
Redhat 9 'su' doesn't work with OpenLDAP?



Hi all. 

There are more people using RH 9 w/ Openldap here than on the
'Redhat-Shrike' list, so I'm starting here with this issue. 

I'm migrating from NIS to LDAP. I'm the first guinea pig. We have a NIS
box set up still, and after running 'authconfig' on my RH 9 box and
telling it to use LDAP and not NIS, logins and ssh work, but 'su'
doesn't! I'm typing the correct password, and it appears that there are
searches being done, according to the server logs, but all I get is 'su:
incorrect password'. If I configure the machine to go back to using NIS,
all is well again, and I can 'su' on the first try :(

'su' appears to be actually binding to the ldap server as the user
you're trying to become, and here's the log output:

Aug  1 16:32:49 ldap slapd[29609]: conn=229 fd=11 ACCEPT from IP=128.112.94.52:50117 (IP=0.0.0.0:389)
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=1 BIND dn="" method=128
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=1 RESULT tag=97 err=0 text=
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=2 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=3 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=30252))"
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=4 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=5 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=shadowAccount)(uid=ajonesy))"
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=5 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=5 RESULT tag=101 err=32 text=
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=6 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=7 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=shadowAccount)(uid=ajonesy))"
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=7 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=7 RESULT tag=101 err=32 text=
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=8 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=8 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=9 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=shadowAccount)(uid=ajonesy))"
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=9 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Aug  1 16:32:53 ldap slapd[29609]: conn=229 op=9 RESULT tag=101 err=32 text=
Aug  1 16:32:53 ldap slapd[29609]: conn=230 op=5 UNBIND
Aug  1 16:32:53 ldap slapd[29609]: conn=229 fd=11 closed
==============================
And here's my /etc/pam.d/system-auth file.
==============================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

# auth: try the local password database first; if that fails, pam_ldap
# re-uses the password already typed (use_first_pass) against the directory.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

# account: unknown user / service or system errors from pam_ldap are ignored,
# so a missing LDAP account does not by itself block a local one.
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

# password: strength check, then update locally or in LDAP with the same token.
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so


Thanks for any insight.
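When reading a slapd log like the one in the post, the things worth pulling out per connection are which DN each BIND presented (an empty dn="" is an anonymous bind, which is what nss_ldap lookups use; a pam_ldap password check shows up as a BIND with the user's DN) and which searches came back with a non-zero err (32 is LDAP noSuchObject). The following is an added example, not code from the post or from OpenLDAP: a small parser that groups the log entries by connection and reports binds and failed searches. The sample input is a subset of the entries quoted above, rejoined onto one line each; the result-code names are the standard LDAP ones.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the slapd entries quoted in the post,
# with the mail wrapping undone so each entry is on one line.
SLAPD_LOG = """\
Aug  1 16:32:49 ldap slapd[29609]: conn=229 fd=11 ACCEPT from IP=128.112.94.52:50117 (IP=0.0.0.0:389)
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=1 BIND dn="" method=128
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=1 RESULT tag=97 err=0 text=
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=2 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=posixAccount)(uid=ajonesy))"
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=5 SRCH base="ou=People,dc=fakedomain" scope=1 filter="(&(objectClass=shadowAccount)(uid=ajonesy))"
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=5 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Aug  1 16:32:49 ldap slapd[29609]: conn=229 op=5 RESULT tag=101 err=32 text=
Aug  1 16:32:53 ldap slapd[29609]: conn=230 op=5 UNBIND
Aug  1 16:32:53 ldap slapd[29609]: conn=229 fd=11 closed
"""

# Standard LDAP result codes (RFC 4511 names).
LDAP_RESULT_NAMES = {0: "success", 32: "noSuchObject",
                     49: "invalidCredentials", 50: "insufficientAccessRights"}

_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) filter="([^"]*)"')
_RESULT = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=(\d+) err=(\d+)')
_UNBIND = re.compile(r'conn=(\d+) op=(\d+) UNBIND')


def parse_slapd_log(text):
    """Group operations by connection id. Each op is a dict with 'op' and
    'kind'; the matching RESULT line fills in 'err' and 'tag'."""
    conns = defaultdict(dict)   # conn -> {op_no: op_dict}
    for line in text.splitlines():
        m = _BIND.search(line)
        if m:
            conn, op, dn, method = m.groups()
            conns[int(conn)][int(op)] = {"op": int(op), "kind": "BIND",
                                         "dn": dn, "method": int(method)}
            continue
        m = _SRCH.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            conns[int(conn)][int(op)] = {"op": int(op), "kind": "SRCH", "base": base,
                                         "scope": int(scope), "filter": filt}
            continue
        m = _UNBIND.search(line)
        if m:
            conn, op = m.groups()
            conns[int(conn)][int(op)] = {"op": int(op), "kind": "UNBIND"}
            continue
        m = _RESULT.search(line)
        if m:
            conn, op, tag, err = m.groups()
            entry = conns[int(conn)].setdefault(int(op), {"op": int(op), "kind": "?"})
            entry["err"], entry["tag"] = int(err), int(tag)
    return {c: [ops[k] for k in sorted(ops)] for c, ops in conns.items()}


def bind_dns(conns, conn):
    """DNs presented in BIND requests on a connection; "" is an anonymous bind."""
    return [o["dn"] for o in conns.get(conn, []) if o["kind"] == "BIND"]


def authenticated_bind_seen(conns, conn):
    """True if the connection bound as a non-empty DN and the server accepted it.
    That is what a pam_ldap password check looks like on the server side."""
    return any(o["kind"] == "BIND" and o["dn"] and o.get("err") == 0
               for o in conns.get(conn, []))


def failed_searches(conns):
    """(conn, op, filter, err, name) for every search whose result was not err=0."""
    out = []
    for conn, ops in sorted(conns.items()):
        for o in ops:
            if o["kind"] == "SRCH" and o.get("err", 0) != 0:
                out.append((conn, o["op"], o["filter"], o["err"],
                            LDAP_RESULT_NAMES.get(o["err"], "unknown")))
    return out


def report(text):
    """One line per connection, then one line per failed search."""
    conns = parse_slapd_log(text)
    lines = []
    for conn in sorted(conns):
        dns = bind_dns(conns, conn)
        lines.append(f"conn={conn}: binds={dns if dns else 'none seen'} "
                     f"authenticated_bind={authenticated_bind_seen(conns, conn)}")
    for conn, op, filt, err, name in failed_searches(conns):
        lines.append(f"conn={conn} op={op} search {filt} -> err={err} ({name})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SLAPD_LOG)))
```

Run against the sample, the report shows conn=229 with only an anonymous bind and the shadowAccount search failing with err=32 (noSuchObject), and conn=230 with an UNBIND but no bind captured in the excerpt. The parser only sees what was pasted; a connection whose earlier operations fall outside the excerpt, as conn=230 does here, is reported with "none seen" rather than treated as anonymous.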