
ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?

tng
Occasional Visitor

hi

 

After the major incident where we couldn't log in through the MP as root or any local user, because the LDAP server 389-ds hung (SYN attack) and then the HP-UX process ldapclientd hung as well. We needed to "RS" the server in the end... right now I am still fighting with "how can we avoid this next time the LDAP server/ldapclientd goes bad".

 

I got a hint that we can change "auth" in pam.conf, so no matter how crazy ldapclientd goes, local logins are still available.

 

I will change something in the original HP-UX 11.31 pam.ldap, and after that I will use it as pam.conf.

 

1)    I change "required" to "sufficient" so libpam_ldap will not be called if libpam_unix succeeds

...
rcomds   auth required          libpam_hpsec.so.1
rcomds   auth sufficient        libpam_unix.so.1
rcomds   auth sufficient        libpam_ldap.so.1 try_first_pass
sshd     auth required          libpam_hpsec.so.1
sshd     auth sufficient        libpam_unix.so.1
sshd     auth sufficient        libpam_ldap.so.1 try_first_pass
...

 

2)   But "auth" might not be enough: when logging in, the OS will check which tty (session realm) you use, whether your password (password realm) is expired, and whether this is a local account (account realm). So I think we need to modify the other realms as well

 

e.g.

su       account required       libpam_hpsec.so.1
su       account sufficient     libpam_unix.so.1
su       account sufficient     libpam_ldap.so.1

 

is this OK?

 

I attach hereby the original HP-UX pam.ldap and my new pam. I have tested it on one server and it works for both local and LDAP login. I can't simulate the SYN attack (using scapy) again, so I don't really know if we can log in as root through the MP if this happens again.

 

Is the pam.conf.MY correct, or is there anything else I have overlooked? Does replacing "required" have any drawbacks?

 

Please help, thanks

BR

Tuan

 

Ref:

http://archive09.linux.com/feature/113567

http://serverfault.com/questions/454625/pam-ldap-so-before-pam-unix-so-is-it-ever-possible
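To make the control-flag question concrete, here is a small simulation of how a PAM "auth" stack is walked under the required / requisite / sufficient / optional semantics that the Solaris-style PAM framework (which HP-UX follows) documents. It is an added example, not code from the thread or from HP: the two stacks, the module outcomes and the HANG marker are constructed, only the auth realm is modelled (no account/session/password stacks, no pam_user.conf), and it does not claim that the real HP-UX libpam implementation behaves identically when ldapclientd is wedged.

```python
"""PAM 'auth' stack walk-through (added example, not from the thread or HP).

Models the control flags with the semantics the Solaris/HP-UX style PAM
framework documents for them:
  required   - a failure is remembered, the remaining modules still run
  requisite  - a failure returns immediately
  sufficient - a success returns immediately, unless an earlier required failed
  optional   - counts only if no other module decided the outcome
A module that blocks (the hung ldapclientd case from the post) is modelled
as returning HANG, which ends the walk without a decision.
Only the auth realm is modelled; account/session/password stacks and
pam_user.conf are out of scope.
"""

SUCCESS, FAIL, HANG = "success", "fail", "hang"

# Constructed stacks. ORIGINAL_STACK represents a stack in which libpam_ldap
# is "required"; MODIFIED_STACK is the shape the post proposes.
ORIGINAL_STACK = [
    ("required", "libpam_hpsec.so.1"),
    ("required", "libpam_unix.so.1"),
    ("required", "libpam_ldap.so.1"),
]
MODIFIED_STACK = [
    ("required", "libpam_hpsec.so.1"),
    ("sufficient", "libpam_unix.so.1"),
    ("sufficient", "libpam_ldap.so.1"),
]


def evaluate_auth_stack(stack, module_results):
    """Walk `stack` top to bottom; `module_results` maps module -> outcome.

    Returns (final, invoked): `final` is SUCCESS, FAIL or HANG (the walk
    never completed) and `invoked` lists the modules actually called, in order.
    """
    invoked = []
    required_failed = False
    decided = False          # a required/requisite module ran and succeeded
    optional_result = None
    for flag, module in stack:
        invoked.append(module)
        result = module_results[module]
        if result == HANG:
            return HANG, invoked        # nothing after this point runs
        if flag == "required":
            if result == FAIL:
                required_failed = True
            else:
                decided = True
        elif flag == "requisite":
            if result == FAIL:
                return FAIL, invoked
            decided = True
        elif flag == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS, invoked   # short-circuit: later modules skipped
            # a failing sufficient module is simply ignored
        elif flag == "optional":
            optional_result = result
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return FAIL, invoked
    if decided:
        return SUCCESS, invoked
    if optional_result is not None:
        return optional_result, invoked
    return FAIL, invoked          # only sufficient modules ran and none passed


def root_login_while_ldap_hangs(stack):
    """Local root: hpsec and unix succeed, ldap would block."""
    return evaluate_auth_stack(stack, {
        "libpam_hpsec.so.1": SUCCESS,
        "libpam_unix.so.1": SUCCESS,
        "libpam_ldap.so.1": HANG,
    })


def ldap_user_login_while_ldap_hangs(stack):
    """Directory-only user: not in /etc/passwd, so unix fails and ldap would block."""
    return evaluate_auth_stack(stack, {
        "libpam_hpsec.so.1": SUCCESS,
        "libpam_unix.so.1": FAIL,
        "libpam_ldap.so.1": HANG,
    })


def login_after_required_failure(stack):
    """hpsec (required) fails: a later sufficient success must not override it."""
    return evaluate_auth_stack(stack, {
        "libpam_hpsec.so.1": FAIL,
        "libpam_unix.so.1": SUCCESS,
        "libpam_ldap.so.1": SUCCESS,
    })


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK), ("modified", MODIFIED_STACK)):
        for scenario in (root_login_while_ldap_hangs,
                         ldap_user_login_while_ldap_hangs,
                         login_after_required_failure):
            final, invoked = scenario(stack)
            print(f"{name:8} {scenario.__name__:34} -> {final:7} via {invoked}")
```

Running it shows the three behaviours worth knowing before changing the flags: with libpam_ldap "required", a local root login walks into the hung module and never returns; with libpam_unix "sufficient", a successful local password check returns before libpam_ldap is touched; a directory-only user still ends up in the hung module under either stack, which is the expected trade-off rather than a defect. The third scenario shows why "sufficient" is not a blanket bypass: a failure in the earlier "required" libpam_hpsec still yields a final failure. Whether the real HP-UX stack also needs the account/session realms and pam_user.conf adjusted, as the thread's resolution indicates, is outside what this model can tell you.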

 

 

tng
Occasional Visitor

Re: ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?

Thanks to HP, the problem is solved by using a new pam.conf and pam_user.conf; the key is "pam_user.conf", which allows root/local users to log in from the MP when LDAP hangs.

 

The attachments are for 11.23/11.31 with TCB and 11.31 with /etc/shadow (the last one is the original file from the HP OS).

NB: if you don't use pam access, please remove the lines "libpam_authz.so.1"

 

Yes, I give up on learning to understand PAM in depth; my logic doesn't work there. I leave it now to Brian at HP :-)

 

Thanks very much

Tuan

 

PS: I use "kill -STOP <slapd PID>" to simulate the hang (-CONT to continue), a tip from HP

PS2: "search time limit" set to 6s in the HP profile on the 389-ds server