Authentification ldap,pam.d on solaris 11

Similar Messages

• PAM Support fpr Solaris SGD 4.3

  Hi,
  where can I find more informations howw to integrate PAM Support under Solaris SGD 4.3
  I read in the relase notes:
  Support for PAM for UNIX User Authentication
  Secure Global Desktop now supports PAM (Pluggable Authentication Modules) for UNIX user authentication. The change affects the following login authorities:
  * ENS
  * UNIX User
  * UNIX Group
  Secure Global Desktop uses PAM for user authentication, account operations and password operations.
  When you install Secure Global Desktop on Linux platforms, Setup automatically creates PAM configuration entries for Secure Global Desktop by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file. On Solaris OS platforms, you can add a new entry for Secure Global Desktop (tarantella) in the /etc/pam.conf file if required.
  Using PAM gives Secure Global Desktop Administrators more flexibility and control over UNIX user authentication, for example by adding new login tests, account limits, or valid password checks.
  But how this should be done, I could not find out....
  Regards
  Lukas

  Hi,
  Yes I now that. Pam is allways configured via Operating System. But where can I find some documentation how to configure pam to allow unix authentication against the ssgd.
  I do not want to create a unix user for each sgd user (ldap) which is using a AS 400 connection or a classroom object. So I that this could be done via PAM Module for ssgd
  Thanks for further advise.

• OpenSSH 4.4p1 packages with PAM support for Solaris 9, 10

  As mentioned in a previous post* , I've compiled OpenSSH packages with PAM support for Solaris 9 and 10. They've since been updated to version 4.4p1, and are compiled against a static zlib (1.2.3) and OpenSSL (0.9.8c). You can find them here:
  http://firewallworks.com/downloads/unsupported/Solaris-sparc/
  Regards,
  Greg
  * http://forum.sun.com/jive/thread.jspa?threadID=103378&tstart=105

  Yes, zlib 1.2.3 is a requirement. In facts, zlib mentions a 2005 vulnerability fix but I found no matching patch in sunsolve. See
  http://www.kb.cert.org/vuls/id/JGEI-6E7RC3
  I have been wandering whether to replace the official zlib. Linking statically is probably a better idea. Thanks

• Solaris 10 + Samba + LDAP/PAM?

  Hi all,
  I've got a long standing question that I need answered with relation to setup of Samba + LDAP on Solaris 10. Here is the general gist:
  1. I've got a Solaris 10 host that is currently communicating with an OpenLDAP (OpenDirectory) master to provide user identity information. The Solaris 10 host simply acts as a place to have disk mounted via some large storage subsystems, which is then shared out via NFS to different places. Because I have used the ldapclient manual commands on the Solaris host, it understands UID's and GUID's from the OpenLDAP master
  2. I want to change things a little bit. What I'd like to do, is have samba sharing out disk/exports/shares from the Solaris 10 host, but use my OpenLDAP credentials for users to log into the system with
  What I'd like to know how to do is set up Samba on my Solaris 10 (x86) host so that a client can connect to it using their credentials stored on the OpenLDAP host, access their home directory etc.
  I don't think it will be too hard - as most of the work is done in terms of the LDAP binds. I have used the following binding technique to make the Solaris 10 host aware of the OpenLDAP directory:
  ldapclient -v manual -a credentialLevel=anonymous -a defaultSearchBase=dc=od-master,dc=example,dc=com -a serviceSearchDescriptor=passwd:cn=users,dc=od-master,dc=example,dc=com -a attributeMap=passwd:gecos=cn -a serviceSearchDescriptor=group:cn=groups,dc=od-master,dc=example,dc=com  192.168.0.1Because I've done this, I can now finger/id any UID or GUID that exists on the OpenLDAP host, and the Solaris host will know about it. The question is, how do I make samba aware of such things, let alone configure it to do so. I want users on their windows systems to simply be able to \\some.server.here.there\ and on their Mac OS X systems to smb://some.server.here.there with the credentials that are in the OpenLDAP master. There must be some simple way of telling samba where to get credential information from, right?
  Thanks for your time!
  z

  Update 2 is pretty old, especially if you are talking about ZFS. There's been a variety of problems fixed in ZFS since U2. Were I to just guess out of the blue, you might be running into the ZFS eats all of RAM bug.
  http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6505658
  If this is the case, it won't be just the samba server that's slow on the server. You should check this by doing the FTP after your samba server slows down and see if you get fast throughputs.
  -r

