
Comments (6)

rseabra commented on August 29, 2024

Hi,

As to the search, if it's using keydb it's not binding against OpenLDAP libs but IBM's IDS, so what makes /opt/freeware/bin/ldapsearch doesn't mean you have a properly set up environment on AIX.

Do you have your LDAP server's CA in /etc/security/ldap/ldap.kdb ?

As for compilation....oh boy...

Compilation on AIX is a real nightmare. The best guide for compilation is the rpm spec; actually, it was done with the help of a local AIX genius guy from Portugal.

Recently, however, we discovered a bug in the combination between AIX's sshd, pam, and getopt, so I've had to do a very "dirty" little change which I'm about to commit.

Sadly it's a bit of a rocky road on every AIX patch. I'll try to get back to you tomorrow on that, if you don't mind.

Thanks for trying this module out! :)

Rui

from pam_ipahbac.

sophieqc commented on August 29, 2024

I tried to recompile the module and I noticed some warnings this time:

        make  all-recursive
Making all in src
        gcc -DHAVE_CONFIG_H -I. -I..     -g -O2 -MT ipahbac_test-test.o -MD -MP -MF .deps/ipahbac_test-test.Tpo -c -o ipahbac_test-test.o `test -f 'test.c' || echo './'`test.c
        mv -f .deps/ipahbac_test-test.Tpo .deps/ipahbac_test-test.Po
        /bin/sh ../libtool  --tag=CC    --mode=link gcc   -g -O2 -lpam   -o ipahbac_test ipahbac_test-test.o
libtool: link: gcc -g -O2 -o ipahbac_test ipahbac_test-test.o  -lpam
        /bin/sh ../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I..    -fPIC   -DLDAP_DEPRECATED -g -O2 -MT pam_ipahbac_la-pam_ipahbac.lo -MD -MP -MF .deps/pam_ipahbac_la-pam_ipahbac.Tpo -c -o pam_ipahbac_la-pam_ipahbac.lo `test -f 'pam_ipahbac.c' || echo './'`pam_ipahbac.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -fPIC -DLDAP_DEPRECATED -g -O2 -MT pam_ipahbac_la-pam_ipahbac.lo -MD -MP -MF .deps/pam_ipahbac_la-pam_ipahbac.Tpo -c pam_ipahbac.c  -fPIC -DPIC -o .libs/pam_ipahbac_la-pam_ipahbac.o
pam_ipahbac.c:34: warning: "LDAP_OPT_SUCCESS" redefined
 #define LDAP_OPT_SUCCESS LDAP_SUCCESS

In file included from pam_ipahbac.c:31:
/opt/freeware/include/ldap.h:218: note: this is the location of the previous definition
 #define LDAP_OPT_SUCCESS 0

pam_ipahbac.c: In function 'ipa_check_hbac':
pam_ipahbac.c:248:11: warning: implicit declaration of function 'ldap_ssl_client_init'; did you mean 'ldap_sync_init'? [-Wimplicit-function-declaration]
  retval = ldap_ssl_client_init(keydb, keydbpw, 0, &sslerror ) ;
           ^~~~~~~~~~~~~~~~~~~~
           ldap_sync_init
pam_ipahbac.c:255:7: warning: implicit declaration of function 'ldap_ssl_init'; did you mean 'ldap_sync_init'? [-Wimplicit-function-declaration]
  ld = ldap_ssl_init(ldapservers, 636, NULL);
       ^~~~~~~~~~~~~
       ldap_sync_init
pam_ipahbac.c:255:5: warning: assignment to 'LDAP *' {aka 'struct ldap *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
  ld = ldap_ssl_init(ldapservers, 636, NULL);
     ^
pam_ipahbac.c: In function 'pam_sm_acct_mgmt':
pam_ipahbac.c:522:28: warning: comparison between pointer and integer
     for(i=0;ldapservers[i] != NULL; i++) if ( ldapservers[i] == ',' ) ldapservers[i]=' ';
                            ^~
        mv -f .deps/pam_ipahbac_la-pam_ipahbac.Tpo .deps/pam_ipahbac_la-pam_ipahbac.Plo
        /bin/sh ../libtool  --tag=CC    --mode=link gcc  -fPIC   -DLDAP_DEPRECATED -g -O2 -module -avoid-version -shared -export-dynamic -lpam --as-needed --disable-static --shared   -o pam_ipahbac.la -rpath /usr/lib/security pam_ipahbac_la-pam_ipahbac.lo
libtool: link: `func_echo_all /usr/bin/nm -B | /usr/bin/sed -e 's/B\([^B]*\)$/P\1/'` -PCpgl  .libs/pam_ipahbac_la-pam_ipahbac.o   | awk '{ if ((($ 2 == "T") || ($ 2 == "D") || ($ 2 == "B") || ($ 2 == "W") || ($ 2 == "V") || ($ 2 == "Z")) && (substr($ 1,1,1) != ".")) { if (($ 2 == "W") || ($ 2 == "V") || ($ 2 == "Z")) { print $ 1 " weak" } else { print $ 1 } } }' | sort -u > .libs/pam_ipahbac.exp
libtool: link: rm -f -r .libs/pam_ipahbac.a.d
libtool: link: mkdir .libs/pam_ipahbac.a.d
libtool: link: gcc -shared -o .libs/pam_ipahbac.a.d/pam_ipahbac.so  .libs/pam_ipahbac_la-pam_ipahbac.o   -Wl,-blibpath:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8.3.0:/opt/freeware/lib/gcc/powerpc-ibm-aix7.2.0.0/8.3.0/../../..:/usr/lib:/lib -lpam -lc -Wl,-bnoentry `func_echo_all " -g -O2   " | /usr/bin/sed -e "s%-brtl\\([, ]\\)%-berok\\1%g"`-Wl,-bE:.libs/pam_ipahbac.exp -Wl,-berok
libtool: link: ar cru .libs/pam_ipahbac.a .libs/pam_ipahbac.a.d/pam_ipahbac.so
libtool: link: mv -f .libs/pam_ipahbac.a.d/pam_ipahbac.so .libs
libtool: link: rm -f -r .libs/pam_ipahbac.a.d
libtool: link: ( cd ".libs" && rm -f "pam_ipahbac.la" && ln -s "../pam_ipahbac.la" "pam_ipahbac.la" )
Target "all" is up to date.
Target "all-am" is up to date.

make install doesn't seem to install pam_ipahbac.so in usr

Making install in src
 ../config/install-sh -c -d '/usr/bin'
  /bin/sh ../libtool   --mode=install ../config/install-sh -c ipahbac_test '/usr/bin'
libtool: install: ../config/install-sh -c ipahbac_test /usr/bin/ipahbac_test
Target "install-exec-am" is up to date.
 ../config/install-sh -c -d '/usr/lib/security'
 /bin/sh ../libtool   --mode=install ../config/install-sh -c   pam_ipahbac.la '/usr/lib/security'
libtool: install: ../config/install-sh -c .libs/pam_ipahbac.a /usr/lib/security/pam_ipahbac.a
libtool: install: ../config/install-sh -c .libs/pam_ipahbac.lai /usr/lib/security/pam_ipahbac.la
        make  install-data-hook
        rm -f /usr/lib/security/pam_ipahbac.la
        libtool --finish /usr/lib/security
        ../config/install-sh -c -d /usr/share/doc/pam_ipahbac
        ../config/install-sh -c -m 644 sample.pam /usr/share/doc/pam_ipahbac
Target "install" is up to date.
Target "install-exec-am" is up to date.
Target "install-data-am" is up to date.
Target "install" is up to date.

sophieqc commented on August 29, 2024

Thank you for the info about keydb, I didn't have much more success without it.

Yes indeed they have the ipa CA, lsldap -a passwd works, login works for idm users, I'm just missing hbac.

Waiting out to try your patch 🤞

sophieqc commented on August 29, 2024

I managed to install the module correctly with the rpm and got a lot more debug output; it seems like the LDAPS support missing at compilation time caused this lack of errors. I'm wondering if that should be a failure instead of a warning at compilation time?

sophieqc commented on August 29, 2024

This is the error I'm currently having trouble with:

pam_ipahbac[11272282]: Error initializing ssl client (113) - 408 - Unknown error

According to IBM 408 means "Keyring password is incorrect".

At first I did not use the "stashed password" as it seems optional.

sshd    account required        pam_ipahbac.so blameGetOpt -d 1 -k /etc/security/ldap/ldap.kdb -u aix -b dc=idm,dc=acme,dc=fr -P /etc/ldap.secret -l ldaps://idm01.idm.acme.fr -x /etc/hbacexclude

Then I tried to generate a stashed password with:

/usr/bin/gsk8capicmd -keydb -stashpw -db "/etc/security/ldap/ldap.kdb" -pw password

It created an ldap.sth file that I added into the pam config:

sshd    account required        pam_ipahbac.so blameGetOpt -d 1 -k /etc/security/ldap/ldap.kdb -K /etc/security/ldap/ldap.sth -u aix -b dc=idm,dc=acme,dc=fr -P /etc/ldap.secret -l ldaps://idm01.idm.acme.fr -x /etc/hbacexclude

But I still get the same error:

pam_ipahbac[11272282]: Error initializing ssl client (113) - 408 - Unknown error

Has anyone already had that problem?

sophieqc commented on August 29, 2024

Okay so in the end it was just a configuration issue on my side.

I would recommend anyone in the same situation to read twice: https://github.com/rseabra/pam_ipahbac/wiki/AIX

Installing the module from the precompiled 0.0.7 rpm with the "--nodeps" option and setting this in pam.conf did the trick:

sshd    account required        pam_ipahbac.so blameGetOpt -d 1 -k /etc/security/ldap/ldap.kdb -u aix -b dc=idm,dc=acme,dc=fr -p password -l ldaps://idm01.idm.acme.fr -x /etc/hbacexclude

Thank you for this module.

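As an added example that is not from the pam_ipahbac project, here is a small POSIX sh preflight that parses a pam.conf line like the ones in this thread and flags the keyring-password omission that the thread traces to GSKit error 408. The option letters come from the config lines above; which combinations count as a problem is my assumption.

```shell
#!/bin/sh
# Preflight for a pam_ipahbac line in AIX pam.conf (added example, not project code).
# Option letters (-k key database, -K stash file, -p keyring password, -P bind
# password file, -l LDAP URI, -d/-u/-b/-x) are taken from the thread's config
# lines; the checks themselves are my assumptions about what the module needs.

check_pam_ipahbac_line() {
    keydb=""; stash=""; pw=""; uri=""; problems=0
    # Split the pam.conf line into words (pam.conf lines carry no quoted args).
    set -- $1
    # Skip the service/type/control fields up to and including the module name.
    while [ $# -gt 0 ] && [ "$1" != "pam_ipahbac.so" ]; do shift; done
    if [ $# -eq 0 ]; then
        echo "problem: line does not reference pam_ipahbac.so"
        return 1
    fi
    shift
    while [ $# -gt 0 ]; do
        case $1 in
            -k) keydb=${2:-}; shift ;;
            -K) stash=${2:-}; shift ;;
            -p) pw=${2:-}; shift ;;
            -l) uri=${2:-}; shift ;;
            -d|-u|-b|-P|-x) shift ;;   # take an argument but are not checked here
        esac
        [ $# -gt 0 ] && shift
    done
    if [ -z "$keydb" ]; then
        echo "problem: no -k key database, so the SSL client has no keyring to open"
        problems=$((problems + 1))
    elif [ -z "$stash" ] && [ -z "$pw" ]; then
        # This is the omission behind the thread's "(113) - 408" error.
        echo "problem: -k given without -K stash file or -p keyring password (GSKit 408)"
        problems=$((problems + 1))
    fi
    case $uri in
        ldaps://*) ;;
        *) echo "problem: -l '$uri' is not an ldaps:// URI"
           problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample, reusing the thread's first (failing) pam.conf line.
SAMPLE='sshd account required pam_ipahbac.so blameGetOpt -d 1 -k /etc/security/ldap/ldap.kdb -u aix -b dc=idm,dc=acme,dc=fr -P /etc/ldap.secret -l ldaps://idm01.idm.acme.fr -x /etc/hbacexclude'
check_pam_ipahbac_line "$SAMPLE" || echo "fix pam.conf before testing a login"
```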
