
List:       pamldap
Subject:    RE: [pamldap] Bug when logging into CDE on Solaris when using pam_ldap
From:       Glenn Case <ldap () glennc ! net>
Date:       2003-01-28 20:45:26

I think I have this working now (I am still testing this).
But it is still a hack :-)

This was the behavior I was seeing in the dtsession crashes I was 
dealing with earlier.
(This was on Solaris 8)

The issue was introduced somewhere after pam_ldap-152 and I believe is
the addition of the -B group flag to the link line for pam_ldap.so,
which fixes a number of other issues but causes a number of build time
headaches (the build time issues cause dtsession to crash).

The solution I found that worked was to link some of the libraries
(openldap, openssl) statically into pam_ldap.so.

When you do this remember to remove the -B group option from the link line.
    (Or else reboot single user / restore good pam_ldap / reboot again /
    log in and relink again.)

http://www.netsys.com/pamldap/2002/11/msg00046.html
was the hint that I received.

If you want openssl to compile correctly for use with -B group you may
need to link it differently.
    http://www.netsys.com/pamldap/2002/10/msg00051.html
describes how.

When I finally get this fully working I probably should write it up and 
post the solution to the list.

Thanks
    Glenn


 > I don't see a Solaris version number anywhere, but I'm assuming you are
 > referring to Solaris 2.8. If you are dealing with Solaris 2.7 disregard
 > this message- 2.7 is a lost cause and is not worth dealing with.
 >
 > If memory serves, we found that one of the processes that helps manage
 > CDE does a segv. We solved this problem and other problems in Connexitor
 > Naming Services (CNS), our packaged build of pam_ and nss_ldap. If you
 > care to try it, you can download it at
 > http://www.symas.net/download/connexitor/.
 >
 > -Matthew Hardin
 > Symas Corporation
 >
 >
 > > -----Original Message-----
 > > From: owner-pamldap@PADL.COM [mailto:owner-pamldap@PADL.COM] On Behalf Of
 > > Lance Rathbone
 > > Sent: Monday, January 27, 2003 6:21 PM
 > > To: pamldap@padl.com
 > > Subject: Re: [pamldap] Bug when logging into CDE on Solaris when using
 > > pam_ldap
 > >
 > >
 > > Mike
 > >
 > > It appears I am getting the same problem you have noted
 > > Unfortunately, none of our systems have sudo installed and this is
 > > unlikely to change.
 > >
 > > I'm wondering if the ExitSession problem occurs because something has
 > > gone wrong in the dtlogin startup sequence?
 > > I say this because:
 > > 1. When logging in as an ldap user a new .dtprofile is created each time
 > > 2. .dt/startlog says that DTSOURCEPROFILE is false even though the
 > > newly created .dtprofile says that it is true.
 > >
 > > This does not happen when a 'file' user logs in.
 > > I would have thought that both types of users would have been treated
 > > exactly the same in this respect.
 > >
 > >
 > >
 > > >I just sent this to someone else who asked the same question:
 > > >
 > > >  I got the CDE login working with pam_ldap and nss_ldap, but it's a hack.
 > > >I'm not proud of it, but it works.  Once I got nss_ldap working things
 > > >got better to where I could login to the CDE, but could not log out.
 > > >It would shutdown some of the processes but not all, leaving me in
 > > >the gui.  When I hit "exit" a 2nd time I would get an error message
 > > >to the effect of "tt_err_no_match: there is no running process to service
 > > >this request."
 > > >
 > > >I found that it was getting far enough to run the sessionexit script,
 > > >so I hacked it to run a script that kills off all of the dt processes
 > > >with the help of sudo since it requires root privileges, and now everything
 > > >works normally (from the user's perspective).  So here's the flood of
 > > >information about how I got all this working:
 > > >
 > > >-
 > > >
 > > >session exit hack (add this to /usr/dt/config/sessionexit):
 > > >
 > > ># hack to kill dt processes
 > > >     /usr/local/adm/bin/sudo /usr/local/adm/bin/kill-dt-procs
 > > >
 > > >---- end of sessionexit hack
 > > >
 > > >kill-dt-procs script:
 > > >
 > > >#!/bin/sh
 > > >#
 > > ># kill the dtlogin processes
 > > >#
 > > >PS=`/bin/ps -ef | grep dt | egrep -v 'grep' | awk '{print $2}'`
 > > >PS2=`echo $PS | sed 's/\n//g'`
 > > >
 > > >/bin/kill $PS2 >/tmp/kill-log 2>&1
 > > >
 > > >sleep 3
 > > >
 > > >/etc/init.d/dtlogin start
 > > >
 > > >---- end of kill-dt-procs script
 > > >
 > > >contents of /usr/local/etc/sudoers:
 > > >
 > > >#-------------------------------------------------------------------------
 > > ># name of server to allow this to run on and don't require a password:
 > > ># --------\
 > > >ALL btc1.wright.edu = NOPASSWD: /usr/local/adm/bin/kill-dt-procs
 > > >
 > > >--- end of sudoers file
 > > >
 > >
 > > --
 > > =====================================
 > >
 > > Lance Rathbone BSc MCompStud
 > > Senior IT Officer
 > > Institute for Molecular Bioscience
 > > The University of Queensland
 > > Brisbane QLD 4072
 > > AUSTRALIA
 > >
 > >
 > > Tel    +61 7 3365 1289
 > > http://www.imb.uq.edu.au
 > > =====================================
 > >
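
The quoted kill-dt-procs helper selects PIDs with `grep dt` over the whole `ps -ef` listing and is runnable as root by every account through the NOPASSWD sudoers entry. The script below is an added example, not code from anyone in this thread: a narrower variant that only touches the invoking user's processes and matches exact command names. The process-name list, the `--run` switch, the reliance on sudo's `SUDO_USER`, and the assumption that the stuck session processes belong to the user logging out are all assumptions; it does not restart dtlogin.

```shell
#!/bin/sh
# Added example: narrower stand-in for the thread's kill-dt-procs helper.
# Assumed list of CDE session process names; adjust for the site.
DT_NAMES="dtsession dtwm dtfile dtterm dtpad ttsession sdt_shell"

# Reads "PID COMMAND" lines on stdin and prints the PIDs whose command
# basename is exactly one of DT_NAMES (no substring matching on "dt").
# On Solaris use nawk here; the old /usr/bin/awk lacks -v.
select_dt_pids() {
    awk -v names="$DT_NAMES" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+$/ {
            m = split($2, parts, "/")
            if (parts[m] in ok) print $1
        }'
}

# Kills only the named session processes owned by one non-root user.
kill_user_dt_procs() {
    user=$1
    # Refuse empty names, root, and anything that is not a plain account name.
    case $user in
        ''|root|*[!A-Za-z0-9._-]*)
            echo "kill-dt-procs: refusing user '$user'" >&2
            return 1 ;;
    esac
    pids=`ps -u "$user" -o pid= -o comm= | select_dt_pids`
    [ -n "$pids" ] || return 0
    kill $pids
}

# Constructed sample of "ps -o pid= -o comm=" output, used for checking.
sample_ps() {
    cat <<'EOF'
  412 /usr/dt/bin/dtsession
  430 dtwm
  455 /usr/local/bin/mydtd-validator
  471 /usr/dt/bin/rpc.cmsd
  480 -sh
EOF
}

# Only act when explicitly asked to; sudo sets SUDO_USER to the caller.
if [ "${1:-}" = "--run" ]; then
    kill_user_dt_procs "${SUDO_USER:-}"
fi
```

On the constructed sample, PIDs 412 and 430 are selected; the two entries that merely contain "dt" in their path or name are left alone.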
