Openldap-2.4.32 PAM authentication on Solaris 10

Hi,
I configured two Solaris servers to be openldap client/server. They are connected, and I am able to add/modify/retrieve entries/user information from client machine.
Executing ldapwhoami command from client is successful; server receives and processes request as expected.
I am configuring PAM for rlogin from Client machine and expect that user credential will be authenticated from LDAP Server, but cannot rlogin.
Could someone please show me how to verify PAM to see if it works?
Please let me know if there is anything missing from my setup or anything that I can double-check.
Any help is greatly appreciated.
Regards,
Joe
Downloaded and installed packages from SunFreeWare.com:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz
From Client LDAP, I am able to add users to Server LDAP, and ldapwhoami execution is also successful.
apggd04dev# ldapwhoami -H ldap://apggd06dev.pg.dtveng.net -x -W -D uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
Enter LDAP Password:
dn:uid=jkly,ou=users,dc=pg,dc=dtveng,dc=net
Configuring for PAM:
- /etc/pam.conf:
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
- /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
Errors from /var/log/pamlog:
Mar 5 08:56:15 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:20 apggd04dev last message repeated 1 time
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 219349 auth.debug] pam_unix_auth: user jkly not found
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:20 apggd04dev login: [ID 285619 auth.debug] ldap pam_sm_authenticate(rlogin jkly), flags = 0
Mar 5 08:56:20 apggd04dev login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Mar 5 08:56:20 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error Error in underlying service module
Mar 5 08:56:20 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:authtok)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:ruser)
Mar 5 08:56:24 apggd04dev login: [ID 884769 auth.debug] PAM[3257]: pam_set_item(296b0:user_prompt)
Mar 5 08:56:24 apggd04dev login: [ID 601877 auth.debug] PAM[3257]: pam_authenticate(296b0, 0)
Mar 5 08:56:24 apggd04dev login: [ID 407395 auth.debug] PAM[3257]: load_modules(296b0, pam_sm_authenticate)=/usr/lib/security/pam_rhosts_auth.so.1
Mar 5 08:56:24 apggd04dev login: [ID 110225 auth.debug] PAM[3257]: pam_authenticate(296b0, 0): error No account present for user
Mar 5 08:56:24 apggd04dev login: [ID 386855 auth.debug] PAM[3257]: pam_get_user(296b0, 0, NULL)
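
Added example (not part of the original post, and not code from the poster or from OpenLDAP): a Python model of how the Solaris PAM framework walks the posted rlogin auth stack under the pam.conf control flags sufficient, requisite, required and binding. The per-module return codes are assumptions read off the debug log above, and modelling a pam_unix_auth.so.1 that skips an LDAP-only user as PAM_IGNORE is likewise an assumption of this example.

```python
"""Model of Solaris pam.conf control-flag handling for one service stack.

Added illustration; the return codes fed in below are assumptions, not
output captured from a real PAM run.
"""

SUCCESS, IGNORE = "PAM_SUCCESS", "PAM_IGNORE"

# The rlogin auth stack as posted in the question.
POSTED_PAM_CONF = """\
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
"""

# Assumed results for the failed login, read off the posted debug log:
# "user jkly not found" -> PAM_USER_UNKNOWN, and the libsldap
# "Unable to load configuration" warning -> PAM_SERVICE_ERR.
AS_LOGGED = {
    "pam_rhosts_auth.so.1": "PAM_USER_UNKNOWN",
    "pam_authtok_get.so.1": SUCCESS,
    "pam_unix_auth.so.1": "PAM_USER_UNKNOWN",
    "pam_ldap.so.1": "PAM_SERVICE_ERR",
}  # modules not listed are treated as PAM_IGNORE


def parse_stack(text, service, module_type):
    """Return [(control_flag, module, options)] in file order."""
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[:2] == [service, module_type]:
            stack.append((fields[2], fields[3], fields[4:]))
    return stack


def evaluate(stack, results):
    """Walk the stack; return (final_code, [(module, flag, code)] called)."""
    first_failure = None          # first required/binding failure seen
    called = []
    for flag, module, _options in stack:
        code = results.get(module, IGNORE)
        called.append((module, flag, code))
        if code == IGNORE:
            continue              # as if the module were not in the stack
        if code == SUCCESS:
            # sufficient/binding end the stack early, but only when no
            # earlier required-class module has failed.
            if flag in ("sufficient", "binding") and first_failure is None:
                return SUCCESS, called
            continue
        if flag == "requisite":
            return first_failure or code, called   # stop immediately
        if flag in ("required", "binding"):
            first_failure = first_failure or code  # remember, keep going
        # sufficient/optional failures do not affect the result
    # Simplification: a stack with no recorded failure counts as success.
    return first_failure or SUCCESS, called


if __name__ == "__main__":
    stack = parse_stack(POSTED_PAM_CONF, "rlogin", "auth")
    scenarios = {
        "as logged": AS_LOGGED,
        "pam_ldap fixed only": {**AS_LOGGED, "pam_ldap.so.1": SUCCESS},
        "pam_ldap fixed, pam_unix_auth ignores LDAP user":
            {**AS_LOGGED, "pam_ldap.so.1": SUCCESS,
             "pam_unix_auth.so.1": IGNORE},
        "local user": {**AS_LOGGED, "pam_unix_auth.so.1": SUCCESS},
    }
    for name, results in scenarios.items():
        final, called = evaluate(stack, results)
        print(f"{name}: {final} after {len(called)} modules")
```

In this model a binding failure counts as a required failure, so the "pam_ldap fixed only" scenario still fails with the pam_unix_auth.so.1 error even though pam_ldap.so.1 succeeds.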


Similar Messages

  • PAM Support for Solaris SGD 4.3

    Hi,
    Where can I find more information on how to integrate PAM support under Solaris SGD 4.3?
    I read in the release notes:
    Support for PAM for UNIX User Authentication
    Secure Global Desktop now supports PAM (Pluggable Authentication Modules) for UNIX user authentication. The change affects the following login authorities:
    * ENS
    * UNIX User
    * UNIX Group
    Secure Global Desktop uses PAM for user authentication, account operations and password operations.
    When you install Secure Global Desktop on Linux platforms, Setup automatically creates PAM configuration entries for Secure Global Desktop by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file. On Solaris OS platforms, you can add a new entry for Secure Global Desktop (tarantella) in the /etc/pam.conf file if required.
    Using PAM gives Secure Global Desktop Administrators more flexibility and control over UNIX user authentication, for example by adding new login tests, account limits, or valid password checks.
    But how this should be done, I could not find out....
    Regards
    Lukas

    Hi,
    Yes, I know that. PAM is always configured via the operating system. But where can I find some documentation on how to configure PAM to allow unix authentication against the ssgd?
    I do not want to create a unix user for each sgd user (ldap) which is using an AS 400 connection or a classroom object. So I that this could be done via PAM Module for ssgd
    Thanks for further advice.

  • PAM authentication failure when attempting to run job

    I'm attempting to run a scheduled job from grid control (version 10.2.0.5.0) against a Solaris server and it keeps failing with:-
    Error Log
    ERROR: Invalid username and/or password
    Output Log
    LOG: Local Authentication Failed...Attempt PAM authentication...PAM failed with error:
    Despite entering an OS username and password into the preferred credentials for this server, which work when I try to log on using putty, I can't connect to the server using the preferred credentials screen either. However, the agent can upload data without any problems. Can anyone point me in the correct direction towards a resolution for this issue?

    Thanks for the information, Oracle support came up with this technical note also. It's a bit strange as it mentions using the shared object for ldap in the pam.conf even though I'm not using ldap. Out of interest, do you use grid control, Solaris and pam authentication?

  • Samba - pam authentication

    Hi Everybody,
    We are upgrading to samba-3.0.2a with SEAM kerberos and iPlanet Directory ldap server support. All three servers run on three different physical Solaris machines. We are able to connect the samba and ldap. We are trying with the security=user option in samba. For kerberos support, we thought of a solution of authentication via pam - pamkrb5 module. But samba fails for a pam authentication and it never contacts the kerberos server. Actually we traced out the function calls which try for authentication, which send a pam handler with null passwords for authentication.
    Please refer to source/auth/auth.c and source/auth/pampass.c which functions like smb_pam_accountcheck which pam_acctmgmt() sending a pamhandler pointer pamh.
    The samba code has pointer pamh referring to the structure called pam_handle_t. For the structure pam_handle_t, we found a type definition pam_handle in security/pam_appl.h, and no more information on pam_handle is available. Do the Solaris pam modules lack some files, or does our installation of Solaris lack some files?
    Any suggestions to proceed with pam authentication would be really helpful.
    regards
    eccsamba

    I'm having similar problem. In my case, it appears to be configure issue within samba. I'm using
    configure --with-pam
    But when it 'checks' pam_modules.h, it fails because it lacks definitions found in pam_appl.h. It appears to check these files independently, when it should consider them together. I'm currently looking for a way to short-circuit the configure's concerns for pam_modules.h. Mark

  • OpenSSH 4.4p1 packages with PAM support for Solaris 9, 10

    As mentioned in a previous post* , I've compiled OpenSSH packages with PAM support for Solaris 9 and 10. They've since been updated to version 4.4p1, and are compiled against a static zlib (1.2.3) and OpenSSL (0.9.8c). You can find them here:
    http://firewallworks.com/downloads/unsupported/Solaris-sparc/
    Regards,
    Greg
    * http://forum.sun.com/jive/thread.jspa?threadID=103378&tstart=105

    Yes, zlib 1.2.3 is a requirement. In fact, zlib mentions a 2005 vulnerability fix but I found no matching patch in sunsolve. See
    http://www.kb.cert.org/vuls/id/JGEI-6E7RC3
    I have been wondering whether to replace the official zlib. Linking statically is probably a better idea. Thanks

  • PAM authentication of OS X GUI

    According to http://images.apple.com/macosx/pdf/MacOSXLeopard_SecurityTB.pdf on page 2, Leopard supports PAM authentication from the GUI layer. In other words, can I set up my own custom stack of PAM modules and expect loginwindow and the rest of the GUI elements to consult PAM for username/password info?
    This was not the case with OS X 10.4 (Tiger) and earlier, or at least it wasn't obvious how to do it.
    I know you can set up UNIX services to use PAM, however that's not what I'm looking for. I want to be able to log on to a OS X 10.5 machine using PAM.
    Thanks!

    I'd suggest redrawing those with the path tool and stroke/paint. The lines are very thin, and I don't think they'll display well on TV....
    Spend a little time with the path tool and it'll become second nature. Also, for enclosed icons (like the arrows, ?, and pointer hand), you may be able to key out the bg and autotrace it, to get a pretty good bezier mask representation (apply it to new layer).
    Glad to see you got your name sorted out... :P

  • PAM authentication failed on linux while installing MaxDB Database

    Seeing following errors in sapinst.log
    INFO 2007-03-29 16:25:23
    Account sqdln1 already exists.
    ERROR 2007-03-29 16:25:25
    The dbmcli call for action DB_CREATE failed. Check the logfile XCMDOUT.LOG.
    ERROR 2007-03-29 16:25:25
    The dbmcli call for action DB_CREATE failed. Check the logfile XCMDOUT.LOG.
    ERROR 2007-03-29 16:25:25
    FCO-00011  The step sdb_create_db_instance with step key |NW_Doublestack_DB|ind|ind|ind|ind|0|0|NW_CreateDBandLoad|ind|ind|ind|ind|9|0|NW_CreateDB|ind|ind|ind|ind|0|0|NW_ADA_DB|ind|ind|ind|ind|6|0|SdbPreInstanceDialogs|ind|ind|ind|ind|3|0|SdbInstanceDialogs|ind|ind|ind|ind|1|0|SDB_INSTANCE_CREATE|ind|ind|ind|ind|0|0|sdb_create_db_instance was executed with status ERROR .
    And the XCMDOUT.LOG has following error:
    ERR
    -24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
    -24994,ERR_RTE: Runtime environment error
    5,PAM authentication failed: Authentication failure
    Here's the snippet from /etc/group
    sapinst:x:500:root,ln1adm
    sapsys:x:501:
    sdba:*:502:sqdln1,root,sdb,ln1adm
    Here's the relevant part from the /etc/passwd file:
    ln1adm:x:500:501:SAP System Administrator:/home/ln1adm:/bin/csh
    sdb:x:501:502:Database Software Owner:/home/sdb:/bin/csh
    sqdln1:x:502:501:Owner of Database Instance LN1:/home/sqdln1:/bin/csh
    Any idea why PAM is not authenticating the root user correctly? Even manually firing the dbmcli
    gives the same error:
    /sapdb/programs/bin/dbmcli  -n sapln1db -R /sapdb/LN1/db db_create LN1 CONTROL,vcs12345 sqdln1,vcs12345
    ERR
    -24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
    -24994,ERR_RTE: Runtime environment error
    5,PAM authentication failed: Authentication failure
    Please help.
    Satish/

    The group and user entries are fine. I have modified the user and groups but am still getting the same authentication error. I have disabled MD5 password authentication and now it's just shadow. But still the problem persists.
    Please help.
    <XCMDOUT.LOG>
    ERR
    -24875,ERR_NEEDADMI: The operating system user is not a member of the database administrators group
    -24994,ERR_RTE: Runtime environment error
    5,PAM authentication failed: Authentication failure
    </XCMDOUT.LOG>
    </etc/passwd>
    ln1adm:x:500:501:SAP System Administrator:/home/ln1adm:/bin/csh
    sdb:x:501:502:Database Software Owner:/home/sdb:/bin/csh
    sqdln1:x:502:501:Owner of Database Instance LN1:/home/sqdln1:/bin/csh
    </etc/passwd>
    </etc/group>
    sapinst:x:500:ln1adm,root,sdb
    sapsys:x:501:root,sdb
    sdba:x:502:sqdln1,root,sdb
    </etc/group>

  • Ldap authentication on solaris 8 client

    I have directory server 6.0 set up on solaris 9 system. I convert a Solaris 8 system to be a ldap client. However, I can use ssh to authentication against LDAP server. Here is the output I got:
    # ssh -v user@localhost
    SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
    Standard version. Does not use RSAREF.
    host: Reading configuration data /etc/ssh_config
    host: ssh_connect: getuid 0 geteuid 0 anon 0
    host: Allocated local port 1023.
    host: Connecting to 127.0.0.1 port 22.
    host: Connection established.
    host: Remote protocol version 1.5, remote software version 1.2.27
    host: Waiting for server public key.
    host: Received server public key (768 bits) and host key (1024 bits).
    host: Forcing accepting of host key for localhost.
    host: Host '127.0.0.1' is known and matches the host key.
    host: Initializing random; seed file /root/.ssh/random_seed
    host: Encryption type: idea
    host: Sent encrypted session key.
    host: Installing crc compensation attack detector.
    host: Received encrypted confirmation.
    host: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
    host: Server refused our rhosts authentication or host key.
    host: No agent.
    host: Doing password authentication.
    [email protected]'s password:
    Permission denied.
    This is the pam.conf I use:
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth binding pam_unix_auth.so.1 server_policy
    other auth required pam_ldap.so.1
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1
    cron account required pam_unix_account.so.1
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1
    other session required pam_unix_session.so.1
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1 server_policy
    ppp auth required pam_unix_auth.so.1
    Not sure why Solaris 8 can't authenticate with the LDAP server. I have applied the patch 108993-67. Also, su and telnet can work with LDAP but not 'ftp' and 'ssh'.
    Any ideas?

    No, my problem seems different.
    The authentication between ldap client and server is through tls:simple. Also, the exact same configuration can work with a Solaris 9 client, but not a Solaris 8 client. Further checks on ssh on Solaris 8: the ssh is 'SSH Version 1.2.27 [sparc-sun-solaris2.8], protocol version 1.5.
    Standard version. Does not use RSAREF.'. But on a Solaris 9 client, the ssh is 'SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.' Not sure why the Solaris 8 ssh can't work with ldap authentication.
    Thanks,
    --xinhuan

  • Configure the sendmail with authentication in solaris 10

    Hi,
    I am very new to Solaris admin. I would like to know how to configure sendmail in Solaris with the authentication option. If anyone knows, please share with me.

    The sendmail shipped with Solaris hasn't been compiled for authentication.
    So I ended up compiling my own version of cyrus-sasl and sendmail.
    There are some pointers of the sendmail.org web site.

  • Authentication ldap, pam.d on Solaris 11

    Hi,
    I tested ldap authentication on Solaris 11 and I didn't succeed in ssh connection.
    I succeeded in viewing ldap users (getent passwd) and I modified /etc/pam.d/login other and passwd
    with "auth required pam_ldap

    Hi,
    Try to change the following two files: /etc/pam.d/login and /etc/pam.d/other
    Change the line that states:
    auth required pam_unix_auth.so.1
    to
    auth binding pam_unix_auth.so.1 server_policy
    auth required pam_ldap.so.1
    Did you also check the attribute mapping for the LDAP client?
    svccfg -s network/ldap/client setprop config/attribute_map= astring: '("shadow:homeDirectory=unixHomeDirectory" "shadow:description=distinguishedName" "shadow:uid=samaccountname" "shadow:gidnumber=primaryGroupID" "shadow:uidnumber=uidNumber" "shadow:gecos=displayName" "passwd:homeDirectory=unixHomeDirectory" "passwd:description=distinguishedName" "passwd:uid=samaccountname" "passwd:gidnumber=primaryGroupID" "passwd:uidnumber=uidNumber" "passwd:gecos=displayName")'
    svccfg -s network/ldap/client setprop config/objectclass_map= astring: '("group:posixGroup=group" "shadow:shadowAccount=person" "shadow:posixAccount=user" "passwd:shadowAccount=person" "passwd:posixAccount=user")'
    what does getent passwd username say? Does it return all the necessary fields (uid, gid etc.)?
    While configuring the LDAP client to point to our Microsoft AD I use the AD property uidNumber which I manually set to the last part of the objectSID property to keep it unique within the domain.
    Kind regards,
    Lambert

  • Help! Authentication in Solaris 8 to start iplanet server

    Hello,
    We are using iPlanet Web Server 6.1 in Solaris 8.0. Now
    we are stopping and starting the server using the root
    login. We could not start and stop the server using
    other logins (roles, normal user, etc).
    I got a permission denied error.
    Which authorization or authentication do we have to assign
    to the role to start and stop the iPlanet web server?
    What are the changes I have to make in the files user_attr,
    prof_attr, auth_attr, exec_attr?
    Please help me,
    thanks in advance,
    balachandar.

    You may want to try the WebServer forum located at: http://softwareforum.sun.com/NASApp/jive/forum.jsp?forum=16

  • Stacking Problem in pam.conf on Solaris 10 ?

    Hi all,
    I have pam.conf with entries for
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    As per my understanding the
    (I) SPI pam_authtok_get.so.1 is used to get the user credentials from password DB.
    (II) SPI pam_authtok_check.so.1 is used to check if the new password supplied is satisfying the password policy on the OS (by reading values from /etc/default/passwd)
    (III) SPI pam_authtok_store.so.1 is used to store the newly entered password to password db.
    Please correct me if I am wrong anywhere.
    Now I have a requirement that an application has to be written which will just check that the entered password satisfies the password policies of the OS or not, but it should not update the password DB (should not store the password)
    I make the following entries in my pam.conf
    osPasswdCheck password required pam_dhkeys.so.1
    osPasswdCheck password requisite pam_authtok_get.so.1
    osPasswdCheck password requisite pam_authtok_check.so.1
    I removed the entry for pam_authtok_store.so.1 as I don't want to store the but when I run my application it always gives error 20 authentication manipulation error.
    please refer (/usr/include/security/pam_appl.h)
    I have done all the formalities w.r.t writing a PAM Conversation function and the application is returning success when I add the pam_authtok_store.so.1 into the SPI
    Please anyone can help me out. Is there any other way with which I can use my application just to check password (w.r.t. OS policy).
    I will be really thankful if anybody can provide me with working PAM Modules stack for achieving it.
    Thanks in advance.
    Regards,
    Rahul.
    but I don't want to store it.

    Why not just keep the "pam_authtok_store.so.1" line in your pam.conf file and set it to a level of "requisite" or lower? I haven't tried it myself yet, but I've found that in the past when editing this file, completely removing a line rather than giving the PAM stack what it would expect to see with that line being there in some way can also cause problems.

  • UNIX pam authentication doesn't work anymore for SGD 4.20-984

    In SGD 4.20 the UNIX/PAM/LDAP authentication doesn't work anymore.
    After login into tarantella "Invalid Credentials" appears.
    SGD is configured to authenticate UNIX users. In UNIX - PAM/LDAP is working properly:
    "getent passwd" shows all LDAP users and login with LDAP-Accounts via ssh is possible as well.
    Does somebody know what is wrong?

    Hi
    thanks for the quick answer.
    Here the output of "tarantella config list |grep login":
    login-ad-base-domain: ""
    login-ad-default-domain: ""
    login-ad: 0
    login-anon: 0
    login-ens: 1
    login-ldap-url: ldap://ts2ldasv001
    login-ldap: 0
    login-mapped: 0
    login-nt-domain: ""
    login-nt: 0
    login-securid: 0
    login-theme: sco/tta/standard
    login-thirdparty-superusers: sgd_trusted_user
    login-thirdparty: 0
    login-unix-group: 0
    login-unix-user: 1
    login-web-ens: 0
    login-web-ldap-ens: 0
    login-web-ldap-profile: 0
    login-web-profile: 0
    login-web-tokenvalidity: 180
    login-web-user: ttaserv
    server-login: enabled
    We activated just UNIX users authentication.
    I also tried pwconv without success...

  • OS Authentication in Solaris while using JDBC

    hi,
    I am trying to Authenticate a user, who is already connected to the database from a simple java class.
    Here in this case i am using Oracle 10g.
    My query is :
    Authenticate the user from the Java program without providing the password.
    The OS that i am using is Solaris.
    If anyone has ever tried the same please let me know the solution.
    Thanks in advance.
    Suresh

    Huh?
    > I am trying to Authenticate a user, who is already
    > connected to the database from a simple java class.
    If you are already connected why must you authenticate again?
    > Here in this case i am using Oracle 10g.
    > My query is :
    How is this a query?
    > Authenticate the user from the Java program without
    > providing the password.
    What magic are you hoping for that authenticates a user without a password. If you find one I think Oracle will be quite upset.
    > The OS that i am using is Solaris.
    Why would this be pertinent to authenticating a user through JDBC?
    Your post is very difficult to understand. Perhaps you can restate the problem?

  • Nt domain authentication from solaris

    Hello,
    Has anyone had any experience of authenticating application users (weblogic
    running on solaris) against NT domains ? Does weblogic have any inbuilt
    support for this ?
    thanks
    venkat

    Hi Venkat,
    I don't think you can do it. The weblogic documentation clearly says for
    WindowsNT Realm to work, the WLS must be running on a PDC/BDC.
    If you come across a breakthrough, please let me know.
    Ramesh
    "venkat" <[email protected]> wrote in message
    news:3b3f54bf$[email protected]..
    Hello,
    Has anyone had any experience of authenticating application users(weblogic
    running on solaris) against NT domains ? Does weblogic have any inbuilt
    support for this ?
    thanks
    venkat
