Solaris 10 LDAP Client to 389 DS(Linux)

Hey guys,
I had this working in Solaris 11 but I have to port back to Solaris 10 to run SunOS 4 binaries. Here goes, I can su over to the accounts in the LDAP, it resolves names and groups to files. DNS and NTP are functioning. I cannot log -in via ssh or su <username>. I can log in or su with both methods with local accounts(non-LDAP).
When I - su Username the system responds prompting for password then returns su: Uknown id: Username
When I ssh [email protected] it prompts me three times for a password which it never accepts as valid.
Here is my pam.conf file -
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login   auth required           pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other   auth required           pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth sufficient pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other   account sufficient      pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
Any ideas? So close but missing something as when I go to log in via ssh it prompts me for password 3 times then tosses me. Yes password and account are OK. If I ssh from a Linux server authenticating to the LDAP it works just fine. Any help is appreciated.
Thanks,
Ted

CN,
I have not modified the schema yet. I have updated pam.conf and while evaluating /var/adm/messages on the Solaris Client I only get output when I enter a known bad password, if I enter the correct password there is nothing in that log. Log in and su results remain the same. the slapd log does show the attempts and does not appear to show any errors that I can tell. I'll keep working it, here is the pam.conf I switched too after further evaluation -
# more /etc/pam.conf
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password required pam_authtok_store.so.1 server_policy
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
I did create a .ldif file for a profile. Output seems similar to what I entered in the manual ldapclient command. Reading up more on that now and the schema updates you recommended. I wanted to make sure I sent you the updated pam.conf though as this seems to match those found online in style for pre-Solaris 11. The first copy was what I transferred from a working Solaris 11 server I had running here.
Thanks,
Ted

Similar Messages

  • Patching solaris LDAP client

    i will have to patch a solaris LDAP client box. What do I expect for that? Do I have to rel-initialize the client using ldapclient command after patching?
    solaris 8 + LDAP server 5.2 unbundled version.
    Thanks

    From previous experience if your slapd is not running on your LDAP server then your clients will not boot if they are setup for ldap domain authentication. This is the same in NIS and NIS+. The only way to bring them up is to boot -s and change the nsswitch.conf file back to standalone i.e files and reboot machine.
    In short if ldap server goes down clients are too, multi ldap servers are required to prevent single point failure.

  • Proxy agent in solaris ldap client

    Since ldap service provides naming service, that is supposed to be accessed by anyone who needs it, I don't know why we need a proxy agent when we set up solaris ldap client. The anoymous credential level is enough.
    Also in order to use proxy agent, this agent needs to have at least read access to all naming entries, including userPassword, encrypted or clear-text. This adds some sort of in-security. While service authentication method "simple" will simply bind to the ldap server using provided password. Of course, you can still add another layer of security by using TLS.
    So, can anyone explain this design a little more?
    Thanks.

    My input on this subject may seem a bit paranoid, but that's what I get paid for, so take this with a gain of salt 8-)
    The proxy agent does not need to have read access to the userPassword attribute if you configure your clients to use pam_ldap instead of pam_unix. pam_unix retrieves the userPassword attribute by making a call to getspnam. With pam_ldap, the user dn and password are sent to the directory server in an auth structure, and the directory server will return success or failure to the client for that login attempt. More info on this can be found at http://docs.sun.com, or in the book "LDAP in the Solaris Operating Environment, Deploying Secure Directory Services" by Michael Hains and Tom Bialaski (ISBN 0-13-145693-8) pgs 177-179.
    Use of the proxy agent can actually increase the level of security for your directory server. With the proper ACI's in place not allowing anonymous binds to view the data in the tree (or only view a small subset of the tree), you can prevent anyone from dropping a laptop or other device on your network and data mining your LDAP tree for information (ie vendors, guests, etc). That won't stop those same people from snooping the traffic on your network, so the use of secure protocols are the other side of that, but implementing tls:simple authentication for the directory server and clients is not that difficult, and should be considered for any deployment of LDAP for use as a naming server.
    I do agree with your assessment that in an environment where anonymous binds are accecptable the use of the proxyagent is probably not warrented, but in my experience having the proxyagent has allowed me to tighten the security of my directory implementation .