• LDAP over SSL for Solaris 9 / Solaris 10

  I have successfully configured Solaris-10 clients to use Windows 2003 R2 Active Directory for LDAP authentication over SSL. However, my production environment is still running on Solaris-9. I am able to make Kerberos and ldapsearch working on Solaris-9, but I am still NOT able to use PuTTY to make authentication with AD.
  I reviewed all my steps that I configured on Solaris-10, but somewhat I could not make it work on Solaris-9. If anybody sucessfully deployed on Solaris-9, please advices! Any helps greatly appreciated.
  Here are what I got so far on Solaris-9
  =======================================================
  KERBEROS
  =======================================================
  #getent passwd aduser
  aduser:1000:1000:aduser:/export/home/aduser:/bin/sh
  #kinit [email protected]
  Password for [email protected]:
  #klist
  Ticket cache: /tmp/krb5cc_0
  Default principal: [email protected]
  Valid starting Expires Service principal
  Fri Jan 04 17:22:34 2008 Sat Jan 05 03:22:34 2008 krbtgt/[email protected]
  renew until Fri Jan 11 17:22:34 2008
  =======================================================
  LDAPSEARCH / SSL
  =======================================================
  #ldapsearch -v -h sundc1.consoto.com -p 636 -Z -P /var/ldap/cert8.db -D cn=administrator,cn=users,dc=consoto,dc=com -w - -b "dc=consoto,dc=com" -v -s base "objectclass=*"
  Enter bind password:
  ldapsearch: started Fri Jan 4 17:23:52 2008
  LDAP Library Information -
  Highest supported protocol version: 3
  LDAP API revision: 2005
  API vendor name: Sun Microsystems Inc.
  Vendor-specific version: 5.08
  LDAP API Extensions:
  SERVER_SIDE_SORT (revision 1)
  VIRTUAL_LIST_VIEW (revision 1)
  PERSISTENT_SEARCH (revision 1)
  PROXY_AUTHORIZATION (revision 1)
  X_LDERRNO (revision 1)
  X_MEMCACHE (revision 1)
  X_IO_FUNCTIONS (revision 1)
  X_EXTIO_FUNCTIONS (revision 1)
  X_DNS_FUNCTIONS (revision 1)
  X_MEMALLOC_FUNCTIONS (revision 1)
  X_THREAD_FUNCTIONS (revision 1)
  X_EXTHREAD_FUNCTIONS (revision 1)
  X_GETLANGVALUES (revision 1)
  X_CLIENT_SIDE_SORT (revision 1)
  X_URL_FUNCTIONS (revision 1)
  X_FILTER_FUNCTIONS (revision 1)
  ldap_init( sundc1.consoto.com, 636 )
  ldaptool_getcertpath -- /var/ldap/cert8.db
  ldaptool_getkeypath -- .
  ldaptool_getdonglefilename -- (null)
  filter pattern: objectclass=*
  returning: ALL
  filter is: (objectclass=*)
  version: 1
  dn: dc=consoto,dc=com
  objectClass: top
  objectClass: domain
  objectClass: domainDNS
  distinguishedName: DC=consoto,DC=com
  instanceType: 5
  whenCreated: 20071220204021.0Z
  whenChanged: 20071226231851.0Z
  subRefs: DC=ForestDnsZones,DC=consoto,DC=com
  subRefs: DC=DomainDnsZones,DC=consoto,DC=com
  subRefs: CN=Configuration,DC=consoto,DC=com
  uSNCreated: 4098
  uSNChanged: 16663
  name: consoto
  objectGUID:: bM0hWw8HKEOYCFN3yQ==
  creationTime: 128426572605937500
  forceLogoff: -9223372036854775808
  lockoutDuration: -18000000000
  lockOutObservationWindow: -18000000000
  lockoutThreshold: 0
  maxPwdAge: -37108517437440
  minPwdAge: -864000000000
  minPwdLength: 7
  modifiedCountAtLastProm: 0
  nextRid: 1003
  pwdProperties: 1
  pwdHistoryLength: 24
  objectSid:: AQQAAAAAAAUAAYA4LaLGUspxVHsMP
  serverState: 1
  uASCompat: 1
  modifiedCount: 129
  auditingPolicy:: AAE=
  nTMixedDomain: 0
  rIDManagerReference: CN=RID Manager$,CN=System,DC=consoto,DC=com
  fSMORoleOwner: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-Nam e,CN=Sites,CN=Configuration,DC=consoto,DC=com
  systemFlags: -1946157056
  wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=sunl
  ab,DC=com
  wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Progra
  m Data,DC=consoto,DC=com
  wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=sun
  lab,DC=com
  wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrin
  cipals,DC=consoto,DC=com
  wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
  consoto,DC=com
  wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=s
  unlab,DC=com
  wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=sun
  lab,DC=com
  wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=consoto,DC
  =com
  wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,
  DC=consoto,DC=com
  wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=consoto
  ,DC=com
  wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=consoto,DC=
  com
  objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=consoto,DC=com
  isCriticalSystemObject: TRUE
  gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Syste
  m,DC=consoto,DC=com;0]
  masteredBy: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-Name,C
  N=Sites,CN=Configuration,DC=consoto,DC=com
  ms-DS-MachineAccountQuota: 10
  msDS-Behavior-Version: 2
  msDS-PerUserTrustQuota: 1
  msDS-AllUsersTrustQuota: 1000
  msDS-PerUserTrustTombstonesQuota: 10
  msDs-masteredBy: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-N
  ame,CN=Sites,CN=Configuration,DC=consoto,DC=com
  dc: consoto
  1 matches
  I am thinking about pam.conf file or ldapclient's configuration file, any suggestion?

