implementing Oracle Authentication for Operating System (OAfOS) on a certain Oracle Enterprise Linux (OEL) server, we got an Access Denied error when we tried to log in to the server using credentials from the Oracle Internet Directory (OID) LDAP server. In the /var/log/secure log file we saw the error
sshd[22791]: Failed password for invalid user xander

This even though the same account xander worked fine on the other OEL servers.
When we ran su xander from the root account on the OEL server, the home directories were created without any problem:

$ su xander
Creating directory '/home/xander'.
Creating directory '/home/xander/.kde'.
Creating directory '/home/xander/.kde/Autostart'.
It turned out that this specific machine had an extra access policy in the /etc/security/access.conf file. This policy only lets users access the machine through SSH when they are a member of a specific group; a user who is not in that group is rejected, and sshd logs it as a failed password for an invalid user.
When we added the same group to the OID and added the username to the group, the password error was gone and we were able to log in using SSH.
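To show why a valid OID password still produces this error, here is an added example (not code from the original post) that evaluates access.conf rules the way pam_access does: first matching rule wins, no match means access is granted, bare names match users and then groups, and names in parentheses match groups only. The policy below is constructed to resemble the one found on the failing server; the group name sshusers is an assumption.

```python
# Added example: a minimal evaluator of /etc/security/access.conf rules.
# Assumed semantics (as in pam_access): lines are "permission : users : origins",
# the first matching rule decides, and an unmatched user is permitted.

def _parse_field(field):
    """Split 'ALL EXCEPT a (grp)' or 'a, b (grp)' into (negated, [names])."""
    tokens = field.replace(",", " ").split()
    if len(tokens) >= 2 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return True, tokens[2:]
    return False, tokens

def _user_matches(names, user, groups):
    """ALL matches everyone; (name) matches a group; a bare name matches user or group."""
    for name in names:
        if name == "ALL":
            return True
        if name.startswith("(") and name.endswith(")"):
            if name[1:-1] in groups:
                return True
        elif name == user or name in groups:
            return True
    return False

def _origin_matches(names, origin):
    """ALL matches any origin; LOCAL matches names without a dot; else exact match."""
    for name in names:
        if name == "ALL" or name == origin:
            return True
        if name == "LOCAL" and "." not in origin:
            return True
    return False

def access_allowed(config_text, user, groups, origin="ALL"):
    """Return True if pam_access would let `user` (member of `groups`) in from `origin`."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if line.count(":") < 2:
            continue
        permission, users, origins = (p.strip() for p in line.split(":", 2))
        u_neg, u_names = _parse_field(users)
        o_neg, o_names = _parse_field(origins)
        # a field matches when its name list hits, or misses under ALL EXCEPT
        if (_user_matches(u_names, user, groups) != u_neg
                and _origin_matches(o_names, origin) != o_neg):
            return permission == "+"
    return True  # no rule matched: pam_access grants access

# Constructed policy: only root and members of the sshusers group may log in.
ACCESS_CONF = """
# permission : users : origins
+ : root : ALL
- : ALL EXCEPT (sshusers) : ALL
"""
```

With this policy, access_allowed(ACCESS_CONF, "xander", [], "sshd") is False until the user's OID group list contains sshusers, which is exactly the fix described above.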

Tuesday 1 July 2008

High Available setup of Oracle Authentication Services for Operating Systems

Oracle Authentication Services for Operating Systems (OASfOS) is the way to use the Oracle Internet Directory (OID) LDAP server for managing the users of a Unix or Linux system.
This works fine and is explained in the manuals that come with the download from Oracle Technology Network: http://www.oracle.com/technology/products/oid/oracleauthenticationservices.html

But the scripts that come with this OASfOS download assume that a single-instance OID LDAP server is used. The script that should be run on the OID server gets the host name of that server and creates the script that should be run on the Linux or Unix servers that will use the OID as their user base.
But the strength of the OID is that it can be set up with a cluster database in the back-end. Using a hardware load balancer in front of the OID processes can mitigate all kinds of hardware and software failures. The hardware load balancer is set up with a virtual DNS name which directs the LDAP requests to either of the OID processes in the cluster. As the back-end of the OID processes, a Real Application Cluster (RAC) database is used.

The procedure for setting up OASfOS in a cluster is slightly different from setting it up for a single instance.
The server script that is run on the first instance should be adjusted. Instead of getting the hostname of the machine on which this OID is running, it should use the LDAP virtual address that is configured in the load balancer.
That adjusted script will create a client script that then uses the virtual address of the load balancer instead of one of the host addresses.
In the following fragment of the server script, the original lines are commented out and the changed lines that replace them follow directly below each pair:

if [ "X$dmName" = "X(none)" -o "X$dmName" = "X" ]
then
    dmName=""
    # rootDN="cn=`hostname`,${realm}"
    # hostName="`hostname`"
    rootDN="cn=oid-virtualaddress.nl.oracle.com,${realm}"
    hostName="oid-virtualaddress.nl.oracle.com"
else
    # rootDN="cn=`hostname`.${dmName},${realm}"
    # hostName="`hostname`.${dmName}"
    rootDN="cn=oid-virtualaddress.nl.oracle.com,${realm}"
    hostName="oid-virtualaddress.nl.oracle.com"
fi

On the other instance the only change is that the wallet for SSL traffic that was created on the first instance is copied to the same location on the second instance. The same instructions as described in the documentation for changing the standard certificate can be used.
The server script should not be run on the second instance: it also changes the contents of the OID, and since RAC is used those changes are already in place once the script has been run on the first instance.

Start blogging

"Start blogging", my manager said, 2 years ago. That is good for your "career". But I didn't think I had anything to add that couldn't be found anywhere else.
But then lately I had to find out some stuff that wasn't written in any of the manuals. Mind you, no rocket science or brain surgery, but it would have been convenient if I could have done the work using a sample.
So I can start working on my "career" from today.
On this blog you should expect stuff which isn't already written in the manual (at the time of writing, that is; my techie addition).
It could be that somebody else is writing it down in another blog at the same moment; that is my next nerdy addition to my own rule. But the web doesn't have any tools yet to prevent this redundancy; possibly in a semantic web all is normalized.