Bug 675

Summary: Unable to enforce password on AIX when using LDAP
Product: Sudo
Reporter: Francesco <johnuopini>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: high
Priority: low
Version: 1.8.3
Hardware: IBM
OS: AIX

Description Francesco 2014-11-03 07:27:00 MST
On our AIX installations it is not possible to enforce a password when using LDAP; the result is sudo printing "Sorry, try again." 3 times without even asking for a password. This happens only when enforcing is done via LDAP; it does not happen via local configuration.

> sudo -l
Matching Defaults entries for xxx on this host:
    fqdn, listpw=never, logfile=/var/log/sudo.log

User xxx may run the following commands on this host:
    (root) /usr/bin/su -, ALL

> sudo -D 9 su - 
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=[...]
sudo: sudo_mode 1
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
sudo: policy plugin returns -1

> sudo -V
Sudo version 1.8.3p1
Sudoers policy plugin version 1.8.3p1
Sudoers file grammar version 40
Sudoers I/O plugin version 1.8.3p1
Comment 1 Todd C. Miller 2014-11-03 09:23:32 MST
This sounds like a PAM or LAM configuration problem.  Are you using the PAM or LAM sudo package or did you compile sudo yourself?

How do you have LDAP authentication configured?  If it is via pam.conf then you need to be using the sudo PAM package.  If it is configured via the SYSTEM attribute in the registry you need to use the sudo LAM package.

My guess is that sudo is using PAM to authenticate when it needs to be using LAM.  If you build sudo yourself you will need to use the --without-pam configure option since the default is to use PAM on newer AIX versions.
Comment 2 Francesco 2014-11-03 09:25:47 MST
It's compiled; my config is:

Configure options: --enable-zlib=builtin --prefix=/usr --with-ldap=/opt/IBM/ldap/V6.1 --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi --with-env-editor --enable-static --without-sendmail --with-ldap-conf-file=/etc/sudo-ldap.conf

I will try to disable PAM, but I think I already tried that.
Comment 3 Todd C. Miller 2014-11-16 07:08:34 MST
Did disabling PAM change anything?  I'm hoping to add support for the auth_type setting in /etc/security/login.cfg to a future sudo release so we don't have to compile separate LAM and PAM versions.
Comment 4 Todd C. Miller 2015-03-21 19:20:12 MDT
Sudo 1.8.13 uses the value of the auth_type setting in /etc/security/login.cfg to determine whether to use LAM or PAM for user authentication unless either the --with-pam or --with-aixauth configure options are used.

If you still have a problem with 1.8.13, please reopen the bug.
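As an added example (not part of the bug report and not sudo's own code), a small POSIX shell check that applies the selection rule from comment 4: read auth_type from the usw: stanza of /etc/security/login.cfg and decide whether a 1.8.13-style sudo would authenticate through PAM or LAM, with the --with-pam / --with-aixauth configure options taking precedence. The function names and the sample login.cfg content are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the bug or from sudo itself. Mirrors the rule in
# comment 4: explicit configure options win; otherwise the auth_type
# attribute in the usw: stanza of /etc/security/login.cfg decides.

# Print the auth_type value (STD_AUTH or PAM_AUTH) from the usw: stanza of a
# login.cfg-format file. Prints STD_AUTH when the attribute is absent, which
# is the AIX default.
login_cfg_auth_type() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        stanza == "usw" && /^[ \t]*auth_type[ \t]*=/ {
            val = $0
            sub(/^[ \t]*auth_type[ \t]*=[ \t]*/, "", val)   # keep only the value
            sub(/[ \t]*$/, "", val)                          # drop trailing blanks
            print val; found = 1; exit
        }
        END { if (!found) print "STD_AUTH" }
    ' "$1"
}

# Decide the backend (PAM or LAM) from the login.cfg auth_type and the
# "Configure options:" text shown by `sudo -V`.
sudo_auth_backend() {
    auth_type=$1
    configure_opts=$2
    case " $configure_opts " in
        *" --with-pam "*|*" --with-pam="*)         echo PAM; return ;;
        *" --with-aixauth "*|*" --with-aixauth="*) echo LAM; return ;;
    esac
    case $auth_type in
        PAM_AUTH) echo PAM ;;
        *)        echo LAM ;;
    esac
}

# Constructed sample resembling /etc/security/login.cfg on a PAM-enabled host.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
default:
    sak_enabled = false

usw:
    shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh
    auth_type = PAM_AUTH
EOF
at=$(login_cfg_auth_type "$sample_cfg")
echo "login.cfg auth_type: $at"
echo "sudo 1.8.13 would use: $(sudo_auth_backend "$at" "--with-ldap=/opt/IBM/ldap/V6.1 --enable-static")"
rm -f "$sample_cfg"
```

On a real host, run login_cfg_auth_type against /etc/security/login.cfg and pass the "Configure options:" line from `sudo -V` to sudo_auth_backend; a mismatch between that result and how LDAP authentication is wired (pam.conf vs. the SYSTEM attribute) is the situation comment 1 describes.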