pam_ldap and sudo - help if you can

Steven Romero sromero1 at emc.sema.slb.com
Thu Jul 10 15:49:55 EDT 2003


Howard,

Yes - your crle lead was pivotal in me making this discovery about my
system.  Thank you!

I get the same results when I try the crle command on my system:

$ crle

Default configuration file (/var/ld/ld.config) not found
   Default Library Path (ELF):   /usr/lib  (system default)
   Trusted Directories (ELF):    /usr/lib/secure  (system default)

I've not had a chance to add another path yet, but will shortly and will 
let you know the results.

I really hope this fixes my problem.

Regards,
Steven Romero

At 11:42 AM 7/10/2003 -0700, Howard Owen wrote:
>I'm guessing that your /var/ld/ld.config has /usr/local/lib/lib in it.
>Do a 'crle' to see what's in there. At the top will be the
>default ld search path. Make sure the path contains the system locations
>first. If not, 'crle -l <colon:separated:path>' will establish a new
>path. on my Solaris 9/Intel system, without any /var/ld/ld.config, crle
>returns:
>
>  Default configuration file (/var/ld/ld.config) not found
>   Default Library Path (ELF):   /usr/lib  (system default)
>   Trusted Directories (ELF):    /usr/lib/secure  (system default)
>
>After crle -l /usr/lib:/usr/local/lib, crle with no switches returns
>
>  Configuration file [3]: /var/ld/ld.config
>   Default Library Path (ELF):   /usr/lib:/usr/local/lib
>   Trusted Directories (ELF):    /usr/lib/secure  (system default)
>
>  Command line:
>   crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib
>
>I hope I am guessing right and this is helpful.
>
>On Thu, 2003-07-10 at 07:35, Steven Romero wrote:
> > Aaron,
> >
> > Thanks for the response.  I've got debugging turned on, and pam just
> > spits out:
> >
> > load_modules: can not open module /usr/lib/security/pam_ldap.so.1
> >
> > so it seems like it can't find/read the pam_ldap module when I execute
> > sudo.
> >
> > When I do a truss the only peculiar thing that I see is:
> >
> > open("/usr/local/lib/lib/libldap.so.2", O_RDONLY) Err#2 ENOENT
> > open("/usr/lib/libldap.so.2", O_RDONLY)         Err#2 ENOENT
> >
> > which is not where my libldap.so.2 is located, so I tried to fool the
> > system by putting it in the spots that it is looking for them in, but that
> > didn't work.  I'm not sure what is telling  pam_ldap to look for them in
> > the areas noted above.
> >
> > The same thing shows up in a core file that is produced when I try to
> > telnet to the system with pam_ldap enabled for telnet:
> >
> > X/usr/local/lib/lib
> > ld.so.1: login: fatal: libldap.so.2: open failed: No such file or
> > directory
> > (YEAH I KNOW BECAUSE THAT'S NOT WHERE IT'S INSTALLED YOU *&^%$^&*#@
> > PROGRAM!!!)
> >
> > I never applied the patch you mentioned (I think somebody narrowed it down
> > to 108993), but revision 5 of it was already installed on a newly built
> > system, so I hope that isn't what's causing this as I can't remove it:
> >
> > 108993    05        20    SunOS 5.8: LDAP2 Patch
> >
> > bash-2.03# patchrm 108993
> > Checking installed patches...
> > Patch 108993 was installed without backing up the original files.
> > It cannot be backed out.
> >
> > Somebody on the pam_ldap list suggested I investigate using crle, so I'm
> > looking into that now.
> >
> > Thanks again.  If anything here pokes anybody's brain into a solution
> > please let me know.  In the meantime I will continue pulling out my hair,
> > and chewing on tin foil.
> >
> > Regards,
> > Steven Romero
> >
> > At 07:18 PM 7/9/2003 -0500, you wrote:
> > >Steven,
> > >
> > >There are a couple of things to check.  I can't remember anything special
> > >about
> > >the build but it was a while back when I compiled it.
> > >
> > >Here are some things to do to help debug the problem:
> > >
> > >touch /etc/pam_debug
> > >echo "auth.debug /etc/pam_debug" >> /etc/syslog.conf
> > >pkill -HUP syslogd
> > >
> > >Then do a tail -f /etc/pam_debug while doing sudo -s.  That should
> > >help shed
> > >some light on things.
> > >
> > >Look over your /etc/pam.conf also.  Contrary to popular belief, you
> > >don't need separate entries for every potential application.  Pam allows
> > >you to have an "other" application to pick up unnamed applications.  (Such
> > >as Sudo, SSHD, and the like).
> > >
> > >Another thing you might try is as root do a 'truss sudo -s' to watch
> > >what is happening.  You can then watch the system calls fly by to help
> > >debug the problem.  You will probably have to enable root to use sudo in
> > >your sudoers defaults.
> > >
> > >One last thing.  Recently Sun has released a patch in their Latest
> > >Recommended Patch cluster that blows up most PAM libraries.  I recommend
> > >not loading it.  (I cannot remember the exact patch number - sorry).  The
> > >patch is intended to make Solaris 8 run like Solaris 9's native pam_ldap.
> > >Trouble is that it munges your /etc/pam.conf pretty bad and anything
> > >linked against the older libpam has to be recompiled.
> > >
> > >I hope this helps.
> > >   - Aaron
> > >
> > >I hope this all helps.
> > >
> > >  -Aaron
> > >
> > >Steven Romero wrote:
> > >
> > > > Aaron,
> > > >
> > > > Sorry to bother you, but I noticed you guys were in the process of
> > > > setting up LDAP with a sudo schema.  Sounds cool, but I'm not that far
> > > > yet.  I'm still having problems getting sudo to work with pam_ldap.
> > > >
> > > > I keep getting the following error every time I try to execute sudo
> > > > using pam_ldap:
> > > >
> > > > bash-2.03$ sudo -s
> > > > sudo: pam_authenticate: Dlopen failure
> > > >
> > > > pam_ldap is working happily with ssh, so I know my setup with regards
> > > > to that subsystem is correct.
> > > >
> > > > I've checked everything I can think of (permissions, linking, shared
> > > > libraries, etc) regarding the sudo problem, but cannot figure out how
> > > > to get this to work on Solaris 8.  Did you ever have this problem with
> > > > sudo, or have you heard of it, and if so do you know how to get around it?
> > > >
> > > > Again, don't mean to be a pain, but I'm sort of at the end of my rope
> > > > here.
> > > >
> > > > Thanks again.
> > > >
> > > > Regards,
> > > > Steven Romero
> >
> >
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
>--
>Howard Owen                      "Even if you are on the right
>EGBOK Consultants                 track, you'll get run over if you
>hbo at egbok.com    +1-650-339-5733  just sit there." - Will Rogers
>
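The thread's diagnosis is done by hand: truss shows which directories ld.so.1 probed for libldap.so.2, crle shows the default search path, and the admin knows where the library really sits. The script below is an added example, not code from the thread or from sudo or pam_ldap, that correlates those three pieces of evidence. The truss and crle samples are constructed from the lines quoted above, and the directory assigned to ACTUAL_LIBDIR (/usr/local/lib) is an assumption. The point it makes explicit: because sudo is setuid, the runtime linker ignores LD_LIBRARY_PATH for it, so the directories that count are the default path crle reports, any RUNPATH recorded in the module itself, and the trusted directories. That is why the fix has to land in /var/ld/ld.config rather than in a shell environment, why Howard's advice to keep the system locations first in crle -l matters (the -l list replaces the default path rather than extending it), and why any directory added there should be root-owned and not writable by ordinary users, since every setuid program on the host will search it.

```shell
#!/bin/sh
# Added example, not code from the thread: correlate the evidence the thread
# gathers by hand (truss output, crle output, the directory where the library
# really lives) to explain a "Dlopen failure" from a PAM module.
# Sample inputs are constructed from the lines quoted in the thread.

TRUSS_SAMPLE='open("/etc/pam.conf", O_RDONLY)                  = 4
open("/usr/lib/security/pam_ldap.so.1", O_RDONLY) = 5
open("/usr/local/lib/lib/libldap.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libldap.so.2", O_RDONLY)         Err#2 ENOENT'

CRLE_SAMPLE='Default configuration file (/var/ld/ld.config) not found
   Default Library Path (ELF):   /usr/lib  (system default)
   Trusted Directories (ELF):    /usr/lib/secure  (system default)'

# Where the admin actually installed libldap.so.2 (assumed for the example).
ACTUAL_LIBDIR=/usr/local/lib

# From truss output, print one line per shared object the runtime linker
# failed to open: the library name followed by every directory it probed.
missing_libs_from_truss() {
    printf '%s\n' "$1" |
    awk '/^open\(".*\.so[.0-9]*", O_RDONLY\).*ENOENT/ {
            path = $1
            sub(/^open\("/, "", path); sub(/",$/, "", path)
            n = split(path, parts, "/"); lib = parts[n]
            dir = substr(path, 1, length(path) - length(lib) - 1)
            if (!(lib in seen)) { order[++k] = lib; seen[lib] = 1 }
            dirs[lib] = dirs[lib] " " dir
        }
        END { for (i = 1; i <= k; i++) print order[i] dirs[order[i]] }'
}

# From crle output, print the default library search path as a
# colon-separated list, dropping the "(system default)" annotation.
search_path_from_crle() {
    printf '%s\n' "$1" |
    awk '/Default Library Path \(ELF\)/ {
            sub(/^.*\(ELF\): */, ""); sub(/ *\(system default\) *$/, ""); print
        }'
}

# Exit 0 when DIR ($1) is one of the colon-separated entries of PATHLIST ($2).
dir_in_search_path() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Tie the three together: for each unresolved library, report the directories
# the linker probed, the configured default path, and whether the directory
# holding the library is on that path. Prints one verdict line per library.
diagnose() {
    path=$(search_path_from_crle "$2")
    missing_libs_from_truss "$1" | while read -r lib probed; do
        if dir_in_search_path "$3" "$path"; then
            verdict="is on"
        else
            verdict="is NOT on"
        fi
        printf '%s: probed %s; %s %s default path %s\n' \
            "$lib" "$probed" "$3" "$verdict" "$path"
    done
}

diagnose "$TRUSS_SAMPLE" "$CRLE_SAMPLE" "$ACTUAL_LIBDIR"
```

On the thread's data the verdict line reads that libldap.so.2 was probed in /usr/local/lib/lib and /usr/lib while /usr/local/lib is not on the default path /usr/lib, which is exactly the situation crle -l /usr/lib:/usr/local/lib corrects. Run the same script against real `truss -f sudo -s` and `crle` output on the host to confirm the picture before editing /var/ld/ld.config; `ldd /usr/lib/security/pam_ldap.so.1` (the loader is not invoked as a setuid user there, so its answer can differ from what sudo sees) is a useful cross-check.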
