
Re: Redhat 9 'su' doesn't work with OpenLDAP?



Hi,
try manually patching the system-auth, which is buggy in RH9:

Configure /etc/pam.d/system-auth with this line:

account required /lib/security/$ISA/pam_unix.so
# patch from bug #55193 at bugzilla.redhat.com
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so


Also, does:
$ getent passwd
return the root account?

HTH
Oliver

Brian K. Jones wrote:

Hi all.

There are more people using RH 9 w/ Openldap here than on the
'Redhat-Shrike' list, so I'm starting here with this issue.


I'm migrating from NIS to LDAP. I'm the first guinea pig. We have a NIS
box setup still, and after running 'authconfig' on my RH 9 box and
telling it to use LDAP and not NIS, logins and ssh work, but 'su'
doesn't! I'm typing the correct password, and it appears that there are
searches being done, according to the server logs, but all I get is 'su:
incorrect password'. If I configure the machine to go back to using NIS,
all is well again, and I can 'su' on the first try :(

'su' appears to be actually binding to the ldap server as the user
you're trying to become, and here's the log output:

Aug 1 16:32:49 ldap slapd[29609]: conn=229 fd=11 ACCEPT from
IP=128.112.94.52:50117 (IP=0.0.0.0:389)
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=1 BIND dn="" method=128
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=1 RESULT tag=97 err=0
text=
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=2 SRCH
base="ou=People,dc=fakedomain" scope=1
filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=2 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=3 SRCH
base="ou=People,dc=fakedomain" scope=1
filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=3 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=4 SRCH
base="ou=People,dc=fakedomain" scope=1
filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=4 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=5 SRCH
base="ou=People,dc=fakedomain" scope=1
filter="(&(objectClass=shadowAccount)(uid=ajonesy))"
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=5 SRCH attr=uid
userPassword shadowLastChange shadowMax shadowMin shadowWarning
shadowInactive shadowExpire
Aug 1 16:32:49 ldap slapd[29609]: conn=229 op=5 RESULT tag=101 err=32
text=
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=6 SRCH
base="ou=People,dc=fakedomain" scope=1
filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=6 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=6 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=7 SRCH
base="ou=People,dc=fakedomain" scope=1
filter="(&(objectClass=shadowAccount)(uid=ajonesy))"
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=7 SRCH attr=uid
userPassword shadowLastChange shadowMax shadowMin shadowWarning
shadowInactive shadowExpire
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=7 RESULT tag=101 err=32
text=
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=8 SRCH
base="ou=People,dc=fakedomain" scope=1
filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=8 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=8 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=9 SRCH
base="ou=People,dc=fakedomain" scope=1
filter="(&(objectClass=shadowAccount)(uid=ajonesy))"
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=9 SRCH attr=uid
userPassword shadowLastChange shadowMax shadowMin shadowWarning
shadowInactive shadowExpire
Aug 1 16:32:53 ldap slapd[29609]: conn=229 op=9 RESULT tag=101 err=32
text=
Aug 1 16:32:53 ldap slapd[29609]: conn=230 op=5 UNBIND
Aug 1 16:32:53 ldap slapd[29609]: conn=229 fd=11 closed
==============================
And here's my /etc/pam.d/system-auth file.
==============================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so



Thanks for any insight.




-- Oliver Schulze L. <oliver@samera.com.py>
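An added example, not part of the original thread: the posted `account` stack and the replacement line Oliver suggests differ only in `authinfo_unavail=ignore`, and the effect of that is easiest to see by evaluating both stacks under the Linux-PAM dispatch rules. The script below parses pam.d lines (including the bracketed `[value=action ...]` control syntax), expands `required`/`sufficient`/`optional` into the `[value=action]` tables that pam.conf(5) documents them as, and then runs the stack with module return values that are constructed scenarios (pam_unix succeeds, pam_ldap returns `success`, `user_unknown` or `authinfo_unavail`). It does not call PAM itself and makes no claim about what Brian's pam_ldap actually returned.

```python
"""Simulate the Linux-PAM 'account' stack from the two system-auth snippets.

Constructed example: the parser handles pam.d lines with either a keyword
control or a bracketed [value=action ...] table, and the evaluator follows
the dispatch rules in pam.conf(5): shorthand keywords expand to tables, and
'done' only short-circuits when no earlier module has already failed.
"""
import re

# Shorthand controls as the [value=action] tables pam.conf(5) gives for them.
SHORTHAND = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# type, control (keyword or [...] table), module path, remaining args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(ctrl):
    """Turn 'required' or '[default=bad success=ok ...]' into a value->action dict."""
    if ctrl.startswith("["):
        table = {}
        for item in ctrl[1:-1].split():
            value, action = item.split("=", 1)
            table[value] = action
        return table
    return dict(SHORTHAND[ctrl])


def parse_pam(text, mtype):
    """Return [(module, actions, args)] for the lines of management type `mtype`."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam line: " + line)
        mt, ctrl, module, args = m.groups()
        if mt == mtype:
            stack.append((module.rsplit("/", 1)[-1], parse_control(ctrl), args.split()))
    return stack


def run_stack(stack, results):
    """Evaluate a stack given each module's return value (a constructed scenario).

    `results` maps module name -> return value name such as 'success',
    'authinfo_unavail' or 'user_unknown'. The evaluator keeps an impression
    (None / 'positive' / 'negative') and the status that goes with it, the
    way the Linux-PAM dispatcher does.
    """
    impression, status = None, "perm_denied"
    for module, actions, _args in stack:
        retval = results.get(module, "success")
        action = actions.get(retval, actions.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        # 'ignore' leaves impression and status untouched
    return status


# The account lines as posted: an LDAP outage is mapped to the default (bad).
POSTED = """
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
"""
# The suggested replacement, which additionally ignores authinfo_unavail.
PATCHED = """
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/security/$ISA/pam_ldap.so
"""


def account_result(config, ldap_retval):
    """Account-phase result when pam_unix succeeds and pam_ldap returns ldap_retval."""
    stack = parse_pam(config, "account")
    return run_stack(stack, {"pam_unix.so": "success", "pam_ldap.so": ldap_retval})


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("patched", PATCHED)):
        for rv in ("success", "user_unknown", "authinfo_unavail"):
            print(f"{name:8s} pam_ldap={rv:17s} -> {account_result(cfg, rv)}")
```

With the posted stack, a pam_ldap return of `authinfo_unavail` falls through to `default=bad`, so the account phase fails even though pam_unix accepted the user; with the patched line it is ignored and the pam_unix result stands. `user_unknown` is tolerated by both versions, which is why an LDAP-only user still passes pam_unix's `required` entry in the simulation.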