PAM_LDAP fails with 3.7.1p2 when Shadow password installed on HP-UX 11.11
Darren Tucker
dtucker at zip.com.au
Fri Apr 2 23:33:39 EST 2004
Kumaresh wrote:
> We have been successfully using PAM_LDAP authentication with OpenSSH-3.6 on
> our HP-UX 11.11. When OpenSSH-3.7.1p2 is installed [with Darrens' password
> expiry patch 26], and when Shadow password bundle is installed on the
> system, our ssh authentication failed. Even, when the source is compiled
> without Darren's patch, the same bahaviour is seen and there is no success.
>
> When Shadow password is uninstalled, LDAP auth works.
3.6x had some HP-UX specific code for the Trusted Mode case (using
getprpwnam), and didn't use the shadow calls (getspnam).
3.7.1p2 uses the shadow calls on HPUX, but has a bug for the Trusted
Mode case, which was fixed for 3.8p1.
Maybe the shadow password bundle + LDAP has the same problem with 3.7x
as Trusted Mode did?
> The error in sshd side we are getting is
> "PAM: No account present for user" [please refer attached debug file]
The debug file is missing (filtered?) This looks like an error returned
by PAM, though, not sure why.
> I have installed OpenSSH-3.8 without any password expiry patch and that also
> works with PAM_LDAP with Shadow passwords.
> I am wondering why 3.7.1p2 alone do not work when 3.6, and 3.8 works.
> Both 3.7 and 3.8 have the following macros in config.h
[...]
> Is there any chance that the problem is in checking the return status of the
> PAM APIs in 3.7.1p2?
There were a few minor improvements to PAM, it's possible one of those
makes a difference. (PAM is something of a black box, sometimes little
things make a difference for no apparent reason).
If 3.8p1 works properly, I wouldn't put too much effort into tracking
down the exact cause, though...
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list