PAM_LDAP fails with 3.7.1p2 when Shadow password installed on HP-UX 11.11

Darren Tucker dtucker at zip.com.au
Fri Apr 2 23:33:39 EST 2004


Kumaresh wrote:

> We have been successfully using PAM_LDAP authentication with OpenSSH-3.6 on
> our HP-UX 11.11. When OpenSSH-3.7.1p2 is installed [with Darren's password
> expiry patch 26], and when Shadow password bundle is installed on the
> system, our ssh authentication failed. Even when the source is compiled
> without Darren's patch, the same behaviour is seen and there is no success.
> 
> When Shadow password is uninstalled, LDAP auth works.

3.6x had some HP-UX specific code for the Trusted Mode case (using 
getprpwnam), and didn't use the shadow calls (getspnam).

3.7.1p2 uses the shadow calls on HP-UX, but has a bug for the Trusted 
Mode case, which was fixed for 3.8p1.

Maybe the shadow password bundle + LDAP has the same problem with 3.7x 
as Trusted Mode did?

> The error in sshd side we are getting is
> "PAM: No account present for user" [please refer attached debug file]

The debug file is missing (filtered?). This looks like an error returned 
by PAM, though, not sure why.

> I have installed OpenSSH-3.8 without any password expiry patch and that also
> works with PAM_LDAP with Shadow passwords.
> I am wondering why 3.7.1p2 alone does not work when 3.6 and 3.8 work.
> Both 3.7 and 3.8 have the following macros in config.h
[...]
> Is there any chance that the problem is in checking the return status of the
> PAM APIs in 3.7.1p2?

There were a few minor improvements to PAM, it's possible one of those 
makes a difference.  (PAM is something of a black box, sometimes little 
things make a difference for no apparent reason).

If 3.8p1 works properly, I wouldn't put too much effort into tracking 
down the exact cause, though...

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