  I have now sat down and looked at your suggestion and I am pretty certain we can't implement it ... :( I was hoping it was just going to be configuration files that were copied (maybe a naive hope, but there you go!) This system is going to be deployed as a live service for a government agency so I do not think we can, in all good conscience, have binaries from two different OS releases residing on the same server as it will make the system nigh-on non-patchable.
  Let's hope Sun have somethig constructive to say about our issue which, I am slowly beginning to think, is related to the password.
  If I su to the test AD user we have whilst logged in as a root user (which does not, of course, prompt for a password) it all works nicely - home directory, shell, the id command gives all that is expected of uid and gid. Now, should I be in a as a non-root user and try the same I get prompted for a password and it all fails - despite me providing what should be the correct password.
  If I do a getent for the user the returned data has a blank for the password field (as opposed to the usual x).
  I think that somewhere, somehow, in the transmission of data that the password is getting a level of encryption that the AD is not setup to unravel. The packets are all encrypted through ldap (we are using tls simple) but what of the password within the packet? Does anything encrypt that first, and if so, does AD know how to decrypt it?

• Openldap-2.4.32 PAM authentication on Solaris 10

  Hi,
  I configured two Solaris servers to be openldap client/server. They are connected, and I am able to add/modify/retrieve entries/user information from client machine.
  Executing ldapwhoami command from client is successful; server receives and processes request as expected.
  I am configuring PAM for rlogin from Client machine and expect that user credential will be authenticated from LDAP Server, but cannot rlogin.
  Could someone please show me how to verify PAM to see if it works?
  Please let me know if there is anything missing from my setup or anything that I can double-check.
  Any help is greatly appreciated.
  Regards,
  Joe
  Downloaded and installed packages from SunFreeWare.com:
  openldap-2.4.32-sol10-sparc-local.gz
  db-4.7.25.NC-sol10-sparc-local.gz
  gcc-3.3.2-sol10-sparc-local.gz
  libgcc-3.3-sol10-sparc-local.gz
  libtool-2.4.2-sol10-sparc-local.gz
  openssl-1.0.1c-sol10-sparc-local.gz
  sasl-2.1.25-sol10-sparc-local.gz
  From Client LDAP, I am able to add users to Server LDAP, and ldapwhoami execution is also successful.
  apggd04dev# ldapwhoami -H ldap://apggd06dev.pg.dtveng.net -x -W -D uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
  Enter LDAP Password:
  dn:uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
  Configuring for PAM:
  - /etc/pam.conf:
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth binding pam_unix_auth.so.1
  rlogin auth required pam_ldap.so.1 debug
  - /etc/nsswitch.conf:
  passwd: files ldap
  group: files ldap
  shadow: files ldap
  Errors from /var/log/pamlog:
  Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
  Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
  Mar 5 08:56:20 apggd04dev last message repeated 1 time
  Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
  Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
  Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
  Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
  Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
  Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
  Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
  Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
  Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
  Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
  Mar 5 08:56:24 apggd04dev login: [ID 601877 auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
  Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
  Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
  Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL)

  Hi,
  I configured two Solaris servers to be openldap client/server. They are connected, and I am able to add/modify/retrieve entries/user information from client machine.
  Executing ldapwhoami command from client is successful; server receives and processes request as expected.
  I am configuring PAM for rlogin from Client machine and expect that user credential will be authenticated from LDAP Server, but cannot rlogin.
  Could someone please show me how to verify PAM to see if it works?
  Please let me know if there is anything missing from my setup or anything that I can double-check.
  Any help is greatly appreciated.
  Regards,
  Joe
  Downloaded and installed packages from SunFreeWare.com:
  openldap-2.4.32-sol10-sparc-local.gz
  db-4.7.25.NC-sol10-sparc-local.gz
  gcc-3.3.2-sol10-sparc-local.gz
  libgcc-3.3-sol10-sparc-local.gz
  libtool-2.4.2-sol10-sparc-local.gz
  openssl-1.0.1c-sol10-sparc-local.gz
  sasl-2.1.25-sol10-sparc-local.gz
  From Client LDAP, I am able to add users to Server LDAP, and ldapwhoami execution is also successful.
  apggd04dev# ldapwhoami -H ldap://apggd06dev.pg.dtveng.net -x -W -D uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
  Enter LDAP Password:
  dn:uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
  Configuring for PAM:
  - /etc/pam.conf:
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth binding pam_unix_auth.so.1
  rlogin auth required pam_ldap.so.1 debug
  - /etc/nsswitch.conf:
  passwd: files ldap
  group: files ldap
  shadow: files ldap
  Errors from /var/log/pamlog:
  Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
  Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
  Mar 5 08:56:20 apggd04dev last message repeated 1 time
  Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
  Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
  Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
  Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
  Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
  Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
  Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
  Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
  Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
  Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
  Mar 5 08:56:24 apggd04dev login: [ID 601877 auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
  Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
  Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
  Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL)

