tng
Occasional Visitor
Posts: 2
Registered: 10-18-2013
Message 1 of 2

ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?

hi

After the major incident where we couldn't log in through the MP as root or any local user, because the LDAP server 389-ds hung (SYN attack) and then the HP-UX process ldapclientd hung as well, we had to "RS" the server in the end... right now I am still fighting with "how can we avoid this next time when the LDAP server/ldapclientd goes bad".

I got a hint that we can change "auth" in pam.conf, so no matter how crazy ldapclientd goes, local logins are still available.

I will change something in the original HP-UX 11.31 pam.ldap, and after that I will use it as pam.conf.

1) I change "required" to "sufficient", so libpam_ldap will not be called if libpam_unix succeeds:

...
rcomds   auth required     libpam_hpsec.so.1
rcomds   auth sufficient   libpam_unix.so.1
rcomds   auth sufficient   libpam_ldap.so.1 try_first_pass
sshd     auth required     libpam_hpsec.so.1
sshd     auth sufficient   libpam_unix.so.1
sshd     auth sufficient   libpam_ldap.so.1 try_first_pass
...

2) But the "auth" realm might not be enough: when you log in, the OS also checks which tty you use (session realm), whether your password has expired (password realm) and whether this is a local account (account realm). So I think we need to modify the other realms as well,

e.g.

su       account required     libpam_hpsec.so.1
su       account sufficient   libpam_unix.so.1
su       account sufficient   libpam_ldap.so.1

is this OK?

I attach hereby the original HP-UX pam.ldap and my new pam.conf. I have tested it on one server and it works for both local and LDAP login. I can't simulate the SYN attack (using scapy) again, so I don't really know if we can log in as root through the MP if this happens again.

Is the pam.conf.MY correct, or is there anything else I have overlooked? Does replacing "required" have any drawbacks?

Please help, thanks

BR

Tuan

Ref:

http://archive09.linux.com/feature/113567

http://serverfault.com/questions/454625/pam-ldap-so-before-pam-unix-so-is-it-ever-possible

tng
Occasional Visitor
Posts: 2
Registered: 10-18-2013
Message 2 of 2

Re: ldapclientd hang, can't login as root from MP . ...change PAM to solve the issue?

Thanks to HP, the problem is solved by using a new pam.conf and pam_user.conf; the key is the "pam_user.conf", which allows root/local users to log in from the MP when LDAP hangs.

The attachments are for 11.23/11.31 with TCB and for 11.31 with /etc/shadow (the last one is the original file from the HP OS).

NB: if you don't use pam access, please remove the "libpam_authz.so.1" lines.

Yes, I give up on learning how to understand PAM in depth; my logic doesn't work there. I leave it now to Brian at HP :-)

Thanks very much

Tuan

PS: I use "kill -STOP <slapd PID>" to simulate the hang (-CONT to continue), a tip from HP.

PS2: "search time limit" is set to 6 s in the HP profile on the 389-ds server.
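The control-flag reasoning in the first post ("sufficient" so libpam_ldap is skipped when libpam_unix succeeds) and the per-user approach that resolved the thread can both be checked against a small model of PAM stack evaluation. The Python below is an added example, not HP-UX code and not the files attached to this thread: the pam.conf fragments, account names and passwords are constructed; libpam_hpsec is modelled as returning "ignore", libpam_ldap as hanging while ldapclientd is stuck; and the per-user stack selection in `login()` models the idea behind pam_user.conf, not its real syntax or semantics.

```python
"""Model of PAM stack evaluation, to reason about a hung LDAP module.

Control flags follow pam.conf(4): required remembers a failure but keeps
going; requisite fails at once; sufficient ends the stack with success
unless an earlier required module failed (its failure is ignored).
Constructed example, not the HP-UX implementation.
"""
from __future__ import annotations

from dataclasses import dataclass


class ModuleHang(Exception):
    """A module whose backend (here: ldapclientd) never answers."""


@dataclass
class Entry:
    service: str
    realm: str
    control: str
    module: str
    options: tuple[str, ...] = ()


def parse_pam_conf(text: str) -> list[Entry]:
    """Parse pam.conf lines of the form: service realm control module [opts]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, realm, control, module, *opts = line.split()
        entries.append(Entry(service, realm, control, module, tuple(opts)))
    return entries


def run_stack(entries, service, realm, modules, user, password, trace):
    """Evaluate one service/realm stack. A module returns True, False or
    None (ignore); 'trace' records every module that was consulted."""
    required_failed = False
    any_success = False
    for e in entries:
        if e.service != service or e.realm != realm:
            continue
        trace.append(e.module)
        ok = modules[e.module](user, password)  # may raise ModuleHang
        if ok is True:
            any_success = True
        if e.control == "required" and ok is False:
            required_failed = True
        elif e.control == "requisite" and ok is False:
            return "failure"
        elif e.control == "sufficient" and ok is True and not required_failed:
            return "success"
    return "failure" if required_failed or not any_success else "success"


# Constructed account data: two local /etc/passwd users, one directory user.
LOCAL_USERS = {"root": "r00t-local", "opsadmin": "ops-local"}
LDAP_USERS = {"alice": "alice-ldap"}


def make_modules(ldap_hung: bool):
    def hpsec(user, password):   # modelled as a policy check that abstains
        return None

    def unix(user, password):
        return LOCAL_USERS.get(user) == password

    def ldap(user, password):    # blocks while ldapclientd is stuck
        if ldap_hung:
            raise ModuleHang("ldapclientd never answered")
        return LDAP_USERS.get(user) == password

    return {"libpam_hpsec.so.1": hpsec, "libpam_unix.so.1": unix,
            "libpam_ldap.so.1": ldap}


# Constructed pam.conf fragments for one service (not the thread's files).
STACK_ALL_REQUIRED = """
sshd auth required   libpam_hpsec.so.1
sshd auth required   libpam_unix.so.1
sshd auth required   libpam_ldap.so.1 try_first_pass
"""
STACK_SUFFICIENT = """
sshd auth required   libpam_hpsec.so.1
sshd auth sufficient libpam_unix.so.1
sshd auth sufficient libpam_ldap.so.1 try_first_pass
"""
STACK_LOCAL_ONLY = """
sshd auth required   libpam_hpsec.so.1
sshd auth required   libpam_unix.so.1
"""


def login(conf, user, password, ldap_hung=True, per_user=None):
    """Return (result, modules consulted). 'hang' means the login stalled.
    'per_user' maps a user name to an alternative stack (a model of the
    per-user idea, hypothetical and not pam_user.conf syntax)."""
    text = (per_user or {}).get(user, conf)
    trace: list[str] = []
    try:
        result = run_stack(parse_pam_conf(text), "sshd", "auth",
                           make_modules(ldap_hung), user, password, trace)
    except ModuleHang:
        result = "hang"
    return result, trace


if __name__ == "__main__":
    print(login(STACK_ALL_REQUIRED, "root", "r00t-local"))
    print(login(STACK_SUFFICIENT, "root", "r00t-local"))
    print(login(STACK_SUFFICIENT, "root", "wrong"))
    print(login(STACK_SUFFICIENT, "root", "wrong",
                per_user={"root": STACK_LOCAL_ONLY}))
```

Run stand-alone, the model reproduces the thread: with all modules "required", root's login reaches libpam_ldap and stalls; with "sufficient" on libpam_unix, root with a correct password never consults libpam_ldap, but a mistyped root password or any directory user still falls through to it and stalls. Giving root a local-only stack makes a wrong password fail fast without touching LDAP at all, which is what a per-user configuration buys over the control-flag change alone. The "account", "session" and "password" realms the first post mentions would need the same analysis, since each realm is evaluated as its own stack.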
