OES 2 SP2/SP3, clustered or multi-instance pure-ftpd stops authenticating after a pure-ftpd update

  • 7007248
  • 23-Nov-2010
  • 10-Dec-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3

Situation

Although it is not the default situation, some administrators run pure-ftpd on OES 2 SP2 or SP3 by using the Perl script /usr/sbin/pure-config.pl.  This is likely to be used where multiple instances of pure-ftpd are running, either on one system or within a cluster.
 
If this method of starting pure-ftpd is in use and the pure-ftpd package is updated, pure-ftpd authentications may fail.  The failure occurs if the user in question is not already in the Novell Account Management cache (nam cache).  For example, if the system is rebooted or if the cache is cleared with "namconfig cache_refresh", then an eDirectory user would fail to log in to pure-ftpd until some other login event pushed that user's information into the cache.  For example, if the same user first logged in through sshd, then that user would be able to log in to pure-ftpd as well.

Resolution

As of late 2012, if this problem occurs, it is an indication that pure-ftpd was reinstalled or updated, but other packages are not updated to their latest levels.  To avoid this problem altogether, the recommendation is:
 
Apply OES 2 SP3 (if not present already)
Apply SLES 10 SP4 (if not present already)
Apply current maintenance updates for OES 2 SP3
 
However, in case these current levels cannot be used, see the Additional Information section below for options.

Additional Information

If SLES 10 SP3 must be used instead of moving to SLES 10 SP4, then the following details should resolve the situation:
 
On OES, the additional package "novell-pure-ftpd-config" is installed to modify certain files (including /usr/sbin/pure-config.pl) in preparation for using LUM-enabled pure-ftpd.  If the pure-ftpd package is reinstalled or updated, /usr/sbin/pure-config.pl will be rewritten in standard form rather than in the OES-specific form.  Other OES-modified files in pure-ftpd are protected, but this one is at risk.
 
Here is a discussion of 2 ways to address this issue.  However, method #1 is no longer recommended, as it can leave the system vulnerable to another known bug.  It is still provided only because it does not require installing a PTF package, and will still be suitable for 70% of systems.  Method #2 is the preferred and safer solution.
 
Method #1:
 
This method can quickly fix the situation without updating any packages, but does not protect against the problem happening again, if the pure-ftpd package is re-installed.  Several options can be used to obtain the same end result.  Regardless of which of these is chosen, once the change is made, take whatever steps are normally used on that system to stop and start the pure-ftpd resources.
 
A.  Execute the script:  /opt/novell/pure-ftpd/novell-pure-ftpd-config.sh
 
-or-
 
B.  Copy /usr/sbin/pure-config.pl from an unaffected system to the affected system.
 
-or-
 
C.  Manually add the necessary lines to /usr/sbin/pure-config.pl.
Immediately after the initial line:    #!/usr/bin/perl
add the following:
 
if (-e "/opt/novell/eDirectory/lib64/libldapsdk.so") {
  $ENV{"LD_PRELOAD"} = "/opt/novell/eDirectory/lib64/libldapsdk.so";
} elsif (-e "/opt/novell/eDirectory/lib/libldapsdk.so") {
  $ENV{"LD_PRELOAD"} = "/opt/novell/eDirectory/lib/libldapsdk.so";
}
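
To see which form of /usr/sbin/pure-config.pl is currently on a node (for example after a pure-ftpd update), the following check reports whether the LD_PRELOAD lines are active, commented out, or absent. It is an added example, not part of the original TID or Novell's tooling; the function names and state labels are hypothetical, and the sample files it can write are constructed. Which state is correct depends on whether Method #1 or Method #2 is in use on that system.

```shell
#!/bin/sh
# Added example, not Novell's code. Function names and state labels are hypothetical.
# Matches the LD_PRELOAD assignment lines quoted in this article (lib or lib64).
PRELOAD_RE='[$]ENV[{]"LD_PRELOAD"[}][[:space:]]*=[[:space:]]*"/opt/novell/eDirectory/lib(64)?/libldapsdk[.]so"'

# Print active | commented | absent | unreadable for the given pure-config.pl.
preload_state() {
    file=${1:-/usr/sbin/pure-config.pl}
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 2
    fi
    if grep -Eq "^[[:space:]]*${PRELOAD_RE}" "$file"; then
        echo "active"        # OES-specific form (what Method #1 restores)
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${PRELOAD_RE}" "$file"; then
        echo "commented"     # lines remarked out (Method #2, step A)
    else
        echo "absent"        # standard form, or lines removed outright
    fi
}

# Write constructed sample files into directory $1 for a dry run.
# 'my @flg;' is filler standing in for the rest of the script.
write_samples() {
    line='$ENV{"LD_PRELOAD"} = "/opt/novell/eDirectory/lib64/libldapsdk.so" ;'
    printf '%s\n' '#!/usr/bin/perl' "  $line" 'my @flg;' > "$1/active.pl"
    printf '%s\n' '#!/usr/bin/perl' "# $line" 'my @flg;' > "$1/commented.pl"
    printf '%s\n' '#!/usr/bin/perl' 'my @flg;' > "$1/absent.pl"
}

# Usage: sh check.sh /usr/sbin/pure-config.pl
if [ "$#" -gt 0 ]; then
    preload_state "$1"
fi
```

On a system still using Method #1, an "absent" result after a package update means the file was rewritten in standard form and needs the lines restored before pure-ftpd is restarted.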
 
 
 
Method #2:
 
The safer solution to this issue requires an updated pam package which is officially released in public form only in SLES 10 SP4.  Administrators who are not yet moving to SLES 10 SP4 can obtain a PTF which should *only* be used on SLES 10 SP3.  If the PTF is desired, here are the steps:
 
A.  Edit /usr/sbin/pure-config.pl and remove or comment out certain lines near the top, which will no longer be needed once the pam PTF is in place.  These are the lines to remove or remark out:

#if (-e "/opt/novell/eDirectory/lib64/libldapsdk.so") {
# $ENV{"LD_PRELOAD"} = "/opt/novell/eDirectory/lib64/libldapsdk.so" ;
#} elsif (-e "/opt/novell/eDirectory/lib/libldapsdk.so") {
#$ENV{"LD_PRELOAD"} = "/opt/novell/eDirectory/lib/libldapsdk.so";
#}


B.  Download the pam PTF for your system.

For x86 (32 bit), go to:
https://you.novell.com/update/i386/update/SUSE-SLES/10/PTF/f2cf38b50ed714a8409693060195b235/20110112/
and download
pam-0.99.6.3-28.18.39.1301.2.PTF.574018.i586.rpm

For x86_64 architecture, go to:
https://you.novell.com/update/x86_64/update/SUSE-SLES/10/PTF/f2cf38b50ed714a8409693060195b235/20110112
and download
pam-0.99.6.3-28.18.39.1301.2.PTF.574018.x86_64.rpm
and also go to:
https://you.novell.com/update/i386/update/SUSE-SLES/10/PTF/f2cf38b50ed714a8409693060195b235/20110112/
and download
pam-32bit-0.99.6.3-28.18.39.1301.2.PTF.574018.x86_64.rpm

C.  Update to these PTF package(s) with:  rpm -Uhv --force <package_name>

D.  Take whatever steps are normally used on this cluster or multi-instance system to stop and start pure-ftpd.  This will involve the /usr/sbin/pure-ftpd-stop.pl script and /usr/sbin/pure-config.pl script, or other scripts which call them.