• Managing ldap sub tree with Solaris Mnagement Console

  Hi,
  I'm using Sun ONE Directory Server 5.2 in Solaris 9 envronment.
  I want to use Solaris Management Console to manage my Ldap Name Service.
  On my ldap server I can display two scopes :
  Scope 1 file:/example/example
  Scope 2 ldap:/example/dc=example,dc=com
  With SMC Editor I've created a toolbox to manage my ldap domain and I can manage users and groups only on trunk tree but not on the sub tree.
  Does someone can tell me please if it's possible to display the ldap sub tree with SMC and if it's possible to manage other cotainers than people or group containers with SMC (for ex. netgroup container) ?
  Thanks.
  Dra

  By try and error I found out that even when I upgraded my
  Sun ONE Directory Server 5.2 to patch level 2, the configuration
  in the administration directory was not changed to the new
  version. So one couldn't connect with the new console
  version 5.2pl2 but used and needed the old one effectively.
  To use the 5.2 pl 2 console there need to be the following
  files in the client directory:
  <root of sun ldap console>/java/jars/
  ds522.jar (main console application)
  ds522_en.jar (english language resources)
  ds522_de.jar (german language resources, in my case, optional)
  ds522.icon (icon used in the console)
  and for the administration console:
  admserv522.jar
  admserv522_en.jar
  admserv522_de.jar
  admserv522.icon
  The old file with the '52' in their name may stay where they
  are to connect to unpatched 5.2 Servers and 5.2pl2 Servers
  without updated configuration.
  The configuration is under:
  cn=ResourceEditorExtension, ou=4.0, ou=Admin, ou=Global Preferences, ou=zentrale.edekanet.de, o=NetscapeRoot
  Search for the attribute 'nsclassname' in all subentries where there
  is a substring '@ds52.jar' and change it to '@ds522.jar'.
  With newer versions of the Sun Directory Server there are
  even jar files with names like 'ds523.jar'. Proceed like above.
  After the next start of the console you are using the new 5.2pl2
  Versions with all bugfixes and enhancements. To verify you may
  move the '52' files away, start and connect. If the directory server
  is configured the right way it won't try to download the '52' files
  to your local computer.
  Frerk

• LDAP /Pam authentication

  Hi, I am using a ldap DS5.2 server to authentication users on an application, though it seems that my usernames which are "all numeric" don't seem to be accepted through PAM.
  When I run debug I see a " pam_authenticate(1e45450, 0): error Conversation failure"
  When I add a letter in front of the username the authentication works fine.
  Is there any way in which I could get this to work using "all numeric" usernames? And if yes how would that be possible?
  Thanks.
  -Ives-

  Hi, Roger
  Is there no way around this? In fact My application (netcool/Mircomuse) uses PAM to run ldap authentication.
  For another tool based on perl scripts we use LDAP authentication through a Perl module. With that perl module there is no problem in getting the "all numeric" username authenticated.
  Is it possible to use this perl module in PAM somehow (the module is Net::LDAP)? And if yes could you or someone else tell me how this could be done?
  Thanks a lot for your help.
  Regards,
  -Ives-

• Authentification LDAP/ AD ?

  Hi,
  I have this configuration:
  BOXI 3.1 setup on a Windows Server 2008.
  A server with Active Directory where a users group have been created.
  I don't know how AD and LDAP work together. I reade on internet, that, AD is a LDAP directory (a Directory which use LDAP protocol) it is true?
  So i would like to configure and authentification on BusinessObjects that allow users to login on InfoView/Designer by using their window logins(login created in the Active Directory).
  What should i do?
  Configure AD authentification on CMC ? or LDAP authentifcation ?
  does someone make LDAP authentification? i tried to do it but i got an error when i click on button finish: The SecLdap have not been able to connect to the host.
  thanks for your reply.