  • Solaris ldap client problem (tls:simple + anonymous)

    Hi All,
    I've installed Directory Server 6.3.1 and it works just fine,
    but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
    Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
    More detail.
    Profile:
    dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
    authenticationmethod: tls:simple
    bindtimelimit: 10
    cn: sslnoproxyuser
    credentiallevel: anonymous
    defaultsearchbase: dc=domain,dc=com
    defaultsearchscope: one
    defaultserverlist: servername.domain.com
    followreferrals: TRUE
    objectclass: top
    objectclass: DUAConfigProfile
    preferredserverlist: servername.domain.com
    profilettl: 43200
    searchtimelimit: 30
    Ldapclient output:
    bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
    Parsing profileName=sslnoproxyuser
    Arguments parsed:
    profileName: sslnoproxyuser
    defaultServerList: servername.domain.com
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    found 2 namingcontexts
    findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
    rootDN[0] dc=domain,dc=com
    found baseDN dc=domain,dc=com for domain domain.com
    Proxy DN: NULL
    Proxy password: NULL
    Credential level: 0
    Authentication method: 3
    No proxyDN/proxyPassword required
    About to modify this machines configuration by writing the files
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: network/smtp:sendmail... success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: system/name-service-cache:default... success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default... success
    ldap not running
    nisd not running
    nis(yp) not running
    file_backup: stat(/etc/nsswitch.conf)=0
    file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
    file_backup: stat(/etc/defaultdomain)=0
    file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
    file_backup: stat(/var/nis/NIS_COLD_START)=-1
    file_backup: No /var/nis/NIS_COLD_START file.
    file_backup: nis domain is "domain.com"
    file_backup: stat(/var/yp/binding/domain.com)=-1
    file_backup: No /var/yp/binding/domain.com directory.
    file_backup: stat(/var/ldap/ldap_client_file)=-1
    file_backup: No /var/ldap/ldap_client_file file.
    Starting network services
    start: /usr/bin/domainname domain.com... success
    start: sleep 100000 microseconds
    start: network/ldap/client:default... maintenance
    start: sleep 100000 microseconds
    start: system/filesystem/autofs:default... success
    start: sleep 100000 microseconds
    start: system/name-service-cache:default... success
    start: sleep 100000 microseconds
    start: network/smtp:sendmail... success
    restart: sleep 100000 microseconds
    restart: sleep 200000 microseconds
    restart: milestone/name-services:default... success
    Error resetting system.
    Recovering old system settings.
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: network/smtp:sendmail... success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: system/name-service-cache:default... success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default... success
    Stopping ldap
    stop: network/ldap/client:default... restoring from maintenance state
    stop: sleep 100000 microseconds
    stop: network/ldap/client:default... success
    nisd not running
    nis(yp) not running
    recover: stat(/var/ldap/restore/defaultdomain)=0
    recover: open(/var/ldap/restore/defaultdomain)
    recover: read(/var/ldap/restore/defaultdomain)
    recover: old domainname "domain.com"
    recover: stat(/var/ldap/restore/ldap_client_file)=-1
    recover: stat(/var/ldap/restore/ldap_client_cred)=-1
    recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
    recover: stat(/var/ldap/restore/domain.com)=-1
    recover: stat(/var/ldap/restore/nsswitch.conf)=0
    recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
    recover: stat(/var/ldap/restore/defaultdomain)=0
    recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
    Starting network services
    start: /usr/bin/domainname domain.com... success
    start: sleep 100000 microseconds
    start: system/filesystem/autofs:default... success
    start: sleep 100000 microseconds
    start: system/name-service-cache:default... success
    start: sleep 100000 microseconds
    start: network/smtp:sendmail... success
    restart: sleep 100000 microseconds
    restart: milestone/name-services:default... success
    */var/ldap/cachemgr.log*
    Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
    Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
    Any ideas?
    Edited by: ffffffffff356dfd on 30 ???? 2009 12:07
    Edited by: ffffffffff356dfd on 30 ???? 2009 12:07

