LDAP-UX issues trying to use 389-DS - users can't login



I have a 389-DS in my environment and I'm trying to set up my 11.31 HP-UX server to allow LDAP logins. I have everything configured, but I get a few strange issues.


1. Says ldap user password is expired when it's not:


If I try to ssh to this user I get "Access denied" right away.  In syslog.log the error message looks like this:

Nov  3 09:58:26 ux11 sshd[3171]: error: PAM: No account present for user for tesusr from xxx

If I try to su to this user as root it works fine, but if I su as another user I get this:


# su - testusr
Value of TERM has been set to "vt100".
testusr last login at xx Thu Mar 3 14:12 - 14:12 (00:00)


$ su - testusr
su: Password for testusr has expired. Choose new password and try again
su: Sorry



No prompt to change my password or anything, it just fails.

I have another LDAP user that is configured EXACTLY the same as this user; ssh login to this user works, though. I'm wondering if there's some sort of credential caching that's remembering that testusr's password is expired even though it's not. Note above the timestamp of the last login for this user, even though I just created this user in my directory server. This user used to exist locally, I believe.

I have LDAP-UX Client 5.01 installed on HP-UX 11.31.


2. When logged in as an LDAP user, if I try to reset my password I get no prompt or anything; it just doesn't work:

$ passwd


nsswitch.conf has ldap entered after passwd, shadow, group.

Here's my pam.conf file:


# Authentication management
login auth required
login auth sufficient
login auth required use_first_pass
su auth required bypass_setaud
su auth sufficient
su auth required use_first_pass
dtlogin auth required
dtlogin auth sufficient
dtlogin auth required use_first_pass
dtaction auth required
dtaction auth sufficient
dtaction auth required use_first_pass
ftp auth required
ftp auth sufficient
ftp auth required use_first_pass
rcomds auth required
rcomds auth sufficient
rcomds auth required use_first_pass
sshd auth required debug
sshd auth sufficient debug
sshd auth required use_first_pass debug
OTHER auth required
OTHER auth sufficient
OTHER auth required use_first_pass
# Account management
login account required
login account sufficient
login account required
su account required
su account sufficient
su account required
dtlogin account required
dtlogin account sufficient
dtlogin account required
dtaction account required
dtaction account sufficient
dtaction account required
ftp account required
ftp account sufficient
ftp account required
rcomds account required
rcomds account sufficient
rcomds account required
sshd account required
sshd account sufficient
sshd account sufficient
OTHER account required
OTHER account sufficient
OTHER account required
# Session management
login session required
login session sufficient
login session required
dtlogin session required
dtlogin session sufficient
dtlogin session required
ftp session required bypass_limit_login bypass_umask bypass_nologin
ftp session sufficient
ftp session required
rcomds session required bypass_limit_login
rcomds session sufficient
rcomds session required
sshd session required
sshd session sufficient
sshd session required
OTHER session required
OTHER session sufficient
OTHER session required
# Password management
login password required
login password sufficient
login password required use_first_pass
passwd password required
passwd password sufficient
passwd password required use_first_pass
dtlogin password required
dtlogin password sufficient
dtlogin password required use_first_pass
sshd password required
sshd password sufficient
sshd password required use_first_pass
OTHER password required
OTHER password sufficient
OTHER password required use_first_pass



Thanks for the help!