Ldap client in Solaris using TLS

I have installed an OpenLap server (version 2.2.13-2) in a Red Hat ES 4.
My LDAP clients are
- Linux (redhat and mandriva)
- Solaris 8 (with the last recommended path and 10893-62 path for ldapv2)
- Tru64 (5.1B)
If a use simple authentification all works fine (search in LDAP,
authentification and automount).
However, when I use TLS the Solaris LDAP client doesn't seem to work.
When I run the LDAP client the process freeze
With my Linux and Tru64 clients all work fine using LS.
I have downloaded the certificates from my LDAP server using Netscape browser.
I have copied cert7.db and key3.db in the "/var/ldap/directory" with a
"chmod 644" in this files.
I can do a "ldapsearch -x -ZZ objectclass=*" and this returns data.
The last logs of the ldap_cachemgr are:
Mon Nov 20 09:34:46.4425 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
If I do a truss when I launch the client the
result was this:
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
This is my ldap_client_file:
# Do not edit this file manually; your changes will be lost.Please use
ldapclient (1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= srvldap
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
NS_LDAP_PROFILE= tls_profile
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Users,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Users,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home:
automountMapName=auto_home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:
automountMapName=auto_master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.home:
nisMapName=auto.home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.master:
nisMapName=auto.master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
I have launched ethereal so see network communications with my Solaris 8 client and the LDAP server.
And with this configuration the Solaris box only communicates with the LDAP server using LDAP port 389 and not LDAPS port 636.
I have done the same test with a linux and tru64 box and they use LDAPS port 636 to communicate with my LDAP server.
Does anyone have an idea on getting Solaris using TLS/SSL?
Thanks.

LDAP Setup and Configuration Guide
Solaris 8 2/04 Update Collection > LDAP Setup and Configuration Guide > 1. Overview > Solaris Name Services
[http://docs.sun.com/app/docs/doc/806-5580/6jej518ou?l=en&a=view&q=solaris+8+ldap]
Download this book in PDF (557 KB)
[http://dlc.sun.com/pdf/806-5580/806-5580.pdf]

Similar Messages

Hi Can anyone guide me configure LDAP client in solaris 8 server.

Hi,
I am already having the solaris 8 LDAP master server. We have new server which i need to confgure as a client to that master server.
Can any one help me to configure the same.
Thanks in Advance....
Bala......

LDAP Setup and Configuration Guide
Solaris 8 2/04 Update Collection > LDAP Setup and Configuration Guide > 1. Overview > Solaris Name Services
[http://docs.sun.com/app/docs/doc/806-5580/6jej518ou?l=en&a=view&q=solaris+8+ldap]
Download this book in PDF (557 KB)
[http://dlc.sun.com/pdf/806-5580/806-5580.pdf]

LDAP client for solaris 9 with ds5.2 on other box

Hi
I have ds5.2 installed on Box1. I am trying to configure ldapclient on solaris 9 box. I want this to point to existing ldap server for authentication. Sun documentation is not clear about how to do that ? as some of the switches mentioned with ldapclient doesn't work. Most of the solutions I saw are on integrated solaris 9 ds server configuration. e.g idsconfig etc. I am not finding how to do basic authentication of solaris9 cient with any ldap server (ds5.2) installed on some other box.

The syntax of ldapclient changed in Solaris 9 (at least by 9 12/03). You now specify it like this:
# ldapclient -v init -a profileName=cn=myProfile,ou=profile,dc=example,dc=comIf you're using Proxy Authentication add the following:
-a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com -a proxyPassword=ClearTextPWYou should have been able to create a profile (storing it in the DIT) when you ran idsconfig. If you took the default name of "default" (cn=default,ou=profile,dc=example,dc=com) you might not even have to specify the profile name to ldapclient.
To generate a new profile and store it in the DIT use:
$ ldapclient -vgenprofile -a profileName=cn=myProfile,ou=profile,dc=example,dc=com -a defaultSearchBase=dc=example,dc=com ...With your various attributes for your profile as specified in ldapclient(1M).
As for pam, you have to decide which you're going to use: pam_unix or pam_ldap. Note that the Solaris pam_ldap is very different from the PADL pam_ldap used under Linux and elsewhere (this makes it easy to find apparently conflicting advice).

