
LDAP CDE/dtlogin problem

 
Weiping He_1
Occasional Advisor


I have trouble logging in to an HP-UX 11.23 server with an LDAP user account.
I can log in via telnet, or su from another user.
Can anybody help me?
Thanks a lot!

This is the error msg I got:
syslog: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'



pam.conf
login auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1 debug
login auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass debug
su auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
su auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1 debug
dtlogin auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass debug
ftp auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
ftp auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login account required /usr/lib/security/$ISA/libpam_ldap.so.1
su account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
su account required /usr/lib/security/$ISA/libpam_ldap.so.1
ftp account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
ftp account required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER account required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Session management
#
login session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login session required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER session required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Password management
#
login password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
passwd password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass



nsswitch.conf

passwd: files ldap
group: files ldap
hosts: ldap files dns
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap




Dave Olker
Neighborhood Moderator

Re: LDAP CDE/dtlogin problem

Hi,

I looked up the code for user2netname() and this function uses the "publickey" entry in the /etc/nsswitch.conf file to convert the unix credentials to a network-name.

The fact that your current /etc/nsswitch.conf file says:

publickey: files

but the syslog entry indicates "ldap" tells me that at one time, likely at boot time, the /etc/nsswitch.conf entry for publickey probably included "ldap".

Did you modify the /etc/nsswitch.conf file to remove "ldap" from the publickey entry after the system was booted? If so, you may need to reboot the system in order to get all running processes to re-read the current nsswitch.conf file, as most processes read this file once at initialization time and then don't refer to the file again until they are restarted.

Also, I don't think many of the entries in your nsswitch.conf file are valid for "ldap". I know for a fact that AutoFS (automount entry) doesn't support LDAP.

If you look at the /etc/nsswitch.ldap file you will see which services are supported for LDAP lookups. On my 11.23 system, this file contains:

#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf. It
# uses LDAP (Lightweight Directory Access Protocol) in conjunction with
# dns & files.
#

passwd: files ldap
group: files ldap
hosts: dns [NOTFOUND=return] files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: files
netgroup: files ldap
automount: files
aliases: files
services: files ldap


My recommendation is to copy the /etc/nsswitch.ldap file to /etc/nsswitch.conf and reboot the system in order to get all the running processes to use the new nsswitch.conf file. At least that would eliminate the possibility of a process using a bogus out-of-date nsswitch.conf entry that contains a reference to LDAP when it shouldn't.

Regards,

Dave


I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Muthukumar_5
Honored Contributor

Re: LDAP CDE/dtlogin problem

Your pam.conf file seems to be OK. But the nsswitch.conf settings are not OK on the hosts entry.

hosts: ldap files dns

It will try to resolve via ldap, then /etc/hosts, then /etc/resolv.conf.

Host resolution is best started with dns and files, then the others.

The default recommendation from the LDAP product, as in the /etc/nsswitch.ldap file, is
hosts: dns [NOTFOUND=return] files ldap

But some problems will be faced with dns [NOTFOUND=return]. So it is good to keep it as

hosts: dns files ldap

It will do now.

Check hostname resolution with

nsquery hosts "dns files ldap"

then check now,

nsquery hosts "ldap files dns"

You will feel the change. I am also using the ldap / pam authentication,

Check it and make the appropriate change on /etc/nsswitch.conf file

Regards
Muthu

Easy to suggest when you don't know about the problem!
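Both points above, Dave's that the 11.23 /etc/nsswitch.ldap sample only lists "ldap" for some databases, and Muthu's that hosts should not consult ldap before dns and files, can be checked mechanically. The script below is an added example, not code from the thread or from HP; the set of LDAP-capable databases is taken from the /etc/nsswitch.ldap listing above, and treating every other database as not LDAP-capable is an assumption made here for illustration. It only inspects the file; it cannot tell what a long-running process read at boot, which is the separate caching issue Dave raises.

```python
"""Check an HP-UX 11.23 nsswitch.conf against the LDAP-UX sample.

Added example (not from the thread). LDAP_CAPABLE lists the databases
whose line in the 11.23 /etc/nsswitch.ldap sample includes "ldap";
treating any other database with an "ldap" source as unsupported is an
assumption for illustration. The two sample files are constructed
copies of the original poster's nsswitch.conf and of the sample file.
"""
import re

LDAP_CAPABLE = {"passwd", "group", "hosts", "networks", "protocols",
                "rpc", "netgroup", "services"}

# Constructed sample: the original poster's /etc/nsswitch.conf.
SAMPLE_NSSWITCH = """\
passwd: files ldap
group: files ldap
hosts: ldap files dns
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: files
netgroup: files ldap
automount: files ldap
aliases: files ldap
services: files ldap
"""

# Constructed sample: the 11.23 /etc/nsswitch.ldap file quoted above.
LDAP_SAMPLE = """\
# /etc/nsswitch.ldap (sample)
passwd: files ldap
group: files ldap
hosts: dns [NOTFOUND=return] files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: files
netgroup: files ldap
automount: files
aliases: files
services: files ldap
"""


def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [criteria] actions."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Drop "[NOTFOUND=return]"-style action specs; keep only source names.
        table[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return table


def check_nsswitch(text):
    """Return (database, finding) pairs for the two issues raised in the thread."""
    findings = []
    for db, sources in parse_nsswitch(text).items():
        if "ldap" in sources and db not in LDAP_CAPABLE:
            findings.append((db, "ldap listed, but the 11.23 sample file does "
                                 "not use ldap for this database"))
        if db == "hosts" and sources and sources[0] == "ldap":
            findings.append((db, "ldap consulted before dns/files; every "
                                 "hostname lookup then depends on the directory"))
    return findings


if __name__ == "__main__":
    for name, text in (("poster's file", SAMPLE_NSSWITCH), ("sample file", LDAP_SAMPLE)):
        print(name)
        for db, msg in check_nsswitch(text) or [("-", "no findings")]:
            print(f"  {db}: {msg}")
```

Run against the poster's file it reports hosts, automount and aliases; run against the sample file it reports nothing, which is the comparison Dave suggests making before copying /etc/nsswitch.ldap into place.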
Ermin Borovac
Honored Contributor

Re: LDAP CDE/dtlogin problem

I would suggest that you add dtlogin/dtaction lines to all sections in pam.conf as per sample LDAP pam.conf (/etc/pam.ldap). These lines are used by CDE so they may be significant.

Also, in the session management section you seem to be missing the libpam_unix.so.1 line.

OTHER session sufficient /usr/lib/security/$ISA/libpam_unix.so.1

I've included full pam.conf example below.

#
# Authentication management
#
login auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
su auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
su auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtaction auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtaction auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
ftp auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
ftp auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login account required /usr/lib/security/$ISA/libpam_ldap.so.1
su account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
su account required /usr/lib/security/$ISA/libpam_ldap.so.1
dtlogin account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin account required /usr/lib/security/$ISA/libpam_ldap.so.1
dtaction account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtaction account required /usr/lib/security/$ISA/libpam_ldap.so.1
ftp account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
ftp account required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER account required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Session management
#
login session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login session required /usr/lib/security/$ISA/libpam_ldap.so.1
dtlogin session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin session required /usr/lib/security/$ISA/libpam_ldap.so.1
dtaction session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtaction session required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER session required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Password management
#
login password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
passwd password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtlogin password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
dtaction password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
dtaction password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
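The two defects Ermin points out in the original pam.conf, a stack that carries only one of the two modules and CDE services that fall through to OTHER because they are not listed in every section, are easy to miss by eye in a file this repetitive. The checker below is an added example, not code from the thread or from HP; the sample pam.conf inside it is a trimmed, constructed copy of the original poster's file, and the expectation that every explicit stack carries both libpam_unix.so.1 and libpam_ldap.so.1 is an assumption taken from the sample /etc/pam.ldap layout shown above.

```python
"""Consistency check for an HP-UX pam.conf unix+ldap stack.

Added example (not from the thread). Assumptions, taken from the
sample pam.conf above: every explicit (service, type) stack should list
both libpam_unix.so.1 and libpam_ldap.so.1, and the CDE services
dtlogin and dtaction should appear in all four sections rather than
relying on the OTHER fallback. SAMPLE_PAM_CONF is a constructed,
trimmed copy of the original poster's file.
"""
import os

TYPES = ("auth", "account", "session", "password")
REQUIRED_MODULES = ("libpam_unix.so.1", "libpam_ldap.so.1")
CDE_SERVICES = ("dtlogin", "dtaction")

SAMPLE_PAM_CONF = """\
login auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1 debug
login auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass debug
dtlogin auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1 debug
dtlogin auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass debug
OTHER auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
#
# Account management
#
login account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login account required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER account required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Session management
#
login session sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login session required /usr/lib/security/$ISA/libpam_ldap.so.1
OTHER session required /usr/lib/security/$ISA/libpam_ldap.so.1
#
# Password management
#
login password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
OTHER password sufficient /usr/lib/security/$ISA/libpam_unix.so.1
OTHER password required /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
"""


def parse_pam_conf(text):
    """Return {(service, type): [module basenames]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # service type control module [options]; skip malformed lines rather than guess
        if len(fields) < 4 or fields[1] not in TYPES:
            continue
        service, mtype, module_path = fields[0], fields[1], fields[3]
        stacks.setdefault((service, mtype), []).append(os.path.basename(module_path))
    return stacks


def missing_modules(text):
    """Explicit stacks that lack one of the two expected modules."""
    out = []
    for (service, mtype), modules in parse_pam_conf(text).items():
        for wanted in REQUIRED_MODULES:
            if wanted not in modules:
                out.append((service, mtype, wanted))
    return out


def missing_cde_stacks(text, services=CDE_SERVICES):
    """(service, type) pairs for CDE services that would fall through to OTHER."""
    stacks = parse_pam_conf(text)
    return [(s, t) for s in services for t in TYPES if (s, t) not in stacks]


if __name__ == "__main__":
    for service, mtype, module in missing_modules(SAMPLE_PAM_CONF):
        print(f"{service} {mtype}: missing {module}")
    for service, mtype in missing_cde_stacks(SAMPLE_PAM_CONF):
        print(f"{service} {mtype}: not listed explicitly, falls through to OTHER")
```

On the poster's file this reports the single OTHER session stack without libpam_unix.so.1 and the seven dtlogin/dtaction stacks that are absent; on the full example pam.conf above it reports nothing.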
Weiping He_1
Occasional Advisor

Re: LDAP CDE/dtlogin problem

Thanks a lot!
I changed the nsswitch.conf and pam.conf,
still no luck.
Now the error msg becomes

Aug 25 10:29:41 syslog: unix pam_sm_authenticate(dtlogin waypin), flags = 0
Aug 25 10:29:41 syslog: perform_passwd_aging_check: 12621 12655 -1 -1
Aug 25 10:29:41 syslog: pam_acct_mgmt: error Get new authentication token
Aug 25 10:29:41 syslog: pam_acct_mgmt: error No account present for user

BTW, I created a file link in
/usr/lib/security/
from libpam_ldap.so.1 to libpam_ldap.1
-r-xr-xr-x 1 root sys 346736 Dec 15 2003 libpam_ldap.1
lrwxrwxrwx 1 root sys 15 Aug 25 10:29 libpam_ldap.so.1 -> ./libpam_ldap.1

Because the log complains that
syslog: load_modules: can not open module /usr/lib/security/libpam_ldap.so.1
Weiping He_1
Occasional Advisor

Re: LDAP CDE/dtlogin problem

This is the latest error I got.
Thanks a bunch!

Aug 25 11:34:22 hp-dual2 syslog: unix pam_sm_authenticate(dtlogin weiping), flags = 0
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: -1 12655
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: flags 0x0
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: 12621 -1 -1
Aug 25 11:34:22 hp-dual2 syslog: perform_passwd_aging_check: 12621 12655 -1 -1
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: 10 0 weiping
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: error 10
Aug 25 11:34:22 hp-dual2 syslog: pam_sm_acct_mgmt: exiting, error 10
Aug 25 11:34:22 hp-dual2 syslog: pam_acct_mgmt: error Get new authentication token
Aug 25 11:34:22 hp-dual2 syslog: PAM_LDAP Entering pam_sm_acct_mgmt... flags (0)
Aug 25 11:34:22 hp-dual2 syslog: PAM_LDAP Entering new fix
Aug 25 11:34:22 hp-dual2 syslog: pam_acct_mgmt: error No account present for user
Doug Lamoureux_2
Valued Contributor

Re: LDAP CDE/dtlogin problem

Is LDAP-UX configured? Your last message shows that PAM_LDAP can not find the user account? Does:
/usr/contrib/bin/nsquery passwd ldap

return the users entry? Is this user defined in the local passwd/shadow password file as well as LDAP (looks like it is from the syslogs)?
Weiping He_1
Occasional Advisor

Re: LDAP CDE/dtlogin problem

Thanks for your reply.

Yes, I did set up the LDAP client.
nsquery ldap does return entries.
LDAP users can telnet in but cannot log in via dtlogin.

# /usr/contrib/bin/nsquery passwd weiping ldap

Using "ldap" for the passwd policy.

Searching ldap for weiping
User name: weiping
User Id: 5556
Group Id: 15
Gecos:
Home Directory: /home/weiping
Shell: /usr/bin/tcsh

Switch configuration: Terminates Search
Ermin Borovac
Honored Contributor

Re: LDAP CDE/dtlogin problem

Have you restarted dtlogin after modifying pam.conf?

/sbin/init.d/dtlogin.rc stop
/sbin/init.d/dtlogin.rc start
Weiping He_1
Occasional Advisor

Re: LDAP CDE/dtlogin problem

I did restart dtlogin. I even rebooted the machine.

The problem is still there.

Aug 26 11:37:59 hp-dual2 syslog: unix pam_sm_authenticate(dtlogin weiping), flags = 0
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: -1 12656
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: flags 0x0
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: 12621 -1 -1
Aug 26 11:37:59 hp-dual2 syslog: perform_passwd_aging_check: 12621 12656 -1 -1
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: 10 0 weiping
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: error 10
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: exiting, error 10
Aug 26 11:37:59 hp-dual2 syslog: pam_acct_mgmt: error Get new authentication token
Aug 26 11:37:59 hp-dual2 syslog: PAM_LDAP Entering pam_sm_acct_mgmt... flags (0)
Aug 26 11:37:59 hp-dual2 syslog: PAM_LDAP Entering new fix
Aug 26 11:37:59 hp-dual2 syslog: pam_acct_mgmt: error No account present for user
Dave Olker
Neighborhood Moderator

Re: LDAP CDE/dtlogin problem

Hi Weiping,

Does this problem happen for all users, or just the "weiping" user?

Also, what kind of shell is /usr/bin/tcsh? I don't have that shell on my 11.23 system. Just out of curiosity, have you tried using a different shell, like /usr/bin/ksh or /usr/bin/csh or /usr/bin/sh to see if this is a shell-related problem? Do you have an /etc/shells file with this non-standard shell in it?

Regards,

Dave


Weiping He_1
Occasional Advisor

Re: LDAP CDE/dtlogin problem

Thanks,

I did try other users with
csh or ksh.
Not working. :(
I also have entries in /etc/shells.

Don't know why.
Doug Lamoureux_2
Valued Contributor

Re: LDAP CDE/dtlogin problem

It looks like your user has an entry in the local /etc/passwd and shadow files as well as in LDAP???:


Aug 26 11:37:59 hp-dual2 syslog: perform_passwd_aging_check: 12621 12656 -1 -1
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: 10 0 weiping
Aug 26 11:37:59 hp-dual2 syslog: pam_sm_acct_mgmt: error 10

This is logged by the pam_unix account management module, so if the user is just in ldap they should not go through this module.

Is pam_unix required for dtlogin?
What's the output of
grep ^dtlogin /etc/pam.conf

Is the dtlogin pam configuration different from the others, say login:
grep ^login /etc/pam.conf


Weiping He_1
Occasional Advisor

Re: LDAP CDE/dtlogin problem

Finally fixed!
According to HP technical support:
Just add the following two lines to your /etc/opt/ldapux/ldapux_profile.ldif file, run /opt/ldapux/config/create_profile_cache, and then restart the ldapclientd daemon.

attributemap: passwd:userpassword=*NULL*
attributemap: shadow:userpassword=*NULL*

Thanks a lot for your replies!