    Hi ,
    yes I use it.
    Here is my pam.conf:
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    # rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    # rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth binding pam_unix_auth.so.1 server_policy
    other auth required pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1
    other account required pam_ldap.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1 server_policy
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    #

  • Solaris ldap client + first login problem (with home user)

    hi, i have autenticate my solaris 10 (6/06) clients with a ldap server (sun 1 ds 5.2) withnout TLS (in the future sure).
    I test this communication with ethereal, and i think the communications its ok.
    But, when my user loggin for first time, he havent got a home directory, (in linux clients (fedoras) i configure pam and gdm to do this -with a kde desktop-), but here in solaris i dont know how to made this.
    i have this problem (in a root session with entry "toto1" in dit)
    # su - toto1
    su: No directory!
    I set (for toto1 entry) in attributte homedirectory in objectclass posixAccount a value "/home/toto1".
    �How and how have the responsabilities to make home directories?
    �the solution are like "linux solution", and if this is true, what files i must to touch for java desktop or cde?
    Thanks!!!

    One minute...!! How you made it work?I too have fedora DS Configured and want to configure Solaris Client.The #getent and #-ldaplist is displaying correct but login is now working.I guess PAM issue?how you resolved??

  • Ldap client in Solaris  using TLS

    I have installed an OpenLap server (version 2.2.13-2) in a Red Hat ES 4.
    My LDAP clients are
    - Linux (redhat and mandriva)
    - Solaris 8 (with the last recommended path and 10893-62 path for ldapv2)
    - Tru64 (5.1B)
    If a use simple authentification all works fine (search in LDAP,
    authentification and automount).
    However, when I use TLS the Solaris LDAP client doesn't seem to work.
    When I run the LDAP client the process freeze
    With my Linux and Tru64 clients all work fine using LS.
    I have downloaded the certificates from my LDAP server using Netscape browser.
    I have copied cert7.db and key3.db in the "/var/ldap/directory" with a
    "chmod 644" in this files.
    I can do a "ldapsearch -x -ZZ objectclass=*" and this returns data.
    The last logs of the ldap_cachemgr are:
    Mon Nov 20 09:34:46.4425 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    If I do a truss when I launch the client the
    result was this:
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    This is my ldap_client_file:
    # Do not edit this file manually; your changes will be lost.Please use
    ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= srvldap
    NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 3600
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Users,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Users,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto_home:
    automountMapName=auto_home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto_master:
    automountMapName=auto_master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto.home:
    nisMapName=auto.home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto.master:
    nisMapName=auto.master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_BIND_TIME= 10
    I have launched ethereal so see network communications with my Solaris 8 client and the LDAP server.
    And with this configuration the Solaris box only communicates with the LDAP server using LDAP port 389 and not LDAPS port 636.
    I have done the same test with a linux and tru64 box and they use LDAPS port 636 to communicate with my LDAP server.
    Does anyone have an idea on getting Solaris using TLS/SSL?
    Thanks.