Solaris 7 ldap client setup

Hi,
Please any one can help me in setting ldap client for solaris 7 guidelines or any website or docs help.
Thanking you,
Naren

hi mukherjee,
you can configure both solaris 8 and 9 as ldapclient to sunone 5.2 installed on solaris 9 box. make sure i think you cannot configure client on same maching on which directory server is installed.
No my question is how to setup ldapclient on solaris 6 andsolaris 7. as both does not support ldap. like solaris 7 has no nsswitch.ldap. can you provide me details to configure solaris7 as ldap client
PATEL

Solaris ldap client problem (tls:simple + anonymous)

Hi All,
I've installed Directory Server 6.3.1 and it works just fine,
but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
More detail.
Profile:
dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
authenticationmethod: tls:simple
bindtimelimit: 10
cn: sslnoproxyuser
credentiallevel: anonymous
defaultsearchbase: dc=domain,dc=com
defaultsearchscope: one
defaultserverlist: servername.domain.com
followreferrals: TRUE
objectclass: top
objectclass: DUAConfigProfile
preferredserverlist: servername.domain.com
profilettl: 43200
searchtimelimit: 30
Ldapclient output:
bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
Parsing profileName=sslnoproxyuser
Arguments parsed:
profileName: sslnoproxyuser
defaultServerList: servername.domain.com
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
rootDN[0] dc=domain,dc=com
found baseDN dc=domain,dc=com for domain domain.com
Proxy DN: NULL
Proxy password: NULL
Credential level: 0
Authentication method: 3
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "domain.com"
file_backup: stat(/var/yp/binding/domain.com)=-1
file_backup: No /var/yp/binding/domain.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: network/ldap/client:default... maintenance
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: network/ldap/client:default... restoring from maintenance state
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "domain.com"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/domain.com)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
*/var/ldap/cachemgr.log*
Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
Any ideas?
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07

Hi ,
yes I use it.
Here is my pam.conf:
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
# rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1
other account required pam_ldap.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

Solaris 10 - ldap client - tls/ssl - password change

we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
passwd -r user1
passwd: Changing password for user1
passwd: Sorry, wrong passwd
Permission denied
where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
any ideas will be highly appreciated.

Not that it helps any but I am getting his same error. I am also using 6.3.1

Has anyone set up a Solaris 7 LDAP client to use with iPlanet DS 5.0? I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

I am trying Not to have 3 separate versions of LDAP in my environment (iDS5,Native Solaris LDAP,OpenLDAP). Can anyone point me to some DETAILED instructions to get an LDAP client (not server) running on Solaris 7?

Hi,
While U try to upgrade solaris it first tries to check the installed softtware & application and patch's specific to the exsisting version b'coz these patch are specific to version in most cases.Since in Ur case the authentication is done in ldap it would become bit of a mess if U upgrade.

Has anyone set up a Solaris 8 LDAP client to use with iPlanet DS 5.0? I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

help with client
error on ldap_client_file
ldap_client_cred

Hi,
Yes it can be done provided U've given proper information during configuring.The sun machine which is to be used as a client should be installed as a ldap client "at the time of installation ldap client option should be chosen.

