LDAP authentication, pam.d on Solaris 11
Hi,
I tested LDAP authentication on Solaris 11 and did not succeed in connecting over SSH.
I succeeded in viewing LDAP users (getent passwd) and modified /etc/pam.d/login, other and passwd
with "auth required pam_ldap".
Hi,
Try to change the following two files: /etc/pam.d/login and /etc/pam.d/other
Change the line that states:
auth required pam_unix_auth.so.1
to
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1
Did you also check the attribute mapping for the LDAP client?
svccfg -s network/ldap/client setprop config/attribute_map= astring: '("shadow:homeDirectory=unixHomeDirectory" "shadow:description=distinguishedName" "shadow:uid=samaccountname" "shadow:gidnumber=primaryGroupID" "shadow:uidnumber=uidNumber" "shadow:gecos=displayName" "passwd:homeDirectory=unixHomeDirectory" "passwd:description=distinguishedName" "passwd:uid=samaccountname" "passwd:gidnumber=primaryGroupID" "passwd:uidnumber=uidNumber" "passwd:gecos=displayName")'
svccfg -s network/ldap/client setprop config/objectclass_map= astring: '("group:posixGroup=group" "shadow:shadowAccount=person" "shadow:posixAccount=user" "passwd:shadowAccount=person" "passwd:posixAccount=user")'
What does getent passwd username say? Does it return all the necessary fields (uid, gid etc.)?
While configuring the LDAP client to point to our Microsoft AD I use the AD property uidNumber which I manually set to the last part of the objectSID property to keep it unique within the domain.
Kind regards,
Lambert
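Two of Lambert's checks can be scripted. The following Python is an added example, not code from this thread or from Solaris: parse_sid decodes the binary objectSid that ldapsearch prints base64-encoded as "objectSid::", and uid_from_sid takes its last sub-authority (the RID) as the uidNumber, the scheme Lambert describes, refusing RIDs below a floor (an assumed value of 1000 for this demo) so that built-in accounts such as RID 500 are not mapped onto low system uids; check_passwd_entry validates a "getent passwd user" line for the seven fields and numeric uid/gid that the login path needs. The SID bytes and the first passwd line are constructed; the six-field line is the one quoted in the "LDAP over SSL" thread further down the page.

```python
import base64
import struct

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_sid(raw):
    """Decode a binary Windows SID into 'S-1-5-21-...' form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count little-endian uint32s."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_sid_ldif(b64):
    """ldapsearch prints binary attributes base64-encoded after a double
    colon ('objectSid:: AQUA...'); decode that form."""
    return parse_sid(base64.b64decode(b64))


def uid_from_sid(raw, floor=1000):
    """Use the RID (last sub-authority) as uidNumber, as Lambert describes.
    The floor is an assumed value for this demo: RIDs below it belong to
    built-in accounts (500 = Administrator) and would collide with system uids."""
    rid = int(parse_sid(raw).rsplit("-", 1)[1])
    if rid < floor:
        raise ValueError("RID %d is below the uid floor %d" % (rid, floor))
    return rid


def check_passwd_entry(line):
    """Validate one 'getent passwd <user>' line. Returns a list of problems;
    an empty list means the entry has what login needs."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        return ["expected %d colon-separated fields, got %d"
                % (len(PASSWD_FIELDS), len(fields))]
    entry = dict(zip(PASSWD_FIELDS, fields))
    problems = []
    for key in ("uid", "gid"):
        if not entry[key].isdigit():
            problems.append("%s is not numeric: %r" % (key, entry[key]))
    for key in ("name", "home", "shell"):
        if not entry[key]:
            problems.append("%s is empty" % key)
    if entry["home"] and not entry["home"].startswith("/"):
        problems.append("home is not an absolute path: %r" % entry["home"])
    return problems


# Constructed samples: a domain SID S-1-5-21-1111-2222-3333 with RID 1104,
# the same domain's Administrator (RID 500), and two passwd lines.
SAMPLE_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1111, 2222, 3333, 1104)
ADMIN_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1111, 2222, 3333, 500)
SAMPLE_SID_B64 = base64.b64encode(SAMPLE_SID).decode("ascii")
GOOD_ENTRY = "aduser:x:1104:1000:AD User:/export/home/aduser:/bin/sh"
# Six-field line as quoted in the Solaris 9 thread on this page (password field missing)
SHORT_ENTRY = "aduser:1000:1000:aduser:/export/home/aduser:/bin/sh"

if __name__ == "__main__":
    print(parse_sid_ldif(SAMPLE_SID_B64), "->", uid_from_sid(SAMPLE_SID))
    for entry in (GOOD_ENTRY, SHORT_ENTRY):
        print(entry, "->", check_passwd_entry(entry) or "ok")
```

In practice you would feed check_passwd_entry the real output of getent passwd for an AD user; a missing or non-numeric uid/gid is exactly the symptom that the attribute_map property above is meant to cure, and the RID-as-uidNumber mapping only stays unique within one domain, which is why Lambert limits it to a single domain.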
Similar Messages
-
PAM Support for Solaris SGD 4.3
Hi,
where can I find more information on how to integrate PAM support under Solaris SGD 4.3?
I read in the release notes:
Support for PAM for UNIX User Authentication
Secure Global Desktop now supports PAM (Pluggable Authentication Modules) for UNIX user authentication. The change affects the following login authorities:
* ENS
* UNIX User
* UNIX Group
Secure Global Desktop uses PAM for user authentication, account operations and password operations.
When you install Secure Global Desktop on Linux platforms, Setup automatically creates PAM configuration entries for Secure Global Desktop by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file. On Solaris OS platforms, you can add a new entry for Secure Global Desktop (tarantella) in the /etc/pam.conf file if required.
Using PAM gives Secure Global Desktop Administrators more flexibility and control over UNIX user authentication, for example by adding new login tests, account limits, or valid password checks.
But I could not find out how this should be done....
Regards
Lukas
Hi,
Yes, I know that. PAM is always configured via the operating system. But where can I find some documentation on how to configure PAM to allow UNIX authentication against SGD?
I do not want to create a UNIX user for each SGD user (LDAP) who is using an AS/400 connection or a classroom object. So I thought this could be done via a PAM module for SGD.
Thanks for further advice. -
OpenSSH 4.4p1 packages with PAM support for Solaris 9, 10
As mentioned in a previous post* , I've compiled OpenSSH packages with PAM support for Solaris 9 and 10. They've since been updated to version 4.4p1, and are compiled against a static zlib (1.2.3) and OpenSSL (0.9.8c). You can find them here:
http://firewallworks.com/downloads/unsupported/Solaris-sparc/
Regards,
Greg
* http://forum.sun.com/jive/thread.jspa?threadID=103378&tstart=105
Yes, zlib 1.2.3 is a requirement. In fact, zlib mentions a 2005 vulnerability fix but I found no matching patch in sunsolve. See
http://www.kb.cert.org/vuls/id/JGEI-6E7RC3
I have been wondering whether to replace the official zlib. Linking statically is probably a better idea. Thanks -
Solaris 10 + Samba + LDAP/PAM?
Hi all,
I've got a long standing question that I need answered with relation to setup of Samba + LDAP on Solaris 10. Here is the general gist:
1. I've got a Solaris 10 host that is currently communicating with an OpenLDAP (OpenDirectory) master to provide user identity information. The Solaris 10 host simply acts as a place to have disk mounted via some large storage subsystems, which is then shared out via NFS to different places. Because I have used the ldapclient manual commands on the Solaris host, it understands UIDs and GUIDs from the OpenLDAP master.
2. I want to change things a little bit. What I'd like to do, is have samba sharing out disk/exports/shares from the Solaris 10 host, but use my OpenLDAP credentials for users to log into the system with
What I'd like to know how to do is set up Samba on my Solaris 10 (x86) host so that a client can connect to it using their credentials stored on the OpenLDAP host, access their home directory etc.
I don't think it will be too hard - as most of the work is done in terms of the LDAP binds. I have used the following binding technique to make the Solaris 10 host aware of the OpenLDAP directory:
ldapclient -v manual -a credentialLevel=anonymous -a defaultSearchBase=dc=od-master,dc=example,dc=com -a serviceSearchDescriptor=passwd:cn=users,dc=od-master,dc=example,dc=com -a attributeMap=passwd:gecos=cn -a serviceSearchDescriptor=group:cn=groups,dc=od-master,dc=example,dc=com 192.168.0.1
Because I've done this, I can now finger/id any UID or GUID that exists on the OpenLDAP host, and the Solaris host will know about it. The question is, how do I make Samba aware of such things, let alone configure it to do so. I want users on their Windows systems to simply be able to \\some.server.here.there\ and on their Mac OS X systems to smb://some.server.here.there with the credentials that are in the OpenLDAP master. There must be some simple way of telling Samba where to get credential information from, right?
Thanks for your time!
z
Update 2 is pretty old, especially if you are talking about ZFS. There's been a variety of problems fixed in ZFS since U2. Were I to just guess out of the blue, you might be running into the ZFS eats all of RAM bug.
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6505658
If this is the case, it won't be just the samba server that's slow on the server. You should check this by doing the FTP after your samba server slows down and see if you get fast throughputs.
-r -
LDAP over SSL for Solaris 9 / Solaris 10
I have successfully configured Solaris-10 clients to use Windows 2003 R2 Active Directory for LDAP authentication over SSL. However, my production environment is still running on Solaris-9. I am able to get Kerberos and ldapsearch working on Solaris-9, but I am still NOT able to authenticate against AD from PuTTY.
I reviewed all the steps that I configured on Solaris-10, but somehow I could not make it work on Solaris-9. If anybody has successfully deployed this on Solaris-9, please advise! Any help is greatly appreciated.
Here is what I have so far on Solaris-9
=======================================================
KERBEROS
=======================================================
#getent passwd aduser
aduser:1000:1000:aduser:/export/home/aduser:/bin/sh
#kinit [email protected]
Password for [email protected]:
#klist
Ticket cache: /tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
Fri Jan 04 17:22:34 2008 Sat Jan 05 03:22:34 2008 krbtgt/[email protected]
renew until Fri Jan 11 17:22:34 2008
=======================================================
LDAPSEARCH / SSL
=======================================================
#ldapsearch -v -h sundc1.consoto.com -p 636 -Z -P /var/ldap/cert8.db -D cn=administrator,cn=users,dc=consoto,dc=com -w - -b "dc=consoto,dc=com" -v -s base "objectclass=*"
Enter bind password:
ldapsearch: started Fri Jan 4 17:23:52 2008
LDAP Library Information -
Highest supported protocol version: 3
LDAP API revision: 2005
API vendor name: Sun Microsystems Inc.
Vendor-specific version: 5.08
LDAP API Extensions:
SERVER_SIDE_SORT (revision 1)
VIRTUAL_LIST_VIEW (revision 1)
PERSISTENT_SEARCH (revision 1)
PROXY_AUTHORIZATION (revision 1)
X_LDERRNO (revision 1)
X_MEMCACHE (revision 1)
X_IO_FUNCTIONS (revision 1)
X_EXTIO_FUNCTIONS (revision 1)
X_DNS_FUNCTIONS (revision 1)
X_MEMALLOC_FUNCTIONS (revision 1)
X_THREAD_FUNCTIONS (revision 1)
X_EXTHREAD_FUNCTIONS (revision 1)
X_GETLANGVALUES (revision 1)
X_CLIENT_SIDE_SORT (revision 1)
X_URL_FUNCTIONS (revision 1)
X_FILTER_FUNCTIONS (revision 1)
ldap_init( sundc1.consoto.com, 636 )
ldaptool_getcertpath -- /var/ldap/cert8.db
ldaptool_getkeypath -- .
ldaptool_getdonglefilename -- (null)
filter pattern: objectclass=*
returning: ALL
filter is: (objectclass=*)
version: 1
dn: dc=consoto,dc=com
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=consoto,DC=com
instanceType: 5
whenCreated: 20071220204021.0Z
whenChanged: 20071226231851.0Z
subRefs: DC=ForestDnsZones,DC=consoto,DC=com
subRefs: DC=DomainDnsZones,DC=consoto,DC=com
subRefs: CN=Configuration,DC=consoto,DC=com
uSNCreated: 4098
uSNChanged: 16663
name: consoto
objectGUID:: bM0hWw8HKEOYCFN3yQ==
creationTime: 128426572605937500
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -37108517437440
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1003
pwdProperties: 1
pwdHistoryLength: 24
objectSid:: AQQAAAAAAAUAAYA4LaLGUspxVHsMP
serverState: 1
uASCompat: 1
modifiedCount: 129
auditingPolicy:: AAE=
nTMixedDomain: 0
rIDManagerReference: CN=RID Manager$,CN=System,DC=consoto,DC=com
fSMORoleOwner: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-Nam e,CN=Sites,CN=Configuration,DC=consoto,DC=com
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=sunl
ab,DC=com
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Progra
m Data,DC=consoto,DC=com
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=sun
lab,DC=com
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrin
cipals,DC=consoto,DC=com
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
consoto,DC=com
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=s
unlab,DC=com
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=sun
lab,DC=com
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=consoto,DC
=com
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,
DC=consoto,DC=com
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=consoto
,DC=com
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=consoto,DC=
com
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=consoto,DC=com
isCriticalSystemObject: TRUE
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Syste
m,DC=consoto,DC=com;0]
masteredBy: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-Name,C
N=Sites,CN=Configuration,DC=consoto,DC=com
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 2
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-N
ame,CN=Sites,CN=Configuration,DC=consoto,DC=com
dc: consoto
1 matches
I am thinking about the pam.conf file or ldapclient's configuration file, any suggestion?
I have now sat down and looked at your suggestion and I am pretty certain we can't implement it ... :( I was hoping it was just going to be configuration files that were copied (maybe a naive hope, but there you go!) This system is going to be deployed as a live service for a government agency so I do not think we can, in all good conscience, have binaries from two different OS releases residing on the same server as it will make the system nigh-on non-patchable.
Let's hope Sun have something constructive to say about our issue which, I am slowly beginning to think, is related to the password.
If I su to the test AD user we have whilst logged in as root (which does not, of course, prompt for a password) it all works nicely - home directory, shell, the id command gives all that is expected of uid and gid. Now, should I be logged in as a non-root user and try the same, I get prompted for a password and it all fails - despite me providing what should be the correct password.
If I do a getent for the user the returned data has a blank for the password field (as opposed to the usual x).
I think that somewhere, somehow, in the transmission of data the password is getting a level of encryption that the AD is not set up to unravel. The packets are all encrypted through LDAP (we are using TLS simple) but what of the password within the packet? Does anything encrypt that first, and if so, does AD know how to decrypt it? -
Openldap-2.4.32 PAM authentication on Solaris 10
Hi,
I configured two Solaris servers to be openldap client/server. They are connected, and I am able to add/modify/retrieve entries/user information from client machine.
Executing ldapwhoami command from client is successful; server receives and processes request as expected.
I am configuring PAM for rlogin from Client machine and expect that user credential will be authenticated from LDAP Server, but cannot rlogin.
Could someone please show me how to verify PAM to see if it works?
Please let me know if there is anything missing from my setup or anything that I can double-check.
Any help is greatly appreciated.
Regards,
Joe
Downloaded and installed packages from SunFreeWare.com:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz
From Client LDAP, I am able to add users to Server LDAP, and ldapwhoami execution is also successful.
apggd04dev# ldapwhoami -H ldap://apggd06dev.pg.dtveng.net -x -W -D uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
Enter LDAP Password:
dn:uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
Configuring for PAM:
- /etc/pam.conf:
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
- /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
Errors from /var/log/pamlog:
Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:20 apggd04dev last message repeated 1 time
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
Mar 5 08:56:24 apggd04dev login: [ID 601877 auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL) -
Managing an LDAP sub tree with Solaris Management Console
Hi,
I'm using Sun ONE Directory Server 5.2 in a Solaris 9 environment.
I want to use Solaris Management Console to manage my Ldap Name Service.
On my ldap server I can display two scopes :
Scope 1 file:/example/example
Scope 2 ldap:/example/dc=example,dc=com
With SMC Editor I've created a toolbox to manage my ldap domain and I can manage users and groups only on trunk tree but not on the sub tree.
Can someone please tell me if it's possible to display the LDAP sub tree with SMC and if it's possible to manage containers other than the people or group containers with SMC (for example the netgroup container)?
Thanks.
Dra
By trial and error I found out that even when I upgraded my
Sun ONE Directory Server 5.2 to patch level 2, the configuration
in the administration directory was not changed to the new
version. So one couldn't connect with the new console
version 5.2pl2 but used and needed the old one effectively.
To use the 5.2 pl 2 console there need to be the following
files in the client directory:
<root of sun ldap console>/java/jars/
ds522.jar (main console application)
ds522_en.jar (english language resources)
ds522_de.jar (german language resources, in my case, optional)
ds522.icon (icon used in the console)
and for the administration console:
admserv522.jar
admserv522_en.jar
admserv522_de.jar
admserv522.icon
The old files with '52' in their names may stay where they
are to connect to unpatched 5.2 Servers and 5.2pl2 Servers
without updated configuration.
The configuration is under:
cn=ResourceEditorExtension, ou=4.0, ou=Admin, ou=Global Preferences, ou=zentrale.edekanet.de, o=NetscapeRoot
Search for the attribute 'nsclassname' in all subentries where there
is a substring '@ds52.jar' and change it to '@ds522.jar'.
With newer versions of the Sun Directory Server there are
even jar files with names like 'ds523.jar'. Proceed like above.
After the next start of the console you are using the new 5.2pl2
Versions with all bugfixes and enhancements. To verify you may
move the '52' files away, start and connect. If the directory server
is configured the right way it won't try to download the '52' files
to your local computer.
Frerk -
Hi, I am using a ldap DS5.2 server to authentication users on an application, though it seems that my usernames which are "all numeric" don't seem to be accepted through PAM.
When I run debug I see a " pam_authenticate(1e45450, 0): error Conversation failure"
When I add a letter in front of the username the authentication works fine.
Is there any way in which I could get this to work using "all numeric" usernames? And if yes how would that be possible?
Thanks.
-Ives-
Hi, Roger
Is there no way around this? In fact my application (Netcool/Micromuse) uses PAM to run LDAP authentication.
For another tool based on perl scripts we use LDAP authentication through a Perl module. With that perl module there is no problem in getting the "all numeric" username authenticated.
Is it possible to use this perl module in PAM somehow (the module is Net::LDAP)? And if yes could you or someone else tell me how this could be done?
Thanks a lot for your help.
Regards,
-Ives- -
Authentication LDAP / AD ?
Hi,
I have this configuration:
BOXI 3.1 setup on a Windows Server 2008.
A server with Active Directory where a users group have been created.
I don't know how AD and LDAP work together. I read on the internet that AD is an LDAP directory (a directory which uses the LDAP protocol); is that true?
So I would like to configure an authentication on BusinessObjects that allows users to log in on InfoView/Designer by using their Windows logins (logins created in the Active Directory).
What should I do?
Configure AD authentication on the CMC? Or LDAP authentication?
Does anyone use LDAP authentication? I tried to do it but I got an error when I clicked on the Finish button: The SecLdap have not been able to connect to the host.
Thanks for your reply.
Hi Coulio,
Generally speaking as you have an AD server you should be looking to configure the AD plugin in XI3.1 to enable your users to login with their AD accounts and facilitate SSO (single sign on).
There are many KBases and documentation around this area, but what you would need to do would be the following:
So there are 12 steps required to ensure a successful SSO configuration. Please let me know if you have any further questions, or if there is something unclear. Thanks.
Windows AD steps (please have AD team manage this)
1. Create and configure a Service Account
a. Create a user account -> login name: bossosvcacct
i. First Name: BO Service
ii. Last Name: Account
iii. Set password to not expire, User cannot change password.
b. Save.
2. Creation of SPNs for Service Account
a. Create 3 SPNs for the Service account with the following commands. Please replace 'boservername' with the actual name, and FQDN with the actual Fully Qualified Domain Name. Replace IPADDRESS with the actual IP address of the BO Server. Leave 'bossosvcacct', it is required to bind the SPN to the Service Account we created above.
i. setspn -a HTTP/boservername bossosvcacct
ii. setspn -a HTTP/boservername.FQDN bossosvcacct (i.e. setspn -a HTTP/myboserver.microgoogle.com bossosvcacct)
iii. setspn -a HTTP/IPADDRESS bossosvcacct
3. Run ktpass command to create *.keytab
a. Please run the following command:
i. ktpass -out bosso.keytab -princ HTTP/bossosvcacct.FQDN@FQDN -mapuser bossosvcacct@FQDN -pass PW_FOR_SERVICEACCOUNT -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
ii. replace PW_FOR_SERVICEACCOUNT with the password you entered for the BO Service Account you created in Step 1.
4. Permitting Delegation for Service Account
a. Once the above steps are complete, go into the properties of the BO Service Account -> Delegation.
i. Set Delegation to "Trust this user for delegation to any services (Kerberos only)"
As a final step, please copy the keytab file that was created to a directory on the BO Server, add it to C:\WINNT, create it if it doesn't exist there already.
BO XI3.1 Server steps:
5. Configure WinAD Authentication settings in the CMC
6. Edit Service Account in Local Policy Settings + Local Admin
7. Modify SIA to login with Service Account
8. Configure and add krb5.ini, bsclogin.conf, and bosso.keytab to C:\WINNT on BO Server.
9. Configure Tomcat Java Options
10. Modify the web.xml with all necessary changes
11. Modify server.xml with MaxHttpHeader change
I hope this is a very, very helpful answer.
Kind regards,
John -
How to fix pam config with solaris-backup-1
Hi,
I made an error in pam.d and I cannot connect to my Solaris.
I succeeded in solaris-backup-1 but it's an archive.
So how do I fix my pam.d config with solaris-backup-1?
Thanks for your help
I do "beadm activate solaris-backup-1"
and i obtain with "beadm list" :
solaris-backup-1 NR / 5.43G static 2014-09-22 11:21
solaris-backup-1 is a back-up of the installation
I didn't find my files in /opt
So i activated/mounted solaris
beadm activate solaris
beadm mount solaris /mnt/solaris
I succeeded in modifying pam.d
Thanks -
Stacking Problem in pam.conf on Solaris 10 ?
Hi all,
I have pam.conf with entries for
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
As per my understanding:
(I) SPI pam_authtok_get.so.1 is used to get the user credentials from the password DB.
(II) SPI pam_authtok_check.so.1 is used to check if the new password supplied satisfies the password policy on the OS (by reading values from /etc/default/passwd).
(III) SPI pam_authtok_store.so.1 is used to store the newly entered password to the password DB.
Please correct me if I am wrong anywhere.
Now I have a requirement that an application has to be written which will just check whether the entered password satisfies the password policies of the OS or not, but it should not update the password DB (should not store the password).
I make the following entries in my pam.conf
osPasswdCheck password required pam_dhkeys.so.1
osPasswdCheck password requisite pam_authtok_get.so.1
osPasswdCheck password requisite pam_authtok_check.so.1
I removed the entry for pam_authtok_store.so.1 as I don't want to store the password, but when I run my application it always gives error 20, authentication manipulation error.
Please refer to /usr/include/security/pam_appl.h.
I have done all the formalities w.r.t. writing a PAM conversation function and the application is returning success when I add pam_authtok_store.so.1 into the SPI stack.
Please can anyone help me out.
Is there any other way with which I can use my application just to check the password (w.r.t. OS policy)?
I will be really thankful if anybody can provide me with a working PAM module stack for achieving it.
Thanks in advance.
Regards,
Rahul.
but I don't want to store it.
Why not just keep the "pam_authtok_store.so.1" line in your pam.conf file and set it to a level of "requisite" or lower? I haven't tried it myself yet, but I've found in the past when editing this file that completely removing a line, rather than giving the PAM stack what it would expect to see with that line being there in some way, can also cause problems.
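Both Lambert's change at the top of this page (pam_unix_auth as "binding" with server_policy, then pam_ldap as "required") and Rahul's question about dropping a module from the osPasswdCheck password stack come down to how the control flags in pam.conf(4) combine the results of the modules in a stack. The following Python is an added example, not code from either thread or from Solaris: evaluate_stack applies the pam.conf(4) rules for required, requisite, sufficient, optional and binding, treats PAM_IGNORE as "this module is not in the stack", and authenticate runs the two "other auth" stacks from the first thread against a constructed account table. The module behaviour it assumes (pam_unix_auth returning PAM_IGNORE under server_policy for a user whose authority is a directory server and failing for such a user without it, pam_ldap ignoring local users, every other module succeeding) is a simplification made for the demo; real return codes depend on the name service and the directory.

```python
"""Evaluate a Solaris-style PAM module stack the way pam.conf(4) describes
the control flags: required, requisite, sufficient, optional and binding."""

SUCCESS = "PAM_SUCCESS"
IGNORE = "PAM_IGNORE"
AUTH_ERR = "PAM_AUTH_ERR"


def evaluate_stack(stack, outcome_of):
    """stack: list of (control_flag, module, options) in pam.conf order.
    outcome_of(module, options) -> the return code that module produces.
    Returns (final_result, modules_actually_called)."""
    required_failure = None   # first failure of a required or binding module
    optional_failure = None
    any_success = False
    called = []
    for flag, module, options in stack:
        called.append(module)
        rc = outcome_of(module, options)
        if rc == IGNORE:
            continue                     # treated as if the module were not listed
        ok = rc == SUCCESS
        any_success = any_success or ok
        if flag == "required":
            if not ok and required_failure is None:
                required_failure = rc    # remembered, but later modules still run
        elif flag == "requisite":
            if not ok:                   # stop at once; report the earliest failure
                return (required_failure or rc), called
        elif flag in ("binding", "sufficient"):
            if ok and required_failure is None:
                return SUCCESS, called   # short-circuit: later modules never run
            if not ok and flag == "binding" and required_failure is None:
                required_failure = rc    # a failed 'sufficient' is simply ignored
        elif flag == "optional":
            if not ok and optional_failure is None:
                optional_failure = rc
        else:
            raise ValueError("unknown control flag: %s" % flag)
    if required_failure is not None:
        return required_failure, called
    if any_success:
        return SUCCESS, called
    # Nothing succeeded: only optional failures, or every module was ignored.
    return (optional_failure or "PAM_PERM_DENIED"), called


# Constructed account table for the demo: where each user's password lives.
USERS = {"localadm": "files", "aduser": "ldap"}


def make_outcome_fn(user, password_ok):
    """Assumed module behaviour for the demo (a simplification, not the real modules):
    pam_unix_auth verifies users held in files and, with server_policy, returns
    PAM_IGNORE for a user whose account authority is a directory server;
    pam_ldap verifies directory users and ignores local ones; everything else succeeds."""
    repo = USERS.get(user)

    def outcome_of(module, options):
        if module.startswith("pam_unix_auth"):
            if repo == "files":
                return SUCCESS if password_ok else AUTH_ERR
            return IGNORE if "server_policy" in options else AUTH_ERR
        if module.startswith("pam_ldap"):
            if repo == "ldap":
                return SUCCESS if password_ok else AUTH_ERR
            return IGNORE
        return SUCCESS
    return outcome_of


# The two "other auth" variants from the first thread (pam_authtok_get etc. omitted).
ORIGINAL = [("required", "pam_unix_auth.so.1", ""),
            ("required", "pam_ldap.so.1", "")]
FIXED = [("binding", "pam_unix_auth.so.1", "server_policy"),
         ("required", "pam_ldap.so.1", "")]


def authenticate(stack, user, password_ok=True):
    """Run one stack for one user; returns (result, modules_called)."""
    return evaluate_stack(stack, make_outcome_fn(user, password_ok))


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("fixed", FIXED)):
        for user in USERS:
            print(name, user, authenticate(stack, user))
```

With the original stack a directory user is refused even though pam_ldap succeeded, because the framework reports the earlier required failure of pam_unix_auth; with the binding/server_policy stack a local user is accepted without the directory being consulted at all, and a directory user is decided by pam_ldap alone. The same evaluator shows why a requisite module that fails ends a password stack immediately, whatever is listed after it, which is what makes the choice between removing a line and changing its control flag matter.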
-
Solaris 10 with PAM, OpenSSH and OpenLDAP
Hi all,
Due to the mix of Linux and Solaris machines, we decided to do OpenLDAP and OpenSSH on the Solaris machines as well. All works fine on the Linux machines, but we cannot get PAM authentication to work on the Solaris machines. I have a user esawyja in the LDAP database; when the user does su esawyja, it works, but the user cannot ssh into the server.
test5:/ $ su esawyja
test5:/ $ whoami
esawyja
test5:/ $ exit
exit
test5:/ $ whoami
root
test5:/ $
test5:/ $ ssh -v [email protected]
OpenSSH_5.8p1, OpenSSL 1.0.0a 1 Jun 2010
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to 10.1.1.5 [10.1.1.5] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_rsa-cert type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_dsa-cert type -1
debug1: identity file /.ssh/id_ecdsa type -1
debug1: identity file /.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
debug1: match: OpenSSH_5.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 1b:42:5b:37:e4:86:99:e1:af:81:bc:64:c8:68:a6:98
debug1: Host '10.1.1.5' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Trying private key: /.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password:
from the debug parameter on the pam_ldap.so.1 in /etc/pam.conf, see below, I get the error pam_ldap: no legal authentication method configured
from /etc/pam.conf
sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth required pam_unix_cred.so.1
sshd auth binding pam_unix_auth.so.1 server_policy
sshd auth required pam_ldap.so.1 debug
Feb 17 14:48:19 test5.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 816976 auth.debug] tid= 1: Connection added [0]
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 467101 auth.debug] tid= 1: connectionID=1024
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 805042 auth.debug] tid= 1: shared=1
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 982078 auth.debug] tid= 1: usedBit=0
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 727660 auth.debug] tid= 1: threadID=1
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 939703 auth.debug] tid= 1: AuthType=0
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 142272 auth.debug] tid= 1: TlsType=0
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 537450 auth.debug] tid= 1: SaslMech=0
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd root), flags = 1
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 816976 auth.debug] tid= 1: Connection added [0]
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 467101 auth.debug] tid= 1: connectionID=1024
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 805042 auth.debug] tid= 1: shared=1
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 982078 auth.debug] tid= 1: usedBit=0
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 727660 auth.debug] tid= 1: threadID=1
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 939703 auth.debug] tid= 1: AuthType=0
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 142272 auth.debug] tid= 1: TlsType=0
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 537450 auth.debug] tid= 1: SaslMech=0
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 800047 auth.info] Failed password for root from 10.1.1.215 port 51941 ssh2
Feb 17 14:48:42 test5.company.com sshd[11349]: [ID 800047 auth.info] Accepted password for root from 10.1.1.215 port 51941 ssh2
Feb 17 14:54:59 test5.company.com su: [ID 366847 auth.info] 'su esawyja' succeeded for root on /dev/pts/10
Feb 17 14:55:32 test5.company.com sshd[8939]: [ID 800047 auth.info] Received disconnect from 10.1.1.118: 11: disconnected by user
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 816976 auth.debug] tid= 1: Connection added [0]
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 467101 auth.debug] tid= 1: connectionID=1024
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 805042 auth.debug] tid= 1: shared=1
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 982078 auth.debug] tid= 1: usedBit=0
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 727660 auth.debug] tid= 1: threadID=1
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 939703 auth.debug] tid= 1: AuthType=0
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 142272 auth.debug] tid= 1: TlsType=0
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 537450 auth.debug] tid= 1: SaslMech=0
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Feb 17 14:55:36 test5.company.com sshd[11600]: [ID 800047 auth.error] error: PAM: Authentication failed for esawyja from 10.1.1.5
Feb 17 14:55:58 test5.company.com sshd[9612]: [ID 800047 auth.info] Received disconnect from 10.1.1.118: 11: disconnected by user
In the slapd logfile I get this:
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access granted by read(=rscxd)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 384072 local4.debug] => access_allowed: read access granted by read(=rscxd)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 923158 local4.debug] => access_allowed: read access to "uid=esawyja,ou=People,dc=company,dc=com" "userPassword" requested
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 184944 local4.debug] => dn: [1]
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 184944 local4.debug] => dn: [2] cn=subschema
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 134411 local4.debug] => acl_get: [3] attr userPassword
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 105589 local4.debug] => slap_access_allowed: result not in cache (userPassword)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=esawyja,ou=People,dc=company,dc=com", attr "userPassword" requested
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 488679 local4.debug] => acl_mask: to value by "", (=0)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 704950 local4.debug] <= check a_dn_pat: self
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 704950 local4.debug] <= check a_dn_pat: *
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 279303 local4.debug] <= acl_mask: [2] applying auth(=xd) (stop)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 804284 local4.debug] <= acl_mask: [2] mask: auth(=xd)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access denied by auth(=xd)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 127828 local4.debug] => access_allowed: no more rules
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 572208 local4.debug] send_search_entry: conn 437 access to attribute userPassword, value #0 not allowed
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 823432 local4.debug] AND
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 679408 local4.debug] begin get_filter_list
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 694368 local4.debug] EQUALITY
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 274773 local4.debug] end get_filter 0
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
The user looks like this in the LDAP database:
test5:/var/log $ ldaplist -l passwd esawyja
dn: uid=esawyja,ou=People,dc=company,dc=com
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
cn: xxxxxxxxxxxxxxxxxxxxx
uid: esawyja
loginShell: /usr/bin/bash
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/admin/esawyja
shadowLastChange: 12193
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
shadowInactive: 1
shadowExpire: 12999
gecos: Wynand
test5:/var/log $
PLEASE I need help, been at this for the last week and I'm out of ideas
Thanks
I am not using OpenLDAP as a backend myself; I am using Sun/Oracle Directory Server. Initially this was version 5, and I have since upgraded to a mix of DS 6 and DS 7.
With Sun DS, you run the idsconfig command (/usr/lib/ldap/idsconfig), which helps configure the server with things like a client profile and appropriate access permissions (e.g. compare password). It will also help configure a proxy account. Sun LDAP clients should NOT need a proxy account. Linux clients would need the proxy account.
LDAP native solaris 10 server - client
Hi,
Can someone give me a link or instructions on how to configure Solaris 10 as a native LDAP server? I also need a client that will run on Solaris 10.
I did follow PeterVG's post, but I have tried so many times that I need to do a clean install and get it going from scratch.
Anyway, what I did:
On the server:
a. Set the domain, add hosts, install pkgs, and run directoryserver setup (it gives me a warning saying that I have an already installed instance, but I keep on trying).
b. Run idsconfig => this part goes without problem.
When I go to try to add a client with hostA.ldif as:
dn: cn=hou-sol-dev,ou=hosts,dc=qatestit,dc=com
changetype: add
cn: qates001
iphostnumber: 10.38.133.124
objectclass: top
objectclass: device
objectclass: ipHost
it goes and gives me ldap_add: No such object.
And of course, when I go to the client and try to run
ldapclient -v init ... with the server information, it gives me a failure, with some old dc=domain (which I have changed later).
If anybody can help, I really appreciate it.
thank you,
./antonio/.
I finally got it working. I think my problem was that I was copying and pasting the /etc/pam.conf from Gary's guide into the pam.conf file.
There were unseen carriage returns mucking things up. So following a combination of the two docs worked. Starting with:
http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
Then following the steps at "Authentication Option #1: LDAP PAM configuration " from this doc:
http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
for the pam.conf, got things working.
Note: ensure that your user has the shadowAccount value set in the objectClass.
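The hostA.ldif above names a parent, ou=hosts,dc=qatestit,dc=com, that has to exist before the add, or the server answers ldap_add: No such object; it also puts cn=hou-sol-dev in the DN while the entry's only cn value is qates001, and RFC 4512 requires the RDN value to be present in the entry, so a server that enforces this returns a naming violation. The pre-flight check below is an added example, not the poster's code: it parses an add-only LDIF, walks the entries in file order (a parent added later in the same file does not help an earlier child) and reports both conditions. The LDIF and the list of DNs assumed to already exist on the server are constructed for the example.

```python
"""Pre-flight an LDIF add batch before handing it to ldapadd/ldapmodify.

Reports entries whose parent DN does not exist yet (server: No such object)
and entries whose RDN value is not among their attribute values (naming
violation).  Added example, not from the post; EXISTING_DNS is an
assumption about what the server already holds and SAMPLE_LDIF is
constructed after the hostA.ldif in the post.
"""

EXISTING_DNS = {
    "dc=qatestit,dc=com",
    "ou=People,dc=qatestit,dc=com",
}

# Constructed: the first entry's parent ou=hosts is only added afterwards,
# and its RDN cn=hou-sol-dev does not match its cn attribute.
SAMPLE_LDIF = """\
dn: cn=hou-sol-dev,ou=hosts,dc=qatestit,dc=com
changetype: add
cn: qates001
iphostnumber: 10.38.133.124
objectclass: top
objectclass: device
objectclass: ipHost

dn: ou=hosts,dc=qatestit,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: hosts

dn: cn=qates002,ou=hosts,dc=qatestit,dc=com
changetype: add
cn: qates002
iphostnumber: 10.38.133.125
objectclass: top
objectclass: device
objectclass: ipHost
"""


def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines, continuation lines (leading space) folded back.  Base64 ('::')
    values are not decoded.  Returns [(dn, {attr_lower: [values]})]."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                records.append(current)
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    parsed = []
    for lines in records:
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        parsed.append((dn, attrs))
    return parsed


def normalize_dn(dn):
    """Case-fold and strip whitespace so DNs compare as the server sees them."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    return normalize_dn(dn.split(",", 1)[1]) if "," in dn else ""


def rdn_parts(dn):
    """First RDN as [(attr_lower, value)]; '+' multi-valued RDNs are split."""
    first = dn.split(",", 1)[0]
    return [(a.strip().lower(), v.strip())
            for a, _, v in (p.partition("=") for p in first.split("+"))]


def preflight(ldif_text, existing_dns):
    """Return [(dn, problem)] for every add entry the server would refuse."""
    known = {normalize_dn(d) for d in existing_dns}
    problems = []
    for dn, attrs in parse_ldif(ldif_text):
        if attrs.get("changetype", ["add"])[0].lower() != "add":
            continue
        if parent_dn(dn) not in known:
            problems.append((dn, "parent %s does not exist yet (No such object)"
                             % parent_dn(dn)))
        for attr, value in rdn_parts(dn):
            present = [v.lower() for v in attrs.get(attr, [])]
            if value.lower() not in present:
                problems.append((dn, "RDN %s=%s is not among the entry's %s "
                                 "values (naming violation)" % (attr, value, attr)))
        known.add(normalize_dn(dn))  # later entries may hang below this one
    return problems


if __name__ == "__main__":
    for dn, problem in preflight(SAMPLE_LDIF, EXISTING_DNS):
        print(dn, "->", problem)
```

Reordering the file so ou=hosts comes first clears the first finding; the second needs the DN and the cn attribute brought into agreement.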
Hello All
We are in the process of migrating to LDAP.
Right now I have a DSEE 6.1 using sasl/digest-md5 as the authentication mechanism.
Sudo 1.6.8p12 is installed and was working until I moved all the local users to DS.
When I try to sudo, it asks me for a password three times and then drops out, stating that the password is invalid.
But, at the same time, I'm able to authenticate using ssh.
Any ideas?
This is still an issue.
Using the same pam.conf from Solaris 8 and 9 on a Solaris 10 does not result in the same behaviour.
I can log in to the system, but when using sudo I get the following message:
$ sudo su -
Password:
su: unable to set credentials
My /etc/pam.conf looks like:
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass debug
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth binding pam_unix_auth.so.1 server_policy
dtlogin auth required pam_ldap.so.1 use_first_pass debug
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1 use_first_pass debug
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1 use_first_pass debug
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth binding pam_unix_auth.so.1 server_policy
dtsession auth required pam_ldap.so.1 debug
other auth requisite pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
passwd auth binding pam_passwd_auth.so.1 debug server_policy
passwd auth required pam_ldap.so.1 try_first_pass debug
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account binding pam_unix_account.so.1 server_policy
login account required pam_ldap.so.1 debug
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account binding pam_unix_account.so.1 server_policy
dtlogin account required pam_ldap.so.1 debug
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1 server_policy
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1 debug
ppp session required pam_unix_session.so.1
other session required pam_unix_session.so.1
other session required pam_mkhomedir.so.1 skel=/etc/skel umask=0022
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password sufficient pam_authtok_store.so.1 server_policy debug
other password required pam_ldap.so.1 debug
Any ideas?
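As an added example (not the poster's code and not anything shipped with Solaris), here is a small linter for a pam.conf that catches two things a Solaris 8/9 file tends to carry into Solaris 10: an auth stack with no pam_unix_cred.so.1, the module that implements pam_setcred() on Solaris 10 and whose absence is a known cause of su reporting "unable to set credentials", and a service name one keyboard slip away from a real one, which silently builds a stack for a service nobody logs in through. The file embedded in the block is constructed in the shape of the file above, with one misspelled service name added on purpose so the second check has something to find.

```python
"""Lint a Solaris-style /etc/pam.conf for two pitfalls that bite when a
Solaris 8/9 file is carried over to Solaris 10:

1. an auth stack with no pam_unix_cred.so.1, which on Solaris 10 implements
   pam_setcred(); su and sudo then fail with "unable to set credentials";
2. a service name one keyboard slip away from a real one, so the line
   quietly forms a stack for a service nobody ever logs in through.

Added example, not code from the post.  SAMPLE_PAM_CONF is constructed in
the shape of the file in the post, with one misspelled service on purpose.
"""
from collections import defaultdict

SAMPLE_PAM_CONF = """\
# constructed sample, not any real system's file
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
login account requisite pam_roles.so.1
login account binding pam_unix_account.so.1 server_policy
loign account required pam_ldap.so.1 debug
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1 debug
other session required pam_unix_session.so.1
"""


def parse_pam_conf(text):
    """Return ([(service, type, control, module, options)], [malformed]).
    Comments and blank lines are skipped; a line with fewer than four
    fields cannot be a stack entry and is reported as malformed."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            malformed.append((lineno, raw))
            continue
        service, mtype, control = (f.lower() for f in fields[:3])
        entries.append((service, mtype, control, fields[3], fields[4:]))
    return entries, malformed


def auth_stacks_without_unix_cred(entries):
    """Services whose auth stack never calls pam_unix_cred.so.1."""
    modules = defaultdict(set)
    for service, mtype, _control, module, _options in entries:
        if mtype == "auth":
            modules[service].add(module)
    return sorted(s for s, mods in modules.items()
                  if "pam_unix_cred.so.1" not in mods)


def _one_edit_apart(a, b):
    """True if a and b differ by one substitution, one inserted or deleted
    character, or a swap of two adjacent characters."""
    if a == b:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        if len(diff) == 2 and diff[1] == diff[0] + 1:
            i = diff[0]
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def suspicious_service_names(entries):
    """(rare name, common name) pairs where the rare name is one edit away
    from a name used on more lines: almost certainly a typo."""
    counts = defaultdict(int)
    for entry in entries:
        counts[entry[0]] += 1
    suspects = []
    for name, n in counts.items():
        for other, m in counts.items():
            if m > n and _one_edit_apart(name, other):
                suspects.append((name, other))
                break
    return sorted(suspects)


def lint(text):
    """Run every check and return the findings keyed by check name."""
    entries, malformed = parse_pam_conf(text)
    return {
        "malformed": malformed,
        "auth_without_unix_cred": auth_stacks_without_unix_cred(entries),
        "suspicious_services": suspicious_service_names(entries),
    }


if __name__ == "__main__":
    for check, findings in lint(SAMPLE_PAM_CONF).items():
        print("%-24s %s" % (check, findings))
```

On a real box, lint(open("/etc/pam.conf").read()) runs the same checks; sudo and su go through the "other" stack unless a dedicated service is defined, so that stack is the one to look at first.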
Solaris 10 client - ldap_search: Can't connect to LDAP server
Hello
I have following configuration:
- openLDAP server in Solaris 10 zone called ldap
- native LDAP client in different Solaris 10 zone called mail on the same SPARC machine
I can't get ldapsearch results after ldapclient initialization.
[root@mail ~]# ldapsearch -b dc=pov,dc=pl objectclass=*
ldap_search: Can't connect to the LDAP server - Connection refused
But I am able to get data from LDAP server if address of the server is specified:
[root@mail ~]# ldapsearch -b dc=pov,dc=pl -h 192.168.1.40 objectclass=*
version: 1
dn: ou=users,dc=pov,dc=pl
objectClass: organizationalUnit
ou: Users
Here is ldapclient config:
[root@mail ~]# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.1.40
NS_LDAP_SEARCH_BASEDN= dc=pov,dc=pl
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
What am I missing?
Hi, I'm no expert but I will try to help you. Are you still working on this?
This is what my stuff looks like:
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
[root@light migration]# cat user00.ldif
dn: uid=user00,ou=People,dc=deathnote,dc=net
uid: user00
cn: user00
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 805
gidNumber: 501
homeDirectory: /home/user00
gecos: ldap user
Also update your hosts file and add your server to the domain.
I hope this helps.
Edited by: CyberNinja on Oct 22, 2011 12:37 PM
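The profile above is worth comparing with the first thread on this page: there pam_ldap logged AuthType=0 and then "pam_ldap: no legal authentication method configured", while this profile carries NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple. As I read pam_ldap(5), the module takes its method from the pam_ldap service entry and otherwise falls back to NS_LDAP_AUTH, and refuses to run when that leaves only none. The checker below is an added example, not code from either poster, and applies exactly that rule to the text that ldapclient list prints; the two profiles embedded in it are constructed (example domains, a made-up hashed proxy password). It also warns about plain simple, which sends the user's password without TLS, where tls:simple would not.

```python
"""Check a Solaris native LDAP client profile, as printed by `ldapclient
list`, for what pam_ldap.so.1 needs before it can bind as the user.

Added example, not code from either post.  Assumptions: pam_ldap takes its
method from NS_LDAP_SERVICE_AUTH_METHOD for the pam_ldap service and
otherwise from NS_LDAP_AUTH; if that leaves only "none" it cannot
authenticate anybody.  A profile at credential level proxy also needs a
bind DN and password.  Both profiles below are constructed.
"""

# Constructed after the working profile in the "Can't connect" thread.
WORKING_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=example,dc=net
NS_LDAP_BINDPASSWD= {NS1}0123456789abcdef
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=example,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=example,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=example,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
"""

# Constructed anonymous profile with no method for pam_ldap at all: the
# shape that makes pam_ldap log "no legal authentication method configured".
BROKEN_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.1.40
NS_LDAP_SEARCH_BASEDN= dc=example,dc=pl
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
"""


def parse_ldapclient_list(text):
    """Map each NS_LDAP_* key to the list of values printed for it; keys
    such as NS_LDAP_SERVICE_SEARCH_DESC legitimately repeat."""
    profile = {}
    for raw in text.splitlines():
        if "=" not in raw:
            continue
        key, value = raw.split("=", 1)
        profile.setdefault(key.strip(), []).append(value.strip())
    return profile


def _split_methods(spec):
    """'tls:simple;sasl/DIGEST-MD5' -> ['tls:simple', 'sasl/DIGEST-MD5']"""
    return [m.strip() for m in spec.split(";") if m.strip()]


def service_auth_methods(profile, service):
    """Methods listed for one service, e.g. 'pam_ldap:tls:simple' -> ['tls:simple']."""
    methods = []
    for entry in profile.get("NS_LDAP_SERVICE_AUTH_METHOD", []):
        svc, _, spec = entry.partition(":")
        if svc.strip() == service:
            methods.extend(_split_methods(spec))
    return methods


def effective_pam_ldap_auth(profile):
    """Methods pam_ldap will actually try, with 'none' filtered out."""
    methods = service_auth_methods(profile, "pam_ldap")
    if not methods:
        for spec in profile.get("NS_LDAP_AUTH", []):
            methods.extend(_split_methods(spec))
    return [m for m in methods if m.lower() != "none"]


def check_profile(text):
    """Return {'methods': [...], 'problems': [...], 'warnings': [...]}."""
    profile = parse_ldapclient_list(text)
    methods = effective_pam_ldap_auth(profile)
    problems, warnings = [], []
    if not methods:
        problems.append("no authentication method for pam_ldap: NS_LDAP_AUTH is "
                        "none and no NS_LDAP_SERVICE_AUTH_METHOD pam_ldap:... is set")
    level = profile.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0]
    if level == "proxy":
        for key in ("NS_LDAP_BINDDN", "NS_LDAP_BINDPASSWD"):
            if key not in profile:
                problems.append("credential level proxy but %s is missing" % key)
    # Plain 'simple' is a cleartext bind; only tls:simple protects the password.
    if any(m.lower() == "simple" for m in methods):
        warnings.append("pam_ldap uses plain 'simple': user passwords cross the "
                        "network in the clear; prefer tls:simple")
    return {"methods": methods, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    for name, text in (("working", WORKING_PROFILE), ("broken", BROKEN_PROFILE)):
        print(name, check_profile(text))
```

To run it against a live client, feed it the output of ldapclient list; the proxy credential and the pam_ldap service method are set with ldapclient mod -a on Solaris 10 or through the network/ldap/client service properties on Solaris 11.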