10-18-2013 08:01 AM
ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?
Hi,
After the major incident where we couldn't log in through the MP as root or any local user, because the LDAP server (389-ds) hung (SYN attack) and then the HP-UX process ldapclientd hung as well, we needed to "RS" the server in the end... Right now I am still fighting with "how can we avoid this next time when the LDAP server/ldapclientd goes bad".
I got a hint that we can change "auth" in pam.conf, so no matter how crazy ldapclientd goes, local logins are still available.
I will change something in the original HP-UX 11.31 pam.ldap; after that I will use it as pam.conf.
1) I change "required" to "sufficient" so libpam_ldap will not be called if libpam_unix succeeds:
...
rcomds auth required libpam_hpsec.so.1
rcomds auth sufficient libpam_unix.so.1
rcomds auth sufficient libpam_ldap.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_unix.so.1
sshd auth sufficient libpam_ldap.so.1 try_first_pass
..
2) But "auth" might not be enough: at login the OS will check which tty you use (session realm), whether your password is expired (password realm), and whether this is a local account (account realm). So I think we need to modify the other realms as well,
e.g.
su account required libpam_hpsec.so.1
su account sufficient libpam_unix.so.1
su account sufficient libpam_ldap.so.1
Is this OK?
I hereby attach the original HP-UX pam.ldap and my new pam. I have tested it on one server and it works for both local and LDAP login. I can't simulate the SYN attack (using scapy) again, so I don't really know if we can log in as root through the MP if this happens again.
Is pam.conf.MY correct, or is there anything else I have overlooked? Does replacing "required" have any drawbacks?
Please help, thanks
BR
Tuan
Ref:
http://archive09.linux.com/feature/113567
http://serverfault.com/questions/454625/pam-ldap-so-before-pam-unix-so-is-it-ever-possible
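The following is an added illustration, not code from the poster or from HP: a simplified model of how a PAM stack is walked, applied to the "required" to "sufficient" change in the post. It assumes the constructed ALL_REQUIRED baseline (every module required) and the post's sshd lines, with libpam_ldap treated as a module that never returns while the directory server is hung.

```python
# Added illustration (not HP-UX code): a simplified model of how a PAM stack
# is walked, applied to the 'required' -> 'sufficient' change proposed above.
OK, FAIL, HANG = "success", "failure", "hang"   # HANG: the module never returns

def parse_pam(text):
    """Parse pam.conf-style lines into (service, realm, control, module)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and not parts[0].startswith("#"):
            entries.append(tuple(parts[:4]))
    return entries

def walk_stack(entries, service, realm, module_result):
    """Modelled rules: a 'required' failure is remembered and the walk goes on;
    a 'sufficient' success ends the walk with success unless a required module
    already failed; a hung module blocks the login. Returns (result, called)."""
    called, required_failed, ok_seen = [], False, False
    for svc, rlm, control, module in entries:
        if svc != service or rlm != realm:
            continue
        called.append(module)
        res = module_result(module)
        if res == HANG:
            return HANG, called
        if control == "required":
            required_failed |= res == FAIL
            ok_seen |= res == OK
        elif control == "sufficient" and res == OK and not required_failed:
            return OK, called
    return (FAIL if required_failed or not ok_seen else OK), called
# Constructed stacks: every module 'required' versus the layout from the post.
ALL_REQUIRED = """\
sshd auth required libpam_hpsec.so.1
sshd auth required libpam_unix.so.1
sshd auth required libpam_ldap.so.1 try_first_pass
"""
SUFFICIENT_FIRST = """\
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_unix.so.1
sshd auth sufficient libpam_ldap.so.1 try_first_pass
"""

def simulate(conf, local_user):
    """Directory server hung: libpam_ldap never returns; libpam_unix succeeds
    only for an account held in the local passwd database."""
    def result(module):
        if module == "libpam_ldap.so.1":
            return HANG
        return (OK if local_user else FAIL) if module == "libpam_unix.so.1" else OK
    return walk_stack(parse_pam(conf), "sshd", "auth", result)
```

With the post's layout a local account is accepted by libpam_unix before libpam_ldap is ever called, while an LDAP account still blocks on the hung module, which is why the reply below moves to a per-user stack.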
03-02-2014 07:21 AM
Re: ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?
Thanks to HP, the problem is solved by using a new pam.conf and pam_user.conf; the key is "pam_user.conf", which allows root/local users to log in from the MP when LDAP hangs.
The attachments are for 11.23/11.31 with TCB and 11.31 with /etc/shadow (the last one is the original file from the HP OS).
NB: if you don't use PAM access, please remove the "libpam_authz.so.1" lines.
Yes, I surrender on learning how to understand PAM in depth; my logic does not work there. I leave it now to Brian at HP :-)
Thanks very much
Tuan
PS: I use "kill -STOP <slapd PID>" to simulate the hang (-CONT to continue), a tip from HP.
PS2: "search time limit" is set to 6s in the HP profile on the 389-ds server.