LDAP client with TLS

LDAP gurus
I'm having problems to setup LDAP client to use TLS:SIMPLE. SIMPLE and SASL/DIGEST-MD5 are working fine (with or without Proxy).
For some reason, a self-certified certification is not acceptable by the client (TLS certificate verification: Error, self signed certificate).
Certificate is located at /var/ldap/cert8.db
Client is Sun LDAP Native.
[SunOS 5.10/bash] root@wgls01:/root
# /usr/local/bin/ldapsearch -Z -H ldaps://wgtsinf01:1636 -v -d 65535
ldap_initialize( ldaps://wgtsinf01:1636 )
ldap_create
ldap_url_parse_ext(ldaps://wgtsinf01:1636)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP wgtsinf01:1636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.64.47.50:1636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=124, written=124
0000: 80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00   .z....Q... ..9..
0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0   8..5............
0020: 00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03   ..3..2../.......
0030: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00   ................
0040: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08   ......@.........
0050: 00 00 06 04 00 80 00 00 03 02 00 80 5b ca 46 06   ............[.F.
0060: 60 e0 bc 9e a2 af 25 a2 55 0a 53 e7 f0 1a fc 6e   `.....%.U.S....n
0070: c6 7b de f1 79 7e b1 ce 15 14 1a 8e               .{..y~......
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 16 03 01 03 b3 02 00                               .......
tls_read: want=945, got=945
0000: 00 46 03 01 46 b2 73 ba 42 d1 b3 35 54 a1 26 f8   .F..F.s.B..5T.&.
0010: 76 87 77 90 c1 92 c3 e4 88 a0 47 bc cc 52 01 bb   v.w.......G..R..
0020: 34 85 b1 2d 20 46 b2 73 ba cd 16 16 a6 e6 9a a3   4..- F.s........
0030: c2 af 1b 60 ed e7 0d ad 32 69 0d c3 41 64 31 4e   ...`....2i..Ad1N
0040: 3e ff bd c4 0a 00 16 00 0b 00 01 ae 00 01 ab 00   >...............
0050: 01 a8 30 82 01 a4 30 82 01 0d 02 04 46 ad 48 df   ..0...0.....F.H.
0060: 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30   0...*.H........0
0070: 19 31 17 30 15 06 03 55 04 03 13 0e 77 67 74 73   .1.0...U....wgts
0080: 69 6e 66 30 31 3a 31 33 38 39 30 1e 17 0d 30 37   inf01:13890...07
0090: 30 37 33 30 30 32 31 31 34 33 5a 17 0d 30 39 30   0730021143Z..090
00a0: 37 32 39 30 32 31 31 34 33 5a 30 19 31 17 30 15   729021143Z0.1.0.
00b0: 06 03 55 04 03 13 0e 77 67 74 73 69 6e 66 30 31   ..U....wgtsinf01
00c0: 3a 31 33 38 39 30 81 9f 30 0d 06 09 2a 86 48 86   :13890..0...*.H.
00d0: f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81   ...........0....
00e0: 81 00 a9 f7 de 93 85 50 13 6b a1 18 96 3d 00 2d   .......P.k...=.-
00f0: 64 5d a9 65 72 33 c3 44 b6 1e 0e 6b b8 4b e0 a4   d].er3.D...k.K..
0100: 0a 6b 7f 4f 1a ae f3 d7 8e ed 8e fd c7 d0 48 b1   .k.O..........H.
0110: f0 45 2d 74 52 a9 d1 fd d4 89 ad 64 d9 82 6b e9   .E-tR......d..k.
0120: 73 b1 55 cb 38 20 06 e6 4f a3 d3 f2 0b a1 5b 2e   s.U.8 ..O.....[.
0130: b4 43 bc 9a 93 e6 b7 47 dd 58 f2 cb 59 17 8a c0   .C.....G.X..Y...
0140: 13 aa 8a 5f ef 11 33 c7 02 53 d8 b1 20 e3 5b 6d   ..._..3..S.. .[m
0150: 4f ea 4f a6 9d 02 d2 39 69 ed e0 b9 70 d9 51 50   O.O....9i...p.QP
0160: 4e 2b 02 03 01 00 01 30 0d 06 09 2a 86 48 86 f7   N+.....0...*.H..
