Bugzilla – Bug 675
Unable to enforce password on AIX when using LDAP
Last modified: 2015-03-21 19:20:12 MDT
On our AIX installations it is not possible to enforce a password when using LDAP; the result is sudo printing "Sorry, try again." 3 times without even asking for a password. This happens only when enforcing is done via LDAP, it does not happen via local configuration.

> sudo -l
Matching Defaults entries for xxx on this host:
    fqdn, listpw=never, logfile=/var/log/sudo.log

User xxx may run the following commands on this host:
    (root) /usr/bin/su -, ALL

> sudo -D 9 su -
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=[...]
sudo: sudo_mode 1
Sorry, try again.
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
sudo: policy plugin returns -1

> sudo -V
Sudo version 1.8.3p1
Sudoers policy plugin version 1.8.3p1
Sudoers file grammar version 40
Sudoers I/O plugin version 1.8.3p1
This sounds like a PAM or LAM configuration problem. Are you using the PAM or LAM sudo package or did you compile sudo yourself? How do you have LDAP authentication configured? If it is via pam.conf then you need to be using the sudo PAM package. If it is configured via the SYSTEM attribute in the registry you need to use the sudo LAM package. My guess is that sudo is using PAM to authenticate when it needs to be using LAM. If you build sudo yourself you will need to use the --without-pam configure option since the default is to use PAM on newer AIX versions.
It's compiled, my config is:

Configure options: --enable-zlib=builtin --prefix=/usr --with-ldap=/opt/IBM/ldap/V6.1 --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi --with-env-editor --enable-static --without-sendmail --with-ldap-conf-file=/etc/sudo-ldap.conf

I will try to disable PAM but I think I already tried that.
Did disabling PAM change anything? I'm hoping to add support for the auth_type setting in /etc/security/login.cfg to a future sudo release so we don't have to compile separate LAM and PAM versions.
Sudo 1.8.13 uses the value of the auth_type setting in /etc/security/login.cfg to determine whether to use LAM or PAM for user authentication unless either the --with-pam or --with-aixauth configure options are used. If you still have a problem with 1.8.13, please reopen the bug.
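As an added illustration of the auth_type check described in the last comment (example code written for this page, not sudo's own implementation), the following POSIX shell function reads the usw stanza of /etc/security/login.cfg and reports whether AIX is configured for LAM (auth_type = STD_AUTH, the default) or PAM (auth_type = PAM_AUTH). It assumes the standard AIX stanza layout ("name:" lines opening a stanza, indented "attribute = value" lines under it, "*" starting a comment line); the two login.cfg files it creates are constructed samples, not files from any system.

```shell
#!/bin/sh
# Added example, not sudo's code: report which authentication mechanism AIX is
# configured to use by reading auth_type from the "usw" stanza of login.cfg.
# Assumption: standard AIX stanza layout ("usw:" followed by indented
# "attribute = value" lines; lines beginning with "*" are comments).

# Usage: aix_auth_mechanism [path]   (default path: /etc/security/login.cfg)
# Prints "PAM" when auth_type = PAM_AUTH in the usw stanza, otherwise "LAM".
aix_auth_mechanism() {
    cfg="${1:-/etc/security/login.cfg}"
    # Missing or unreadable file: fall back to the AIX default, STD_AUTH (LAM).
    if [ ! -r "$cfg" ]; then
        echo LAM
        return 0
    fi
    awk '
        /^\*/ { next }                                  # comment line
        /^[^ \t*].*:[ \t]*$/ {                          # "name:" opens a stanza
            stanza = $0; sub(/:[ \t]*$/, "", stanza); next
        }
        stanza == "usw" && /^[ \t]*auth_type[ \t]*=/ {  # only the usw stanza counts
            val = $0
            sub(/^[ \t]*auth_type[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]*$/, "", val)
        }
        END { if (val == "PAM_AUTH") print "PAM"; else print "LAM" }
    ' "$cfg"
}

# Demonstration on two constructed login.cfg files (not real system files).
demo=$(mktemp -d)
cat > "$demo/login.cfg.std" <<'EOF'
* constructed sample: LAM, the AIX default
default:
        logintimes =
usw:
        shells = /bin/sh,/bin/ksh
        auth_type = STD_AUTH
EOF
cat > "$demo/login.cfg.pam" <<'EOF'
* constructed sample: PAM enabled
usw:
        shells = /bin/sh,/bin/ksh
        auth_type = PAM_AUTH
EOF
echo "STD_AUTH -> $(aix_auth_mechanism "$demo/login.cfg.std")"
echo "PAM_AUTH -> $(aix_auth_mechanism "$demo/login.cfg.pam")"
rm -rf "$demo"
```

On a host showing the symptom from this bug, compare the result with how sudo was built: a sudo built with --with-pam (or, before 1.8.13, with PAM as the default on newer AIX) on a system whose usw stanza says STD_AUTH is exactly the mismatch the maintainer suspected, and sudo 1.8.13 only consults login.cfg when neither --with-pam nor --with-aixauth was passed to configure.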