Bug 740

Summary:

Sun's pam_ldap account management is not working

Product:

Portable OpenSSH

Reporter:

Anton Solovyev <solovam>

Component:

PAM support

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED FIXED

Severity:

major

Priority:

Version:

3.7.1p1

Hardware:

UltraSPARC

OS:

Solaris

Attachments:

Description	Flags
Call do_pam_account and pam_chauthtok() from authentication thread.	none

Description Anton Solovyev 2003-10-10 08:34:26 AEST

Tested on Solaris 8/9 with the latest pam_ldap from Sun.

When PAM account management functions are enabled with something like:

===
other   account required        pam_ldap.so.1
===

in pam.conf no logins are possible.

Below is the pertaining section of the sshd run output with -ddd option:

===
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_free_ctx
debug3: mm_request_send entering: type 53
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 44
debug3: mm_request_receive_expect entering: type 45
debug3: mm_request_receive entering
debug2: monitor_read: 52 used once, disabling now
debug3: mm_request_receive_expect entering: type 44
debug3: mm_request_receive entering
debug3: do_pam_account: pam_acct_mgmt = 9
debug3: mm_request_send entering: type 45
debug3: mm_do_pam_account returning 0
===

pam_acct_mgmt returns 9 (PAM_AUTH_ERR) even though the account is valid (not
expired, etc).

The same box works fine with the native Solaris 9 sshd, telnetd and other
services, so the account management DOES work and there is NO configuration
problems.

Comment 1 Anton Solovyev 2003-10-10 08:36:30 AEST

Oh, yes, if the "account" part is disabled in the /etc/pam.conf, it is working
fine. So, the authentication works, only the account management does not.

Comment 2 Darren Tucker 2003-11-19 23:20:50 AEDT

According to the man page, pam_ldap doesn't support account management.

$ man pam_ldap
[snip]
     The  pam_ldap.so.1  module  supports  two  components:   the
     Authentication  component  and  the Password management com-
     ponent.

Comment 3 Anton Solovyev 2003-11-20 09:26:58 AEDT

Account management most definitely works with pam_ldap. Please see native telnet
and natiive Solaris 9 ssh. The man pages ol Solaris are outdated and do not get
updates with patches.

Comment 4 Darren Tucker 2003-11-20 17:52:08 AEDT

Created attachment 504 [details]
Call do_pam_account and pam_chauthtok() from authentication thread.

Looking at this, my guess is that pam_ldap dislikes being called from a
different process than the one that called pam_authenticate.

Please try this patch, which calls do_pam_account from the authentication
thread.

It still fails on my system but that seems to be only because I don't have LDAP
set up:
testsshd[23488]: libsldap: Status: 2  Mesg: Unable to load configuration
'/var/ldap/ldap_client_file'

Comment 5 Darren Tucker 2004-01-22 20:39:53 AEDT

Attachment id #504 has been committed.  Please reopen if you have further
information.

Comment 6 Damien Miller 2004-04-14 12:24:19 AEST

Mass change of RESOLVED bugs to CLOSED