
cannot use shutdown (and others) with pam_ldap



Hi all!

I'm currently using openldap-1.2.9 together with the latest nss_ldap and pam_ldap
and I am successfully authenticating my users. I changed a lot in the /etc/pam.d
files and think I've got it right. Almost every program which uses PAM works.
I can use su, sudo, xdm, gdm, kdm, ftp, pop3 and many others.
But the ones that use userhelper/consolehelper don't seem to work.
Only users in the /etc/passwd file can use them. With others, nothing happens:

[andreas@pandora andreas]$ shutdown
[andreas@pandora andreas]$ 

User "andreas" is only present in the LDAP directory. If I do the same with a user who
is in the /etc/passwd file, the command works.
The last lines of an strace are:

ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
execve("/usr/sbin/userhelper", ["/usr/sbin/userhelper", "-t", "-w", "shutdown"], [/* 28 vars */]) = -1 EPERM (Operation not permitted)
_exit(1)                                = ?

My /etc/pam.d/shutdown:

#%PAM-1.0
auth       sufficient	/lib/security/pam_rootok.so
auth       required	/lib/security/pam_console.so
auth       sufficient	/lib/security/pam_pwdb.so
auth       required	/lib/security/pam_ldap.so use_first_pass
account    required	/lib/security/pam_permit.so

I have even replaced every PAM entry in this file with pam_permit, but it didn't seem to work.

NSS is doing its job: if I ls /home I get usernames, not UIDs. If I stop LDAP, I start
getting UIDs. I have "files ldap" in nsswitch.conf for passwd, shadow and group.

Any thoughts?


-- 
Andreas Hasenack
andreas@conectiva.com.br
BIG Linux user!
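Two checks worth running on a trace like the one above, added here as an example and not part of the original post: execve(2) documents EPERM for a set-user-ID program both when the caller is being traced by a non-root user and when the program's file system is mounted nosuid, so an strace of userhelper from an unprivileged shell cannot by itself tell a broken setup from a working one. The script below (POSIX sh plus GNU stat and glibc getent; the helper path and user name are the ones from the post) tests both conditions and confirms the account resolves through NSS.

```shell
#!/bin/sh
# Added diagnostic for the consolehelper/userhelper symptom described in the
# post; not part of the original message. Run as the affected (LDAP-only) user:
#   sh check_helper.sh /usr/sbin/userhelper andreas

# is_setuid FILE: true if FILE carries the set-user-ID bit (test -u is POSIX).
is_setuid() {
    [ -u "$1" ]
}

# mount_point_of FILE: the mount point holding FILE (df -P is POSIX).
mount_point_of() {
    df -P -- "$1" | awk 'NR == 2 { print $6 }'
}

# mount_is_nosuid MOUNTPOINT: read /proc/mounts-format lines on stdin and
# succeed if that mount point carries the nosuid option.
mount_is_nosuid() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nosuid") found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose_helper HELPER USER: report the conditions under which execve() of a
# setuid helper returns EPERM, and whether USER is visible through NSS.
diagnose_helper() {
    helper=$1 user=$2
    [ -x "$helper" ] || { echo "$helper: not executable by $(id -un)"; return 1; }
    if is_setuid "$helper"; then
        echo "$helper is setuid (owner $(stat -c '%U' "$helper")); execve(2) documents EPERM for it under strace, so test it untraced"
    else
        echo "$helper is not setuid: consolehelper relies on a setuid-root userhelper"
    fi
    mp=$(mount_point_of "$helper")
    if mount_is_nosuid "$mp" < /proc/mounts; then
        echo "$mp is mounted nosuid: setuid programs on it fail with EPERM"
    else
        echo "$mp is not mounted nosuid"
    fi
    if getent passwd "$user" > /dev/null; then
        echo "$user resolves through NSS (uid $(getent passwd "$user" | cut -d: -f3))"
    else
        echo "$user does not resolve through NSS: check nsswitch.conf and nss_ldap"
    fi
}

# Only run when invoked with HELPER and USER arguments.
if [ "$#" -eq 2 ]; then
    diagnose_helper "$1" "$2"
fi
```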