0170: 0d 01 01 04 05 00 03 81 81 00 02 d6 e1 3d f7 41   .............=.A
0180: 64 69 c5 f3 b7 77 93 99 10 80 4d aa b9 1f 7a 28   di...w....M...z(
0190: c2 33 4e 42 d2 47 7c 53 00 6e 7d 13 3b e3 56 19   .3NB.G|S.n}.;.V.
01a0: 35 93 4b 6d cd 4c 52 57 aa ba e2 f6 e0 46 a4 f2   5.Km.LRW.....F..
01b0: 5c a7 be be b2 40 6f 9a 33 f0 dc b5 de 55 3c 8e   \[email protected]<.
01c0: 2a 19 15 eb 6c 6f 03 ef a5 c1 01 e3 d6 10 b7 64   *...lo.........d
01d0: 7d dd 24 87 60 a7 e3 5f 24 a1 ea 0a 66 fa d4 49   }.$.`.._$...f..I
01e0: 71 65 21 53 94 ad be 0c b9 52 b6 78 67 87 b8 38   qe!S.....R.xg..8
01f0: 11 59 b2 47 b6 c9 23 f8 d8 cc 0c 00 01 89 00 80   .Y.G..#.........
0200: f4 88 fd 58 4e 49 db cd 20 b4 9d e4 91 07 36 6b   ...XNI.. .....6k
0210: 33 6c 38 0d 45 1d 0f 7c 88 b3 1c 7c 5b 2d 8e f6   3l8.E..|...|[-..
0220: f3 c9 23 c0 43 f0 a5 5b 18 8d 8e bb 55 8c b8 5d   ..#.C..[....U..]
0230: 38 d3 34 fd 7c 17 57 43 a3 1d 18 6c de 33 21 2c   8.4.|.WC...l.3!,
0240: b5 2a ff 3c e1 b1 29 40 18 11 8d 7c 84 a7 0a 72   .*.<..)@...|...r
0250: d6 86 c4 03 19 c8 07 29 7a ca 95 0c d9 96 9f ab   .......)z.......
0260: d0 0a 50 9b 02 46 d3 08 3d 66 a4 5d 41 9f 9c 7c   ..P..F..=f.]A..|
0270: bd 89 4b 22 19 26 ba ab a2 5e c3 55 e9 2f 78 c7   ..K".&...^.U./x.
0280: 00 01 02 00 80 7c 11 c6 db 8a 23 1b 2d a3 e3 5d   .....|....#.-..]
0290: f0 30 4c 20 35 c1 95 fc 71 eb c2 92 00 02 a9 05   .0L 5...q.......
02a0: c5 10 4e 75 ef ca 35 aa bb 38 14 fa 38 c3 71 e4   ..Nu..5..8..8.q.
02b0: 16 a4 87 d5 2f e7 a5 7c b4 b8 a0 ee cf 53 ab c2   ..../..|.....S..
02c0: 6b f4 79 59 d5 f9 07 70 77 97 89 eb b6 c6 74 df   k.yY...pw.....t.
02d0: 26 57 5c 42 1a 95 13 e3 c5 28 b7 6c c2 6f 2e 65   &W\B.....(.l.o.e
02e0: 5d c3 c8 a9 cf 8e 09 cc aa 42 eb f7 a7 3b c3 5d   ]........B...;.]
02f0: be cd e3 71 2b 46 a2 80 72 a3 48 ae 52 b4 ce c2   ...q+F..r.H.R...
0300: 69 1f 40 e7 94 00 80 03 b2 a4 66 2f 34 c1 60 46   [email protected]/4.`F
0310: 05 9d 83 7f f9 75 29 07 36 60 8b b0 ae 1c ce e8   .....u).6`......
0320: 5f b4 0e 26 54 1c 31 b7 94 e2 58 6e 33 76 ce 19   _..&T.1...Xn3v..
0330: e0 07 f5 ca cc a9 d3 53 d5 22 4a 3a 31 15 f4 7e   .......S."J:1..~
0340: 34 ba 3b 92 c0 ec 75 8e 0f d8 e4 44 23 91 70 cb   4.;...u....D#.p.
0350: d9 f9 40 ac 7c 0e 97 27 1d 24 b5 ff f2 13 bd 64   ..@.|..'.$.....d
0360: aa 10 40 1c 68 6f b2 87 14 c2 ef 88 bb 9c 88 24   [email protected].........$
0370: 5f 6b 9e c5 2b fb c2 d1 b3 ce 6e 8d b7 57 bf 88   _k..+.....n..W..
0380: ee b9 fd d6 f3 a0 f3 0d 00 00 22 02 01 02 00 1d   ..........".....
0390: 00 1b 30 19 31 17 30 15 06 03 55 04 03 13 0e 77   ..0.1.0...U....w
03a0: 67 74 73 69 6e 66 30 31 3a 31 33 38 39 0e 00 00   gtsinf01:1389...
03b0: 00                                                 .
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /CN=wgtsinf01:1389, issuer: /CN=wgtsinf01:1389
TLS certificate verification: Error, self signed certificate
tls_write: want=7, written=7
0000: 15 03 01 00 02 02 30                               ......0
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS:
    supportedSASLMechanisms
ldap_send_initial_request
ldap_send_server_request
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failedAny ideas?
Andreas

