topic Re: LDAP CDE/dtlogin problem in Operating System - HP-UX

LDAP CDE/dtlogin problem

Weiping He_1 — Tue, 24 Aug 2004 21:45:51 GMT

I have trouble to login HP-UX 11.23 server with LDAP user account.
I can login as telnet or su from another user.
Can anybody help me?
Thanks a lot!

This is the error msg I got:
syslog: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'

pam.conf
login auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1 debug
login auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass debug
su auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
su auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1 debug
dtlogin auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass debug
ftp auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
ftp auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login account required /usr/lib/security/$ISA/libpam_ldap.so.1
su account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
su account required /usr/lib/security/$ISA/libpam_ldap.so.1
ftp account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
ftp account required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER account required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Session management
#
login session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login session required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER session required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Password management
#
login password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
passwd password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass

nsswitch.conf

passwd: files ldap
group: files ldap
hosts: ldap files dns
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap

Re: LDAP CDE/dtlogin problem

Dave Olker — Tue, 24 Aug 2004 23:03:11 GMT

Hi,

I looked up the code for user2netname() and this function uses the "publickey" entry in the /etc/nsswitch.conf file to convert the unix credentials to a network-name.

The fact that your current /etc/nsswitch.conf file says:

publickey: files

but the syslog entry indicates "ldap" tells me that at one time, likely at boot time, the /etc/nsswitch.conf entry for publickey probably included "ldap".

Did you modify the /etc/nsswitch.conf file to remove "ldap" from the publickey entry after the system was booted? If so, you may need to reboot the system in order to get all running processes to re-read the current nsswitch.conf file, as most processes read this file once at initialization time and then don't refer to the file again until they are restarted.

Also, I don't think many of the entries in your nsswitch.conf file are valid for "ldap". I know for a fact that AutoFS (automount entry) doesn't support LDAP.

If you look at the /etc/nsswitch.ldap file you will see which services are supported for LDAP lookups. On my 11.23 system, this file contains:

#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf. It
# uses LDAP (Lightweight Directory Access Protocol) in conjunction with
# dns & files.
#

passwd: files ldap
group: files ldap
hosts: dns [NOTFOUND=return] files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: files
netgroup: files ldap
automount: files
aliases: files
services: files ldap

My recommendation is to copy the /etc/nsswitch.ldap file to /etc/nsswitch.conf and reboot the system in order to get all the running processes to use the new nsswitch.conf file. At least that would eliminate the possibility of a process using a bogus out-of-date nsswitch.conf entry that contains a reference to LDAP when it shouldn't.

Regards,

Dave

Re: LDAP CDE/dtlogin problem

Muthukumar_5 — Tue, 24 Aug 2004 23:13:30 GMT

Your pam.conf file seems to be okie. But nsswitch.conf file settings are not okie on hosts entry.

hosts: ldap files dns

It will try to resolve ldap,/etc/hosts then /etc/resolv.conf files.

Resolvation of hosts are good to start with dns and files then others.

Default recommendation from LDAP product is as /etc/nsswitch.ldap file as,
hosts: dns [NOTFOUND=return] files ldap

But there is some problem will be faced on dns [NOTFOUND=return]. So it is to good to keep as,

hosts: dns files ldap

It will do now.

check hostname resolvation as,

nsquery hosts "dns files ldap"

then check now,

nsquery hosts "ldap files dns"

You will feel the change. I am also using the ldap / pam authentication,

Check it and make the appropriate change on /etc/nsswitch.conf file

Regards
Muthu

Re: LDAP CDE/dtlogin problem

Ermin Borovac — Wed, 25 Aug 2004 00:38:58 GMT

I would suggest that you add dtlogin/dtaction lines to all sections in pam.conf as per sample LDAP pam.conf (/etc/pam.ldap). These lines are used by CDE so they may be significant.

Also in session management section you seem to be missing libpam_unix.so.1 line.

OTHER session sufficient /usr/lib/security/$ISA/libpam_unix.so.1

I've included full pam.conf example below.

#
# Authentication management
#
login auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
su auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
su auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtaction auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtaction auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
ftp auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
ftp auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login account required /usr/lib/security/$ISA/libpam_ldap.so.1
su account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
su account required /usr/lib/security/$ISA/libpam_ldap.so.1
dtlogin account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin account required /usr/lib/security/$ISA/libpam_ldap.so.1
dtaction account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtaction account required /usr/lib/security/$ISA/libpam_ldap.so.1
ftp account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
ftp account required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER account required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Session management
#
login session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login session required /usr/lib/security/$ISA/libpam_ldap.so.1
dtlogin session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin session required /usr/lib/security/$ISA/libpam_ldap.so.1
dtaction session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtaction session required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER session required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Password management
#
login password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
passwd password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtlogin password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtaction password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtaction password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass

Re: LDAP CDE/dtlogin problem

Weiping He_1 — Wed, 25 Aug 2004 09:36:06 GMT

Thanks a lot!
I change the nsswitch.conf and pam.conf,
still no luck.
now the error msg become

Aug 25 10:29:41 syslog: unix pam_sm_authenticate(dtlogin waypin), flags = 0
Aug 25 10:29:41 syslog: perform_passwd_aging_check: 12621 12655 -1 -1
Aug 25 10:29:41 syslog: pam_acct_mgmt: error Get new authentication token
Aug 25 10:29:41 syslog: pam_acct_mgmt: error No account present for user

BTW, I created a file link in
/usr/lib/security/
from libpam_ldap.so.1 to libpam_ldap.1
-r-xr-xr-x 1 root sys 346736 Dec 15 2003 libpam_ldap.1
lrwxrwxrwx 1 root sys 15 Aug 25 10:29 libpam_ldap.so.1 -> ./libpam_ldap.1

Because the log conplains that
syslog: load_modules: can not open module /usr/lib/security/libpam_ldap.so.1

Re: LDAP CDE/dtlogin problem

Weiping He_1 — Wed, 25 Aug 2004 10:34:33 GMT

This is the latest error I got.
Thanks a bunch!

