-   Linux - Newbie (
-   -   su not giving proper message for restricted LDAP groups (

skimeer 10-12-2012 09:41 AM

su not giving proper message for restricted LDAP groups

I have configured PAM authentication on linux box to restrict particular group only to login.

I have enabled pam and ldap through authconfig and modified access.conf like below,


[root@test root]# tail -1 /etc/security/access.conf
- : ALL EXCEPT root test-auth : ALL

Also modified sudoers file, to get su for this group


[root@test ~]# tail -1 /etc/sudoers
%test-auth              ALL=/bin/su

Now, only this ldap group members can login to system.

However when from any of this authorised user, I tried for su, it asks for password and then though I enter correct passwoord it gives message like Incorrect password and login failed.

/var/log/secure shows that user is not having permission to get the access, but then it should print message like Access denied.The way it prints for console login.

My functionality is working but its no giveing proper messages.Could anyone please help on this.

My /etc/pam.d/su file,


[root@test root]# cat /etc/pam.d/su
auth            sufficient
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth          sufficient trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth          required use_uid
auth            include        system-auth
account        sufficient uid = 0 use_uid quiet
account        include        system-auth
password        include        system-auth
session        include        system-auth
session        optional

uk.engr 10-13-2012 02:43 AM

Dear I am new to LDAP can please let me know easy way to configure LDAP

skimeer 10-13-2012 01:41 PM

Hi uk.engr,

Below link will help you in openldap configuration.

skimeer 10-15-2012 05:36 AM

Does anyone has solution for my actual question

Matthew Hardin 10-15-2012 07:45 PM

Hey Skimeer,

Several different pieces are in play here. Being that you can at least login using an LDAP account, I'd venture a guess that the LDAP server is at least configured correctly. We'll also need to see your system-auth file to see what it's doing. Then it may be off to other places as well.

One thing you might want to do is restart the LDAP server from the command line in debug mode and watch what happens when you run the su command. that will probably provide the most information. You might start with -1 (produces a LOT of output) and back off from there. Sometimes 256 is a good value as well, as it only displays operations and not much else.

Hope this helps,


Matthew Hardin
Symas - The LDAP Guys

skimeer 10-15-2012 10:25 PM

Hey Matt,

I will test with restarting LDAP service. Meanwhile this is my system-auth


[root@test ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        required

account    required broken_shadow
account    sufficient uid < 500 quiet
account    [default=bad success=ok user_unknown=ignore]
account    required

password    requisite try_first_pass retry=3
password    sufficient md5 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session    optional revoke
session    required
session    [success=1 default=ignore] service in crond quiet use_uid
session    required
session    optional

Matthew Hardin 10-15-2012 11:01 PM

Hi Skimeer,

I don't see anything the matter there, but get your database cleaned up (see my reply to your group lookup problem) and then see what works and what doesn't.



Matthew Hardin
Symas - The LDAP Guys

skimeer 10-16-2012 12:27 AM

Hi Matt,

Backup/Restore did not resolve this issue.

what I have observed that,when I tried to su for unauthorized users. It gives access denied message in /var/log/secure


Oct 16 06:50:12 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
Oct 16 06:50:47 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'

However, I guess this should be printed just when I try for su with user kalpana.

Is there any way to handle messages before login for LDAP users through PAM files

Matthew Hardin 10-16-2012 02:21 PM

Hmm. It was late last night and I was thinking sudo, not su.

The su command works like this: If you type the target user's password, then su will authorize you for that id and either run the command you specified after -c or present you with a shell prompt. If you don't know the password, then it simply says "Sorry" and returns you to your original shall prompt. You'll also see a message in the log like the one you showed above.

The apparent exceptions in /etc/pam.d/su, but commented out in your example, are for members of group "wheel". One will implicitly trust members of that group, and the other will require that a user be a member of that group in order to succeed, even if the correct password is entered. Since they are commented out, neither of those cases will apply.

Is su behaving this way for both local and LDAP users? (maybe show the output so we can understand better if this is not the case)



Matthew Hardin
Symas - The LDAP Guys

skimeer 10-17-2012 07:02 AM

Hi Matt,

Now I have added local user named tester. Now this user is also denied access, using PAM configuration as above.


[skimeer@test root]$ su tester
su: incorrect password
[skimeer@test root]$

Log (/var/log/secure) shows,


Oct 17 13:21:30 localhost useradd[32237]: new group: name=tester, GID=10126
Oct 17 13:21:30 localhost useradd[32237]: new user: name=tester, UID=10126, GID=10126, home=/home/tester, shell=/bin/bash
Oct 17 13:21:45 localhost passwd: pam_unix(passwd:chauthtok): password changed for tester
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:21:55 localhost su: pam_unix(su:session): session opened for user svaidya by root(uid=0)
Oct 17 13:22:04 localhost su: pam_access(su:account): access denied for user `tester' from `pts/3'

Hence there is no difference for LDAP users and Local users. I guess something we can play around su configuration to modify these messages. Mainly something for pam_access.

skimeer 10-29-2012 08:39 AM

Any one has comment on this...I am still struggling to get this resolved.

skimeer 11-05-2012 11:23 PM

I just checked with for single group only,In that case if I try for su. It gives proper message "like user must be member of x group"

Is there any restriction on using multiple groups.

skimeer 12-14-2012 08:19 AM

Could anyone please help me out in this.

All times are GMT -5. The time now is 07:10 PM.