FW: su issues
- To: <openldap-software@OpenLDAP.org>
- Subject: FW: su issues
- From: "Paul O'Malley" <paul.omalley@bluefly.com>
- Date: Wed, 14 Jan 2004 15:10:06 -0500
- Content-class: urn:content-classes:message
- Thread-index: AcPa16B0IpGeDowDQImSPa97h3p80wAAHYzgAAAU43AAACDysAAASoZA
- Thread-topic: su issues
When I try to su from a non-root account to another non-root account under Solaris 8, I do not see any hits against my OpenLDAP server. If I su from root to another account, I see LDAP server access and it works correctly.
Here is my pam.conf file:

    login   auth     sufficient  pam_ldap.so.1 try_first_pass
    login   auth     requisite   pam_authtok_get.so.1
    login   auth     required    pam_dhkeys.so.1
    login   auth     required    pam_unix_auth.so.1
    login   auth     required    pam_dial_auth.so.1
    su      auth     sufficient  pam_ldap.so.1 debug
    su      auth     required    pam_unix_auth.so.1 try_first_pass
    #
    other   auth     requisite   pam_authtok_get.so.1
    other   auth     required    pam_dhkeys.so.1
    other   auth     required    pam_unix_auth.so.1
    #
    #
    # Account management
    #
    login   account  requisite   pam_roles.so.1
    login   account  required    pam_projects.so.1
    login   account  sufficient  pam_ldap.so.1 try_first_pass
    login   account  required    pam_unix_account.so.1
    #
    other   account  requisite   pam_roles.so.1
    other   account  required    pam_projects.so.1
    other   account  required    pam_unix_account.so.1
    #
    su      account  sufficient  pam_ldap.so.1 debug
    su      account  required    pam_unix_auth.so.1 try_first_pass
    #
    # Session management
    #
    other   session  required    pam_unix_session.so.1
    su      session  sufficient  pam_ldap.so.1 debug
    su      session  required    pam_unix_auth.so.1 try_first_pass
    #
    # Password management
    #
    other   password required    pam_dhkeys.so.1
    other   password requisite   pam_authtok_get.so.1
    other   password requisite   pam_authtok_check.so.1
    other   password required    pam_authtok_store.so.1
    #
    #
    passwd  auth     required    pam_passwd_auth.so.1
    cron    account  required    pam_unix_account.so.1
And here is what I get when I try to su as non-root:

    bash-2.03$ who am i
    pomalley   pts/2        Jan 14 14:37    (javadocs.ny.bluefly.com)
    bash-2.03$ su - bmadmin
    su: Unknown id: bmadmin
    bash-2.03$

And no "queries" against the LDAP server. My messages file says:

    Jan 14 13:13:20 deviant su: [ID 810491 auth.crit] 'su bmadmin' failed for pomalley on /dev/pts/2
    Jan 14 14:07:19 deviant sshd[14674]: [ID 280705 auth.error] pam_ldap: ldap_simple_bind Can't contact LDAP server
    Jan 14 14:07:33 deviant last message repeated 1 time
    Jan 14 14:08:00 deviant sshd[14682]: [ID 280705 auth.error] pam_ldap: ldap_simple_bind Can't contact LDAP server
    Jan 14 14:08:04 deviant last message repeated 1 time
    Jan 14 14:08:40 deviant sshd[14689]: [ID 280705 auth.error] pam_ldap: ldap_simple_bind Can't contact LDAP server
    Jan 14 14:08:44 deviant last message repeated 1 time

As root, it is OK:

    [root@devapp /]# ssh deviant
    Password:
    Last login: Wed Jan 14 14:37:09 2004 from javadocs.ny.blu
    Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
    [root@deviant /]$ su - pomalley
    bash-2.03$
    conn=126 fd=13 ACCEPT from IP=192.168.20.81:44180 (IP=0.0.0.0:636)
    conn=126 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" method=128
    conn=126 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" mech=simple ssf=0
    conn=126 op=0 RESULT tag=97 err=0 text=
    conn=126 op=1 SRCH base="ou=People,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pomalley))"
    conn=126 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
    conn=126 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=126 op=2 SRCH base="ou=People,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pomalley))"
    conn=126 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
    conn=126 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=126 op=3 SRCH base="dc=ny,dc=bluefly,dc=com" scope=2 filter="(uid=pomalley)"
    conn=126 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=126 op=4 SRCH base="ou=Group,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=pomalley)(uniqueMember=uid=pomalley,ou=people,dc=ny,dc=bluefly,dc=com)))"
    conn=126 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
    <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
    conn=126 op=4 SEARCH RESULT tag=101 err=0 nentries=2 text=
    conn=126 fd=13 closed
Can someone point me in the right direction? It seems that su is not properly interfacing to the PADL modules as a non-root user, but I have no idea where to start. I got no solution through Google...

Also, for each client, do I need to compile the entire OpenLDAP installation, or is there a "libraries only" option?
Thanks!
paul o'malley, senior unix systems administrator
[fly since 2003] [p] 212.944.8000 x306 [e]
paul.omalley@bluefly.com
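Added example, not part of the message above and not code from OpenLDAP or the PADL modules: a small Python audit over the slapd excerpt pasted in the message. That excerpt shows the client host 192.168.20.81 doing a simple bind at ssf=0 as cn=Manager,dc=ny,dc=bluefly,dc=com and then requesting userPassword along with the posixAccount and posixGroup attributes. The script parses slapd stats-level (loglevel 256) lines and flags exactly those three things: a bind as the rootdn, a simple bind below a minimum security strength factor, and a search that asks for userPassword. It assumes that cn=Manager,dc=ny,dc=bluefly,dc=com is the slapd rootdn (the usual slapd.conf default, but the message does not show slapd.conf) and uses an assumed minimum SSF of 56; both are parameters of the audit function. The sample log is constructed from the excerpt above, re-split one event per line.

```python
"""Flag security-relevant client behaviour in an OpenLDAP slapd stats log.

Added example; not code from the original message, OpenLDAP or PADL.
"""
import re

# Assumption: the DN the client binds with is the directory's rootdn.
ROOTDN = "cn=Manager,dc=ny,dc=bluefly,dc=com"

# Constructed sample: the loglevel-256 excerpt from the message, one event per line.
SAMPLE_LOG = """\
conn=126 fd=13 ACCEPT from IP=192.168.20.81:44180 (IP=0.0.0.0:636)
conn=126 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" method=128
conn=126 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" mech=simple ssf=0
conn=126 op=0 RESULT tag=97 err=0 text=
conn=126 op=1 SRCH base="ou=People,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pomalley))"
conn=126 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=126 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=126 op=2 SRCH base="ou=People,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pomalley))"
conn=126 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=126 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=126 op=3 SRCH base="dc=ny,dc=bluefly,dc=com" scope=2 filter="(uid=pomalley)"
conn=126 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=126 op=4 SRCH base="ou=Group,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=pomalley)(uniqueMember=uid=pomalley,ou=people,dc=ny,dc=bluefly,dc=com)))"
conn=126 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
<= bdb_equality_candidates: (uniqueMember) index_param failed (18)
conn=126 op=4 SEARCH RESULT tag=101 err=0 nentries=2 text=
conn=126 fd=13 closed
"""

LINE_RE = re.compile(r"^conn=(?P<conn>\d+)\s+(?:op=(?P<op>\d+)\s+)?(?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[\d.]+):(?P<port>\d+)")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_slapd_log(text):
    """Turn slapd stats lines into dicts holding conn, op, kind and key=value fields."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # backend warnings and other non-connection lines are skipped
            continue
        rest = m.group("rest")
        ev = {"conn": int(m.group("conn")),
              "op": int(m.group("op")) if m.group("op") else None}
        acc = ACCEPT_RE.search(rest)
        if acc:
            ev["kind"] = "ACCEPT"
            ev["client_ip"] = acc.group("ip")
        elif rest.startswith("SRCH attr="):
            # the requested attribute list is space separated, not key=value
            ev["kind"] = "SRCH_ATTR"
            ev["attrs"] = rest[len("SRCH attr="):].split()
        elif rest.endswith("closed"):
            ev["kind"] = "CLOSED"
        else:
            ev["kind"] = (rest.split() or ["OTHER"])[0]  # BIND, SRCH, RESULT, SEARCH
            for key, val in KV_RE.findall(rest):
                ev[key] = val.strip('"')
        events.append(ev)
    return events


def audit_events(events, rootdn, min_ssf=56):
    """Return (conn, op, code, detail) findings. min_ssf=56 is an assumed policy value."""
    findings = []
    client_of = {}  # conn number -> client IP seen on its ACCEPT line
    for ev in events:
        src = client_of.get(ev["conn"], "?")
        if ev["kind"] == "ACCEPT":
            client_of[ev["conn"]] = ev["client_ip"]
        elif ev["kind"] == "BIND" and "ssf" in ev:
            # the second BIND line of a simple bind carries mech= and ssf=
            if ev.get("dn", "").lower() == rootdn.lower():
                findings.append((ev["conn"], ev["op"], "ROOTDN_BIND",
                                 f"client {src} bound as the rootdn {ev['dn']}"))
            if ev.get("mech") == "simple" and int(ev["ssf"]) < min_ssf:
                findings.append((ev["conn"], ev["op"], "CLEARTEXT_SIMPLE_BIND",
                                 f"simple bind from {src} with ssf={ev['ssf']} (< {min_ssf})"))
        elif ev["kind"] == "SRCH_ATTR" and "userPassword" in ev["attrs"]:
            findings.append((ev["conn"], ev["op"], "USERPASSWORD_REQUESTED",
                             f"client {src} requested userPassword"))
    return findings


if __name__ == "__main__":
    for conn, op, code, detail in audit_events(parse_slapd_log(SAMPLE_LOG), ROOTDN):
        print(f"conn={conn} op={op} {code}: {detail}")
```

Run against the excerpt it reports one rootdn bind, one simple bind at ssf=0 and three searches that ask for userPassword. Binding the NSS/PAM client as the rootdn means the client host's ldap.secret holds the directory's master credential and nss_ldap is handed every user's password hash; the usual arrangement is a dedicated low-privilege proxy DN for nss_ldap, an ACL that denies it userPassword, and TLS or a `security ssf=` requirement in slapd.conf on the client connection. pam_ldap authenticates by binding as the user, so it never needs the hash itself.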