pam_ldap and sudo - help if you can

Aaron Spangler as at
Wed Jul 9 20:18:14 EDT 2003


There are a couple of things to check.  I can't remember anything special about
the build but it was a while back when I compiled it.

Here are some things to do to help debug the problem:

touch /etc/pam_debug
echo "auth.debug /etc/pam_debug" >> /etc/syslog.conf
pkill -HUP syslogd

Then do a tail -f /etc/pam_debug while doing sudo -s.  That should help shed
some light on things.

Look over your /etc/pam.conf also.  Contrary to popular belief, you don't need
seperate entries for every potential application.  Pam allows you to have an
"other" application to pick up unnamed applications.  (Such as Sudo, SSHD, and
the like).

Another thing you might try is as root do a 'truss sudo -s' to watch what is
happening.  You can then watch the system calls fly by to help debug the
problem.  You will probably have to enable root to use sudo in your sudoers

One last thing.  Recently Sun has released a patch in their Latest Recommend
Patch cluster that blows up most PAM libraries.  I recommend not loading it.
(I cannot remember the exact patch number - sorry).  The patch is intended to
make Solaris 8 run like Solaris 9's native pam_ldap.  Trouble is that it munges
your /etc/pam.conf pretty bad and anything linked against the older libpam has
to be recompiled.

I hope this helps.
  - Aaron

I hope this all helps.


Steven Romero wrote:

> Aaron,
> Sorry to bother you, but I noticed you guys were in the process of setting
> up LDAP with a sudo schema.  Sounds cool, but I'm not that far yet.  I'm
> still haveing problems getting sudo to work with pam_ldap.
> I keep getting the following error every time I try to execute sudo using
> pam_ldap:
> bash-2.03$ sudo -s
> sudo: pam_authenticate: Dlopen failure
> pam_ldap is working happily with ssh, so I know I my setup with regards to
> that subsystem is correct.
> I've checked everything I can think of (permissions, linking, shared
> libraries, etc) regarding the sudo problem, but cannot figure out how to
> get this to work on Solaris 8.  Did you ever have this problem with sudo,
> or have you heard of it, and if so do you know how to get around it?
> Again, don't mean to be a pain, but I'm sort of at the end of my rope here.
> Thanks again.
> Regards,
> Steven Romero

More information about the sudo-users mailing list