Hello David,
Let's follow your suggestion and try to put Solaris 10 use TLS:SIMPLE now. Sorry for the extreme long log entries but I tried to capture everything during the authentication process.
My client has an IP address of 10.64.47.11 and the DS server is using the IP address of 10.64.47.50.
a) Sun native LDAP configurations:
[SunOS 5.10/bash] root@wgls01:/var/ldap
# ls -la *db
-rw-r--r--   1 root     root       65536 Aug 8 14:46 cert8.db
-rw-r--r--   1 root     root       32768 Aug 8 14:46 key3.db
-rw-------   1 root     root       32768 Aug 2 16:56 secmod.db
[SunOS 5.10/bash] root@wgls01:/var/ldap
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
NS_LDAP_BINDPASSWD= {NS1}41fa88f3a945c411
NS_LDAP_SERVERS= wgtsinf01.nz.thenational.com
NS_LDAP_SEARCH_BASEDN= dc=nz,dc=thenational,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SERVER_PREF= wgtsinf01.nz.thenational.com
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nz,dc=thenational,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=nz,dc=thenational,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=nz,dc=thenational,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=nz,dc=thenational,dc=com?one
NS_LDAP_BIND_TIME= 30
b) Output from DSEE6.1 error log file:
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=Hosts,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=ipHost)(ipHostNumber=10.64.47.58))" attrs="cn ipHostNumber"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0xb
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=Hosts,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=ipHost)(ipHostNumber=10.64.47.58))" attrs="cn ipHostNumber"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0xb
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=group,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixGroup)(memberUid=p642929))" attrs="cn gidNumber userPassword memberUid"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x1000
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2002
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=5 attrsonly=0 filter="(|(objectClass=*)(objectClass=ldapSubEntry))" attrs="1.1"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:52 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:52 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs=ALL
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:54 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - cos_cache_vattr_types: failed to get class of service reference
[13/Aug/2007:12:00:54 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:54 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=30 attrsonly=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=shadowAccount)(uid=p642929))" attrs="uid userPassword shadowFlag"
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="ou=People,dc=nz,dc=thenational,dc=com" scope=1 deref=3 sizelimit=0 timelimit=30 attrsonly=0 filter="(&(objectClass=posixAccount)(uid=p642929))" attrs=ALL
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 -     be: 'dc=nz,dc=thenational,dc=com' indextype: "eq" indexmask: 0x2042
[13/Aug/2007:12:00:55 +1200] - DEBUG - conn=-1 op=-1 msgId=-1 - cos_cache_vattr_types: failed to get class of service reference
[13/Aug/2007:12:00:55 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : nz
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:55 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=30 attrsonly=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree selected backend : frontend-internal
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter(-1)
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - <= roles_filter_rewriter_cleanup
[13/Aug/2007:12:00:56 +1200] - INFORMATION - conn=-1 op=-1 msgId=-1 - mapping tree release backend : frontend-internal
[13/Aug/2007:12:00:56 +1200] - INFORMATION - roles-plugin - conn=-1 op=-1 msgId=-1 - => roles_filter_rewriter_cleanup
[13

