EUREKA - sudo and pam_ldap work!

Steven Romero sromero1 at emc.sema.slb.com
Thu Jul 10 23:49:21 EDT 2003


All,

Woo-hoo!  I got it working!

Thanks everyone, especially Howard Owen who suggested using crle.  This did 
help me understand the problem much, much better.  What a great, great tool!

So the problem was the RPATH defined for pam_ldap and nss_ldap was not 
defined correctly at build time for some reason.  I don't know why though 
as I compiled it with basic stuff:

         ./configure --with-ldap-lib=openldap --with-ldap-dir=/usr/local/lib
(maybe I shouldn't have included the ./lib part of /usr/local/lib ????)

Anyway by using truss, crle, and ldd -s I got this puppy sorted out.  After 
doing:

         crle -l /usr/lib:/usr/local/lib:/usr/local/ssl/lib:/usr/lib/security
(and thus creating my /var/ld/ld.config file)

I still had problems.  So I trussed sudo as root and found:

         17763:  stat64("/usr/lib/pam_ldap.so.1", 0xFFBEFA18)    Err#2 ENOENT  (HUH?!?!)

So why is sudo looking for pam_ldap.so.1 there?  Don't know, don't care 
(although based on my ld.config it should search everywhere I declared 
right??).  Anyway I put in a symlink:

         ln -s /usr/lib/security/pam_ldap.so.1 /usr/lib/pam_ldap.so.1

and truss started to behave:

         17790:  stat64("/usr/lib/pam_ldap.so.1", 0xFFBEF998)    = 0
         17790:  open("/usr/lib/pam_ldap.so.1", O_RDONLY)        = 5

Now sudo works!!  And so does telnet!!  They were the same problem.  Now I 
will tackle the LDAP schema for sudo!!

Thanks everyone, and have a great weekend!

Regards,
Steven Romero
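
Added example, not part of the thread above and not code from pam_ldap, nss_ldap or sudo. The root cause Steven describes is a search path (RPATH) recorded in the module at build time; on Solaris, dump -Lv, ldd -s and crle show that path, and truss shows where the loader actually looks. The Python script below is a portable stand-in for the same check: it reads the .dynamic section of an ELF64 object (DT_NEEDED, DT_RPATH, DT_RUNPATH) with no dependencies, then audits every directory on the path the way you would want to before a setuid program such as sudo dlopens the module as root. A directory that does not exist (the /usr/local/lib/lib entry in the truss output) is the case that bit here, but it is also the case an attacker who can create that directory would exploit, and the same goes for a relative or empty component, a directory not owned by root, or one writable by group or other. The same check applies to the colon-separated list handed to crle -l, since that list becomes the default search path for every dynamically linked program on the box, setuid ones included. The build_elf64 helper, the sample object with RPATH /usr/local/lib/lib:/usr/lib, and the fake stat table are constructed for the demonstration; only the ELF layout constants are real.

```python
# Added example: parse an ELF64 .dynamic section and audit its RPATH/RUNPATH directories.
import os
import stat
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29
TAG_NAMES = {DT_NEEDED: "NEEDED", DT_RPATH: "RPATH", DT_RUNPATH: "RUNPATH"}


def parse_dynamic(data):
    """Return {"NEEDED": [...], "RPATH": [...], "RUNPATH": [...]} from ELF64 bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 object")
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_phoff, = struct.unpack_from(e + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    loads, dyn = [], None
    for i in range(e_phnum):                  # walk the program headers
        p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            e + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if dyn is None:
        raise ValueError("no PT_DYNAMIC segment")

    def vaddr_to_off(v):                      # DT_STRTAB holds a vaddr, not a file offset
        for vaddr, off, size in loads:
            if vaddr <= v < vaddr + size:
                return off + (v - vaddr)
        raise ValueError("address 0x%x not covered by any PT_LOAD" % v)

    entries, strtab = [], None
    for off in range(dyn[0], dyn[0] + dyn[1], 16):
        tag, val = struct.unpack_from(e + "qQ", data, off)
        if tag == DT_NULL:
            break
        if tag == DT_STRTAB:
            strtab = vaddr_to_off(val)
        entries.append((tag, val))
    if strtab is None and any(t in TAG_NAMES for t, _ in entries):
        raise ValueError("string entries without DT_STRTAB")
    result = {"NEEDED": [], "RPATH": [], "RUNPATH": []}
    for tag, val in entries:
        if tag in TAG_NAMES:
            start = strtab + val              # NUL-terminated string in the dynamic strtab
            result[TAG_NAMES[tag]].append(data[start:data.index(b"\0", start)].decode())
    return result


def audit_search_path(path_str, stat_fn=os.stat):
    """Classify each ':'-separated directory of an RPATH/RUNPATH or crle -l list."""
    out = []
    for d in path_str.split(":"):
        if not d.startswith("/"):             # "", ".", "$ORIGIN/...": resolved at run time
            out.append((d, "relative"))
            continue
        try:
            st = stat_fn(d)
        except OSError:                       # whoever can create it supplies the library
            out.append((d, "missing"))
            continue
        if st.st_uid != 0:
            out.append((d, "not-root-owned"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):   # sticky bit does not stop creation
            out.append((d, "group-or-world-writable"))
        else:
            out.append((d, "ok"))
    return out


def build_elf64(needed, rpath=None, runpath=None):
    """Constructed minimal little-endian ELF64 ET_DYN carrying only a .dynamic section."""
    strtab, idx = bytearray(b"\0"), {}
    for s in list(needed) + [x for x in (rpath, runpath) if x]:
        idx[s] = len(strtab)
        strtab += s.encode() + b"\0"
    tags = [(DT_NEEDED, idx[n]) for n in needed]
    tags += [(t, idx[p]) for t, p in ((DT_RPATH, rpath), (DT_RUNPATH, runpath)) if p]
    dyn_off = 64 + 2 * 56                     # ELF header + two program headers
    str_off = dyn_off + (len(tags) + 2) * 16  # tags + DT_STRTAB + DT_NULL
    dynamic = struct.pack("<qQ", DT_STRTAB, str_off)
    dynamic += b"".join(struct.pack("<qQ", t, v) for t, v in tags)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)  # vaddr == offset
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, dyn_off, dyn_off, dyn_off,
                         len(dynamic), len(dynamic), 8)
    return ehdr + phdrs + dynamic + bytes(strtab)


if __name__ == "__main__":                    # constructed stand-in for the thread's pam_ldap.so.1
    obj = build_elf64(["libldap.so.2", "libc.so.1"], rpath="/usr/local/lib/lib:/usr/lib")
    print(parse_dynamic(obj))
    print(audit_search_path(parse_dynamic(obj)["RPATH"][0]))
```

Run against a real module, feed it open("/usr/lib/security/pam_ldap.so.1", "rb").read() instead of the constructed object; any "missing", "relative" or "writable" verdict on a module that a setuid program loads is worth fixing before, not after, the symlink that makes the login work.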

>Date: Thu, 10 Jul 2003 14:49:55 -0500
>To: Howard Owen <hbo at egbok.com>, sudo-users at sudo.ws, pamldap at padl.com
>From: Steven Romero <sromero1 at emc.sema.slb.com>
>Subject: Re: pam_ldap and sudo - help if you can
>
>Howard,
>
>Yes - your crle lead was pivotal in me making this discovery about my 
>system.  Thank you!
>
>I get the same results when I try the crle command on my system:
>
>$ crle
>
>Default configuration file (/var/ld/ld.config) not found
>   Default Library Path (ELF):   /usr/lib  (system default)
>   Trusted Directories (ELF):    /usr/lib/secure  (system default)
>
>I've not had a chance to add another path yet, but will shortly and will 
>let you know the results.
>
>I really hope this fixes my problem.
>
>Regards,
>Steven Romero
>
>At 11:42 AM 7/10/2003 -0700, Howard Owen wrote:
>>I'm guessing that your /var/ld/ld.config has /usr/local/lib/lib in it.
>>Do a 'crle' to see what's in there. At the top will be the
>>default ld search path. Make sure the path contains the system locations
>>first. If not, 'crle -l <colon:separated:path>' will establish a new
>>path. On my Solaris 9/Intel system, without any /var/ld/ld.config, crle
>>returns:
>>
>>  Default configuration file (/var/ld/ld.config) not found
>>   Default Library Path (ELF):   /usr/lib  (system default)
>>   Trusted Directories (ELF):    /usr/lib/secure  (system default)
>>
>>After crle -l /usr/lib:/usr/local/lib, crle with no switches returns
>>
>>  Configuration file [3]: /var/ld/ld.config
>>   Default Library Path (ELF):   /usr/lib:/usr/local/lib
>>   Trusted Directories (ELF):    /usr/lib/secure  (system default)
>>
>>  Command line:
>>   crle -c /var/ld/ld.config -l /usr/lib:/usr/local/lib
>>
>>I hope I am guessing right and this is helpful.
>>
>>On Thu, 2003-07-10 at 07:35, Steven Romero wrote:
>> > Aaron,
>> >
>> > Thanks for the response.  I've got debugging turned on, and pam just 
>> spits out:
>> >
>> > load_modules: can not open module /usr/lib/security/pam_ldap.so.1
>> >
>> > so it seems like it can't find/read the pam_ldap module when I execute 
>> sudo.
>> >
>> > When I do a truss the only peculiar thing that I see is:
>> >
>> > open("/usr/local/lib/lib/libldap.so.2", O_RDONLY) Err#2 ENOENT
>> > open("/usr/lib/libldap.so.2", O_RDONLY)         Err#2 ENOENT
>> >
>> > which is not where my libldap.so.2 is located, so I tried to fool the
>> > system by putting it in the spots that it is looking for them in, but 
>> that
>> > didn't work.  I'm not sure what is telling pam_ldap to look for them in
>> > the areas noted above.
>> >
>> > The same thing shows up in a core file that is produced when I try to
>> > telnet to the system with pam_ldap enabled for telnet:
>> >
>> > X/usr/local/lib/lib
>> > ld.so.1: login: fatal: libldap.so.2: open failed: No such file or 
>> directory
>> > (YEAH I KNOW BECAUSE THAT'S NOT WHERE IT'S INSTALLED YOU *&^%$^&*#@ 
>> PROGRAM!!!)
>> >
>> > I never applied the patch you mentioned (I think somebody narrowed it 
>> down
>> > to 108993), but revision 5 of it was already installed on a newly built
>> > system, so I hope that isn't what's causing this as I can't remove it:
>> >
>> > 108993    05        20    SunOS 5.8: LDAP2 Patch
>> >
>> > bash-2.03# patchrm 108993
>> > Checking installed patches...
>> > Patch 108993 was installed without backing up the original files.
>> > It cannot be backed out.
>> >
>> > Somebody on the pam_ldap list suggested I investigate using crle, so I'm
>> > looking into that now.
>> >
>> > Thanks again.  If anything here pokes anybody's brain into a solution
>> > please let me know.  In the meantime I will continue pulling out my hair,
>> > and chewing on tin foil.
>> >
>> > Regards,
>> > Steven Romero
>> >
>> > At 07:18 PM 7/9/2003 -0500, you wrote:
>> > >Steven,
>> > >
>> > >There are a couple of things to check.  I can't remember anything 
>> special
>> > >about
>> > >the build but it was a while back when I compiled it.
>> > >
>> > >Here are some things to do to help debug the problem:
>> > >
>> > >touch /etc/pam_debug
>> > >printf 'auth.debug\t/etc/pam_debug\n' >> /etc/syslog.conf   # Solaris syslogd needs a tab, not spaces, between selector and action
>> > >pkill -HUP syslogd
>> > >
>> > >Then do a tail -f /etc/pam_debug while doing sudo -s.  That should 
>> help shed
>> > >some light on things.
>> > >
>> > >Look over your /etc/pam.conf also.  Contrary to popular belief, you 
>> don't need
>> > >separate entries for every potential application.  PAM allows you to 
>> have an
>> > >"other" application to pick up unnamed applications.  (Such as Sudo, 
>> SSHD, and
>> > >the like).
>> > >
>> > >Another thing you might try is as root do a 'truss sudo -s' to watch 
>> what is
>> > >happening.  You can then watch the system calls fly by to help debug the
>> > >problem.  You will probably have to enable root to use sudo in your 
>> sudoers
>> > >defaults.
>> > >
>> > >One last thing.  Recently Sun has released a patch in their Latest 
>> Recommended
>> > >Patch cluster that blows up most PAM libraries.  I recommend not 
>> loading it.
>> > >(I cannot remember the exact patch number - sorry).  The patch is 
>> intended to
>> > >make Solaris 8 run like Solaris 9's native pam_ldap.  Trouble is that it
>> > >munges
>> > >your /etc/pam.conf pretty bad and anything linked against the older 
>> libpam has
>> > >to be recompiled.
>> > >
>> > >I hope this helps.
>> > >   - Aaron
>> > >
>> > >I hope this all helps.
>> > >
>> > >  -Aaron
>> > >
>> > >Steven Romero wrote:
>> > >
>> > > > Aaron,
>> > > >
>> > > > Sorry to bother you, but I noticed you guys were in the process of 
>> setting
>> > > > up LDAP with a sudo schema.  Sounds cool, but I'm not that far 
>> yet.  I'm
>> > > > still having problems getting sudo to work with pam_ldap.
>> > > >
>> > > > I keep getting the following error every time I try to execute 
>> sudo using
>> > > > pam_ldap:
>> > > >
>> > > > bash-2.03$ sudo -s
>> > > > sudo: pam_authenticate: Dlopen failure
>> > > >
>> > > > pam_ldap is working happily with ssh, so I know my setup with 
>> regards to
>> > > > that subsystem is correct.
>> > > >
>> > > > I've checked everything I can think of (permissions, linking, shared
>> > > > libraries, etc) regarding the sudo problem, but cannot figure out 
>> how to
>> > > > get this to work on Solaris 8.  Did you ever have this problem 
>> with sudo,
>> > > > or have you heard of it, and if so do you know how to get around it?
>> > > >
>> > > > Again, don't mean to be a pain, but I'm sort of at the end of my 
>> rope here.
>> > > >
>> > > > Thanks again.
>> > > >
>> > > > Regards,
>> > > > Steven Romero
>> >
>> >
>> > ____________________________________________________________
>> > sudo-users mailing list <sudo-users at sudo.ws>
>> > For list information, options, or to unsubscribe, visit:
>> > http://www.sudo.ws/mailman/listinfo/sudo-users
>>--
>>Howard Owen                      "Even if you are on the right
>>EGBOK Consultants                 track, you'll get run over if you
>>hbo at egbok.com    +1-650-339-5733  just sit there." - Will Rogers
>>