
ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?

Occasional Visitor

After the major incident where we couldn't log in through MP as root or any local user, because the LDAP server 389-ds hung (SYN attack) and then the HP-UX process ldapclientd hung as well. We needed to "RS" the server in the end... right now I am still fighting with "how can we avoid this next time when the LDAP server/ldapclientd goes bad".


I got a hint telling me we can change "auth" in pam.conf, so no matter how crazy ldapclientd goes, local logins are still available.


I will change something in the original HP-UX 11.31 pam.ldap, after that I will use it as pam.conf


1) I change "required" to "sufficient" so libpam_ldap will not be called if libpam_unix succeeds


rcomds   auth required     libpam_hpsec.so.1
rcomds   auth sufficient   libpam_unix.so.1
rcomds   auth sufficient   libpam_ldap.so.1 try_first_pass
sshd     auth required     libpam_hpsec.so.1
sshd     auth sufficient   libpam_unix.so.1
sshd     auth sufficient   libpam_ldap.so.1 try_first_pass



2) But "auth" might not be enough; when you log in, the OS will check which tty you use (session realm), whether your password has expired (password realm), and whether this is a local account (account realm). So I think we need to modify the other realms as well



su       account required     libpam_hpsec.so.1
su       account sufficient   libpam_unix.so.1
su       account sufficient   libpam_ldap.so.1


Is this OK?


I attach hereby the original HP-UX pam.ldap and my new pam. I have tested it on one server and it works for both local and LDAP login. I can't simulate the SYN attack (using scapy) again, so I don't really know if we can log in as root through MP if this happens again.


Is pam.conf.MY correct, or is there anything else I have overlooked? Does replacing "required" have any drawbacks?


Please help, thanks
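As an added illustration (not code from the thread or from HP), here is a small Python model of how a PAM stack walks its control flags, fed with the sshd auth lines quoted above. It assumes the usual required/requisite/sufficient/optional semantics plus a Linux-PAM-style end-of-stack rule, both of which should be checked against pam.conf(4) on HP-UX; a module that never returns, like one waiting on a hung ldapclientd, is modelled as the outcome "hang".

```python
# Toy PAM control-flag evaluator (added example, not code from the thread).
# Assumes the usual required/requisite/sufficient/optional semantics (verify
# against pam.conf(4) on HP-UX) and treats a module that never returns, e.g.
# one blocked behind a hung ldapclientd, as "hang". The stacks are the sshd
# auth lines from the post; the module outcomes below are constructed.

ORIGINAL = """\
sshd auth required   libpam_hpsec.so.1
sshd auth sufficient libpam_unix.so.1
sshd auth required   libpam_ldap.so.1 try_first_pass
"""
MODIFIED = ORIGINAL.replace("required   libpam_ldap", "sufficient libpam_ldap")

def parse_stack(conf, service="sshd", realm="auth"):
    """Return [(control_flag, module), ...] for one service/realm, in file order."""
    rows = (line.split() for line in conf.splitlines())
    return [(f[2], f[3]) for f in rows if len(f) > 3 and f[:2] == [service, realm]]

def evaluate(stack, outcomes):
    """outcomes: module -> 'ok' | 'fail' | 'hang'. Returns (overall, modules_called)."""
    called, required_failed, status = [], False, None
    for flag, module in stack:
        result = outcomes.get(module, "ok")
        called.append(module)
        if result == "hang":             # control never returns to libpam, so no
            return "hang", called        # later control flag can rescue the login
        if flag == "requisite" and result == "fail":
            return "fail", called
        if flag == "required":
            if result == "fail":
                required_failed = True
            elif status is None:
                status = "ok"            # first required success is remembered
        elif flag == "sufficient" and result == "ok" and not required_failed:
            return "ok", called          # short-circuit: remaining modules skipped
        elif flag == "optional" and result == "ok" and status is None:
            status = "ok"
    # End-of-stack rule (assumption): a required failure denies; otherwise the
    # remembered status decides, and nothing recorded means denied.
    return ("fail" if required_failed or status is None else "ok"), called

if __name__ == "__main__":
    scenarios = {"local root, LDAP stuck": {"libpam_unix.so.1": "ok", "libpam_ldap.so.1": "hang"},
                 "LDAP user, LDAP stuck": {"libpam_unix.so.1": "fail", "libpam_ldap.so.1": "hang"},
                 "unknown user, LDAP up": {"libpam_unix.so.1": "fail", "libpam_ldap.so.1": "fail"}}
    for name, conf in (("original", ORIGINAL), ("modified", MODIFIED)):
        for label, outcomes in scenarios.items():
            print(name, "|", label, "|", evaluate(parse_stack(conf), outcomes))
```

Under this model a local account whose libpam_unix check succeeds never reaches the LDAP module in either stack, because the "sufficient" libpam_unix line short-circuits first, while a login that does reach a hung module blocks whatever flag that module carries; the last scenario shows that once libpam_ldap is "sufficient", a failure of both libpam_unix and libpam_ldap ends the stack on the remembered result of libpam_hpsec, which is worth checking against the real HP-UX end-of-stack rule.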


Occasional Visitor

Re: ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?

Thanks to HP, the problem is solved by using a new pam.conf and pam_user.conf; the key is "pam_user.conf", which allows root/local users to log in from MP when LDAP hangs.


The attachments are for 11.23/11.31 with TCB and 11.31 with /etc/shadow (the last one is the original file from the HP OS).

NB: if you don't use pam access, please remove the "libpam_authz.so.1" lines


Yes, I give up trying to understand PAM in depth; my logic doesn't work there. I leave it now to Brian at HP :-)


Thanks very much



PS: I use "kill -STOP <slapd PID>" to simulate the hang (-CONT to continue), a tip from HP

PS2: "search time limit" set to 6s in the HP profile on the 389-ds server