HPE Community
Operating System - HP-UX
1820695 Members
3176 Online
109627 Solutions
New Discussion

LDAP-UX issues trying to use 389-DS - users can't login

 
Rike255
Occasional Contributor

‎11-03-2011 09:08 AM

‎11-03-2011 09:08 AM

LDAP-UX issues trying to use 389-DS - users can't login

Hello,

 

I have a 389-DS in my environment and I'm trying to setup my 11.31 HP-UX server to allow ldap logins.  I have everything configured but I get a few strange issues.

 

1. Says ldap user password is expired when it's not:

 

If I try to ssh to this user I get "Access denied" right away.  In syslog.log the error message looks like this:

Nov  3 09:58:26 ux11 sshd[3171]: error: PAM: No account present for user for tesusr from xxx

If I try to su to this user as root it works fine, but if I su as another user I get this:

---------

# su - testusr
Value of TERM has been set to "vt100".
testusr last login at xx Thu Mar 3 14:12 - 14:12 (00:00)
$

---------

$ su - testusr
Password:
su: Password for testusr has expired. Choose new password and try again
su: Sorry

 

 

No prompt to change my password or anything, it just fails.

I have another ldap user that is configured EXACTLY the same as this user, ssh login to this user works though.  I'm wondering if there's some sort of credential caching that's remembering that testusr password is expired even though it's not.  Note above the time stamp of the last login for this user even though I just created this user in my directory server.  This user used to exist locally I believe.

I have LDAP-UX Client 5.01 installed on HP-UX 11.31.

 

2. When logged in as an LDAP user if I try to reset my password I get no prompt or anything, it just doesn't work:

$ passwd
$

 

nsswitch.conf has ldap entered after passwd, shadow, group.

Here's my pam.conf file:

 

#
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_unix.so.1
login auth required libpam_ldap.so.1 use_first_pass
su auth required libpam_hpsec.so.1 bypass_setaud
su auth sufficient libpam_unix.so.1
su auth required libpam_ldap.so.1 use_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth sufficient libpam_unix.so.1
dtlogin auth required libpam_ldap.so.1 use_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth sufficient libpam_unix.so.1
dtaction auth required libpam_ldap.so.1 use_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth sufficient libpam_unix.so.1
ftp auth required libpam_ldap.so.1 use_first_pass
rcomds auth required libpam_hpsec.so.1
rcomds auth sufficient libpam_unix.so.1
rcomds auth required libpam_ldap.so.1 use_first_pass
sshd auth required libpam_hpsec.so.1 debug
sshd auth sufficient libpam_unix.so.1 debug
sshd auth required libpam_ldap.so.1 use_first_pass debug
OTHER auth required libpam_hpsec.so.1
OTHER auth sufficient libpam_unix.so.1
OTHER auth required libpam_ldap.so.1 use_first_pass
#
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_unix.so.1
login account required libpam_ldap.so.1
su account required libpam_hpsec.so.1
su account sufficient libpam_unix.so.1
su account required libpam_ldap.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_unix.so.1
dtlogin account required libpam_ldap.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_unix.so.1
dtaction account required libpam_ldap.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_unix.so.1
ftp account required libpam_ldap.so.1
rcomds account required libpam_hpsec.so.1
rcomds account sufficient libpam_unix.so.1
rcomds account required libpam_ldap.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_unix.so.1
sshd account sufficient libpam_ldap.so.1
OTHER account required libpam_hpsec.so.1
OTHER account sufficient libpam_unix.so.1
OTHER account required libpam_ldap.so.1
#
# Session management
#
login session required libpam_hpsec.so.1
login session sufficient libpam_unix.so.1
login session required libpam_ldap.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session sufficient libpam_unix.so.1
dtlogin session required libpam_ldap.so.1
ftp session required libpam_hpsec.so.1 bypass_limit_login bypass_umask bypass_nologin
ftp session sufficient libpam_unix.so.1
ftp session required libpam_ldap.so.1
rcomds session required libpam_hpsec.so.1 bypass_limit_login
rcomds session sufficient libpam_unix.so.1
rcomds session required libpam_ldap.so.1
sshd session required libpam_hpsec.so.1
sshd session sufficient libpam_unix.so.1
sshd session required libpam_ldap.so.1
OTHER session required libpam_hpsec.so.1
OTHER session sufficient libpam_unix.so.1
OTHER session required libpam_ldap.so.1
#
# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_unix.so.1
login password required libpam_ldap.so.1 use_first_pass
passwd password required libpam_hpsec.so.1
passwd password sufficient libpam_unix.so.1
passwd password required libpam_ldap.so.1 use_first_pass
dtlogin password required libpam_hpsec.so.1
dtlogin password sufficient libpam_unix.so.1
dtlogin password required libpam_ldap.so.1 use_first_pass
sshd password required libpam_hpsec.so.1
sshd password sufficient libpam_unix.so.1
sshd password required libpam_ldap.so.1 use_first_pass
OTHER password required libpam_hpsec.so.1
OTHER password sufficient libpam_unix.so.1
OTHER password required libpam_ldap.so.1 use_first_pass

 

 

Thanks for the help!

Ryan

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.