    LDAP Setup and Configuration Guide
    Solaris 8 2/04 Update Collection > LDAP Setup and Configuration Guide > 1. Overview > Solaris Name Services
    [http://docs.sun.com/app/docs/doc/806-5580/6jej518ou?l=en&a=view&q=solaris+8+ldap]
    Download this book in PDF (557 KB)
    [http://dlc.sun.com/pdf/806-5580/806-5580.pdf]

  • Help with setting up LDAP Client on Oracle Linux 6.4

    Hi,
    I'm having problems getting my Oracle Linux server setup as a ldap client and hoping someone can find where I'm going wrong. We have Oracle/Sun Directory Server 7 with Solaris ldap clients already setup with ssl. We are also using crypt for storing passwords. Here are the steps I have done on the Linux server.
    yum install -y openldap openldap-clients nss-pam-ldapd pam_ldap
    Edited the line FORCELEGACY=no to yes in /etc/sysconfig/authconfig
    Copied the CA certs to /etc/openldap/cacerts
    Ran: authconfig updateall enableldap enableldapauth ldapserver=zldap1.<domain> ldapbasedn="o=<domain>,o=isp" enableldaptls --enableldapstarttls
    Changed pam_password md5 to crypt in /etc/pam_ldap.conf
    Restarted /etc/init.d/nslcd and also tried rebooting.
    I'm seeing the following errors in messages:
    May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] ldap_start_tls_s() failed: Connect error (uri="ldap://zldap1.<domain>/")
    May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] failed to bind to LDAP server ldap://zldap1.<domain>/: Connect error
    May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] no available LDAP server found
    Here is what my /etc/openldap/ldap.conf file looks like:
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow
    URI ldap://zldap1.<domain>/
    BASE o=<domain>,o=isp
    Any help would be appreciated.
    Thanks

    Copy cacerts to /etc/openldap/cacerts
    yum install -y openldap ldap-clients nss-pam-ldapd pam_ldap authconfig sssd
    authconfig enablesssd enablesssdauth enablelocauthorize update
    authconfig updateall enableldap enableldapauth ldapserver=zldap1.<domain> ldapbasedn="o=<domain>,o=isp" enableldaptls --enableldapstarttls
    Add line to /etc/sssd/sssd.conf "ldap_tls_reqcert = allow"
    Change /etc/pam_ldap.conf line:
    pam_password md5 --> pam_password crypt
    service sssd restart

  • OEL ldap client setup with SSL against OID using either ldaps or starttls

    Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
    Here's my /etc/ldap.conf file on OEL 5.3.
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
    URI ldaps://FQDN:3132/
    port 3132
    ssl yes
    host FQDN
    base dc=DOMAIN,dc=com
    pam_password clear
    tls_cacertdir /etc/oracle-certs
    tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
    tls_ciphers SSLv3
    # filter to AND with uid=%s
    pam_filter objectclass=posixaccount
    #The search scope
    scope sub
    I have /etc/nsswitch.conf set to check for files first, then ldap
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    Here's my /etc/openldap/ldap.conf file
    URI ldaps://FQDN:3132/
    BASE dc=DOMAIN,dc=com
    TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
    4224de9f.0 -> oid-test-ca.pem
    I can run ldapsearch using ldaps and it works fine.
    ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
    But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
    Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
    Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

    Hello again...
    after some research and work together with Oracle Support I found out how to get it to work:
    1. You have to create your own ConfigSet in OID using
    SSL-Server-Authentication
    (OpenSSL seems not to support SSL-encryption-only).
    The following link shows on how to do that:
    http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
    2. Add the following lines to your $HOME/ldaprc
    TLS_CACERT /home/frank/oid-caroot.pem
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    ssl on
    tls_checkpeer no
    oid-caroot.pem is the CA-Root Certificate you got
    during step 1
    3. you should now be able to use ldapsearch using SSL
    If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by an security fix which may not be compliant with the SSL implementation of Oracle.
    I opened an Bug for that problem with RedHat. This Bug Description also includes an proposal for an Patch which solves the problem (but may introduce some security risks). See the Bug at RedHat:
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
    Bye
    Frank Berger