Ldap authentication on solaris 8 client

I have directory server 6.0 set up on solaris 9 system. I convert a Solaris 8 system to be a ldap client. However, I can use ssh to authentication against LDAP server. Here is the output I got:
# ssh -v user@localhost
SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.
host: Reading configuration data /etc/ssh_config
host: ssh_connect: getuid 0 geteuid 0 anon 0
host: Allocated local port 1023.
host: Connecting to 127.0.0.1 port 22.
host: Connection established.
host: Remote protocol version 1.5, remote software version 1.2.27
host: Waiting for server public key.
host: Received server public key (768 bits) and host key (1024 bits).
host: Forcing accepting of host key for localhost.
host: Host '127.0.0.1' is known and matches the host key.
host: Initializing random; seed file /root/.ssh/random_seed
host: Encryption type: idea
host: Sent encrypted session key.
host: Installing crc compensation attack detector.
host: Received encrypted confirmation.
host: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
host: Server refused our rhosts authentication or host key.
host: No agent.
host: Doing password authentication.
[email protected]'s password:
Permission denied.
This is the pam.conf I use:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
ppp auth required pam_unix_auth.so.1
Not sure why Solaris 8 can't authentication with LDAP server. I have applied the patch 108993-67. Also, su and telnet can work with LDAP but not 'ftp' and 'ssh'.
Any ideas?

No, my problem seems different.
The authentication between ldap client and server is through tls:simple. Also, exact same configuration can work with Solaris 9 client, but not Solaris 8 client. Furthur checks on ssh on Solaris 8, the ssh is 'SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
Standard version. Does not use RSAREF.'. But on a Solaris 9 client, the ssh is 'SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.' Not sure why the Solaris 8 ssh can't work with ldap authentication.
Thanks,
--xinhuan

LDAP setup with SSL - Can't use tls auth type

I'm trying to configure Solaris 10 to use ldap against my OpenLDAP server with SSL but whenever I try to set the authentication as tls:simple, it gives me an error :
# ldapclient mod -a authenticationMethod=tls:simple
Cannot specify LDAP port with tls
# ldapclient mod -a authenticationMethod=tls
Unable to set value: invalid authenticationMethod (tls)
Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
NS_LDAP_SERVERS= 10.10.1.14:636
NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SERVER_PREF= 10.10.1.14:636
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
Thanks,
Jay

When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
Also, you need to setup up your client to use FQN as well (/etc/hosts).

Ldap client with directory server 6.0 on solaris 9 systems

I have a directory server 6.0 running on a solaris 9 system. I have set up idsconfig, vlvindex and certificate database on the server side. The client ldap I am trying to set up is also solaris 9 system. I have set the certificate database on this ldap client using the Resource Kit certutil and import the server certificate to client certificate database. It seems the TLS secure connection did work between LDAP server and client. (I use the Resource Kit ldapsearch command to test it) I use 'ldapclient -v init ...' command using 'profileName=tlsprofile' to initialize the LDAP client and the information returned from that command said LDAP client configed sucsessfully. But when I run ldapaddent command to import /etc/passwd. I got error:
Passwd container does not exist.
The ldapaddent command I ran like this:
ldapaddent -v -f <passwd file> -D "cn=Directory Manager" passwd
Then I tried to use 'ldapclient -v manual ....' command to set up LDAP client. That command finishes succefully. But I still can not import /etc/passwd using ldapaddent with same error.
What is wrong with my set-up?
Thanks,
--xinhuan

I looked into the /var/adm/messages, and I have the following error:
ldap_cachemgr[1640]: [ID 605618 daemon.error] libldap: CERT_VerifyCertName: cert server name 'directory server' does not match 'hostname.mycompany.com': SSL connection denied
It seems I have problem with SSL certificate set-up. I did generate the server side 'hostname.mycompany.com' certificate then use the Resource Kit certutil import that certificate to the client side. Is that right way to do?
Thanks,
--xinhuan

Proxy agent in solaris ldap client

Since ldap service provides naming service, that is supposed to be accessed by anyone who needs it, I don't know why we need a proxy agent when we set up solaris ldap client. The anoymous credential level is enough.
Also in order to use proxy agent, this agent needs to have at least read access to all naming entries, including userPassword, encrypted or clear-text. This adds some sort of in-security. While service authentication method "simple" will simply bind to the ldap server using provided password. Of course, you can still add another layer of security by using TLS.
So, can anyone explain this design a little more?
Thanks.