  Hi Coulio,
  Generally speaking as you have an AD server you should be looking to configure the AD plugin in XI3.1 to enable your users to login with their AD accounts and facilitate SSO (single sign on).
  There are many KBases and documentation around this area, but what you would need to do would be the following:
  So there are 12 steps required to ensure a successful SSO configuration. Please let me know if you have any further questions, or if there is something unclear. Thanks.
  Windows AD steps (please have AD team manage this)
  1.     Create and configure a Service Account
  a.     Create a user account -> login name: bossosvcacct
  i.     First Name: BO Service
  ii.     Last Name: Account
  iii.     Set password to not expire, User cannot change password.
  b.     Save.
  2.     Creation of SPNs for Service Account
  a.     Create 3 SPNs for Service account with following commands. Please replace u2018boservernameu2019 with the actual name, and FQDN with the actual Fully Qualified Domain Name. Replace IPADDRESS with the actual IP address of the BO Server. Leave u2018bossosvcacctu2019, it is required to bind the SPN to the Service Account we created above.
  i.     setspn u2013a HTTP\boservername bossosvcacct
  ii.     setspn u2013a HTTP\boservername.FQDN bossosvcacct    (ie. setspn u2013a HTTP\myboserver.microgoogle.com bossosvcacct)
  iii.     setspn u2013a HTTP\IPADDRESS bossosvcacct
  3.     Run ktpass command to create *.keytab
  a.     Please run the following command:
  i.     ktpass -out bosso.keytab -princ HTTP/bossosvcacct.FQDN@FQDN u2013mapuser bossosvcacct@FQDN -pass PW_FOR_SERVICEACCOUNT -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
  ii.     replace PW_FOR_SERVICEACCOUNT with the password you entered for the BO Service Account you created in Step 1.
  4.     Permitting Delegation for Service Account
  a.     Once above steps are complete, go into properties of BO Service Account->Delegation.
  i.     Set Delegation to u201CTrust this user for delegation to any services (Kerberos only)
  As a final step, please copy the keytab file that was created to a directory in the BO Server, add it to C:\WINNT, create it if it doesnu2019t exist there already.
  BO XI3.1 Server steps:
  5. Configure WinAD Authentication settings in the CMC
  6. Edit Service Account in Local Policy Settings + Local Admin
  7. Modify SIA to login with Service Account
  8. Configure and add krb5.ini, bsclogin.conf, and bosso.keytab to C:\WINNT on BO Server.
  9. Configure Tomcat Java Options
  10. Modify the web.xml with all necessary changes
  11. Modify server.xml with MaxHttpHeader change
  I hope this is a very, very helpful answer.
  Kind regards,
  John

• How to fix pam config with solaris-backup-1

  Hi,
  I do an error on pam.d and i don't connect to my solaris.
  I succeed in solaris-backup-1 but it's an archive.
  So how to fix my pam.d config with solaris-backup-1
  Thanks for your help

  I do "beadm activate solaris-backup-1"
  and i obtain with "beadm list" :
  solaris-backup-1 NR / 5.43G static 2014-09-22 11:21
  solaris-backup-1 is a back-up of the installation
  I didn't find my files in /opt
  So i activated/mounted solaris
  beadm activate solaris
  beadm mount solaris /mnt/solaris
  I succeed in modify pam.d
  Thanks

• Stacking Problem in pam.conf on Solaris 10 ?

  Hi all,
  I have pam.conf with enteries for
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  *other password required pam_dhkeys.so.1*
  *other password requisite pam_authtok_get.so.1*
  *other password requisite pam_authtok_check.so.1*
  *other password required pam_authtok_store.so.1*
  As per my understanding the
  (I) SPI pam_authtok_get.so.1 is used to get the user credentials from password DB.
  (II) SPI pam_authtok_check.so.1* is used to check if the new password supplied is satisfying the password policy on the OS ( by reading values from /etc/default/passwd )
  (III) SPI pam_authtok_store.so.1* is used to store the newly entered password to password db.
  Please correct me if I am wrong anywhere.
  Now I have a requirement thar an application has to be wriiten which will just check that the entered password satisfies the password policies of the OS or not, but it should not update the password DB(should not store the password)
  I make the following enteries in my pam.conf
  osPasswdCheck password required pam_dhkeys.so.1
  osPasswdCheck password requisite pam_authtok_get.so.1
  osPasswdCheck password requisite pam_authtok_check.so.1
  I removed the entry for pam_authtok_store.so.1 as I dont want to store the but when I run my application it always give error 20 authentication manipulation error.
  please refer (/usr/include/security/pam_appl.h)
  I have done all the formalities w.r.t writing a PAM Conversation funtion and the application is returning success when I add the pam_authtok_store.so.1 into the SPI
  Please anyone can help me out.Is there is anyother way with which I can use my application just to check password (w.r.t. OS policy) .
  I will be really thankful if anybody can provide me with working PAM Modules stack for achieving it.
  Thanks in advcance.
  Regards,
  Rahul.
  but I dont want to store it.

  Why not just keep the "pam_authtok_store.so.1" line in your pam.conf file and set it to a level of "requisite" or lower? I haven't tried it myself yet, but I've found that in the past when editing this file, completely removing a line rather than giving the PAM stack what it would expect to see with that line being there in some way can also cause problems.