Aug 25 11:34:22 hp-dual2 syslog: unix pam_sm_authenticate(dtlogin weiping), flag
s = 0
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: -1 12655
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: flags 0x0
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: 12621 -1 -1
Aug 25 11:34:22 hp-dual2 syslog: perform_passwd_aging_check: 12621 12655 -1 -1
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: 10 0 weiping
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: error 10
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: exiting, error 10
Aug 25 11:34:22 hp-dual2 syslog: pam_acct_mgmt: error Get new authentication tok
en
Aug 25 11:34:22 hp-dual2 syslog: PAM_LDAP Entering pam_sm_acct_mgmt... flags (0
)
Aug 25 11:34:22 hp-dual2 syslog: PAM_LDAP Entering new fix
Aug 25 11:34:22 hp-dual2 syslog: pam_acct_mgmt: error No account present for use

Re: LDAP CDE/dtlogin problem

Doug Lamoureux_2 — Wed, 25 Aug 2004 17:57:36 GMT

Is LDAP-UX configured? Your last message shows that PAM_LDAP can not find the user account? Does:
/usr/contrib/bin/nsquery passwd ldap

return the users entry? Is this user defined in the local passwd/shadow password file as well as LDAP (looks like it is from the syslogs)?

Re: LDAP CDE/dtlogin problem

Weiping He_1 — Wed, 25 Aug 2004 20:50:11 GMT

Thanks for you reply.

Yes, I did set up LDAP client.
nsquery ldap do have entries return.
LDAP users can telnet in but cannot dtlogin in.

# /usr/contrib/bin/nsquery passwd weiping ldap

Using "ldap" for the passwd policy.

Searching ldap for weiping
User name: weiping
User Id: 5556
Group Id: 15
Gecos:
Home Directory: /home/weiping
Shell: /usr/bin/tcsh

Switch configuration: Terminates Search

Re: LDAP CDE/dtlogin problem

Ermin Borovac — Wed, 25 Aug 2004 21:13:38 GMT

Have you restarted dtlogin after modifying pam.conf?

/sbin/init.d/dtlogin.rc stop
/sbin/init.d/dtlogin.rc start

Re: LDAP CDE/dtlogin problem

Weiping He_1 — Thu, 26 Aug 2004 10:39:22 GMT

I did restart the dtlogin. Even reboot the machine.

The problem is still there.

Aug 26 11:37:59 hp-dual2 syslog: unix pam_sm_authenticate(dtlogin weiping), flags = 0
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: -1 12656
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: flags 0x0
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: 12621 -1 -1
Aug 26 11:37:59 hp-dual2 syslog: perform_passwd_aging_check: 12621 12656 -1 -1
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: 10 0 weiping
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: error 10
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: exiting, error 10
Aug 26 11:37:59 hp-dual2 syslog: pam_acct_mgmt: error Get new authentication token
Aug 26 11:37:59 hp-dual2 syslog: PAM_LDAP Entering pam_sm_acct_mgmt... flags (0)
Aug 26 11:37:59 hp-dual2 syslog: PAM_LDAP Entering new fix
Aug 26 11:37:59 hp-dual2 syslog: pam_acct_mgmt: error No account present for user

Re: LDAP CDE/dtlogin problem

Dave Olker — Thu, 26 Aug 2004 10:44:10 GMT

Hi Weiping,

Does this problem happen for all users, or just the "weiping" user?

Also, what kind of shell is /usr/bin/tcsh? I don't have that shell on my 11.23 system. Just out of curiosity, have you tried using a different shell, like /usr/bin/ksh or /usr/bin/csh or /usr/bin/sh to see if this is a shell-related problem? Do you have an /etc/shells file with this non-standard shell in it?

Regards,

Dave

Re: LDAP CDE/dtlogin problem

Weiping He_1 — Thu, 26 Aug 2004 13:09:57 GMT

Thanks,

I did try other users with
csh or ksh.
not working. :(
I also have entried in the /etc/shells.

don't know why.

Re: LDAP CDE/dtlogin problem

Doug Lamoureux_2 — Thu, 26 Aug 2004 14:13:12 GMT

it looks like your user has an entry in the local /etc/passwd & shadow file as well as LDAP???:

Aug 26 11:37:59 hp-dual2 syslog: perform_passwd_aging_check: 12621 12656 -1 -1
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: 10 0 weiping
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: error 10

This is logged by the pam_unix account management module, so if the user is just in ldap they should not go through this module.

Is pam_unix required for dtlogin?
What's the output of
grep ^dtlogin /etc/pam.conf

Is the dtlogin pam configuration different then others, say login:
grep ^login /etc/pam.conf

Re: LDAP CDE/dtlogin problem

Weiping He_1 — Thu, 02 Sep 2004 16:48:45 GMT

Finally fixed!
According to HP technical support:
just add the following two lines to your /etc/opt/ldapux/ldapux_profile.ldif file and run /opt/ldapux/config/create_profile_cache and then restart ldapclientd daemon.

attributemap: passwd:userpassword=*NULL*
attributemap: shadow:userpassword=*NULL*

Thanks a lot for your replies!