ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?




After the major incident where we could not log in through the MP as root or as any local user, because the LDAP server (389-ds) hung (SYN attack) and then the HP-UX process ldapclientd hung as well, we had to "RS" the server in the end. Right now I am still fighting with "how can we avoid this next time the LDAP server/ldapclientd goes bad?"


I got a hint that we can change "auth" in pam.conf, so that no matter how crazy ldapclientd goes, local logins are still available.


I will change something in the original HP-UX 11.31 pam.ldap, and after that I will use it as pam.conf.


1) I change "required" to "sufficient" so libpam_ldap will not be called if libpam_unix succeeds:


rcomds   auth required
rcomds   auth sufficient
rcomds   auth sufficient       try_first_pass
sshd     auth required
sshd     auth sufficient
sshd     auth sufficient       try_first_pass



2) But "auth" might not be enough: when you log in, the OS checks which tty you use (session realm), whether your password is expired (password realm), and whether this is a local account (account realm). So I think we need to modify the other realms as well:



su       account required
su       account sufficient
su       account sufficient


is this OK?


I attach hereby the original HP-UX pam.ldap and my new pam.conf. I have tested it on one server and it works for both local and LDAP login. I can't simulate the SYN attack (using scapy) again, so I don't really know whether we can log in as root through the MP if this happens again.


Is pam.conf.MY correct, or is there anything else I have overlooked? Does replacing "required" have any drawbacks?


Please help, thanks








Re: ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?

Thanks to HP, the problem is solved by using a new pam.conf and pam_user.conf. The key is pam_user.conf, which allows root/local users to log in from the MP when LDAP hangs.


The attachments are for 11.23/11.31 with TCB and for 11.31 with /etc/shadow (the last one is the original file from the HP OS).

NB: if you don't use pam_access, please remove the lines "".


Yes, I give up on trying to understand PAM in depth; my logic doesn't work there. I leave it now to Brian at HP :-)


Thanks very much



PS: I use "kill -STOP <slapd PID>" to simulate the hang (-CONT to continue), a tip from HP.

PS2: "search time limit" is set to 6s in the HP profile on the 389-ds server.
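The two files above are attachments that did not survive on this page, so here is an added, constructed example of the approach the reply describes: a per-user PAM stack for root that never touches libpam_ldap. It is not one of the poster's files and not HP's shipped pam.ldap. It assumes the HP-UX 11i conventions of pam.conf(4) and pam_user.conf(4) as I understand them: libpam_updbe.so.1 listed first for a service looks the user up in /etc/pam_user.conf and, when the user is listed there, uses that user's entries instead of the remaining pam.conf entries for the same service and module type; module names libpam_updbe.so.1, libpam_unix.so.1 and libpam_ldap.so.1; and "login" as the service that a console session through the MP ends up in. Only "login" and "su" are shown; repeat the pattern for sshd, rcomds and any other service you need, and keep any libpam_hpsec.so.1 lines your shipped file carries in their place. Verify the control-flag and lookup semantics against pam_user.conf(4) on your own release before relying on it.

```conf
# /etc/pam.conf (constructed excerpt, not HP's shipped file)
# Format: service  module_type  control_flag  module_path  [options]
#
# libpam_updbe.so.1 goes first so that users listed in /etc/pam_user.conf
# get their own stack before the LDAP module is ever reached.
login   auth      required    libpam_updbe.so.1
login   auth      sufficient  libpam_unix.so.1
login   auth      required    libpam_ldap.so.1   try_first_pass
login   account   required    libpam_updbe.so.1
login   account   sufficient  libpam_unix.so.1
login   account   required    libpam_ldap.so.1
login   session   required    libpam_updbe.so.1
login   session   required    libpam_unix.so.1
login   password  required    libpam_updbe.so.1
login   password  sufficient  libpam_unix.so.1
login   password  required    libpam_ldap.so.1   try_first_pass

su      auth      required    libpam_updbe.so.1
su      auth      sufficient  libpam_unix.so.1
su      auth      required    libpam_ldap.so.1   try_first_pass
su      account   required    libpam_updbe.so.1
su      account   sufficient  libpam_unix.so.1
su      account   required    libpam_ldap.so.1
su      session   required    libpam_updbe.so.1
su      session   required    libpam_unix.so.1

# /etc/pam_user.conf (constructed example)
# Format: login_name  module_type  module_path  [options]
#
# root (and any other emergency local account you add here) is handled by
# libpam_unix.so.1 alone for every module type, so a hung ldapclientd cannot
# block a console login from the MP.
root    auth      libpam_unix.so.1
root    account   libpam_unix.so.1
root    session   libpam_unix.so.1
root    password  libpam_unix.so.1
```

To check it the way the reply suggests, freeze slapd with kill -STOP (or stop ldapclientd) and log in as root on the console: libpam_ldap should not be invoked at all for that user. Two caveats a practitioner will want. First, this only covers PAM; name-service lookups go through /etc/nsswitch.conf separately, so the emergency accounts must exist in /etc/passwd (and /etc/shadow or the TCB database) and "files" must precede "ldap" there, otherwise getpwnam() can still stall on ldapclientd before PAM is ever consulted. Second, the per-user stack is a deliberate bypass of whatever LDAP-side policy (account lockout, password expiry) applies to other users, so keep the list of users in pam_user.conf to the minimum and protect the file like you would /etc/shadow.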