Ldap in solaris 11-11-11

Does LDAP work in Solaris 11?
I am configuring a Solaris 11 system to connect with LDAP. But I am finding out that the configuration file "nsswitch.conf" can't be edited. Edits will be lost.
Can you help me with setting up the LDAP client on this system, "solaris11 x86 11-11-11"?
Our LDAP server is a Solaris 10 SPARC.
Thank you

I didn't have the problem in Solaris 11.11.11.
However, I have this problem in Solaris 11.11.11.1.
In Solaris 5.11 11.1
the LDAP client is in maintenance mode.
I disable the LDAP client,
enable it..
still goes in maintenance mode.
I don't understand what is going on.
# svcs
STATE STIME FMRI
legacy_run 13:29:11 lrc:/etc/rc2_d/S40llc2
legacy_run 13:29:11 lrc:/etc/rc2_d/S47pppd
legacy_run 13:29:11 lrc:/etc/rc2_d/S81dodatadm_udaplt
legacy_run 13:29:11 lrc:/etc/rc2_d/S89PRESERVE
disabled 13:29:00 svc:/system/tsol-zones:default
online 13:28:51 svc:/system/early-manifest-import:default
online 13:28:51 svc:/system/svc/restarter:default
online 13:28:53 svc:/network/sctp/congestion-control:cubic
online 13:28:53 svc:/network/sctp/congestion-control:vegas
online 13:28:53 svc:/network/tcp/congestion-control:newreno
online 13:28:53 svc:/network/tcp/congestion-control:vegas
online 13:28:53 svc:/network/tcp/congestion-control:highspeed
online 13:28:53 svc:/network/tcp/congestion-control:cubic
online 13:28:53 svc:/network/sctp/congestion-control:newreno
online 13:28:53 svc:/network/sctp/congestion-control:highspeed
online 13:28:54 svc:/network/netcfg:default
online 13:28:54 svc:/network/tnctl:default
online 13:28:54 svc:/network/socket-config:default
online 13:28:54 svc:/network/smb:default
online 13:28:54 svc:/system/metainit:default
online 13:28:55 svc:/network/datalink-management:default
online 13:28:55 svc:/system/filesystem/root:default
online 13:28:55 svc:/system/resource-controls:default
online 13:28:55 svc:/system/scheduler:default
online 13:28:56 svc:/system/cryptosvc:default
online 13:28:56 svc:/network/ipsec/ipsecalgs:default
online 13:28:56 svc:/system/boot-archive:default
online 13:28:56 svc:/system/name-service/upgrade:default
online 13:28:58 svc:/network/ip-interface-management:default
online 13:28:58 svc:/network/loopback:default
online 13:28:58 svc:/network/ipmp:default
online 13:28:59 svc:/system/filesystem/usr:default
online 13:28:59 svc:/system/pfexec:default
online 13:28:59 svc:/system/device/local:default
online 13:28:59 svc:/system/devchassis:cleanstart
online 13:29:00 svc:/system/filesystem/minimal:default
online 13:29:00 svc:/system/vbiosd:default
online 13:29:00 svc:/system/metasync:default
online 13:29:00 svc:/system/logadm-upgrade:default
online 13:29:00 svc:/system/rmtmpfiles:default
online 13:29:00 svc:/system/pkgserv:default
online 13:29:00 svc:/network/uucp-lock-cleanup:default
online 13:29:00 svc:/system/security/security-extensions:default
online 13:29:00 svc:/system/rbac:default
online 13:29:00 svc:/system/hostid:default
online 13:29:00 svc:/system/environment:init
online 13:29:00 svc:/system/ca-certificates:default
online 13:29:00 svc:/system/utmp:default
online 13:29:00 svc:/system/resource-mgmt:default
online 13:29:00 svc:/system/filesystem/uvfs-instclean:default
online 13:29:00 svc:/system/zones-monitoring:default
online 13:29:00 svc:/application/opengl/ogl-select:default
online 13:29:00 svc:/application/desktop-cache/docbook-style-xsl-update:default
online 13:29:00 svc:/system/postrun:default
online 13:29:00 svc:/milestone/unconfig:default
online 13:29:00 svc:/milestone/config:default
online 13:29:00 svc:/application/desktop-cache/mime-types-cache:default
online 13:29:01 svc:/application/desktop-cache/pixbuf-loaders-installer:default
online 13:29:01 svc:/application/desktop-cache/input-method-cache:default
online 13:29:01 svc:/system/dbus:default
online 13:29:01 svc:/system/sysevent:default
online 13:29:01 svc:/application/desktop-cache/desktop-mime-cache:default
online 13:29:01 svc:/system/devfsadm:default
online 13:29:01 svc:/application/desktop-cache/gconf-cache:default
online 13:29:01 svc:/network/npiv_config:default
online 13:29:01 svc:/system/manifest-import:default
online 13:29:01 svc:/system/device/fc-fabric:default
online 13:29:01 svc:/system/rad:local
online 13:29:01 svc:/milestone/devices:default
online 13:29:01 svc:/system/coreadm:default
online 13:29:01 svc:/system/config-user:default
online 13:29:01 svc:/system/timezone:default
online 13:29:01 svc:/network/physical:upgrade
online 13:29:01 svc:/system/device/audio:default
online 13:29:01 svc:/network/location:upgrade
online 13:29:02 svc:/application/desktop-cache/docbook-dtds-update:default
online 13:29:03 svc:/application/desktop-cache/docbook-style-dsssl-update:default
online 13:29:03 svc:/system/keymap:default
online 13:29:04 svc:/network/physical:default
online 13:29:04 svc:/system/identity:node
online 13:29:05 svc:/system/picl:default
online 13:29:05 svc:/network/ipsec/policy:default
online 13:29:05 svc:/network/location:default
online 13:29:05 svc:/milestone/network:default
online 13:29:05 svc:/network/iptun:default
online 13:29:05 svc:/network/nis/domain:default
online 13:29:05 svc:/system/fcoe_initiator:default
online 13:29:05 svc:/network/dns/client:default
online 13:29:05 svc:/system/identity:domain
online 13:29:05 svc:/milestone/single-user:default
online 13:29:05 svc:/network/initial:default
online 13:29:05 svc:/network/nfs/fedfs-client:default
online 13:29:05 svc:/network/service:default
online 13:29:05 svc:/network/netmask:default
online 13:29:05 svc:/network/iscsi/initiator:default
online 13:29:06 svc:/system/auditset:default
online 13:29:06 svc:/system/filesystem/local:default
online 13:29:06 svc:/system/cron:default
online 13:29:06 svc:/system/boot-loader-update:default
online 13:29:06 svc:/system/filesystem/ufs/quota:default
online 13:29:07 svc:/network/shares:default
online 13:29:07 svc:/system/power:default
online 13:29:07 svc:/system/consolekit:default
online 13:29:08 svc:/system/boot-archive-update:default
online 13:29:09 svc:/application/desktop-cache/icon-cache:default
online 13:29:09 svc:/system/hal:default
online 13:29:09 svc:/network/rpc/bind:default
online 13:29:09 svc:/network/routing/ndp:default
online 13:29:09 svc:/system/filesystem/rmvolmgr:default
online 13:29:09 svc:/network/nfs/status:default
online 13:29:09 svc:/network/routing-setup:default
online 13:29:09 svc:/network/inetd:default
online 13:29:09 svc:/network/nfs/nlockmgr:default
online 13:29:10 svc:/application/font/fc-cache:default
online 13:29:10 svc:/network/rpc/gss:default
online 13:29:10 svc:/network/rpc/smserver:default
online 13:29:10 svc:/application/x11/xvnc-inetd:default
online 13:29:10 svc:/network/security/ktkt_warn:default
online 13:29:10 svc:/network/rpc/cde-ttdbserver:tcp
online 13:29:10 svc:/network/rpc/cde-calendar-manager:default
online 13:29:10 svc:/system/filesystem/autofs:default
online 13:29:10 svc:/application/cups/scheduler:default
online 13:29:10 svc:/system/dumpadm:default
online 13:29:10 svc:/network/ssh:default
online 13:29:10 svc:/milestone/self-assembly-complete:default
online 13:29:11 svc:/system/system-log:default
online 13:29:11 svc:/application/pkg/update:default
online 13:29:11 svc:/system/auditd:default
online 13:29:11 svc:/system/console-login:default
online 13:29:11 svc:/system/vtdaemon:default
online 13:29:11 svc:/system/console-login:vt4
online 13:29:11 svc:/system/console-login:vt3
online 13:29:11 svc:/system/console-login:vt2
online 13:29:11 svc:/system/console-login:vt6
online 13:29:11 svc:/system/console-login:vt5
online 13:29:11 svc:/milestone/multi-user:default
online 13:29:11 svc:/application/man-index:default
online 13:29:11 svc:/application/graphical-login/gdm:default
online 13:29:11 svc:/milestone/multi-user-server:default
online 13:29:11 svc:/system/intrd:default
online 13:29:11 svc:/system/zones:default
online 13:29:11 svc:/system/zones-install:default
online 13:29:12 svc:/application/stosreg:default
online 13:29:12 svc:/system/boot-config:default
online 13:29:15 svc:/system/fmd:default
online 13:29:15 svc:/system/fm/smtp-notify:default
online 13:29:16 svc:/system/fm/asr-notify:default
online 13:29:25 svc:/system/devchassis:daemon
online 13:29:32 svc:/network/ilomconfig-interconnect:default
online 13:29:32 svc:/system/ocm:default
online 13:29:41 svc:/system/console-reset:default
online 13:29:53 svc:/application/texinfo-update:default
online 13:58:19 svc:/system/name-service/switch:default
online 13:58:19 svc:/milestone/name-services:default
online 13:58:19 svc:/network/sendmail-client:default
online 13:58:19 svc:/network/smtp:sendmail
online 13:58:19 svc:/network/nfs/client:default
online 13:58:35 svc:/system/name-service/cache:default
maintenance 13:38:48 svc:/network/ldap/client:default
Edited by: 1502 on Dec 5, 2012 2:45 PM

Similar Messages

  • Problems setting up ldap on solaris 10.

    When trying to set up LDAP on Solaris 10 I am asked for an LDAP profile and the address of the LDAP server. I know the address of the LDAP server, but what is the profile, and how do I set it up with Active Directory?

    Hi,
    The profile defines how the client will interact with the server. On a Solaris server, you set this file up with the /usr/lib/ldap/idsconfig command. On the client, you use ldapclient init -a profileName=xyz -a domainName=your.domain <server.ip.address.here:portno> (portno is not necessary if you are using port 389 on the server). I'm not sure how you duplicate the functionality of that file from a Windows server. Maybe if you look at the man page on idsconfig, it may help identify what needs to be done on the Windows server to create a profile the Solaris client can use. I went to MS TechNet and searched for "ldap server for solaris client". A lot of hits. Hope this helps.
    John

  • Sudo with LDAP NetGroups Solaris 10

    Hi All,
    Can someone describe to me the steps to configure sudoers to work with LDAP NetGroups on Solaris 10?
    I am using "sudo 1.7.2p6" right now.
    I am able to authenticate using the Netgroups, but not able to using sudo.
    Thanks,
    DD

    I have recently tested sudo 1.6.8p8 to be working with flat files /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against DS5.2 server.
    I assume you use Solaris8/9 Native LDAP Client, and assume netgroup LDAP maps have been working without sudo.
    I read your other post about sudo and ldap, I think you did not configure and build "sudo" with "--with-pam", right?
    Can you provide the following details?
    1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
    2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
    3) Did you use an old gcc version eg: Solaris9 built-in gcc 3.1, to compile sudo?
    4) Content of /var/ldap/ldap_client_file.
    5) Content of /etc/ldap.conf, you should have this file.
    6) Sample ldif showing some sudoRole entries in LDAP
    7) Can you perform these commands?
    ldaplist -l sudoers
    ldaplist -l sudoers root
    ldaplist -l sudoers some_sudoRole
    8) Content of /etc/pam.conf
    9) Any other relevant details, like err in /var/adm/messages.
    Gary

  • LDAP and Solaris Authorization.

    Hi,
    Need some help. Can we do authorization of users with LDAP using PAM on Solaris? I am aware that we can use netgroups with LDAP for restricting access, but is there any generic facility that can be used directly with PAM itself to restrict the users?
    All ideas are appreciated.
    Regards,
    Abrar

    I wonder if anyone has successfully compiled pam_listfile.so (part of LinuxPAM) on Solaris8/9 and used it successfully in /etc/pam.conf as a means of authorization control?
    ===
    # cat /usr/share/doc/pam-0.77/txts/README.pam_listfile
    SUMMARY:
    pam_listfile:
    Checks a specified item against a list in a file.
    Options:
    * item=tty
    * sense=allow (action to take if found in file,
    if the item is NOT found in the file, then
    the opposite action is requested)
    * file=/the/file/to/get/the/list/from
    * onerr=succeed (if something weird happens
    such as unable to open the file, what to do?)
    * apply=user
    restrict the user class for which the restriction
    apply. Note that with item=user this
    does not make sense, but for item=tty
    it have a meaning. (Cristian Gafton)
    Also checks to make sure that the list file is a plain
    file and not world writable.
    - Elliot Lee <[email protected]>, Red Hat Software.
    v0.9 August 16, 1996.
    ===
    Gary

  • LDAP native solaris 10 server - client

    Hi,
    Can someone give me some link or instructions on how to configure a Solaris 10 to be a native LDAP server? I also need to have a client that will run on Solaris 10.
    I did follow PeterVG's post, but have tried so many times that I need to do a clean install and start from scratch.
    Anyway, what I did:
    On the server:
    a. Set domain, add hosts, install pkgs, and run directoryserver setup (it gives me some warning saying that I have an already installed instance, but I keep on trying).
    b. Run idsconfig => this part goes without problem.
    When I go to try to add a client with hostA.ldif as:
    dn: cn=hou-sol-dev,ou=hosts,dc=qatestit,dc=com
    changetype: add
    cn: qates001
    iphostnumber: 10.38.133.124
    objectclass: top
    objectclass: device
    objectclass: ipHost
    it goes and gives me ldap_add: No such object.
    And of course, when I go to the client and try to run
    ldapclient -v init ... with the server information, it gives me a fail, with some old dc=domain (which I have changed later).
    If anybody can help, I would really appreciate it.
    thank you,
    ./antonio/.

    I finally got it working. I think my problem was that I was copying and pasting the /etc/pam.conf from Gary's guide into the pam.conf file.
    There were unseen carriage returns mucking things up. So following a combination of the two docs worked. Starting with:
    http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
    Then following the steps at "Authentication Option #1: LDAP PAM configuration " from this doc:
    http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
    for the pam.conf, got things working.
    Note: ensure that your user has the shadowAccount value set in the objectClass
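The failure described in the reply above (invisible carriage returns pasted into /etc/pam.conf) can be checked for mechanically. The following is an added example, not part of the original posts: a Python linter that flags carriage returns, other control or non-ASCII bytes, and malformed entries. The function name, the constructed sample input and the accepted field values (taken from the Solaris pam.conf format) are assumptions of this example.

```python
"""Lint a Solaris-style pam.conf for invisible characters and malformed entries.

Added example; lint_pam_conf and SAMPLE are names chosen for this illustration.
"""
import sys

MODULE_TYPES = {"auth", "account", "session", "password"}
# Control flags of the Solaris pam.conf format ("definitive" exists from Solaris 11).
CONTROL_FLAGS = {"binding", "definitive", "include", "optional",
                 "required", "requisite", "sufficient"}


def lint_pam_conf(data: bytes):
    """Return a list of (line_number, message) findings for raw pam.conf bytes."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        # Byte-level checks first: these are the problems an editor will not show.
        if b"\r" in raw:
            findings.append((lineno, "carriage return (DOS line ending or pasted CR)"))
        if any((b < 0x20 and b not in (0x09, 0x0D)) or b == 0x7F for b in raw):
            findings.append((lineno, "control character other than tab"))
        if any(b > 0x7F for b in raw):
            findings.append((lineno, "non-ASCII byte (for example a non-breaking space)"))

        # Structural checks on the entry: service, module type, control flag, module.
        text = raw.replace(b"\r", b"").decode("ascii", "replace").strip()
        if not text or text.startswith("#"):
            continue
        fields = text.split()
        if len(fields) < 4:
            findings.append(
                (lineno, "expected service, type, flag and module; found %d field(s)"
                 % len(fields)))
            continue
        _service, module_type, flag, _module = fields[:4]
        if module_type.lower() not in MODULE_TYPES:
            findings.append((lineno, "unknown module type %r" % module_type))
        if flag.lower() not in CONTROL_FLAGS:
            findings.append((lineno, "unknown control flag %r" % flag))
    return findings


# Constructed sample: line 3 ends in CRLF, line 4 contains a UTF-8 non-breaking
# space between two fields, line 5 has a misspelled control flag.
SAMPLE = (
    b"# constructed pam.conf fragment\n"
    b"login auth requisite pam_authtok_get.so.1\n"
    b"login auth required pam_ldap.so.1 use_first_pass\r\n"
    b"other account\xc2\xa0required pam_ldap.so.1\n"
    b"other session requried pam_unix_session.so.1\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            content = handle.read()
    else:
        content = SAMPLE
    for line_number, message in lint_pam_conf(content):
        print("line %d: %s" % (line_number, message))
```

Run it with the path to a pam.conf as its only argument; without an argument it lints the constructed sample.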

  • Issues with LDAP Server | Solaris 8

    Hi All,
    In my project we are using Solaris 8 as an LDAP server for authentication. Some folders' owner and group are assigned to an LDAP user by default. I think it should be root and others.
    Please find the below example:
    *8 drwxr-xr-x 42 gip_admin set_investors_author 3584 Jan 24 00:01 .
    *8 drwxr-xr-x 42 gip_admin set_investors_author 3584 Jan 24 00:01 ..
    6 -rw-rw-r-- 1 gip_admin ampm_retail_english_author 2062 Jan 22 14:03 archive
    2 drwxr-xr-x 2 root nobody 512 Aug 6 2003 cdrom
    2 drwx--l--- 3 gip_admin set_investors_author 512 Dec 9 07:33 data
    2 drwxr-x--- 2 root other 512 Nov 12 16:20 data1
    Can you please help me to solve this issue.....
    Thanks in Advance
    Manju

    Hi,
    It is not mounted on NFS. It is a local disk only.
    It is a Solaris 8 server.
    # ls -lan
    drwxr-xr-x 18 0 0 1536 Dec 11 05:00 .
    drwxr-xr-x 46 91550 94293 2560 Jan 11 10:37 ..
    -rw-rw-rw- 1 0 1 524204 Aug 2 2006 110951-06.jar
    drwxr-xr-x 2 0 1 512 Dec 11 05:01 Backup_files
    -rw------- 1 0 1 17 Apr 22 2005 DBVERSION
    drwxrwxr-x 2 101 2000 512 Oct 18 2004 DD
    drwxr-xr-x 2 0 1 512 Sep 19 2006 J2SEPatch-13092006
    #cat /etc/passwd
    root:x:0:1:Super-User:/:/usr/bin/bash
    daemon:x:1:1::/:
    bin:x:2:2::/usr/bin:
    sys:x:3:3::/:
    adm:x:4:4:Admin:/var/adm:
    lp:x:71:8:Line Printer Admin:/usr/spool/lp:
    uucp:x:5:5:uucp Admin:/usr/lib/uucp:
    nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
    listen:x:37:4:Network Admin:/usr/net/nls:
    nobody:x:60001:60001:Nobody:/:
    noaccess:x:60002:60002:No Access User:/:
    nobody4:x:65534:65534:SunOS 4.x Nobody:/:
    basant:x:1001:10::/apps/basant:/bin/sh
    tis:x:1003:1::/apps/tis/:/usr/bin/bash
    ldap:x:1004:100::/home/ldap:/bin/sh
    iwui:x:100001:60001:Interwoven TeamSite UI Daemons User:/apps/iw-home:/bin/sh
    oracle:x:1002:101: Oracle user:/apps/oracle:/bin/sh
    vadmin:x:100002:1::/apps/vadmin/:/bin/sh
    sshd:x:100003:2003:sshd privsep:/var/empty:/bin/false
    temp:x:111112:1::/home/temp:/bin/sh
    verity:x:111113:1::/apps/verity/:/usr/bin/bash
    test1:x:12312311:1::/home/test1:/bin/sh
    hai:x:12312312:1::/home/hai:/bin/sh
    #cat /etc/group
    [root@sun5-/opt]# cat /etc/group
    root::0:root,tomcat
    other::1:bpeditor,lpg_admin,lpg_author,lpg_publisher
    bin::2:root,bin,daemon
    sys::3:root,bin,sys,adm
    adm::4:root,adm,daemon
    uucp::5:root,uucp
    mail::6:root
    tty::7:root,tty,adm
    lp::8:root,lp,adm
    nuucp::9:root,nuucp
    staff::10:
    daemon::12:root,daemon
    sysadmin::14:
    nobody::60001:
    noaccess::60002:
    nogroup::65534:
    iplanet::100:
    dba::101:
    sshd::2003:
    apps::94356:
    testa::12312323:
    oat_users_test::12312325:
    Thanks

  • Sun LDAP with Solaris

    Hi All,
    I have a very simple and short query: does Sun Directory come bundled with Solaris 10, or do we need to download it explicitly?
    If we download it, is that a free version or do we need to procure it?
    Thanks
    Avninder

    Hi Avninder,
    No it does not come with Solaris 10, nor Solaris 10 current license gives you entitlement with support for it.
    Please go and download from www.sun.com/dsee
    Etienne

  • Solaris 8/9 with LDAP

    I set up iPlanet Directory Server on Solaris 9. The Solaris 9 client can get user accounts and automount data from LDAP, but Solaris 8 can't get automount data.
    If I cd /test4, the error message is: permission denied.
    How can I fix it, or get more information about it?
    The following is the Solaris 8 setting:
    Solaris 8 profile:
    dn: cn=sun8,ou=profile,dc=test,dc=com,dc=tw
    cn: sun8
    ObjectClass: top
    ObjectClass: SolarisNamingProfile
    SolarisBindDN: cn=proxyagent,ou=profile,dc=test,dc=com,dc=tw
    SolarisBindPassword: {NS1}c58916dc7d61179f7f
    SolarisLDAPServers: 172.20.100.103
    SolarisSearchBaseDN: dc=test,dc=com,dc=tw
    SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
    SolarisTransportSecurity: NS_LDAP_SEC_NONE
    SolarisSearchReferral: NS_LDAP_FOLLOWREF
    SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
    SolarisSearchTimeLimit: 30
    SolarisCacheTTL: 43200
    Solaris 9 profile :
    dn: cn=sun9v1,ou=profile,dc=test,dc=com,dc=tw
    ObjectClass: top
    ObjectClass: DUAConfigProfile
    defaultServerList: 172.20.100.103
    defaultSearchBase: dc=test,dc=com,dc=tw
    authenticationMethod: simple
    defaultSearchScope: one
    searchTimeLimit: 30
    cn: sun9v1
    credentialLevel: proxy
    attributeMap: automount:automountInformation=nisMapEntry
    attributeMap: automount:automountKey=cn
    attributeMap: automount:automountMapName=nisMapName
    objectClassMap: automount:automount=nisObject
    objectClassMap: automount:automountMap=nisMap
    AutoMount Entry:
    cn=/net,nisMapName=auto_master,dc=test,dc=com,dc=tw
    objectClass=nisObject
    objectClass=top
    cn=/net
    nisMapEntry=-hosts -nosuid,nobrowse
    nisMapName=auto_master
    cn=/home,nisMapName=auto_master,dc=test,dc=com,dc=tw
    objectClass=nisObject
    objectClass=top
    cn=/home
    nisMapEntry=auto_home -nobrowse
    nisMapName=auto_master
    cn=/xfn,nisMapName=auto_master,dc=test,dc=com,dc=tw
    objectClass=nisObject
    objectClass=top
    cn=/xfn
    nisMapEntry=-xfn
    nisMapName=auto_master
    cn=/-,nisMapName=auto_master,dc=test,dc=com,dc=tw
    objectClass=nisObject
    objectClass=top
    cn=/-
    nisMapEntry=auto_direct
    nisMapName=auto_master
    cn=/test4,nismapname=auto_direct,dc=test,dc=com,dc=tw
    objectClass=nisObject
    objectClass=top
    cn=/test4
    nismapentry=sun1:/export/test
    nismapname=auto_direct

    I just checked my schema and I've also converted 'NisMapEntry' to lower case.
    So when you do an 'ldaplist -l auto_home name' you get:
    dn: cn=name,nismapname=auto_home,o=org
    objectClass: top
    objectClass: nisobject
    nismapname: auto_home
    nismapentry: server:/export/home/&
    cn: name
    You can see where it's failing by running automountd in debug mode:
    /usr/lib/autofs/automountd -v -TT &
    # cd /home/name
    t1 LOOKUP REQUEST: Wed Sep 4 14:37:53 2002
    t1 name=name[] map=auto_home opts= path=/home direct=0
    t1 PUSH /etc/auto_home
    t1 getmapent_ldap called
    t1 getmapent_ldap: key=[ name ]
    t1 ldap_match called
    t1 ldap_match: key =[ name ]
    t1 ldap_match: ldapkey =[ name ]
    t1 ldap_match: searchfilter =[ (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name)) ]
    t1 ldap_match: Requesting list for (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name))
    t1 ldap_match: __ns_ldap_list OK
    t1 getmapent_ldap: exiting ...
    t1 POP /etc/auto_home
    t1 mapline: server:/export/home/&
    t1 do_lookup1: action=2 wildcard=FALSE error=0
    t1 LOOKUP REPLY : status=0
    t6 MOUNT REQUEST: Wed Sep 4 14:37:53 2002
    t6 name=name[] map=auto_home opts= path=/home direct=0
    t6 PUSH /etc/auto_home
    t6 getmapent_ldap called
    t6 getmapent_ldap: key=[ name ]
    t6 ldap_match called
    t6 ldap_match: key =[ name ]
    t6 ldap_match: ldapkey =[ name ]
    t6 ldap_match: searchfilter =[ (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name)) ]
    t6 ldap_match: Requesting list for (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name))
    t6 ldap_match: __ns_ldap_list OK
    t6 getmapent_ldap: exiting ...
    t6 POP /etc/auto_home
    t6 mapline: server:/export/home/&
    t6 do_mount1:
    t6 (nfs,nfs) /home/name
    server:/export/home/name penalty=0
    t6 nfsmount: standard mount on /home/name :
    t6 server:/export/home/name
    t6 ping: server timeout=15 request vers=3 min=2
    t6 pingnfs OK: nfs version=3
    t6 nfsmount: Get mount version: request vers=3 min=3
    t6 nfsmount: mount version=3
    t6 mount server:/export/home/name /home/name ()
    t6 mount server:/export/home/name dev=44c0006 rdev=0 OK
    t6 MOUNT REPLY : status=0, AUTOFS_DONE

  • Solaris 10 + Samba + LDAP/PAM?

    Hi all,
    I've got a long standing question that I need answered with relation to setup of Samba + LDAP on Solaris 10. Here is the general gist:
    1. I've got a Solaris 10 host that is currently communicating with an OpenLDAP (OpenDirectory) master to provide user identity information. The Solaris 10 host simply acts as a place to have disk mounted via some large storage subsystems, which is then shared out via NFS to different places. Because I have used the ldapclient manual commands on the Solaris host, it understands UID's and GUID's from the OpenLDAP master
    2. I want to change things a little bit. What I'd like to do, is have samba sharing out disk/exports/shares from the Solaris 10 host, but use my OpenLDAP credentials for users to log into the system with
    What I'd like to know how to do is set up Samba on my Solaris 10 (x86) host so that a client can connect to it using their credentials stored on the OpenLDAP host, access their home directory etc.
    I don't think it will be too hard - as most of the work is done in terms of the LDAP binds. I have used the following binding technique to make the Solaris 10 host aware of the OpenLDAP directory:
    ldapclient -v manual -a credentialLevel=anonymous -a defaultSearchBase=dc=od-master,dc=example,dc=com -a serviceSearchDescriptor=passwd:cn=users,dc=od-master,dc=example,dc=com -a attributeMap=passwd:gecos=cn -a serviceSearchDescriptor=group:cn=groups,dc=od-master,dc=example,dc=com 192.168.0.1
    Because I've done this, I can now finger/id any UID or GUID that exists on the OpenLDAP host, and the Solaris host will know about it. The question is, how do I make samba aware of such things, let alone configure it to do so. I want users on their windows systems to simply be able to \\some.server.here.there\ and on their Mac OS X systems to smb://some.server.here.there with the credentials that are in the OpenLDAP master. There must be some simple way of telling samba where to get credential information from, right?
    Thanks for your time!
    z

    Update 2 is pretty old, especially if you are talking about ZFS. There's been a variety of problems fixed in ZFS since U2. Were I to just guess out of the blue, you might be running into the ZFS eats all of RAM bug.
    http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6505658
    If this is the case, it won't be just the samba server that's slow on the server. You should check this by doing the FTP after your samba server slows down and see if you get fast throughputs.
    -r

  • Solaris 7 ldap client setup

    Hi,
    Please can anyone help me in setting up an LDAP client for Solaris 7: guidelines or any website or docs would help.
    Thanking you,
    Naren

    Hi Mukherjee,
    You can configure both Solaris 8 and 9 as ldapclient to SunONE 5.2 installed on a Solaris 9 box. Make sure; I think you cannot configure the client on the same machine on which the directory server is installed.
    No, my question is how to set up ldapclient on Solaris 6 and Solaris 7, as both do not support LDAP. For example, Solaris 7 has no nsswitch.ldap. Can you provide me details to configure Solaris 7 as an LDAP client?
    PATEL

  • Solaris 9 10 - pam.conf - LDAP - su - user login - DS 6.3.1

    We are trying to configure our Solaris clients to use LDAP for authentication. We have modified the nsswitch.conf and pam.conf. The pam.conf looks like this:
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_cred.so.1
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_cred.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass debug
    dtlogin auth requisite pam_authtok_get.so.1
    dtlogin auth required pam_dhkeys.so.1
    dtlogin auth binding pam_unix_cred.so.1
    dtlogin auth binding pam_unix_auth.so.1 server_policy
    dtlogin auth required pam_ldap.so.1 use_first_pass debug
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1 use_first_pass debug
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_dial_auth.so.1
    ppp auth required pam_ldap.so.1 use_first_pass debug
    dtsession auth requisite pam_authtok_get.so.1
    dtsession auth required pam_dhkeys.so.1
    dtsession auth binding pam_unix_auth.so.1 server_policy
    dtsession auth required pam_ldap.so.1 debug
    other auth requisite pam_authtok_get.so.1 debug
    other auth sufficient pam_dhkeys.so.1 debug
    other auth binding pam_unix_cred.so.1
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    passwd auth required pam_passwd_auth.so.1 debug server_policy
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    dtlogin account requisite pam_roles.so.1
    dtlogin account required pam_projects.so.1
    dtlogin account binding pam_unix_account.so.1 server_policy
    dtlogin account required pam_ldap.so.1 debug
    ppp account requisite pam_roles.so.1
    ppp account required pam_projects.so.1
    ppp account required pam_unix_account.so.1 server_policy
    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1 debug
    ppp session required pam_unix_session.so.1
    other session required pam_unix_session.so.1
    other session required pam_mkhomedir.so.1 skel=/etc/skel umask=0022
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password sufficient pam_authtok_store.so.1 server_policy debug
    other password required pam_ldap.so.1 debug
    The issue we are having is that the DS is configured to force a password change after an administrator reset. If we change the lines:
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1 debug
    to
    other account binding pam_ldap.so.1 debug
    other account required pam_unix_account.so.1 server_policy
    we get the prompt to change the password. But at that point a non-root user can not su to any other user.
    Does anyone have any ideas? Also, we are trying to configure a Linux client to do the same thing, but can't get the system-auth file correct either.
    Edited by: jason.hershcopf on Apr 2, 2009 6:32 PM

    Hi Jason,
    Wondering if you got an answer for this. I am having similar issues with LDAP on Solaris 10.
    Any feedback will be of great help.
    Thanks!

  • Native ldap client doesn't work with an openldap Server : No root DSE data

    Hello!
    My configuration :
    - an openldap 2.2.23 server (linux debian) (server name = serv_annu)
    - a ldap client (solaris 10) (server name = client_annu)
    I want to configure my client by using Solaris Native ldap and I follow the excellent doc of gary tay (http://web.singnet.com.sg/~garyttt)
    I use TLS and I had generated a certificate by using Mozilla. TLS works because ldapsearch from my solaris client works:
    FROM CLIENT_ANNU:
    # ldapsearch -h server_annu -p 636 -b"dc=mydomain,dc=fr" -s base -Z -P /var/ldap/cert8.db "objectclass=*"
    version: 1
    dn: dc=mydomain,dc=fr
    dc: mydomain
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    objectClass: nisDomainObject
    nisDomain: mydomain.fr
    o: mydomain
    LOG FROM SERVER_ANNU:
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=1 UNBIND
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 closed
    1) I add DUAConfigProfile.schema and solaris.schema on my openldap server.
    2) I add a nisDomainObject at the root DN (see the result of the ldapsearch above)
    3) I Add ACL in slapd.conf to allow reading of rootDSE.
    access to dn.base="" by ssf=128 * read
    4) I launch on my solaris client
    crle -u -s /usr/lib/mps
    crle -64 -u -s /usr/lib/mps/64
    5) I can't apply result.c patch on my openldap server (production server!) then I can't create /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred by using ldapclient command. Then I create manually /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred : the syntax is correct because the "ldapclient list" command works :
    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= uid=toto,ou=People,dc=people1,dc=mydomain,dc=fr
    NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
    NS_LDAP_SERVERS= server_annu
    NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=fr
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_CREDENTIAL_LEVEL= anonymous
    NOTE : I've had to add NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD even if I use anonymous credential level because I get an error when I launch ldap client process.
    Then here, everything is apparently OK but when I enable ldap client process the cachemgr process is running about 30s then it crashes:
    FROM CLIENT_ANNU:
    svcadm disable /network/ldap/client;svcadm enable /network/ldap/client
    /etc/init.d/nscd stop;/etc/init.d/nscd start
    LOG FROM SERVER_ANNU:
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 closed
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 ACCEPT from IP=172.30.69.216:36022 (IP=0.0.0.0:389)
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH attr=supportedControl supportedsaslmechanisms
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=1 UNBIND
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 closed...
    FROM CLIENT ANNU :
    # /usr/lib/ldap/ldap_cachemgr -g
    cachemgr configuration:
    server debug level 0
    server log file "/var/ldap/cachemgr.log"
    number of calls to ldapcachemgr 2
    cachemgr cache data statistics:
    Configuration refresh information:
    Previous refresh time: 2008/04/02 09:58:12
    Next refresh time: 2008/04/02 21:58:12
    Server information:
    Previous refresh time: 2008/04/02 09:58:32
    Next refresh time: 2008/04/02 09:58:33
    server: server_annu, status: ERROR
    error message: No root DSE data returned.
    Cache data information:
    Maximum cache entries: 256
    Number of cache entries: 0
    My problem is why I get the following error message : No root DSE data returned.
    Thanks in advance for your help!

    Hi
    Is your OpenLDAP server configured to allow anonymous read of the rootDSE attributes ?
    Regards,
    Ludovic.
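
Added example, not part of either post above: a Python check that reads slapd log lines in the format quoted in the question, pairs each root DSE search (base="" scope=0) with its SEARCH RESULT, and reports the ones that returned no entries together with the listener port of the connection, which shows whether the failing lookups arrive on 389 or 636 when reviewing the rootDSE ACL. The sample log lines, host name and addresses are constructed.

```python
import re

# Constructed sample in the slapd log format quoted above (documentation addresses).
SAMPLE_LOG = """\
Apr 2 10:00:01 ldaphost slapd[100]: conn=1 fd=10 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:636)
Apr 2 10:00:01 ldaphost slapd[100]: conn=1 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 10:00:01 ldaphost slapd[100]: conn=1 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 2 10:00:05 ldaphost slapd[100]: conn=2 fd=11 ACCEPT from IP=192.0.2.10:40002 (IP=0.0.0.0:389)
Apr 2 10:00:05 ldaphost slapd[100]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 10:00:05 ldaphost slapd[100]: conn=2 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 10:00:05 ldaphost slapd[100]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 10:00:09 ldaphost slapd[100]: conn=3 fd=12 ACCEPT from IP=192.0.2.11:40003 (IP=0.0.0.0:389)
Apr 2 10:00:09 ldaphost slapd[100]: conn=3 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=nobody)"
Apr 2 10:00:09 ldaphost slapd[100]: conn=3 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# IPv4 listeners only, as in the quoted log.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+ \(IP=[\d.]+:(\d+)\)")
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def empty_rootdse_searches(log_text):
    """Return root DSE searches (base="" scope=0) that came back with no entries."""
    listeners = {}        # conn id -> (client IP, listener port)
    rootdse_ops = set()   # (conn id, op id) of root DSE searches seen so far
    findings = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            listeners[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := SRCH_RE.search(line):
            # The follow-up "SRCH attr=..." line has no base= and is skipped here.
            if m.group(3) == "" and m.group(4) == "0":
                rootdse_ops.add((m.group(1), m.group(2)))
        elif m := RESULT_RE.search(line):
            conn, op, err, nentries = m.groups()
            if (conn, op) in rootdse_ops and int(nentries) == 0:
                client, port = listeners.get(conn, ("unknown", None))
                findings.append({"conn": int(conn), "client": client,
                                 "listener_port": port, "err": int(err)})
    return findings


if __name__ == "__main__":
    for finding in empty_rootdse_searches(SAMPLE_LOG):
        print(finding)
```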

  • Able to su from root to ldap accounts but account passwords come back as incorrect otherwise?

    Hi,
    I've installed DSEE 11.1.1.7.2 and I set up a few test ldap clients, Solaris 10, Solaris 11, and Oracle Linux. From root on any of these boxes I can su to the ldap accounts but if I try to ssh or su - from one test account to another I get an incorrect password.
    I also have a test Sun 7.0 Directory Server running and using the same Solaris 10 client I can do a ldapinit to it and authenticate fine with the test accounts. I'm using the same scripts to create accounts and passwords on both versions. I looked through the default password policies between the two and don't see any differences and I'm not getting anything showing up in the logs. Has anyone seen this type of issue before?
    Thanks

    Hello,
    This post http://serverfault.com/questions/576265/solaris-pam-ldap-authentication-using-sshd-kbdint-and-failing might be useful.
    -Sylvain
    Please mark the response as helpful or correct when appropriate to make it easier for others to find it

  • Migrating Linux shadow-file MD5 passwords to Sun DSEE for Solaris/SunMail

    Hello all,
    We are about to undertake migration of an outdated mail server based on RedHat 7.2 and Sendmail/ipop3d to Sun Messaging Server (JCS6u2). While the filesystem/mail are not a problem, we're stuck at the question of how to best migrate old users' identities.
    The old Linux system used user names and password hashes stored in /etc/passwd and /etc/shadow files. Hashes are mostly MD5 and a few seem like crypt.
    Question is: are there known incompatibilities between password hashes (algorithms, expected format) in Linux and Sun products - Solaris/DSEE/SunMail?
    That is, if we just take strings like these:
    usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
    usecrypt:DD2kEwCD8nies:10220::::::
    Can we simply place the second column as the userPassword attribute in Sun DSEE and expect that users would be able to log in to LDAP-enabled Solaris and Sun Mail with their old passwords known only to them?
    If not, is there some simple modification/translation of such hashes to a format accepted by Sun products?
    Or are these formats/algorithms known to be incompatible somehow in a fatal manner, so our only option would be generation of new passwords for Sun DSEE and its clients?
    Thanks,
    //Jim

    Just to reclarify or throw more information:
    a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
    Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
    But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
    {crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
    I used below command :
    pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
    Actual hash value of pwdhash is -LiB/H70zXr3xfQPoXVuUQ1 with rest of the prefix is to meet RFC standard and salt and algo name separator.
    I am wondering if Sun MD5 default uses any salt even when I haven't used or DS does it. Or if any other MD5 option is there which can be used.
    Thanks,
    Gaurav
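
Added example, not part of the posts above: a Python sketch that classifies the shadow password fields quoted in the question by format, extracts the salt stored inside each string, and writes LDIF modify records that carry the value under the `{crypt}` prefix seen in the pwdhash output. It also shows that the 32-digit hex and Base64 values in the reply are two encodings of the same 16 raw bytes, with no salt field. The base DN and the locked-account line are hypothetical, and whether the directory can verify a given scheme under `{crypt}` is an assumption the thread does not settle.

```python
import base64
import re

# First two lines are quoted from the question above; the third is constructed.
SHADOW_LINES = [
    "usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116",
    "usecrypt:DD2kEwCD8nies:10220::::::",
    "lockeduser:*LK*:10220::::::",
]
BASE_DN = "ou=People,dc=example,dc=com"  # hypothetical suffix


def classify_hash(field):
    """Return (scheme, salt) for the password field of a shadow entry."""
    if field.startswith("$1$"):
        parts = field.split("$")           # ['', '1', salt, digest]
        if len(parts) == 4 and parts[2] and parts[3]:
            return ("md5-crypt", parts[2])
        return ("malformed", None)
    if field.startswith("$"):
        return ("other-modular", None)     # e.g. $md5$..., not parsed here
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("des-crypt", field[:2])    # first two characters are the salt
    return ("not-a-hash", None)


def shadow_to_ldif(lines, base_dn=BASE_DN):
    """Build modify records for recognised hashes; return (ldif, skipped_users)."""
    records, skipped = [], []
    for line in lines:
        user, field = line.split(":")[:2]  # assumes plain login names (no DN escaping)
        scheme, _salt = classify_hash(field)
        if scheme not in ("md5-crypt", "des-crypt"):
            skipped.append(user)
            continue
        records.append(
            f"dn: uid={user},{base_dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {{crypt}}{field}\n"
        )
    return "\n".join(records), skipped


def hex_md5_to_base64(hex_digest):
    """Re-encode a raw (unsalted) MD5 digest from hex to Base64."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


if __name__ == "__main__":
    ldif, skipped = shadow_to_ldif(SHADOW_LINES)
    print(ldif)
    print("skipped:", skipped)
```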

  • LDAP Mobile Users & Password (not) Syncing

    Hi folks, we are starting to enable LDAP for our notebook users and have one issue that hopefully someone has some advice on.
    We're using a Linux based LDAP server, 389 Directory Server.
    Our users can authenticate, login, we make them admins, and enable the mobile user account.
    It works well until they change their password on LDAP via our web interface.
    Their new password works for Lion so long as they are on our network.  Once they take their notebook away and can't reach our ldap anymore, the mobile user account will only accept their original ldap password.
    It seems as if the passwords are not being synced/cached locally.  I just discovered this before coming home for the weekend and hope to have a few hints to get going on Monday if anyone has a suggestion.
    One last thought is that we turn off Home Directory Sync because we're not using network based home directories yet (set it to manual in Mobile Accounts). Would that also disable password syncing except when a manual sync happens?
    Thanks folks!

    Hi Steve.
    We have mobile accounts turned on, but we do not have home directory syncing. Faculty/Staff must, at least once, log in with their Mac while on our campus network. This authenticates the faculty/staff against our LDAP server (Solaris) and "caches" their credentials using the Mobile user feature of Lion. Once they log in once, they can then go off campus and use that password to log into their machine, do updates, whatever.
    The issue we have is when someone changes their LDAP password from our "web account tools" page it is spotty on the LDAP sync with the machine.
    Hope that helps
    -DK