• Solaris 10 with PAM, OpenSSH and OpenLDAP

  Hi all,
  Due to the mix of Linux and Solaris machines, we decided to do OpenLdap and OpenSSH on the Solaris machines as well. All works fine on the Linux machines, but we cannot get PAM authentification to work on the Solaris machines. I have a user in the ldap database esawyja, when the user su esawyja, it works, but the user cannot ssh into the server.
  test5:/ $ su esawyja
  test5:/ $ whoami
  esawyja
  test5:/ $ exit
  exit
  test5:/ $ whoami
  root
  test5:/ $
  test5:/ $ ssh -v [email protected]
  OpenSSH_5.8p1, OpenSSL 1.0.0a 1 Jun 2010
  debug1: Reading configuration data /usr/local/etc/ssh_config
  debug1: Connecting to 10.1.1.5 [10.1.1.5] port 22.
  debug1: Connection established.
  debug1: permanently_set_uid: 0/0
  debug1: identity file /.ssh/id_rsa type -1
  debug1: identity file /.ssh/id_rsa-cert type -1
  debug1: identity file /.ssh/id_dsa type -1
  debug1: identity file /.ssh/id_dsa-cert type -1
  debug1: identity file /.ssh/id_ecdsa type -1
  debug1: identity file /.ssh/id_ecdsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
  debug1: match: OpenSSH_5.8 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.8
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-ctr hmac-md5 none
  debug1: kex: client->server aes128-ctr hmac-md5 none
  debug1: sending SSH2_MSG_KEX_ECDH_INIT
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  debug1: Server host key: RSA 1b:42:5b:37:e4:86:99:e1:af:81:bc:64:c8:68:a6:98
  debug1: Host '10.1.1.5' is known and matches the RSA host key.
  debug1: Found key in /.ssh/known_hosts:3
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey,password,keyboard-interactive
  debug1: Next authentication method: publickey
  debug1: Trying private key: /.ssh/id_rsa
  debug1: Trying private key: /.ssh/id_dsa
  debug1: Trying private key: /.ssh/id_ecdsa
  debug1: Next authentication method: keyboard-interactive
  Password:
  debug1: Authentications that can continue: publickey,password,keyboard-interactive
  Password:
  from the debug parameter on the pam_ldap.so.1 in /etc/pam.conf, see below, I get the error pam_ldap: no legal authentication method configured
  from /etc/pam.conf
  sshd auth requisite pam_authtok_get.so.1
  sshd auth required pam_dhkeys.so.1
  sshd auth required pam_unix_cred.so.1
  sshd auth binding pam_unix_auth.so.1 server_policy
  sshd auth required pam_ldap.so.1 debug
  Feb 17 14:48:19 test5.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 816976 auth.debug] tid= 1: Connection added [0]
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 467101 auth.debug] tid= 1: connectionID=1024
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 805042 auth.debug] tid= 1: shared=1
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 982078 auth.debug] tid= 1: usedBit=0
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 727660 auth.debug] tid= 1: threadID=1
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 939703 auth.debug] tid= 1: AuthType=0
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 142272 auth.debug] tid= 1: TlsType=0
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 537450 auth.debug] tid= 1: SaslMech=0
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
  Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd root), flags = 1
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 816976 auth.debug] tid= 1: Connection added [0]
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 467101 auth.debug] tid= 1: connectionID=1024
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 805042 auth.debug] tid= 1: shared=1
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 982078 auth.debug] tid= 1: usedBit=0
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 727660 auth.debug] tid= 1: threadID=1
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 939703 auth.debug] tid= 1: AuthType=0
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 142272 auth.debug] tid= 1: TlsType=0
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 537450 auth.debug] tid= 1: SaslMech=0
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
  Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 800047 auth.info] Failed password for root from 10.1.1.215 port 51941 ssh2
  Feb 17 14:48:42 test5.company.com sshd[11349]: [ID 800047 auth.info] Accepted password for root from 10.1.1.215 port 51941 ssh2
  Feb 17 14:54:59 test5.company.com su: [ID 366847 auth.info] 'su esawyja' succeeded for root on /dev/pts/10
  Feb 17 14:55:32 test5.company.com sshd[8939]: [ID 800047 auth.info] Received disconnect from 10.1.1.118: 11: disconnected by user
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 816976 auth.debug] tid= 1: Connection added [0]
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 467101 auth.debug] tid= 1: connectionID=1024
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 805042 auth.debug] tid= 1: shared=1
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 982078 auth.debug] tid= 1: usedBit=0
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 727660 auth.debug] tid= 1: threadID=1
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 939703 auth.debug] tid= 1: AuthType=0
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 142272 auth.debug] tid= 1: TlsType=0
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 537450 auth.debug] tid= 1: SaslMech=0
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
  Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
  Feb 17 14:55:36 test5.company.com sshd[11600]: [ID 800047 auth.error] error: PAM: Authentication failed for esawyja from 10.1.1.5
  Feb 17 14:55:58 test5.company.com sshd[9612]: [ID 800047 auth.info] Received disconnect from 10.1.1.118: 11: disconnected by user
  In the slapd logfile I get this
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access granted by read(=rscxd)
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 384072 local4.debug] => access_allowed: read access granted by read(=rscxd)
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 923158 local4.debug] => access_allowed: read access to "uid=esawyja,ou=People,dc=company,dc=com" "userPassword" requested
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 184944 local4.debug] => dn: [1]
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 184944 local4.debug] => dn: [2] cn=subschema
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 134411 local4.debug] => acl_get: [3] attr userPassword
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 105589 local4.debug] => slap_access_allowed: result not in cache (userPassword)
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=esawyja,ou=People,dc=company,dc=com", attr "userPassword" requested
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 488679 local4.debug] => acl_mask: to value by "", (=0)
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 704950 local4.debug] <= check a_dn_pat: self
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 704950 local4.debug] <= check a_dn_pat: *
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 279303 local4.debug] <= acl_mask: [2] applying auth(=xd) (stop)
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 804284 local4.debug] <= acl_mask: [2] mask: auth(=xd)
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access denied by auth(=xd)
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 127828 local4.debug] => access_allowed: no more rules
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 572208 local4.debug] send_search_entry: conn 437 access to attribute userPassword, value #0 not allowed
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 823432 local4.debug] AND
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 679408 local4.debug] begin get_filter_list
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 694368 local4.debug] EQUALITY
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 274773 local4.debug] end get_filter 0
  Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
  The user looks like this in the ldap database
  test5:/var/log $ ldaplist -l passwd esawyja
  dn: uid=esawyja,ou=People,dc=company,dc=com
  objectClass: account
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  cn: xxxxxxxxxxxxxxxxxxxxx
  uid: esawyja
  loginShell: /usr/bin/bash
  uidNumber: 1001
  gidNumber: 500
  homeDirectory: /home/admin/esawyja
  shadowLastChange: 12193
  shadowMin: 0
  shadowMax: 99999
  shadowWarning: 7
  shadowInactive: 1
  shadowExpire: 12999
  gecos: Wynand
  test5:/var/log $
  PLEASE I need help, been at this for the last week and I'm out of ideas
  Thanks

