FW: su issues

When I try to su from a non-root account to another non-root account under Solaris 8, I do not see any hits against my OpenLDAP server. If I su from root to another account, I see LDAP server access and it works correctly.

Here is my pam.conf file:

login   auth     sufficient   pam_ldap.so.1 try_first_pass
login   auth     requisite    pam_authtok_get.so.1
login   auth     required     pam_dhkeys.so.1
login   auth     required     pam_unix_auth.so.1
login   auth     required     pam_dial_auth.so.1
su      auth     sufficient   pam_ldap.so.1 debug
su      auth     required     pam_unix_auth.so.1 try_first_pass
#
other   auth     requisite    pam_authtok_get.so.1
other   auth     required     pam_dhkeys.so.1
other   auth     required     pam_unix_auth.so.1
#
#
# Account management
#
login   account  requisite    pam_roles.so.1
login   account  required     pam_projects.so.1
login   account  sufficient   pam_ldap.so.1 try_first_pass
login   account  required     pam_unix_account.so.1
#
other   account  requisite    pam_roles.so.1
other   account  required     pam_projects.so.1
other   account  required     pam_unix_account.so.1
#
su      account  sufficient   pam_ldap.so.1 debug
su      account  required     pam_unix_auth.so.1 try_first_pass
#
# Session management
#
other   session  required     pam_unix_session.so.1
su      session  sufficient   pam_ldap.so.1 debug
su      session  required     pam_unix_auth.so.1 try_first_pass
#
# Password management
#
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1
#
#
passwd  auth     required     pam_passwd_auth.so.1
cron    account  required     pam_unix_account.so.1

And here is what I get when I try to su as non-root:

bash-2.03$ who am i
pomalley   pts/2        Jan 14 14:37    (javadocs.ny.bluefly.com)
bash-2.03$ su - bmadmin
su: Unknown id: bmadmin
bash-2.03$

And no queries against the LDAP server. My messages file says:

Jan 14 13:13:20 deviant su: [ID 810491 auth.crit] 'su bmadmin' failed for pomalley on /dev/pts/2
Jan 14 14:07:19 deviant sshd[14674]: [ID 280705 auth.error] pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 14 14:07:33 deviant last message repeated 1 time
Jan 14 14:08:00 deviant sshd[14682]: [ID 280705 auth.error] pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 14 14:08:04 deviant last message repeated 1 time
Jan 14 14:08:40 deviant sshd[14689]: [ID 280705 auth.error] pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 14 14:08:44 deviant last message repeated 1 time

As root, it is OK:

[root@devapp /]# ssh deviant
Password:
Last login: Wed Jan 14 14:37:09 2004 from javadocs.ny.blu
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
[root@deviant /]$ su - pomalley
bash-2.03$


conn=126 fd=13 ACCEPT from IP=192.168.20.81:44180 (IP=0.0.0.0:636)
conn=126 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" method=128
conn=126 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" mech=simple ssf=0
conn=126 op=0 RESULT tag=97 err=0 text=
conn=126 op=1 SRCH base="ou=People,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pomalley))"
conn=126 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=126 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=126 op=2 SRCH base="ou=People,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pomalley))"
conn=126 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=126 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=126 op=3 SRCH base="dc=ny,dc=bluefly,dc=com" scope=2 filter="(uid=pomalley)"
conn=126 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=126 op=4 SRCH base="ou=Group,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=pomalley)(uniqueMember=uid=pomalley,ou=people,dc=ny,dc=bluefly,dc=com)))"
conn=126 op=4 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
<= bdb_equality_candidates: (uniqueMember) index_param failed (18)
conn=126 op=4 SEARCH RESULT tag=101 err=0 nentries=2 text=
conn=126 fd=13 closed

Can someone point me in the right direction? It seems that su is not properly interfacing to the PADL modules as a non-root user but I have no idea where to start. I got no solution through Google...

Also, for each client, do I need to compile the entire OpenLDAP installation or is there a "libraries only" option?

Thanks!

paul o'malley, senior unix systems administrator [fly since 2003] [p] 212.944.8000 x306 [e] paul.omalley@bluefly.com
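As an added example (not part of the post above, and not Sun's or PADL's code), here is a small linter for a Solaris-style pam.conf that checks each `service type control module [options]` line against the stack types a module actually implements, as documented in the Solaris man pages for the split modules (pam_unix_auth.so.1 is auth only, pam_unix_account.so.1 account only, pam_unix_session.so.1 session only; pam_ldap.so.1 from PADL provides all four types). It also flags `try_first_pass`/`use_first_pass` on account or session lines, where no password is collected, and shows which entries Solaris consults when a service has no entries of a given type and falls back to `other`. The sample configuration embedded below is a constructed excerpt modelled on the su and other stacks in the post; the module table and option list are this example's own assumptions.

```python
"""Lint a Solaris-style /etc/pam.conf (service type control module [options]).

Added example for this thread, not Sun's or PADL's code.  Flags modules listed
in a stack type they do not implement and password-collection options placed
where no password is collected.
"""

VALID_TYPES = {"auth", "account", "session", "password"}
VALID_CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Stack types each module implements.  Sun modules per their man pages;
# pam_ldap.so.1 is PADL's module, which implements all four.  (Assumed table
# for this example; extend it for any other module your pam.conf references.)
MODULE_TYPES = {
    "pam_unix_auth.so.1":     {"auth"},
    "pam_unix_account.so.1":  {"account"},
    "pam_unix_session.so.1":  {"session"},
    "pam_dhkeys.so.1":        {"auth", "password"},
    "pam_authtok_get.so.1":   {"auth", "password"},
    "pam_authtok_check.so.1": {"password"},
    "pam_authtok_store.so.1": {"password"},
    "pam_roles.so.1":         {"account"},
    "pam_projects.so.1":      {"account"},
    "pam_dial_auth.so.1":     {"auth"},
    "pam_passwd_auth.so.1":   {"auth"},
    "pam_ldap.so.1":          {"auth", "account", "session", "password"},
}

# Options that only mean something where a password is collected.
AUTHTOK_OPTIONS = {"try_first_pass", "use_first_pass"}

# Constructed excerpt modelled on the su/other stacks posted in the thread.
SAMPLE_PAM_CONF = """\
# su stacks (constructed excerpt for this example)
su      auth     sufficient  pam_ldap.so.1 debug
su      auth     required    pam_unix_auth.so.1 try_first_pass
su      account  sufficient  pam_ldap.so.1 debug
su      account  required    pam_unix_auth.so.1 try_first_pass
su      session  sufficient  pam_ldap.so.1 debug
su      session  required    pam_unix_auth.so.1 try_first_pass
other   auth     required    pam_unix_auth.so.1
other   account  required    pam_unix_account.so.1
other   session  required    pam_unix_session.so.1
other   password required    pam_authtok_store.so.1
"""


def parse_pam_conf(text):
    """Return one dict per non-comment line; malformed lines raise ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields: {raw!r}")
        service, mtype, control, module = fields[:4]
        entries.append({"line": lineno, "service": service, "type": mtype,
                        "control": control, "module": module,
                        "options": fields[4:]})
    return entries


def lint(entries):
    """Return (lineno, message) findings in file order."""
    findings = []
    for e in entries:
        if e["type"] not in VALID_TYPES:
            findings.append((e["line"], f"unknown module type {e['type']!r}"))
            continue
        if e["control"] not in VALID_CONTROLS:
            findings.append((e["line"], f"unknown control flag {e['control']!r}"))
        implemented = MODULE_TYPES.get(e["module"])
        if implemented is None:
            findings.append((e["line"], f"{e['module']} is not in the module table"))
        elif e["type"] not in implemented:
            findings.append((e["line"],
                             f"{e['module']} does not implement the {e['type']} type "
                             f"(it implements {', '.join(sorted(implemented))})"))
        if e["type"] not in {"auth", "password"}:
            for opt in e["options"]:
                if opt in AUTHTOK_OPTIONS:
                    findings.append((e["line"],
                                     f"{opt} has no effect in a {e['type']} stack"))
    return findings


def effective_stack(entries, service, mtype):
    """Entries libpam consults for service/type: the service's own entries of
    that type, or the 'other' entries of that type when the service has none."""
    own = [e for e in entries if e["service"] == service and e["type"] == mtype]
    if own:
        return own
    return [e for e in entries if e["service"] == "other" and e["type"] == mtype]


if __name__ == "__main__":
    parsed = parse_pam_conf(SAMPLE_PAM_CONF)
    for lineno, msg in lint(parsed):
        print(f"line {lineno}: {msg}")
    for e in effective_stack(parsed, "su", "password"):
        print(f"su password stack falls back to line {e['line']}: {e['module']}")
```

Run against a real file with `parse_pam_conf(open("/etc/pam.conf").read())`; on the constructed excerpt it reports the two su lines that name pam_unix_auth.so.1 in the account and session stacks, and shows that su has no password stack of its own and inherits the `other` one.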