PAM_LDAP fails with 3.7.1p2 when Shadow password installed on HP-UX 11.11
Kumaresh
kumaresh_ind at gmx.net
Fri Apr 2 21:43:05 EST 2004
Hello All,
We have been successfully using PAM_LDAP authentication with OpenSSH-3.6 on
our HP-UX 11.11. When OpenSSH-3.7.1p2 is installed [with Darrens' password
expiry patch 26], and when Shadow password bundle is installed on the
system, our ssh authentication failed. Even, when the source is compiled
without Darren's patch, the same bahaviour is seen and there is no success.
When Shadow password is uninstalled, LDAP auth works.
The error in sshd side we are getting is
"PAM: No account present for user" [please refer attached debug file]
I have installed OpenSSH-3.8 without any password expiry patch and that also
works with PAM_LDAP with Shadow passwords.
I am wondering why 3.7.1p2 alone do not work when 3.6, and 3.8 works.
Both 3.7 and 3.8 have the following macros in config.h
#undef DISABLE_SHADOW
#define HAS_SHADOW_EXPIRE 1
#define HAVE_SHADOW_H 1
#define HAVE_SECURITY_PAM_APPL_H 1
#define USE_PAM 1
#define PAM_SUN_CODEBASE 1
#define HAVE_LIBPAM 1
/* #undef PAM_TTY_KLUDGE */
/* #undef HAVE_OLD_PAM */
/* #undef HAVE_PAM_GETENVLIST */
/* #undef HAVE_PAM_PUTENV */
Some more info on the PAM_LDAP library used on the system.
When Shadow password bundle is installed on the system, shadow file enable
and disable command is installed on "/usr/sbin/pwunconv" and
"/usr/sbin/pwconv". PAM_LDAP library checks this and particularly when
"/usr/sbin/pwunconv" is removed, LDAP auth works.
Is there any chance that the problem is in checking the return status of the
PAM APIs in 3.7.1p2?
I have attached the "sshd -ddd" file with this mail.
Advance thanks,
Kumaresh.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.576 / Virus Database: 365 - Release Date: 1/30/2004
More information about the openssh-unix-dev
mailing list