  I am not using OpenLDAP as a backend myself, I am using Sun/Oracle directory server. Initially this was version 5, and I have since upgraded to a mix of DS 6 and DS 7.
  With Sun DS, you run the idsconfig command (/usr/lib/ldap/idsconfig) which helps configure the server with things like a client profile and appropriate access permissions (e.g compare password). it will also help configure a proxy account. Sun LDAP clients should NOT need a proxy account. Linux clients would need the proxy account.

• LDAP native solaris 10 server - client

  Hi,
  Can someone give me some link or instructions on how to configure a solaris 10 to be a Native Ldap server and i need also to have a client that will run on solaris 10 also.
  I did follow PeterVG post, but have tried so many times that i need to do a clean install and get it from scratch.
  anyway, what i did:
  on the server:
  a. set domain, add hots, install pkgs, and run directoryserver setup (it gives me some warning saying that i have an already installed instance, but i keep on trying).
  b. run idsconfig => this part goes without problem.
  when i go to try to add a client with hostA.ldif as:
  dn: cn=hou-sol-dev,ou=hosts,dc=qatestit,dc=com
  changetype: add
  cn: qates001
  iphostnumber: 10.38.133.124
  objectclass: top
  objectclass: device
  objectclass: ipHost
  goes and gives me ldap_add: No such object.
  and of course, when i go to the client and try to run
  ldapclient -v init ... with the server information gives me a fail, with some old dc=domain (which i have changed later).
  if anybody can help, i really appreciate.
  thank you,
  ./antonio/.

  I finally got it working. I think my problem was that I was coping and pasting the /etc/pam.conf from Gary's guide into the pam.conf file.
  There was unseen carriage returns mucking things up. So following a combination of the two docs worked. Starting with:
  http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
  Then following the steps at "Authentication Option #1: LDAP PAM configuration " from this doc:
  http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
  for the pam.conf, got things working.
  Note: ensure that your user has the shadowAccount value set in the objectClass

• Sudo + pam + ldap

  Hello All
  We are in process to migrate to use LDAP.
  Right now I have an DSEE6.1 using sasl/digest-md5 as authentication mechanism.
  Sudo 1.6.8p12 is installed and was working until I moved all the local users to DS.
  When I try to sudo, it ask me three times a password and drop stating that the password is invalid.
  But, at same time, I'm able to authenticate using ssh.
  Any ideas?