  • Solaris 10 client - ldap_search: Can't connect to LDAP server

    Hello
    I have following configuration:
    - openLDAP server in Solaris 10 zone called ldap
    - native LDAP client in different Solaris 10 zone called mail on the same SPARC machine
    I can't get ldapsearch results after ldapclient initialization.
    [root@mail ~]# ldapsearch -b dc=pov,dc=pl objectclass=*
    ldap_search: Can't connect to the LDAP server - Connection refused
    But I am able to get data from LDAP server if address of the server is specified:
    [root@mail ~]# ldapsearch -b dc=pov,dc=pl -h 192.168.1.40 objectclass=*
    version: 1
    dn: ou=users,dc=pov,dc=pl
    objectClass: organizationalUnit
    ou: Users
    Here is ldapclient config:
    [root@mail ~]# ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= 192.168.1.40
    NS_LDAP_SEARCH_BASEDN= dc=pov,dc=pl
    NS_LDAP_AUTH= none
    NS_LDAP_CACHETTL= 0
    What am I missing?

    Hi, I'm no exprert but I will try to help you. Are you still working on this?
    This what my stuff looks like:
    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
    NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
    NS_LDAP_SERVERS= 10.0.1.21:389
    NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
    NS_LDAP_AUTH= none
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
    [root@light migration]# cat user00.ldif
    dn: uid=user00,ou=People,dc=deathnote,dc=net
    uid: user00
    cn: user00
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: top
    loginShell: /bin/bash
    uidNumber: 805
    gidNumber: 501
    homeDirectory: /home/user00
    gecos: ldap user
    Also update you hosts file and add your server to the domain.
    I hope this helps.
    Edited by: CyberNinja on Oct 22, 2011 12:37 PM

  • Solaris 8 client setup with solaris 9 ldap

    I have managed to install iplanet directory server 5.1 that comes with solaris 9 using the utility idsconfig. As far as i can tell, all went well. Now i'm trying to initialize a solaris 8 client to authenticate to the iDS 5.1 on my solaris 9 box. What do i have to do on the solaris 8 client to "initialize it"? I've tried using ldapclient on the solaris 8 client as follows:
    # ldapclient -v -P default x.x.x.x
    but i keep getting the following errors:
    findDN rename(/var/ldap/ldap_client_file.orig, /var/ldap/ldap_client_file) failed!
    findDN rename(/var/ldap/ldap_client_cred.orig, /var/ldap/ldap_client_cred) failed!
    There are no files in /var/ldap. I thought that one uses ldapclient to create them. Am i wrong?
    Also, the output from idsconfig says that a 'NisDomainObject' was added to my domain but looking at the object classes in iDS5.1, there is no nisdomainobject.
    I also noticed that when i run the command domain on my solaris 8 box, there's no output. Do i need to set the domain on my solaris 8 client? I have the domain defined in /etc/resolv.conf.
    Stewart

    hi Stewart,
    You may find what you are looking for in the following technical note: http://knowledgebase.iplanet.com/ikb/kb/articles/7966.html
    It is called: "Cookbook for Solaris 8 client with Directory Server 5.1/Solaris 9" :-)
    Hope this will help you.
    Cheers / Damien.

  • Has anyone set up a Solaris 7 LDAP client to use with iPlanet DS 5.0?  I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

    I am trying Not to have 3 separate versions of LDAP in my environment (iDS5,Native Solaris LDAP,OpenLDAP). Can anyone point me to some DETAILED instructions to get an LDAP client (not server) running on Solaris 7?

    Hi,
    While U try to upgrade solaris it first tries to check the installed softtware & application and patch's specific to the exsisting version b'coz these patch are specific to version in most cases.Since in Ur case the authentication is done in ldap it would become bit of a mess if U upgrade.