My input on this subject may seem a bit paranoid, but that's what I get paid for, so take this with a gain of salt 8-)
The proxy agent does not need to have read access to the userPassword attribute if you configure your clients to use pam_ldap instead of pam_unix. pam_unix retrieves the userPassword attribute by making a call to getspnam. With pam_ldap, the user dn and password are sent to the directory server in an auth structure, and the directory server will return success or failure to the client for that login attempt. More info on this can be found at http://docs.sun.com, or in the book "LDAP in the Solaris Operating Environment, Deploying Secure Directory Services" by Michael Hains and Tom Bialaski (ISBN 0-13-145693-8) pgs 177-179.
Use of the proxy agent can actually increase the level of security for your directory server. With the proper ACI's in place not allowing anonymous binds to view the data in the tree (or only view a small subset of the tree), you can prevent anyone from dropping a laptop or other device on your network and data mining your LDAP tree for information (ie vendors, guests, etc). That won't stop those same people from snooping the traffic on your network, so the use of secure protocols are the other side of that, but implementing tls:simple authentication for the directory server and clients is not that difficult, and should be considered for any deployment of LDAP for use as a naming server.
I do agree with your assessment that in an environment where anonymous binds are accecptable the use of the proxyagent is probably not warrented, but in my experience having the proxyagent has allowed me to tighten the security of my directory implementation .

Using tls:sasl/DIGEST-MD5 with client authentication

Hi
Have installed a certificate on the server and enabled it. Using Netscape i got the cert7.db and key3.db
These work with ldapsearch with -Z -p options to get data securely through port 636.
But when i copy db file to /var/ldap on the Solaris 8 client, and use a profile with tls:sasl/DIGEST-MD5 or tls:simple
i get :
Mesg: Session error , no avalible connection. And openConnection: sasl/DIGEST-MD5 (or simple) bind failed - Invalid credentials.
Must i use Certificate based Authentication instead?
Like the proxyagent must have a certificate installed. Or is there something that must be done to the cert7.db and key3.db files i got from Netscape?

Im trying to get sasl/DIGEST-MD5 to work with Solaris 9 client. This command work:
ldapsearch -D "" -w test1234 -o mech=DIGEST-MD5 -o authid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -o authzid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -b "dc=net2,dc=kongsberg,dc=com" "(objectclass=*)"
Client configured with this:
ldapclient -v init -a profileName=default -a domainName=net2.kongsberg.com -a proxyDN="cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -a proxyPassword=test1234 172.18.2.19
Profile:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 172.18.2.19
NS_LDAP_SEARCH_BASEDN= dc=net2,dc=kongsberg,dc=com
NS_LDAP_AUTH= sasl/DIGEST-MD5
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
messages log on client:
Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: sasl/DIGEST-MD5 bind failed - Invalid credentials
Jan 14 08:00:32 panzer last message repeated 1 time
Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 7 Mesg: Session error no available conn.
error log on server:
[14/Jan/2004:08:06:47 +0100] conn=1622 op=2 msgId=-1 - closing - U1
[14/Jan/2004:08:06:47 +0100] conn=1623 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.18.2.41 to 172.18.2.19
[14/Jan/2004:08:06:47 +0100] conn=1622 op=-1 msgId=-1 - closed.
[14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
[14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
[14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
Not sure why i get Invalid credentials, the passwords
are stored in CLEAR. And you can see i use the same in ldapsearch and ldapclient.

Solaris 10 LDAP Client: libsldap: Status: 4

Hi everybody.
I changed the configuration in Solaris 10 to restrict the LDAP users who can login to the system.
What I have done is changed the value:
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=sis,dc=personal,dc=net,dc=py?sub?host=<hostname>
Where <hostname> is the respective hostname.
After that, everything works as I expect, but I get a lot of these messages:
sshd[28495] libsldap: Status: 4 Mesg: Service search descriptor for service 'passwd' contains filter, which can not be used for service 'user_attr'.
Should I ignore the messages? This is the nsswitch.conf file:
/etc/nsswitch.conf
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
# /etc/nsswitch.files:
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: files ldap
group: files ldap
hosts: cluster files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: cluster files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
user_attr: files
I added user_attr to nsswitch.conf pointing to files only, refreshed ssh, but the message still appears.
Any suggestions?

What would I do without google?
http://prefetch.net/blog/index.php/2005/01/
I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:
Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
descriptor for service �passwd� contains filter, which can not be used for service �user_attr�.
We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)
Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com.

Ldap client in Solaris using TLS

Similar Messages

Maybe you are looking for