  This is still an issue.
  Using the same pam.conf from Solaris 8 and 9 into a Solaris 10 does not result in the same behaviour.
  I can login into the system but when using sudo i got the following message:
  $ sudo su -
  Password:
  su: unable to set credentialsMy /etc/pam.conf looks like:
  ogin   auth requisite          pam_authtok_get.so.1 debug
  login   auth required           pam_dhkeys.so.1 debug
  login   auth required           pam_dial_auth.so.1 debug
  login   auth binding            pam_unix_auth.so.1 server_policy debug
  login   auth required           pam_ldap.so.1 use_first_pass debug
  rlogin  auth sufficient         pam_rhosts_auth.so.1
  rlogin  auth requisite          pam_authtok_get.so.1
  rlogin  auth required           pam_dhkeys.so.1
  rlogin  auth binding            pam_unix_auth.so.1 server_policy
  rlogin  auth required           pam_ldap.so.1 use_first_pass debug
  dtlogin auth requisite          pam_authtok_get.so.1
  dtlogin auth required           pam_dhkeys.so.1
  dtlogin auth binding            pam_unix_auth.so.1 server_policy
  dtlogin auth required           pam_ldap.so.1 use_first_pass debug
  rsh     auth sufficient         pam_rhosts_auth.so.1
  rsh     auth binding            pam_unix_auth.so.1 server_policy
  rsh     auth required           pam_ldap.so.1 use_first_pass debug
  ppp     auth requisite          pam_authtok_get.so.1
  ppp     auth required           pam_dhkeys.so.1
  ppp     auth binding            pam_unix_auth.so.1 server_policy
  ppp     auth required           pam_dial_auth.so.1
  ppp     auth required           pam_ldap.so.1 use_first_pass debug
  dtsession auth requisite       pam_authtok_get.so.1
  dtsession auth required        pam_dhkeys.so.1
  dtsession auth binding         pam_unix_auth.so.1 server_policy
  dtsession auth required        pam_ldap.so.1 debug
  other   auth requisite          pam_authtok_get.so.1 debug
  other   auth sufficient         pam_dhkeys.so.1 debug
  other   auth binding            pam_unix_auth.so.1 server_policy debug
  other   auth required           pam_ldap.so.1 use_first_pass debug
  passwd  auth binding            pam_passwd_auth.so.1 debug server_policy
  passwd  auth required           pam_ldap.so.1 try_first_pass debug
  login   account requisite       pam_roles.so.1
  login   account required        pam_projects.so.1
  login   account binding         pam_unix_account.so.1 server_policy
  loign   account required        pam_ldap.so.1 debug
  cron    account required        pam_projects.so.1
  cron    account required        pam_unix_account.so.1
  dtlogin account requisite       pam_roles.so.1
  dtlogin account required        pam_projects.so.1
  dtlogin account binding         pam_unix_account.so.1 server_policy
  dtlogin account required        pam_ldap.so.1 debug
  ppp     account requisite       pam_roles.so.1
  ppp     account required        pam_projects.so.1
  ppp     account required        pam_unix_account.so.1 server_policy
  other   account requisite       pam_roles.so.1
  other   account required        pam_projects.so.1
  other   account binding         pam_unix_account.so.1 server_policy
  other   account required        pam_ldap.so.1 debug
  ppp     session required        pam_unix_session.so.1
  other   session required        pam_unix_session.so.1
  other   session required        pam_mkhomedir.so.1 skel=/etc/skel umask=0022
  other   password required       pam_dhkeys.so.1 debug
  other   password requisite      pam_authtok_get.so.1 debug
  other   password requisite      pam_authtok_check.so.1 debug
  other   password sufficient     pam_authtok_store.so.1 server_policy debug
  other   password required       pam_ldap.so.1 debugAny ideas?

• Solaris 10 client - ldap_search: Can't connect to LDAP server

  Hello
  I have following configuration:
  - openLDAP server in Solaris 10 zone called ldap
  - native LDAP client in different Solaris 10 zone called mail on the same SPARC machine
  I can't get ldapsearch results after ldapclient initialization.
  [root@mail ~]# ldapsearch -b dc=pov,dc=pl objectclass=*
  ldap_search: Can't connect to the LDAP server - Connection refused
  But I am able to get data from LDAP server if address of the server is specified:
  [root@mail ~]# ldapsearch -b dc=pov,dc=pl -h 192.168.1.40 objectclass=*
  version: 1
  dn: ou=users,dc=pov,dc=pl
  objectClass: organizationalUnit
  ou: Users
  Here is ldapclient config:
  [root@mail ~]# ldapclient list
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= 192.168.1.40
  NS_LDAP_SEARCH_BASEDN= dc=pov,dc=pl
  NS_LDAP_AUTH= none
  NS_LDAP_CACHETTL= 0
  What am I missing?

  Hi, I'm no exprert but I will try to help you. Are you still working on this?
  This what my stuff looks like:
  # ldapclient list
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
  NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
  NS_LDAP_SERVERS= 10.0.1.21:389
  NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
  NS_LDAP_AUTH= none
  NS_LDAP_CACHETTL= 0
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
  NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
  [root@light migration]# cat user00.ldif
  dn: uid=user00,ou=People,dc=deathnote,dc=net
  uid: user00
  cn: user00
  objectClass: account
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: top
  loginShell: /bin/bash
  uidNumber: 805
  gidNumber: 501
  homeDirectory: /home/user00
  gecos: ldap user
  Also update you hosts file and add your server to the domain.
  I hope this helps.
  Edited by: CyberNinja on Oct 22, 2011 12:37 PM