  • Solaris 10 LDAP Client: libsldap: Status: 4

    Hi everybody.
    I changed the configuration in Solaris 10 to restrict the LDAP users who can login to the system.
    What I have done is changed the value:
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=sis,dc=personal,dc=net,dc=py?sub?host=<hostname>
    Where <hostname> is the respective hostname.
    After that, everything works as I expect, but I get a lot of these messages:
    sshd[28495] libsldap: Status: 4 Mesg: Service search descriptor for service 'passwd' contains filter, which can not be used for service 'user_attr'.
    Should I ignore the messages? This is the nsswitch.conf file:
    /etc/nsswitch.conf
    # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
    # /etc/nsswitch.files:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # does not use any naming service.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    passwd: files ldap
    group: files ldap
    hosts: cluster files dns
    ipnodes: files dns
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: cluster files
    bootparams: files
    publickey: files
    netgroup: files
    automount: files
    aliases: files
    services: files
    printers: user files
    auth_attr: files
    prof_attr: files
    project: files
    tnrhtp: files
    tnrhdb: files
    user_attr: files
    I added user_attr to nsswitch.conf pointing to files only, refreshed ssh, but the message still appears.
    Any suggestions?

    What would I do without google?
    http://prefetch.net/blog/index.php/2005/01/
    I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:
    Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
    descriptor for service �passwd� contains filter, which can not be used for service �user_attr�.
    We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:
    NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
    NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)
    Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com.

  • NFS latency when Solaris 10 client mounts Linux NFS server(EMC NAS)

    Hello,
    One of our developers discovered a problem that for simplicity we call "latency". We have several 5.10 clients that we see the exact same symptoms on when NFS mounting our Celerra. The NAS is running a Linux variant "2.4.9-34.5406.EMC", but before you all jump on the "it's EMC's problem" bandwagon, let me explain. We set up an automated process (Perl) that watches an exported folder for the appearance of a request file (rand.req). When the request file comes in we rename the request file to (rand.sav) and then return a "report" named (rand.res). Very elegent I thought, and it runs at near lightspeed when only Linux NFS clients mount the share and create, monitor, delete, etc any files. In fact there is zero recorded latency from the time the report file appears and when the client detects it. But for all our Solaris 10 clients, they create the request file just fine, and the Perl process running on the Linux box sees the file instantaneously and returns the report, but it takes the Solaris client anywhere from 5 to up to 50 seconds before it see's any change in status for any files the Linux box manipulates. I've tried every possible combination of mount -o options there are including noac, rsize and wsize variants, vers=2, proto=udp, actimeo=0, etc, etc, etc. Nothing seems to be the magic bullet. nfsstat -c shows nothing out of the ordinary. There are no retransmits or dropepd packets anywhere in between, no firewall loads, no connectivity delays whatsoever. I'm completely out of ideas. Any ideas or clues would be greatly appreciated!
    thanks
    Dave

    No specific recommendations. But maybe you can watch the cable and get more information.
    Set up a case where the file has been created, then have the client check and snoop the cable at the same time. Does the client actually issue a directory check (or is it just displaying cached information)? Does the response contain the new file?
    Something to test anyway...
    Darren

  • Ldap authentication on solaris 8 client

    I have directory server 6.0 set up on solaris 9 system. I convert a Solaris 8 system to be a ldap client. However, I can use ssh to authentication against LDAP server. Here is the output I got:
    # ssh -v user@localhost
    SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
    Standard version. Does not use RSAREF.
    host: Reading configuration data /etc/ssh_config
    host: ssh_connect: getuid 0 geteuid 0 anon 0
    host: Allocated local port 1023.
    host: Connecting to 127.0.0.1 port 22.
    host: Connection established.
    host: Remote protocol version 1.5, remote software version 1.2.27
    host: Waiting for server public key.
    host: Received server public key (768 bits) and host key (1024 bits).
    host: Forcing accepting of host key for localhost.
    host: Host '127.0.0.1' is known and matches the host key.
    host: Initializing random; seed file /root/.ssh/random_seed
    host: Encryption type: idea
    host: Sent encrypted session key.
    host: Installing crc compensation attack detector.
    host: Received encrypted confirmation.
    host: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
    host: Server refused our rhosts authentication or host key.
    host: No agent.
    host: Doing password authentication.
    [email protected]'s password:
    Permission denied.
    This is the pam.conf I use:
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth binding pam_unix_auth.so.1 server_policy
    other auth required pam_ldap.so.1
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1
    cron account required pam_unix_account.so.1
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1
    other session required pam_unix_session.so.1
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1 server_policy
    ppp auth required pam_unix_auth.so.1
    Not sure why Solaris 8 can't authentication with LDAP server. I have applied the patch 108993-67. Also, su and telnet can work with LDAP but not 'ftp' and 'ssh'.
    Any ideas?

