unable to su between users with ldap tls enabled

From: Rodrick Brown (rodrick.brown@gmail.com)
Date: Wed Feb 08 2006 - 12:38:57 EST


I've created the following test users in my LDAP tree.

dn: uid=tuser,ou=People,dc=fxcorp,dc=prv
givenName: Test
cn: tuser
uidNumber: 1100
gidNumber: 1100
sn: User
homeDirectory: /export/home/tuser
loginShell: /usr/bin/bash
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: person
objectClass: top
uid: tuser
shadowLastChange: 13180
shadowFlag: 0
userPassword: {crypt}$1$dj0h0JN4$aVstglWv0MDKevftPS9Ct1

dn: uid=zuser,ou=People,dc=fxcorp,dc=prv
givenName: Zuser
cn: zuser
uidNumber: 1101
gidNumber: 1101
sn: User
homeDirectory: /export/home/zuser
loginShell: /usr/bin/bash
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: person
objectClass: top
uid: zuser
shadowLastChange: 13180
shadowFlag: 0
userPassword: {crypt}$1$dj0h0JN4$aVstglWv0MDKevftPS9Ct1

I can log into my server fine with both of these users. I created a TLS
profile which contains the following:

dn: cn=tls_profile,ou=profile,dc=fxcorp,dc=prv
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 10.2.71.51
defaultSearchBase: dc=fxcorp,dc=prv
authenticationMethod: tls:simple
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
profileTTL: 43200
bindTimeLimit: 10
cn: tls_profile
credentialLevel: proxy
serviceSearchDescriptor: passwd: ou=People,dc=fxcorp,dc=prv?one
serviceSearchDescriptor: group: ou=group,dc=fxcorp,dc=prv?one
serviceSearchDescriptor: shadow: ou=People,dc=fxcorp,dc=prv?one
serviceSearchDescriptor: netgroup: ou=netgroup,dc=fxcorp,dc=prv?one

After binding my clients to this TLS profile I'm unable to su between users;
when using a default profile (non-TLS) everything works fine.

# su - tuser
$ su - zuser
Password:
su: Unknown id: zuser
$ id zuser
uid=1101(zuser) gid=1101
$ getent passwd zuser
zuser:x:1101:1101::/export/home/zuser:/usr/bin/bash

Feb 8 11:26:32 infr-prd-kdc2.qa.xxxx.com su: [ID 219349 auth.debug] pam_unix_auth: user zuser not found
Feb 8 11:26:32 infr-prd-kdc2.qa.xxxx.com su: [ID 293258 auth.warning] libsldap: Status: 7 Mesg: Session error no available conn.

The server and client are running Solaris 10; the server is Directory Server
5.2P4.

Anyone have any ideas as to what could be causing this problem?

Here is my pam.conf

#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.

--
Rodrick R. Brown
Senior IT Architect
http://www.rodrickbrown.com
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
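As an added example (not part of the original post), a small Python checker that scans syslog for the pair of messages quoted above: a pam_unix_auth "user not found" from su logged in the same second, on the same host, as a libsldap "Session error no available conn." This pairing indicates that the LDAP lookup inside the su process failed rather than the account being absent, since getent and id still resolve the user. The sample log lines are constructed from the ones in the post, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines from the post plus two unrelated ones.
SAMPLE_LOG = """\
Feb 8 11:26:32 infr-prd-kdc2.qa.xxxx.com su: [ID 219349 auth.debug] pam_unix_auth: user zuser not found
Feb 8 11:26:32 infr-prd-kdc2.qa.xxxx.com su: [ID 293258 auth.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 8 11:30:05 infr-prd-kdc2.qa.xxxx.com su: [ID 219349 auth.debug] pam_unix_auth: user nosuch not found
Feb 8 11:40:10 infr-prd-kdc2.qa.xxxx.com sshd: [ID 800047 auth.info] Accepted password for zuser
"""

# Solaris syslog layout: "<Mon d HH:MM:SS> <host> <prog>: [ID <num> <facility.priority>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): "
    r"\[ID \d+ (?P<facpri>[\w.]+)\] (?P<msg>.*)$"
)
NOTFOUND_RE = re.compile(r"pam_unix_auth: user (?P<user>\S+) not found")
SLDAP_RE = re.compile(r"libsldap: Status: (?P<status>\d+) Mesg: (?P<mesg>.*)")


def parse(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_ldap_lookup_failures(log_text):
    """Return (ts, host, user, status, mesg) tuples for every 'user not found'
    that shares timestamp, host and program with a libsldap session error.
    A 'user not found' with no libsldap error in the same second is left alone."""
    by_key = defaultdict(lambda: {"users": [], "sldap": []})
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec:
            continue
        key = (rec["ts"], rec["host"], rec["prog"])
        nf = NOTFOUND_RE.search(rec["msg"])
        if nf:
            by_key[key]["users"].append(nf.group("user"))
        sl = SLDAP_RE.search(rec["msg"])
        if sl:
            by_key[key]["sldap"].append((int(sl.group("status")), sl.group("mesg")))
    hits = []
    for (ts, host, prog), v in by_key.items():
        for user in v["users"]:
            for status, mesg in v["sldap"]:
                hits.append((ts, host, user, status, mesg))
    return hits


if __name__ == "__main__":
    for hit in find_ldap_lookup_failures(SAMPLE_LOG):
        print("LDAP lookup failed during %s on %s: user %s, status %d (%s)" % (hit[4] and "su" or "?", hit[1], hit[2], hit[3], hit[4]))
```

Only the zuser pair is reported; the later "nosuch" line has no accompanying libsldap error and is treated as an ordinary unknown account.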


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:38:55 EDT