Bug 740 - Sun's pam_ldap account management is not working
Summary: Sun's pam_ldap account management is not working
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support
Version: 3.7.1p1
Hardware: UltraSPARC Solaris
Importance: P2 major
Assignee: OpenSSH Bugzilla mailing list
Reported: 2003-10-10 08:34 AEST by Anton Solovyev
Modified: 2004-04-14 12:24 AEST
Attachments
Call do_pam_account and pam_chauthtok() from authentication thread. (4.40 KB, patch)
2003-11-20 17:52 AEDT, Darren Tucker
Description Anton Solovyev 2003-10-10 08:34:26 AEST
Tested on Solaris 8/9 with the latest pam_ldap from Sun.

When PAM account management functions are enabled with something like:

===
other   account required        pam_ldap.so.1
===

in pam.conf no logins are possible.

Below is the pertaining section of the sshd run output with -ddd option:

===
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_free_ctx
debug3: mm_request_send entering: type 53
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 44
debug3: mm_request_receive_expect entering: type 45
debug3: mm_request_receive entering
debug2: monitor_read: 52 used once, disabling now
debug3: mm_request_receive_expect entering: type 44
debug3: mm_request_receive entering
debug3: do_pam_account: pam_acct_mgmt = 9
debug3: mm_request_send entering: type 45
debug3: mm_do_pam_account returning 0
===

pam_acct_mgmt returns 9 (PAM_AUTH_ERR) even though the account is valid (not
expired, etc).

The same box works fine with the native Solaris 9 sshd, telnetd and other
services, so the account management DOES work and there are NO configuration
problems.
Comment 1 Anton Solovyev 2003-10-10 08:36:30 AEST
Oh, yes, if the "account" part is disabled in the /etc/pam.conf, it is working
fine. So, the authentication works, only the account management does not.
Comment 2 Darren Tucker 2003-11-19 23:20:50 AEDT
According to the man page, pam_ldap doesn't support account management.

$ man pam_ldap
[snip]
     The pam_ldap.so.1 module supports two components: the
     Authentication component and the Password management component.
Comment 3 Anton Solovyev 2003-11-20 09:26:58 AEDT
Account management most definitely works with pam_ldap. Please see native telnet
and native Solaris 9 ssh. The man pages on Solaris are outdated and do not get
updates with patches.
Comment 4 Darren Tucker 2003-11-20 17:52:08 AEDT
Created attachment 504 [details]
Call do_pam_account and pam_chauthtok() from authentication thread.

Looking at this, my guess is that pam_ldap dislikes being called from a
different process than the one that called pam_authenticate.

Please try this patch, which calls do_pam_account from the authentication
thread.

It still fails on my system but that seems to be only because I don't have LDAP
set up:
testsshd[23488]: libsldap: Status: 2  Mesg: Unable to load configuration
'/var/ldap/ldap_client_file'
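The failure mode Darren describes, modelled as an added example (not code from OpenSSH or pam_ldap): a constructed stand-in module keeps its LDAP bind state in process memory, so pam_acct_mgmt only succeeds in the process that ran pam_authenticate. account_result() runs authentication in a forked child, standing in for the sshd authentication thread, and runs account management either in that child (the patched flow) or in the parent monitor (the 3.7.1p1 flow); the user name, password and state variable are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return values as in PAM: PAM_SUCCESS = 0, PAM_AUTH_ERR = 9 (the "9" in the log). */
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 9

/* Constructed module state: a "bound LDAP session" that exists only in the
 * address space of the process that called authenticate. */
static int ldap_session_bound = 0;

static int fake_pam_authenticate(const char *user, const char *pw) {
    if (strcmp(user, "anton") == 0 && strcmp(pw, "secret") == 0) {
        ldap_session_bound = 1;            /* cached in this process only */
        return PAM_SUCCESS;
    }
    return PAM_AUTH_ERR;
}

static int fake_pam_acct_mgmt(void) {
    /* Without the cached bind the module cannot check the account and fails. */
    return ldap_session_bound ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* acct_in_auth_process = 1: acct_mgmt runs in the child that authenticated.
 * acct_in_auth_process = 0: acct_mgmt runs in the parent, like the monitor.
 * Returns the pam_acct_mgmt result the parent ends up with. */
int account_result(int acct_in_auth_process) {
    int fds[2], rc = -1;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* authentication "thread" */
        rc = fake_pam_authenticate("anton", "secret");
        if (rc == PAM_SUCCESS && acct_in_auth_process)
            rc = fake_pam_acct_mgmt();     /* same process: state is visible */
        (void)write(fds[1], &rc, sizeof rc);
        _exit(0);
    }
    (void)read(fds[0], &rc, sizeof rc);    /* monitor collects the result */
    waitpid(pid, NULL, 0);
    close(fds[0]);
    close(fds[1]);
    if (rc == PAM_SUCCESS && !acct_in_auth_process)
        rc = fake_pam_acct_mgmt();         /* parent never bound: returns 9 */
    return rc;
}
```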
Comment 5 Darren Tucker 2004-01-22 20:39:53 AEDT
Attachment id #504 has been committed.  Please reopen if you have further
information.
Comment 6 Damien Miller 2004-04-14 12:24:19 AEST
Mass change of RESOLVED bugs to CLOSED