    No, my problem seems different.
    The authentication between ldap client and server is through tls:simple. Also, exact same configuration can work with Solaris 9 client, but not Solaris 8 client. Furthur checks on ssh on Solaris 8, the ssh is 'SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
    Standard version. Does not use RSAREF.'. But on a Solaris 9 client, the ssh is 'SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.' Not sure why the Solaris 8 ssh can't work with ldap authentication.
    Thanks,
    --xinhuan                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

  • Ldap client with directory server 6.0 on solaris 9 systems

    I have a directory server 6.0 running on a solaris 9 system. I have set up idsconfig, vlvindex and certificate database on the server side. The client ldap I am trying to set up is also solaris 9 system. I have set the certificate database on this ldap client using the Resource Kit certutil and import the server certificate to client certificate database. It seems the TLS secure connection did work between LDAP server and client. (I use the Resource Kit ldapsearch command to test it) I use 'ldapclient -v init ...' command using 'profileName=tlsprofile' to initialize the LDAP client and the information returned from that command said LDAP client configed sucsessfully. But when I run ldapaddent command to import /etc/passwd. I got error:
    Passwd container does not exist.
    The ldapaddent command I ran like this:
    ldapaddent -v -f <passwd file> -D "cn=Directory Manager" passwd
    Then I tried to use 'ldapclient -v manual ....' command to set up LDAP client. That command finishes succefully. But I still can not import /etc/passwd using ldapaddent with same error.
    What is wrong with my set-up?
    Thanks,
    --xinhuan                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

    I looked into the /var/adm/messages, and I have the following error:
    ldap_cachemgr[1640]: [ID 605618 daemon.error] libldap: CERT_VerifyCertName: cert server name 'directory server' does not match 'hostname.mycompany.com': SSL connection denied
    It seems I have problem with SSL certificate set-up. I did generate the server side 'hostname.mycompany.com' certificate then use the Resource Kit certutil import that certificate to the client side. Is that right way to do?
    Thanks,
    --xinhuan                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

Maybe you are looking for

  • Ipod isn't recognized by Itunes or Windows

    Hi all, I have recently sent my Ipod, which is less than a year old, to be checked over by the Apple technicians as it would not switch on nor be recognized when I connected it to the computer. They returned it saying there was no problem and if ther

  • Downloaded songs from iStore don't work

    I have downloaded an album paying with an itunes card. All songs are on my computer, but won't start. Other songs I have downloaded previously just work fine, but the new songs are being skipped when I click them. Any idea how to get them running? My

  • WSDL for getDataExport Restful Web Service

    Hello Folks, As per documentation http://help.sap.com/saphelp_sop301/sop301_api_en.pdf API uses RESTful WS getDataExport from 3.0 onwards.. I am trying to call this WS from ECC. How I can get its WSDL file. Since URIs mentioned in file seems not work

  • Photoshop Touch crashes after selecting "Wrap" tool for the second time

    As title says, when selecting "wrap" tool for the second time, Photoshop Touch crashes. It doesn't matter which images and even after reboot and clearing all the RAM, it constantly crashes only when selected for the second time. I'm using this on Gal

  • Can't download the new version of Itunes & cant sync my phone without it!! Help!!!!!

    So, I updated my phone to ios 7 & when I connected my phone to my computer it said in order for my phone to sync I needed the new version of itunes. I've tried a million times to download it & everytime I get the same message.." The installer has ins