Authentication error after upgrading to PAM 3.x version

Document ID : KB000105200
Last Modified Date : 06/07/2018
Issue:
Authentication error after upgrading to version 3.2
Customer upgraded their PAM 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0, and LDAP authentication fails when trying to log on to PAM.
Environment:
PAM Upgrade from 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0
Cause:
The PAM 3.0.1 upgrade rewrites the cipher list in /etc/ldap/ldap.conf, restricting it to the two ciphers shown below.

/etc/ldap/ldap.conf
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA

This causes PAM to fail the TLS handshake when connecting to AD (or another LDAP server).
In the xcd_spfd.log, the following error is found.

2018-07-06 00:15:41  27896 INFO  HandshakeSSL: SSL connection using AES256-SHA256 (TLSv1.2) 
...
2018-07-06 00:15:41  27896 ERROR clientToServerTransfer: TrafficHandler:: Unable to read from client socket!
 
Resolution:
If you encounter this issue, open a support ticket and have a support engineer fix it manually by updating the /etc/ldap/ldap.conf file to restore the default PAM cipher list.

From:
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA

To:
TLS_CIPHER_SUITE NORMAL:+SECURE256:+SECURE128:+SHA256

A restart of PAM is not required.
Once the /etc/ldap/ldap.conf file is updated, log on to PAM using LDAP to confirm that authentication works again.
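The following shell script is an added example, not part of this article or of the PAM product. It shows how an administrator can confirm whether an ldap.conf file carries the restricted cipher list written by the 3.0.1 upgrade and produce a corrected copy with the default PAM value restored, without touching any other line. The sample ldap.conf content and the temporary paths are constructed for the example; the two TLS_CIPHER_SUITE values are the ones given in this article. Note that the restored value is a GnuTLS priority string, whereas the restricted one is in OpenSSL cipher-list form; TLS_CIPHER_SUITE is interpreted by whichever TLS library libldap was built against, so the value must match that library's syntax.

```shell
#!/bin/sh
# Added example (not from the KB article): detect the restricted
# TLS_CIPHER_SUITE that PAM 3.0.1 writes into ldap.conf and produce a
# corrected copy with the default PAM cipher list restored.

# Values quoted from the article: the restricted list and the PAM default.
BAD_SUITE='AES256-SHA:AES128-SHA'
GOOD_SUITE='NORMAL:+SECURE256:+SECURE128:+SHA256'

# Print the effective TLS_CIPHER_SUITE value from the given ldap.conf.
# Leading whitespace is tolerated; if the directive appears more than once,
# the last occurrence is reported. Prints nothing when the directive is absent.
ldap_cipher_suite() {
    awk '$1 == "TLS_CIPHER_SUITE" { print $2 }' "$1" | tail -n 1
}

# Succeed (exit 0) only if the file carries the restricted list.
has_restricted_suite() {
    [ "$(ldap_cipher_suite "$1")" = "$BAD_SUITE" ]
}

# Write a copy of ldap.conf ($1) to $2 with the restricted cipher line
# replaced by the PAM default. All other lines are copied unchanged, so the
# output can be diffed against the input before it is put in place.
restore_cipher_suite() {
    sed "s|^[[:space:]]*TLS_CIPHER_SUITE[[:space:]]\{1,\}$BAD_SUITE[[:space:]]*\$|TLS_CIPHER_SUITE $GOOD_SUITE|" "$1" > "$2"
}

# Stand-alone demonstration on a constructed sample file (hypothetical content).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ldap.conf" <<'EOF'
# constructed sample ldap.conf, not a real PAM appliance file
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA
EOF
    if has_restricted_suite "$tmp/ldap.conf"; then
        echo "restricted cipher list found; writing corrected copy"
        restore_cipher_suite "$tmp/ldap.conf" "$tmp/ldap.conf.fixed"
        echo "new value: $(ldap_cipher_suite "$tmp/ldap.conf.fixed")"
    else
        echo "cipher list is not the restricted 3.0.1 value"
    fi
    rm -rf "$tmp"
}

demo
```

Run the checker against a copy of the appliance's /etc/ldap/ldap.conf; the script never edits a file in place, so the corrected copy can be reviewed before it is applied. As the article states, PAM does not need a restart after the file is updated.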

When upgrading PAM 2.8.x to 3.x, skip PAM 3.0.1 (or apply 3.0.1.02 before upgrading to any higher PAM version).
 
Additional Information:
https://communities.ca.com/thread/241792494-upgrade-pam-28x-to-300-301-and-311