

RH Linux, eDirectory & 3rd party apps

By roger.lacroix
A little help please,

A large mid-west US utility is using RedHat Linux and eDirectory successfully. The setup is RedHat 7.2 and openldap-clients-2.0.27-2.7.3 (they are not running a Novell Client on the Linux servers). They have it set up to send the password in clear-text. They can successfully log onto the box using UserIDs & passwords that are in eDirectory.

On the RH Linux server they are running WebSphere MQ v5.3 and they decided to purchase Capitalware's security product called: MQ Authenticate User Security Exit (MQAUSX). MQAUSX fully authenticates a user who is accessing a WebSphere MQ resource. It verifies the User's UserID and Password against the server's native OS UserID/password management system.

MQAUSX follows the standard Linux security principles of (1) using the getspnam() function to retrieve the 'spwd' structure information, (2) using crypt() to encrypt the incoming user's password and (3) comparing the 2 encrypted passwords. (Yes, the executable has the user ownership as root and the user sticky bit is set.)

If the UserID and password are local to the RH Linux box then everything works fine (as expected and well tested).

But if the UserID and password are in eDirectory then the password returned by getspnam() is always 'x' (a single character 'x'). I have tried the getpwnam(), getspent() and getpwent() functions but all of them return a password of 'x'.

On the eDirectory server, maybe the RH Linux server is not 'trusted' to look up the password? Or maybe the application is not 'trusted' to look up the password?

The reason I think it is a 'trusted' issue is that getspnam() and the other functions return successfully but the password field is filled with an 'x'. Here's a discussion of Linux, PAM, LDAP and the password field containing an 'x':

Plus it actually states it in RFC 2307. At the very bottom of section 5.3, it talks about the DUA (directory user agent) returning an 'x':

Help Please:
So, I just need to figure out what parameter / setting / conf / property file that will allow the ldap client (DUA) to do the password lookup.
Any and all help is much appreciated.

Roger Lacroix
Capitalware Inc.
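The getspnam() / crypt() / compare sequence the post describes, with the 'x' case handled explicitly, as an added example. This is not Capitalware's MQAUSX code and not anything from the thread; the status names, the field classification and the weak-linked crypt() are choices made for this illustration. It assumes a Linux box where the password field may come back as 'x' because the hash is held elsewhere (the shadow file, or an NSS/LDAP backend that does not return it, as RFC 2307 permits a DUA to do); instead of comparing the candidate against the literal 'x' and failing, the check reports that the hash is simply not available to the caller.

```c
/* Added example: local password check in the sequence the post describes
 * (getspnam() -> crypt() -> compare), with the non-hash field values that
 * getspnam()/getpwnam() can return handled as distinct outcomes.
 * Build: cc -o pwcheck pwcheck.c -lcrypt   (run as root to read shadow). */
#define _GNU_SOURCE
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* crypt(3) lives in libcrypt. It is declared here and marked weak so the
 * file links with or without -lcrypt; without it the symbol is NULL and
 * verify_hash() reports PW_HASH_UNAVAILABLE rather than crashing. */
char *crypt(const char *key, const char *salt);
#pragma weak crypt

enum field_kind { FIELD_HASH, FIELD_REDIRECT, FIELD_LOCKED, FIELD_EMPTY };

enum pw_status { PW_MATCH, PW_MISMATCH, PW_NO_USER, PW_LOCKED, PW_HASH_UNAVAILABLE };

/* Classify the password field. "x" is a redirect: the hash is kept somewhere
 * the caller was not given (the shadow file, or a directory backend that does
 * not hand out userPassword). A leading "*" or "!" marks a locked account and
 * an empty field means "no password"; neither is a hash to compare against. */
enum field_kind classify_field(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return FIELD_EMPTY;
    if (strcmp(field, "x") == 0)
        return FIELD_REDIRECT;
    if (field[0] == '*' || field[0] == '!')
        return FIELD_LOCKED;
    return FIELD_HASH;
}

/* Comparison whose timing does not depend on where the strings differ.
 * Returns 1 when equal, 0 otherwise. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i < lb ? i : 0]);
    return diff == 0;
}

/* Step (2)+(3) of the post: crypt() with the stored hash as the setting
 * string regenerates the same hash when the candidate password is right. */
enum pw_status verify_hash(const char *stored, const char *candidate)
{
    if (crypt == NULL)                    /* libcrypt not linked (weak symbol) */
        return PW_HASH_UNAVAILABLE;
    const char *computed = crypt(candidate, stored);
    if (computed == NULL || computed[0] == '*')   /* libxcrypt failure token */
        return PW_HASH_UNAVAILABLE;
    return ct_equal(stored, computed) ? PW_MATCH : PW_MISMATCH;
}

/* Step (1) of the post: getspnam() first (needs root or setuid root), then
 * getpwnam() as a fallback, and only then the hash comparison. */
enum pw_status check_password(const char *user, const char *candidate)
{
    const char *field;
    errno = 0;
    struct spwd *sp = getspnam(user);     /* NULL with errno EACCES if not root */
    if (sp != NULL) {
        field = sp->sp_pwdp;
    } else {
        struct passwd *pw = getpwnam(user);
        if (pw == NULL)
            return PW_NO_USER;
        field = pw->pw_passwd;            /* usually "x": see classify_field() */
    }
    switch (classify_field(field)) {
    case FIELD_HASH:     return verify_hash(field, candidate);
    case FIELD_LOCKED:   return PW_LOCKED;
    case FIELD_EMPTY:    return PW_HASH_UNAVAILABLE;  /* never accept an empty field */
    case FIELD_REDIRECT: return PW_HASH_UNAVAILABLE;  /* the 'x' the post describes */
    }
    return PW_HASH_UNAVAILABLE;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "match", "mismatch", "no such user",
                                   "account locked", "hash not available" };
    if (argc != 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 2;
    }
    char *candidate = getpass("Password: ");   /* not argv: argv is visible in ps */
    enum pw_status st = check_password(argv[1], candidate ? candidate : "");
    printf("%s: %s\n", argv[1], names[st]);
    return st == PW_MATCH ? 0 : 1;
}
```

The point of the separate PW_HASH_UNAVAILABLE result is that 'x' is not a hash the comparison can fail against; it is the backend saying the hash was not returned to this caller. For a local account that means the process lacks the privilege to read the shadow file; for an account served from a directory it means the hash is not being handed out at all, so a crypt()-and-compare exit cannot verify that user whatever it does with the field, and the check has to be delegated to something that can speak to the directory.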

by jmgarvin, in reply to RH Linux, eDirectory & 3rd party apps

A lot of stuff could be going wrong here. I would guess that something isn't configured properly with PAM.

Your best bet is to drop RH7.x and move up to a supported version. You are running so many old packages it might be hard to track down the actual problem.
