Pam_ldap and nss_ldap

Hello!
I made and put two packages in incoming: pam_ldap and nss_ldap.
LDAP authentication is now possible with Arch!
Comete
# Contributor: Comete <[email protected]>
pkgname=pam_ldap
pkgver=167
pkgrel=1
pkgdesc="The pam_ldap module provides the means for Solaris and Linux workstations to authenticate against LDAP directories, and to change their passwords in the directory."
url="http://www.padl.com/OSS/pam_ldap.html"
# openldap added: the module links against libldap/liblber at runtime
depends=('pam' 'openldap')
makedepends=('pam')
conflicts=()
replaces=()
# backup entries are relative to the package root, without a leading slash
backup=('etc/pam_ldap.conf')
install=
source=(http://www.padl.com/download/$pkgname.tgz)
md5sums=('05bc1ae27087583e20d948659c6b0d61')
build() {
  cd $startdir/src/$pkgname-$pkgver
  # Backslashes keep the options on one configure command line;
  # without them each option ran as a separate (failing) command
  ./configure \
    --libdir=/lib \
    --with-ldap-conf-file=/etc/pam_ldap.conf
  make || return 1
  # DESTDIR puts the files under the package dir. --libdir=/lib is an absolute
  # path, so overriding prefix= alone would have installed the module into the
  # live /lib/security (relies on the automake-generated Makefile honouring DESTDIR)
  make DESTDIR=$startdir/pkg install
}
# Contributor: Comete <[email protected]>
pkgname=nss_ldap
pkgver=212
pkgrel=1
pkgdesc="The nss_ldap module provides the means for Linux and Solaris workstations to resolve the entities defined in RFC 2307 from LDAP directories."
url="http://www.padl.com/OSS/nss_ldap.html"
# nss_ldap links against libldap/liblber (see --with-ldap=openldap below); it does not use PAM
depends=('openldap')
makedepends=()
conflicts=()
replaces=()
# backup entries are relative to the package root, without a leading slash
backup=('etc/libnss-ldap.conf')
install=
source=(http://www.padl.com/download/$pkgname.tgz)
md5sums=('707869f5bde25145d29f84f7ff591d9f')
build() {
  cd $startdir/src/$pkgname-$pkgver
  # Backslashes keep the options on one configure command line
  ./configure \
    --with-ldap-conf-file=/etc/libnss-ldap.conf \
    --with-ldap=openldap \
    --libdir=/lib \
    --enable-schema-mapping \
    --enable-rfc2307bis
  make || return 1
  # DESTDIR puts the files under the package dir; --libdir=/lib is absolute, so
  # overriding prefix= alone would install libnss_ldap into the live /lib
  make DESTDIR=$startdir/pkg install
}

Also make sure to start nscd on bootup. Otherwise your LDAP server will get many queries: a simple ls -la in your home directory will generate a query for each file in it.
Also, if you don't run nscd, pacman will segfault on syncing package lists, because it's statically linked to NSS.

Similar Messages

  • Solaris 8, pam_ldap and SSL/TLS

    Has anyone got experience of compiling and installing pam_ldap (padl version) with SSL/TLS support on Solaris 8? I tried compiling pam_ldap with the Netscape LDAP SDK, but it failed to compile ldap_ssl.h. So I am wondering... is that something I can do on Solaris 8? (I am using iDS 5.1)
    Error received on compilation:
    # ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk
    loading cache ../config.cache
    checking host system type... sparc-sun-solaris2.8
    checking target system type... sparc-sun-solaris2.8
    checking build system type... sparc-sun-solaris2.8
    checking for a BSD compatible install... ../install-sh -c
    checking whether build environment is sane... yes
    checking for mawk... no
    checking for gawk... no
    checking for nawk... nawk
    checking whether make sets ${MAKE}... yes
    checking for working aclocal... missing
    checking for working autoconf... found
    checking for working automake... missing
    checking for working autoheader... found
    checking for working makeinfo... missing
    checking for gnutar... no
    checking for gtar... no
    checking for tar... tar
    checking for gcc... gcc
    checking whether the C compiler (gcc ) works... yes
    checking whether the C compiler (gcc ) is a cross-compiler... no
    checking whether we are using GNU C... yes
    checking whether gcc accepts -g... yes
    checking how to run the C preprocessor... gcc -E
    checking for a BSD compatible install... ../install-sh -c
    checking for security/pam_appl.h... yes
    checking for security/pam_misc.h... no
    checking for security/pam_modules.h... yes
    checking for pam/pam_appl.h... no
    checking for pam/pam_misc.h... no
    checking for pam/pam_modules.h... no
    checking for des.h... no
    checking for crypt.h... yes
    checking for lber.h... yes
    checking for ldap.h... yes
    checking for ldap_ssl.h... yes
    checking for main in -ldl... yes
    checking for main in -lpam... yes
    checking for main in -lresolv... yes
    checking for main in -lcrypt... yes
    checking for main in -lnsl... yes
    checking for gethostbyname... yes
    checking for main in -lldap50... yes
    checking for main in -lpthread... yes
    checking for ldap_init... yes
    checking for ldap_get_lderrno... yes
    checking for ldap_set_lderrno... yes
    checking for ldap_parse_result... yes
    checking for ldap_memfree... yes
    checking for ldap_controls_free... yes
    checking for ldap_set_option... yes
    checking for ldap_get_option... yes
    checking for ldapssl_init... yes
    checking for ldap_start_tls_s... no
    checking for ldap_pvt_tls_set_option... no
    checking for ldap_initialize... no
    checking for gethostbyname_r... yes
    checking whether gethostbyname_r takes 6 arguments... 5
    checking for ldap_set_rebind_proc... yes
    checking whether ldap_set_rebind_proc takes 3 arguments... 3
    updating cache ../config.cache
    creating ./config.status
    creating Makefile
    creating config.h
    # make
    cd . && /padl/pam_ldap-161/missing aclocal
    WARNING: `aclocal' is missing on your system. You should only need it if
    you modified `acinclude.m4' or `configure.in'. You might want
    to install the `Automake' and `Perl' packages. Grab them from
    any GNU archive site.
    cd . && /padl/pam_ldap-161/missing automake --gnu Makefile
    WARNING: `automake' is missing on your system. You should only need it if
    you modified `Makefile.am', `acinclude.m4' or `configure.in'.
    You might want to install the `Automake' and `Perl' packages.
    Grab them from any GNU archive site.
    cd . && autoconf
    /bin/sh ../config.status --recheck
    running /bin/sh ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk --no-create --no-recursion
    checking build system type... sparc-sun-solaris2.8
    checking host system type... sparc-sun-solaris2.8
    checking target system type... sparc-sun-solaris2.8
    checking for a BSD-compatible install... ../install-sh -c
    checking whether build environment is sane... yes
    checking for gawk... no
    checking for mawk... no
    checking for nawk... nawk
    checking whether make sets $(MAKE)... yes
    checking for working aclocal... missing
    checking for working autoconf... found
    checking for working automake... missing
    checking for working autoheader... found
    checking for working makeinfo... missing
    checking for gnutar... no
    checking for gtar... no
    checking for tar... tar
    checking for gcc... gcc
    checking for C compiler default output... a.out
    checking whether the C compiler works... yes
    checking whether we are cross compiling... no
    checking for suffix of executables...
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ANSI C... none needed
    checking how to run the C preprocessor... gcc -E
    checking for a BSD-compatible install... ../install-sh -c
    checking for egrep... egrep
    checking for ANSI C header files... yes
    checking for sys/types.h... yes
    checking for sys/stat.h... yes
    checking for stdlib.h... yes
    checking for string.h... yes
    checking for memory.h... yes
    checking for strings.h... yes
    checking for inttypes.h... yes
    checking for stdint.h... no
    checking for unistd.h... yes
    checking security/pam_appl.h usability... yes
    checking security/pam_appl.h presence... yes
    checking for security/pam_appl.h... yes
    checking security/pam_misc.h usability... no
    checking security/pam_misc.h presence... no
    checking for security/pam_misc.h... no
    checking security/pam_modules.h usability... no
    checking security/pam_modules.h presence... yes
    configure: WARNING: security/pam_modules.h: present but cannot be compiled
    configure: WARNING: security/pam_modules.h: check for missing prerequisite headers?
    configure: WARNING: security/pam_modules.h: proceeding with the preprocessor's result
    configure: WARNING: ## ------------------------------------ ##
    configure: WARNING: ## Report this to [email protected]. ##
    configure: WARNING: ## ------------------------------------ ##
    checking for security/pam_modules.h... yes
    checking pam/pam_appl.h usability... no
    checking pam/pam_appl.h presence... no
    checking for pam/pam_appl.h... no
    checking pam/pam_misc.h usability... no
    checking pam/pam_misc.h presence... no
    checking for pam/pam_misc.h... no
    checking pam/pam_modules.h usability... no
    checking pam/pam_modules.h presence... no
    checking for pam/pam_modules.h... no
    checking des.h usability... no
    checking des.h presence... no
    checking for des.h... no
    checking crypt.h usability... yes
    checking crypt.h presence... yes
    checking for crypt.h... yes
    checking lber.h usability... yes
    checking lber.h presence... yes
    checking for lber.h... yes
    checking ldap.h usability... yes
    checking ldap.h presence... yes
    checking for ldap.h... yes
    checking ldap_ssl.h usability... no
    checking ldap_ssl.h presence... yes
    configure: WARNING: ldap_ssl.h: present but cannot be compiled
    configure: WARNING: ldap_ssl.h: check for missing prerequisite headers?
    configure: WARNING: ldap_ssl.h: proceeding with the preprocessor's result
    configure: WARNING: ## ------------------------------------ ##
    configure: WARNING: ## Report this to [email protected]. ##
    configure: WARNING: ## ------------------------------------ ##
    checking for ldap_ssl.h... yes
    checking for main in -ldl... yes
    checking for main in -lpam... yes
    checking for main in -lresolv... yes
    checking for main in -lcrypt... yes
    checking for main in -lnsl... yes
    checking for gethostbyname... yes
    checking for main in -lldap50... yes
    checking for main in -lpthread... yes
    checking for ldap_init... yes
    checking for ldap_get_lderrno... yes
    checking for ldap_set_lderrno... yes
    checking for ldap_parse_result... yes
    checking for ldap_memfree... yes
    checking for ldap_controls_free... yes
    checking for ldap_set_option... yes
    checking for ldap_get_option... yes
    checking for ldapssl_init... yes
    checking for ldap_start_tls_s... no
    checking for ldap_pvt_tls_set_option... no
    checking for ldap_initialize... no
    checking for gethostbyname_r... yes
    checking whether gethostbyname_r takes 6 arguments... 5
    checking for ldap_set_rebind_proc... yes
    checking whether ldap_set_rebind_proc takes 3 arguments... 3
    configure: creating ../config.status
    cd . \
    && CONFIG_FILES=Makefile CONFIG_HEADERS= /bin/sh ./config.status
    config.status: creating Makefile
    config.status: executing default-1 commands
    gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o pam_ldap.o pam_ldap.c
    gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o md5.o md5.c
    /usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ../exports.solaris -G -B group -lc -L/ldapsdk/lib -R/ldapsdk/lib pam_ldap.o md5.o -lpthread -lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 -lnsl -lcrypt -lresolv -lpam -ldl
    cd . && autoheader
    WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
    WARNING: and `config.h.top', to define templates for `config.h.in'
    WARNING: is deprecated and discouraged.
    WARNING: Using the third argument of `AC_DEFINE' and
    WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
    WARNING: `acconfig.h':
    WARNING: AC_DEFINE([NEED_MAIN], 1,
    WARNING: [Define if a function `main' is needed.])
    WARNING: More sophisticated templates can also be produced, see the
    WARNING: documentation.
    cd . \
    && CONFIG_FILES= CONFIG_HEADERS=config.h \
    /bin/bash ../config.status
    config.status: creating config.h
    config.status: executing default-1 commands

  • Solaris pam_ldap and passwordless logins

    Dear all,
    http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
    states:
    After you enable pam_ldap account management, all users must provide a password any time they log in to the system. A login password is required for authentication. Therefore, nonpassword-based logins using tools such as rsh, rlogin, or ssh will fail.
    Can somebody confirm that this is really true?
    Background:
    We are using shosts.equiv, which worked fine with NIS. Now we switched to LDAP and everything works fine -- except passwordless logins. Password-based logins work fine. But passwordless (publickey or shosts) gives this message in /var/adm/messages:
    sshd[9023]: [ID 778364 auth.warning] libsldap: server xx.xx.xx.xx does not provide account information without password
    Does anybody see a chance of getting passwordless logins with pam_ldap to work at all?
    Cheers,
    Jan

    I don't know if LPK (LDAP Public Key) helps, please try and let us know.
    http://www.opendarwin.org/en/projects/openssh-lpk/
    (google "ldap public key")
    Gary

  • Issue with pam_ldap and referrals

    I'm currently running into a problem where pam_ldap is complaining about a bad referral when trying to make password changes. Here the debug output from /var/adm/messages
    Jun 10 18:25:53 ldapclnt passwd[761]: [ID 545954 user.error] libsldap: Invalid or non-LDAP URL when processing referrals URL: ldap://sea-d-ldap1.xypoint.com:389
    Jun 10 18:25:53 ldapclnt passwd[761]: [ID 293258 user.error] libsldap: Status: 0 Mesg: Internal write State machine exit (state = 14, rc = 0).
    Currently we are set up with Directory Server 5 packaged with Solaris 9. We have a multi-master setup with 2 machines being masters and one machine being a consumer. The ldap_pam is set up so that it will follow referrals and will use the consumer LDAP as its primary authentication store.
    I'm a bit suspicious of the LDAP URLs that are getting returned from the server, as doing an LDAP modify doesn't work either. When doing ldapmodify -v -R, here is what I get returned.
    bash-2.05$ ./ldapmodify -v -R -D "cn=Directory Manager" -w password
    ldapmodify: started Wed Jun 11 10:50:46 2003
    ldap_init( localhost, 389 )
    dn: uid=nada,ou=people,dc=operations,dc=xypoint,dc=com
    changetype: modify
    replace: homeDirectory
    homeDirectory: /var/tmp
    ldapmodify: value: /var/tmp vlen: 8
    ldapmodify: ldaptool_berval_from_ldif_value: value: /var/tmp
    replace homeDirectory:
    /var/tmp
    modifying entry uid=nada,ou=people,dc=operations,dc=xypoint,dc=com
    ldap_modify: Referral received
    ldap_modify: matched: dc=operations,dc=xypoint,dc=com
    Referral: ldap://sea-d-ldap1.xypoint.com:389
    I thought that LDAP URLs needed to be post-pended with a '/', but I could be wrong....
    At any rate if there is any news on this issue or some configuration parameters I should try, please let me know.

    I have exactly the same problem and have raised an SR with Oracle. I suspect you can override this behaviour if you could somehow populate Organization Name during reconciliation with a value other than the default, updating /db/LDAPUser for the required mapping. Unfortunately in my case to do this I would need to run some code to get the required Organization Name, which I had hoped I could call via a custom Transformation, but I cannot get Transformation code to run in this instance.
    The other option, which does not seem so ideal to me, would be to have a post process event handler which, if it still has access to the required data, could move users back from the default organization, but it is not great as it means every time you run a full reconciliation many users would be updated twice, to move them to the default then back to their proper organization.
    For now I have proposed a manual workaround where before a full reconciliation is run (manually only) I extract from the database a list of all user's organizations, then replay this back to the database after reconciliation to put everyone back where they should be.

  • Pam_ldap / nss_ldap questions okay here?

    Hello.
    I've got some problems with the Sun pam_ldap and nss_ldap "bits" on Solaris 9 and 10. The LDAP server is an OpenLDAP server.
    Are questions regarding this okay here?
    Thanks,
    Alexander

    I take that to be a "yes"? :)
    All right, I'll post my question in a new thread.
    Thanks,
    Alexander

  • Solaris 10 openldap authentication with md5 passwords

    Hello to everyone,
    We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
    We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
    The error messages when trying to 'su -' to the ldap user are:
    Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
    and for ssh:
    Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
    Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments of the files have been removed).
    Please feel free to ask for any other configuration file:
    */etc/pam.conf*
    login   auth requisite        pam_authtok_get.so.1
    login   auth required         pam_dhkeys.so.1
    login   auth required         pam_unix_cred.so.1
    login   auth required         pam_dial_auth.so.1
    login   auth sufficient       pam_unix_auth.so.1  server_policy debug
    login   auth required           /usr/lib/security/pam_ldap.so.1 debug
    rlogin auth sufficient       pam_rhosts_auth.so.1
    rlogin auth requisite        pam_authtok_get.so.1
    rlogin auth required         pam_dhkeys.so.1
    rlogin auth required         pam_unix_cred.so.1
    rlogin  auth required          pam_unix_auth.so.1 use_first_pass
    rsh    auth sufficient       pam_rhosts_auth.so.1
    rsh    auth required         pam_unix_cred.so.1
    rsh    auth required         pam_unix_auth.so.1
    ppp     auth requisite        pam_authtok_get.so.1
    ppp     auth required         pam_dhkeys.so.1
    ppp     auth required         pam_dial_auth.so.1
    ppp     auth sufficient       pam_unix_auth.so.1 server_policy
    other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
    other   auth required           pam_unix_auth.so.1 use_first_pass debug
    passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
    passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
    cron    account required      pam_unix_account.so.1
    other   account requisite     pam_roles.so.1
    other   account sufficient       pam_unix_account.so.1 server_policy
    other   account required        /usr/lib/security/pam_ldap.so.1 debug
    other   session required      pam_unix_session.so.1
    other   password required     pam_dhkeys.so.1
    other   password requisite    pam_authtok_get.so.1
    other   password requisite    pam_authtok_check.so.1
    other   password required     pam_authtok_store.so.1 server_policy
    */etc/ldap.conf*
    base ou=users,ou=Example,dc=staff,dc=example
    ldap_version 3
    scope sub
    pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
    pam_member_attribute memberUid
    nss_map_attribute uid displayName
    nss_map_attribute cn sn
    pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
    uri ldap://ldapserver01/
    ssl no
    bind_timelimit 1
    bind_policy soft
    timelimit 10
    nss_reconnect_tries 3
    host klnsds01
    nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
    pam_password md5
    */etc/nsswitch.conf*
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    ipnodes:   files dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:       user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files

    */etc/security/policy.conf*
    AUTHS_GRANTED=solaris.device.cdrw
    PROFS_GRANTED=Basic Solaris User
    CRYPT_ALGORITHMS_DEPRECATE=__unix__
    LOCK_AFTER_RETRIES=YES
    CRYPT_ALGORITHMS_ALLOW=1,2a,md5
    CRYPT_DEFAULT=1

    Thanks in advance for any response...!!

    Thank you for your reply.
    Our openldap version is openldap-2.3.39
    And all passwords are encrypted with: Base64-encoded MD5.
    Below is a sample password:
    {md5}2FeO34RYzgb7xbt2pYxcpA==

    Thanks again for any help..

  • Nfs start ???

    hi..
    I would like to make a network with a lot of computers that has a main server with all the /homes in. When people log in on the clients, they should have their username and passwd, and when they're logged in, their /home from the server should be the home on the client also...
    I have noticed a lot of questions about that, but they're also old questions. As I'm thinking, there must be some updates on that since 02? So just a question: which packages do I need to have installed today if I want this to work?
    THX

    I got that one now....
    But the meaning was that the users only should have access to their own home - not all! And on the client they should put in username and passwd and have that validated on an LDAP server. I got the LDAP running, but can't get the client to show the users on LDAP. So am I missing something..
    I have configured pam_ldap.conf & nss_ldap.conf (it's an example I can see) but can't see the client... So what am I doing wrong or missing?

  • After jumpstart host doesn't prompt for root password

    Hiya gang,
    I am migrating my jumpstart functionality to a new server and while it would appear that 100% of things are identical on both (as far as my /jumpstart tree is concerned), when I jumpstart a host (V240, in this case, but I've seen it on a SunBlade 150 too) everything appears to go well, but after the host reboots at the very end and I attempt to log in on console as root I am not even prompted for a password.
    I've booted to single user over the net and on the disk that was just jumpstarted I see what would appear to be a normal Solaris system. There are no indications that I can find of why it wouldn't prompt for password at all, and I'm not well enough versed with the way the login functionality works to know why this is.
    My new jumpstart server is running Solaris 10 (08/07), and I'm trying to jump a host with the same version. The very same jumpstart using my old jumpstart server works just fine.
    Thanks in advance,
    pb

    Darren,
    Thanks for your reply. It got me in the right frame of mind for troubleshooting :)
    I set up pam debugging for pam_ldap and got the following messages in /var/adm/messages:
    Aug 29 10:13:46 testfoo login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
    Aug 29 10:13:46 testfoo login: [ID 562097 auth.alert] open_module: Owner of the module /usr/lib/security/pam_mkhomedir.so is not root
    Aug 29 10:13:46 testfoo login: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_mkhomedir.so
    Aug 29 10:13:46 testfoo svc.startd[7]: [ID 694882 daemon.notice] instance svc:/system/console-login:default exited with status 1
    Aug 29 10:56:51 testfoo su[3209]: [ID 105162 auth.alert] open_pam_conf: Owner of /etc/pam.conf is not root
    Aug 29 10:57:49 testfoo login[1225]: [ID 105162 auth.alert] open_pam_conf: Owner of /etc/pam.conf is not root
    ...so, I checked them out and /etc/pam.conf and /usr/lib/security/pam_mkhomedir.so are both owned nobody:nobody, which smelled like an NFS issue since both of those files are copied over to the hosts as part of a JASS_FILES variable, but during the finish script execution (they're copied by install-templates.fin). So, I did some digging there and found another Sun forum thread that had info on it:
    http://forums.sun.com/thread.jspa?forumID=841&threadID=5100999
    ...so I made the requisite change to /etc/default/nfs (setting the max version to 3) and the next jumpstart I tested worked perfectly, password prompt and all. All files that were previously owned nobody:nobody had the correct ownership this time around.
    Crazy!
    Thanks again Darren for your input!
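    An added example (not part of the thread, Solaris or JASS): a Python triage of /var/adm/messages lines for the open_pam_conf / open_module ownership failures quoted above, plus the pam_ldap "no legal authentication method configured" error quoted in the OpenSSH post further down, followed by the ownership check a finish script could run before trusting a copied pam.conf. The sample log lines are constructed from the ones quoted in this thread.

```python
"""Triage Solaris /var/adm/messages for the PAM failures quoted in this thread
and verify ownership of the files they implicate. Added example, not part of
the original posts or of Solaris/JASS."""
import os
import re

# Solaris syslog line: "<ts> <host> <proc>[pid]: [ID <n> <facility>.<level>] <msg>"
_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"\[ID (?P<msgid>\d+) (?P<fac>\w+)\.(?P<lvl>\w+)\] (?P<msg>.*)$"
)

# Message texts as they appear in the thread, with the path they implicate.
_PATTERNS = (
    ("bad-owner", re.compile(r"Owner of (?:the module )?(?P<path>\S+) is not root")),
    ("module-load-failed", re.compile(r"can not open module (?P<path>\S+)")),
    ("pam_ldap-no-auth-method",
     re.compile(r"pam_ldap: no legal authentication method configured")),
)

# Constructed sample, built from the lines quoted in this thread.
SAMPLE_LOG = """\
Aug 29 10:13:46 testfoo login: [ID 293258 auth.warning] libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Aug 29 10:13:46 testfoo login: [ID 562097 auth.alert] open_module: Owner of the module /usr/lib/security/pam_mkhomedir.so is not root
Aug 29 10:13:46 testfoo login: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_mkhomedir.so
Aug 29 10:56:51 testfoo su[3209]: [ID 105162 auth.alert] open_pam_conf: Owner of /etc/pam.conf is not root
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
""".splitlines()


def parse_line(raw):
    """Dict of the syslog fields, or None for lines not in Solaris msgid format."""
    m = _LINE.match(raw.strip())
    return m.groupdict() if m else None


def triage(lines):
    """List of (host, proc, kind, path) for every PAM failure we recognise."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        for kind, pat in _PATTERNS:
            m = pat.search(rec["msg"])
            if m:
                path = m.groupdict().get("path")   # None for the pam_ldap message
                findings.append((rec["host"], rec["proc"], kind, path))
                break
    return findings


def paths_to_verify(findings):
    """Distinct files that libpam refused to trust, for the ownership check below."""
    return sorted({path for _, _, _, path in findings if path})


def owned_by_root(path, stat_fn=os.stat):
    """True when path exists, is owned by uid 0 and is not group/world writable.
    The uid test is what open_pam_conf/open_module complain about in the log;
    the writable test is an added hardening condition (an assumption here)."""
    try:
        st = stat_fn(path)
    except OSError:
        return False
    return st.st_uid == 0 and not (st.st_mode & 0o022)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for host, proc, kind, path in found:
        print(f"{host} {proc}: {kind} {path or ''}")
    for path in paths_to_verify(found):
        print(path, "ok" if owned_by_root(path) else "NOT trusted by libpam")
```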

  • Dbus hanging at startup, nss_ldap and pam_ldap to blame?

    https://bbs.archlinux.org/viewtopic.php?id=104114
    This post is about the same problem I'm having, but I don't really like the solution. I'm running an Arch box that is authenticating users through a Windows domain using LDAP and Kerberos. I know I can remove pam_ldap without any issue since the PAM part of the setup is only using Kerberos, but I don't think I can remove nss_ldap without breaking authentication. Does anyone else have a workaround? I'm going to try removing the one once I get back into the box with an Arch boot disk, and I'll update if that goes well.

  • /etc/pam_ldap.conf, /etc/nss_ldap.conf ?? Help!

    I never thought I'd ever say that, but...
    I decided to switch my faculty's workstations from Gentoo to Arch. It seemed to be a good idea until I started to configure the LDAP client. Under Gentoo it seems to be much _easier_... :-(
    Instead of a single file there are two: /etc/pam_ldap.conf and /etc/nss_ldap.conf. I'm trying to figure out the difference between them. They differ... slightly. I wonder what'd happen if I deleted one of them and created just a symlink? If there are two files there should be some reason for this, but I can't guess what reason -- I can't find any... Thanks for any clarification.
    Last edited by quayasil (2011-08-22 08:07:54)

    I sincerely doubt that. You can change the way you're authenticating yourself to SSH, but that doesn't automatically imply that you would also need to change the way SSH checks this authentication with the system.
    Besides, just take another careful look at the sshd_config file; you'll see that RSA authentication is enabled by default but disabled in Solaris 10. Simply change the option and... Also keep in mind that RSAAuthentication applies to protocol 1, and I'm not too sure that you'd want to fully focus on that.

  • JSDS 6.2 and Solaris 10 UNIX Accounts (simple,proxy)

    Hi,
    I just got my Solaris 10 server-client setup working. Here are some items that may be useful to you. All I'm using LDAP for at this point is user authentication, including home directory management from the server (NFS share and auto_fs setup in LDAP and on the client).
    My server is JSDS 6.2 (at least, that's what Sun's Download Center id'd it as). Here's the output of the DBVERSION file:
    cat /var/opt/SUNWdsee/dsins1/db/DBVERSION
    Sun-ldbm/6.0(64-bit) SunOS 5.10 sparc
    ASSUMPTIONS:  You have the LDAP server installed and running and you are ready to run /usr/lib/ldap/idsconfig
    Both systems patched to latest Recommended cluster and patches shown at JSDS download site. Also, make sure CRYPT is selected during idsconfig.
    myserver: UE450
    (myserver-root: /:225)-> showrev
    Hostname: myserver
    Hostid: 1234567890
    Release: 5.10
    Kernel architecture: sun4u
    Application architecture: sparc
    Hardware provider: Sun_Microsystems
    Domain: example.com
    Kernel version: SunOS 5.10 Generic_127111-01
    myclient: SF V445
    (myclient-root: /:130)-> showrev
    Hostname: myclient
    Hostid: 1234567890
    Release: 5.10
    Kernel architecture: sun4u
    Application architecture: sparc
    Hardware provider: Sun_Microsystems
    Domain: example.com
    Kernel version: SunOS 5.10 Generic_127111-01
    ON CLIENT:
    ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com
    -a profileName=myprofile my.svr.ip.addr:port (port if not 389)
    I was not fully qualifying proxyDN and this caused authentication failures. ( do not run ldapclient init until the following are done first )
    ON CLIENT: I edited the stock pam.conf and made sure the only entries active were those id'd in Sun's doc. Also, I made sure I followed the same order in each section as in Sun's doc.
    pam.conf ( from Sun's JSDS Admin guide ) on LDAP client:
    (*ldap-client*-root: /var/tmp:213)-> cat /etc/pam.conf
    #ident "@(#)pam.conf 1.28 04/04/21 SMI"
    # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    #login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    #rlogin auth required pam_unix_auth.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    #ppp auth required pam_unix_cred.so.1
    #ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    #other auth required pam_unix_auth.so.1
    other auth binding pam_unix_auth.so.1 server_policy
    other auth required pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    #passwd auth required pam_passwd_auth.so.1
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    #other account required pam_unix_account.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    #other password required pam_authtok_store.so.1
    other password required pam_authtok_store.so.1 server_policy
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    ON CLIENT: Sun's nsswitch.ldap file, which gets activated after running ldapclient init, has LDAP take over everything. I use a trimmed-down nsswitch.conf with very few ldap entries.
    nsswitch.conf on LDAP client
    (*ldap-client*-root: /var/tmp:215)-> cat /etc/nsswitch.conf
    # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # LDAP service requires that svc:/network/ldap/client:default be enabled
    # and online.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down. Not using LDAP for hosts
    hosts: files dns
    # Note that IPv4 addresses are searched for in all of the ipnodes databases
    # before searching the hosts databases.
    ipnodes: files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: files
    automount: files ldap
    aliases: files
    # for efficient getservbyname() avoid ldap
    services: files
    printers: user files
    auth_attr: files
    prof_attr: files
    project: files
    tnrhtp: files
    tnrhdb: files
    ON CLIENT:
    contents of /var/ldap files on client: notice the fully qualified NS_LDAP_BINDDN - it took me quite some time to understand that this had to be fully qualified or I would continue to get those "Error: Unable to update from profile" messages in /var/ldap/cachemgr.log and "openConnection: simple bind failed - No such object" errors in /var/adm/messages.
    (*ldap-client*-root: /var/ldap:218)-> cat ldap*
    # Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=pacmh,dc=us,dc=eds,dc=com
    NS_LDAP_BINDPASSWD= (removed)
    # Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= my.svr.ip.addr:port (port if not 389)
    NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= my.svr.ip.addr:port (port if not 389)
    NS_LDAP_CACHETTL= 3600
    NS_LDAP_PROFILE= myprofile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 15
    ON SERVER
    After running /usr/lib/ldap/idsconfig, I had to create VLV indexes with this command ( after idsconfig runs, it says to use directoryserver command, which does not exist in JSDS 6.2)
    /opt/SUNWdsee/ds6/bin/dsconf create-index -h myserver -p nnnn ( port if not 389 ) dc=example,dc=com getgrent gethostent [....]
    enter space-separated list of all VLV indexes idsconfig said to add after you ran idsconfig
    ON CLIENT:
    If you need to clear client init: ldapclient uninit (if you get errors, check if ldap_cachemgr is running; if it is, kill -9 it, clear the /var/ldap directory, and make sure nsswitch.conf is not pointing to ldap stuff -- cp /etc/nsswitch.files /etc/nsswitch.conf)
    Initialize ldapclient:
    ldapclient -v init -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com
    -a profileName=myprofile my.svr.ip.addr:port (port if not 389)
    If this still does not work, clean up the client again as before and reboot it. I had some issues with Sun's nsswitch.conf file for LDAP taking over my client machine and rendering it useless until I rebooted it with files-settings in nsswitch.conf, made my own nsswitch.ldap file in /etc so Sun's LDAP-happy nsswitch file would not be used, and then ran ldapclient init.
    ON CLIENT
    cp /etc/passwd /var/tmp/passwd.ldif ( same for group, shadow, auto_home, auto_master )
    Edit each ldif file and remove all entries other than regular user accounts and nobody/noaccess accounts
    passwd.ldif should look something like this:
    johndoe:x:146:14:John Doe:/home/johndoe:/bin/ksh
    janedoe:x:145:14:Jane Doe:/home/janedoe:/bin/ksh
    nobody:x:60001:60001:NFS Anonymous Access User:/:
    noaccess:x:60002:60002:No Access User:/:
    nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
    For auto_home, make sure each entry starts w/home-dir server's ip-addr: it'll look something like this:
    janedoe 10.10.20.50:/export/home/janedoe
    johndoe 10.10.20.50:/export/home/johndoe
    ldapaddent -D "cn=Directory Manager" -w <password> -f /var/tmp/passwd.ldif passwd
    .... group.ldif group
    .... shadow.ldif shadow
    .... auto_home.ldif auto_home
    .... auto_master.ldif auto_master
    NOTE order is important: passwd, group, shadow
    ON CLIENT
    /etc/auto_master
    +auto_master
    /etc/auto_home
    +auto_home
    enable these NFS daemons: (i.e. svcadm enable network/nfs/status)
    online 9:06:26 svc:/network/nfs/status:default
    online 9:06:27 svc:/network/nfs/nlockmgr:default
    online 13:09:41 svc:/network/nfs/cbd:default
    online 13:09:41 svc:/network/nfs/mapid:default
    online 13:09:41 svc:/network/nfs/client:default
    enable auto_fs
    online 13:37:42 svc:/system/filesystem/autofs:default
    ON SERVER
    enable these NFS daemons:
    online 16:36:16 svc:/network/nfs/cbd:default
    online 16:36:16 svc:/network/nfs/status:default
    online 16:36:17 svc:/network/nfs/mapid:default
    online 16:36:17 svc:/network/nfs/nlockmgr:default
    online 16:36:22 svc:/network/nfs/rquota:default
    online 16:36:22 svc:/network/nfs/client:default
    online 16:36:23 svc:/network/nfs/server:default
    ON HOME DIRECTORY SERVER
    export home dirs
    (home-dir-svr-root: /var/tmp:221)-> cat /etc/dfs/dfstab
    # Place share(1M) commands here for automatic execution
    # on entering init state 3.
    # Issue the command 'svcadm enable network/nfs/server' to
    # run the NFS daemon processes and the share commands, after adding
    # the very first entry to this file.
    # share [-F fstype] [ -o options] [-d "<text>"] <pathname> [resource]
    # .e.g,
    share -F nfs -o rw -d "home dirs" /export/home
    shareall
    enable auto_fs
    online 13:37:42 svc:/system/filesystem/autofs:default
    ON LDAP SERVER via the GUI (not sure how to do this via the command line, and since I have a Java GUI I'm not going to knock myself out on the command line trying to do something it'll take 15 seconds to do from the GUI -- command-line purists, feel free to contribute the command to do this):
    From GUI, go into your DS instance: --> entry Management --> automountMapName=auto_home --> automountinformation: 144.10.199.220:/export/home/janedoe
    Verify home-dir-svr IP and home dir info are correct.
    log on as user from ldap-client
    NOTE: I did not alter any UNIX system files ( nsswitch.conf, pam.conf, passwd, auto_home, and the like) on LDAP server.
    Not sure if I missed anything, but hope this helps.
    John
    Edited by: No_Windoze on Nov 14, 2007 4:16 PM
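    As an added example (not code from this thread, Sun or PADL), a Python checker that parses a Solaris pam.conf and compares every auth stack that uses pam_ldap.so.1 with the layout quoted above from Sun's JSDS guide (pam_unix_auth.so.1 as `binding ... server_policy` ahead of a `required` pam_ldap.so.1). It serves both this post and the first post's pam.conf, whose `other auth` stack (pam_ldap `sufficient`, then pam_unix_auth `use_first_pass`) is the older style; the two sample stacks below are constructed from those listings.

```python
"""Parse a Solaris /etc/pam.conf and compare each auth stack that uses
pam_ldap.so.1 with the layout quoted from Sun's JSDS admin guide above.
Added example for this thread, not Sun's or PADL's code."""
from collections import defaultdict

# Constructed samples. OLD_STYLE mirrors the "other auth" stack in the first
# post (pam_ldap sufficient, then pam_unix_auth use_first_pass); SUN_STYLE is
# the "other auth" stack from the pam.conf listed in the JSDS post.
OLD_STYLE = """\
other   auth sufficient   /usr/lib/security/pam_ldap.so.1 debug
other   auth required     pam_unix_auth.so.1 use_first_pass debug
"""
SUN_STYLE = """\
# Default definitions for Authentication management
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
#other auth required pam_unix_auth.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
"""


def parse_pam_conf(text):
    """Map (service, module-type) -> [(control, module, options)] in file order.
    Comments are dropped and absolute module paths reduced to the basename."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module, *opts = fields
        module = module.rsplit("/", 1)[-1]
        stacks[(service, mtype.lower())].append((control.lower(), module, opts))
    return dict(stacks)


def check_ldap_auth_stack(entries):
    """Findings for one auth stack, judged against the Sun layout: a 'binding'
    pam_unix_auth.so.1 with server_policy listed BEFORE a 'required'
    pam_ldap.so.1, so local accounts short-circuit at the binding module and
    accounts served by LDAP are left to pam_ldap."""
    findings = []
    mods = [m for _, m, _ in entries]
    if "pam_ldap.so.1" not in mods:
        return findings
    ldap_idx = mods.index("pam_ldap.so.1")
    ldap_ctl, _, ldap_opts = entries[ldap_idx]
    if "pam_unix_auth.so.1" not in mods:
        findings.append("pam_ldap.so.1 is stacked without pam_unix_auth.so.1")
    else:
        unix_idx = mods.index("pam_unix_auth.so.1")
        unix_ctl, _, unix_opts = entries[unix_idx]
        if unix_idx > ldap_idx:
            findings.append("pam_unix_auth.so.1 comes after pam_ldap.so.1; Sun layout puts it first")
        if unix_ctl != "binding" or "server_policy" not in unix_opts:
            findings.append("pam_unix_auth.so.1 is not 'binding ... server_policy'")
        if ldap_ctl != "required":
            findings.append(f"pam_ldap.so.1 control is '{ldap_ctl}'; Sun layout uses 'required'")
    if "debug" in ldap_opts:
        findings.append("pam_ldap.so.1 still has 'debug' (verbose auth.debug syslog output)")
    return findings


def check_pam_conf(text):
    """{service: findings} for every auth stack that references pam_ldap.so.1."""
    report = {}
    for (service, mtype), entries in parse_pam_conf(text).items():
        if mtype == "auth":
            findings = check_ldap_auth_stack(entries)
            if findings:
                report[service] = findings
    return report


if __name__ == "__main__":
    for name, text in (("old-style", OLD_STYLE), ("sun-layout", SUN_STYLE)):
        print(name, check_pam_conf(text) or "OK")
```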

    Just remembered something that is very subtle during idsconfig:
    At one point during idsconfig, there's a question about storing passwords in unix CRYPT format. You must answer yes to that question or none of this will work. The default answer is no.
    John
    Hi munnik,
    I had the same errors initially. I didn't write down what I did to clear them (oops!) but I think what I did to 'fix' this was I restarted/rebooted (can't remember which) the directory server to clear the error and then, from the client and in this order - passwd, group, shadow - I re-added the ldifs.
    If you're still having issues with DS, make sure the VLV index step discussed above was done, nothing missed, no errors - redo if necessary: uninit client(s), reinit client(s) with the new profile created as a result of running idsconfig to recreate VLV indexes - it'll skip any VLV indexes that are in the server and display a message to that effect. It's a rather brute-force method of doing things, but I couldn't locate much in the way of troubleshooting user account creation issues.
    When I add a new user, here's what I do: add user to server where home dirs are and create a set of passwd, shadow, and auto_home ldif files with just the new user info and run ldapaddent. Then I add them to group (if necessary) with direct edit on ldap server.
    HTH
    John
    (aka NoWindoze)
    indexes and VLV Indexes 'created' when I ran idsconfig:
    uidNumber (eq,pres) skipped already exists
    ipNetworkNumber (eq,pres) skipped already exists
    gidnumber (eq,pres) skipped already exists
    oncrpcnumber (eq,pres) skipped already exists
    automountKey (eq,pres) skipped already exists
    VLV-indexes:
    getgrent vlv_index skipped already exists
    gethostent vlv_index skipped already exists
    getnetent vlv_index skipped already exists
    getpwent vlv_index skipped already exists
    getrpcent vlv_index skipped already exists
    getspent vlv_index skipped already exists
    getauhoent vlv_index skipped already exists
    getsoluent vlv_index skipped already exists
    getauduent vlv_index skipped already exists
    getauthent vlv_index skipped already exists
    getexecent vlv_index skipped already exists
    getprofent vlv_index skipped already exists
    getmailent vlv_index skipped already exists
    getbootent vlv_index skipped already exists
    getethent vlv_index skipped already exists
    getngrpent vlv_index skipped already exists
    getipnent vlv_index skipped already exists
    getmaskent vlv_index skipped already exists
    getprent vlv_index skipped already exists
    getip4ent vlv_index skipped already exists
    getip6ent vlv_index skipped already exists
    You can see indexes defined in your server with this command:
    dsconf list-indexes -h ldap.server.host.name-or.ip -p 389
    Edited by: SolarisSAinPA on Nov 30, 2007 1:05 PM
    Edited by: SolarisSAinPA on Nov 30, 2007 1:40 PM

  • Nsswitch doesn't run PADL's nss_ldap.so

    Hi, all!
    I've really broken my brain.
    I've successfully compiled PADL's nss_ldap-253 with openldap-2.3.21 and openssl-0.9.7i. All linked static.
    /etc/nsswitch.conf reads "passwd: files ldap". nss_ldap.so copied to /usr/lib/nss_ldap.so.1.
    When I run `getent passwd` it displays content of /etc/passwd only and exits with code 0. truss shows that it opens /usr/lib/nss_ldap.so.1. But it doesn't run any functions, even nssldap_passwd_constr().
    I've downloaded ready-to-use nss_ldap.so.1 from www.symas.com and it works fine. It frustrates and encourages me. I cannot understand what is wrong with my job?
    I have Sun Fire V240, Solaris 9 9/05, GCC 3.4.2.
    openssl-0.9.7i:
    # ./config no-hw threads
    # make ; make install
    openldap-2.3.21:
    # ./configure --disable-ipv6 --disable-slapd --disable-slurpd --disable-shared --without-cyrus-sasl \
    --with-tls CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib
    # make depend ; make ; make install
    nss_ldap-253:
    # CPPFLAGS=-I/usr/local/ssl/include LDFLAGS=-L/usr/local/ssl/lib LIBS="-lssl -lcrypto" \
    ./configure --with-ldap-dir=/usr/local --with-ldap-lib=openldap --enable-rfc2307bis \
    --with-ldap-conf-file=/etc/ldap.conf --with-ldap-secret-file=/etc/ldap.secret
    # LDADD=-L/usr/local/ssl/lib make
    # cp nss_ldap.so /usr/lib/nss_ldap.so.1
    # ln -s /etc/ldap.conf /usr/local/etc/openldap/ldap.conf

    GCC 3.4.2 was the matter. GCC 3.3.2 works fine.

  • Sgd + ldap auth + ssh and numeric usernames

    Hi there, sorry if there is a well-known answer to my problem, but I have not found it.
    Anyway, we have a problem where our customer wants to use purely numeric usernames to log in to Secure Global Desktop.
    From the point of view of Secure Global Desktop we don't have any problems with this; the problem happens later on with the ssh to Solaris (which is set up with LDAP authentication), in that I have not been able to get purely numerical logins to work with Solaris pam_ldap. Now some of you may think that this is not an SGD problem, and that is true, but I was wondering if SGD could help me solve this.
    My question is simple: can SGD use a "different" username taken from LDAP after it has logged in the user, instead of the username that the user provided?
    ex.
    the user logs in to SGD with the username 173651
    when starting the application, instead of logging in to the application server (via ssh) with username 173651, it should take another field from LDAP that holds the Solaris username.
    thanks for any answers and hints.

    Sorry, but you misunderstood my question a bit :-)
    What you suggest is a way for the users to type in another username after logging in to Secure Global Desktop; that is not what we want.
    We want this to be done automatically for us.
    First, we have changed a bit how the login procedure works: when the user surfs to the SGD server they will not be presented with any choices, they will be presented with a single login screen, and when they have logged in SGD will automatically start our application.
    The problem we have is that we want to use only digits as the login name in SGD, but unfortunately Solaris has some problems with using digits alone in usernames (and especially usernames longer than 8 characters).
    So I was hoping that SGD could read from LDAP (we are using the LDAP user store, not UNIX) another value that it would use to log in to the app server through SSH.
    For example, when logging in to SGD it logs in against the LDAP uid field, but when it starts the application SGD reads some other property from LDAP and sends that to ssh. Solaris is then also authenticating towards SSH and uses the second property to authenticate.
    If this cannot be done in Secure Global Desktop, I think we will look at using a third-party authenticator that can do what we want (hopefully OpenSSO can do this).

  • Solaris 10 and LDAP Authentication

    We're trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be any /etc/passwd or /etc/group user entries (only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
    I first ran the "idsconfig" utility to setup the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
    My next step is initializing the LDAP Client . Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process, (posixAccount, shadowAccounts etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do that. All of our users paths will be under /export/home/username.
    Am I missing any steps?
    Does anyone have a step-by-step guide to using LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords and automounts for each user?
    Message was edited by:
    automount

    You may follow:
    http://web.singnet.com.sg/~garyttt/
    http://projects.alkaloid.net/content/view/15/26/
    http://blogs.sun.com/roller/resources/raja/ldap-psd.html
    http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
    http://www.thebergerbits.com/unix.shtml
    http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
    http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
    http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun (LDAP related docs)
    Gary

  • Solaris 10 with PAM, OpenSSH and OpenLDAP

    Hi all,
    Due to the mix of Linux and Solaris machines, we decided to do OpenLDAP and OpenSSH on the Solaris machines as well. All works fine on the Linux machines, but we cannot get PAM authentication to work on the Solaris machines. I have a user in the LDAP database, esawyja; when the user does su esawyja, it works, but the user cannot ssh into the server.
    test5:/ $ su esawyja
    test5:/ $ whoami
    esawyja
    test5:/ $ exit
    exit
    test5:/ $ whoami
    root
    test5:/ $
    test5:/ $ ssh -v [email protected]
    OpenSSH_5.8p1, OpenSSL 1.0.0a 1 Jun 2010
    debug1: Reading configuration data /usr/local/etc/ssh_config
    debug1: Connecting to 10.1.1.5 [10.1.1.5] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /.ssh/id_rsa type -1
    debug1: identity file /.ssh/id_rsa-cert type -1
    debug1: identity file /.ssh/id_dsa type -1
    debug1: identity file /.ssh/id_dsa-cert type -1
    debug1: identity file /.ssh/id_ecdsa type -1
    debug1: identity file /.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
    debug1: match: OpenSSH_5.8 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.8
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: RSA 1b:42:5b:37:e4:86:99:e1:af:81:bc:64:c8:68:a6:98
    debug1: Host '10.1.1.5' is known and matches the RSA host key.
    debug1: Found key in /.ssh/known_hosts:3
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /.ssh/id_rsa
    debug1: Trying private key: /.ssh/id_dsa
    debug1: Trying private key: /.ssh/id_ecdsa
    debug1: Next authentication method: keyboard-interactive
    Password:
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    Password:
    From the debug parameter on pam_ldap.so.1 in /etc/pam.conf (see below) I get the error: pam_ldap: no legal authentication method configured
    From /etc/pam.conf:
    sshd auth requisite pam_authtok_get.so.1
    sshd auth required pam_dhkeys.so.1
    sshd auth required pam_unix_cred.so.1
    sshd auth binding pam_unix_auth.so.1 server_policy
    sshd auth required pam_ldap.so.1 debug
    Feb 17 14:48:19 test5.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 816976 auth.debug] tid= 1: Connection added [0]
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 467101 auth.debug] tid= 1: connectionID=1024
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 805042 auth.debug] tid= 1: shared=1
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 982078 auth.debug] tid= 1: usedBit=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 727660 auth.debug] tid= 1: threadID=1
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 939703 auth.debug] tid= 1: AuthType=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 142272 auth.debug] tid= 1: TlsType=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 537450 auth.debug] tid= 1: SaslMech=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd root), flags = 1
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 816976 auth.debug] tid= 1: Connection added [0]
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 467101 auth.debug] tid= 1: connectionID=1024
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 805042 auth.debug] tid= 1: shared=1
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 982078 auth.debug] tid= 1: usedBit=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 727660 auth.debug] tid= 1: threadID=1
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 939703 auth.debug] tid= 1: AuthType=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 142272 auth.debug] tid= 1: TlsType=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 537450 auth.debug] tid= 1: SaslMech=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 800047 auth.info] Failed password for root from 10.1.1.215 port 51941 ssh2
    Feb 17 14:48:42 test5.company.com sshd[11349]: [ID 800047 auth.info] Accepted password for root from 10.1.1.215 port 51941 ssh2
    Feb 17 14:54:59 test5.company.com su: [ID 366847 auth.info] 'su esawyja' succeeded for root on /dev/pts/10
    Feb 17 14:55:32 test5.company.com sshd[8939]: [ID 800047 auth.info] Received disconnect from 10.1.1.118: 11: disconnected by user
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 816976 auth.debug] tid= 1: Connection added [0]
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 467101 auth.debug] tid= 1: connectionID=1024
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 805042 auth.debug] tid= 1: shared=1
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 982078 auth.debug] tid= 1: usedBit=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 727660 auth.debug] tid= 1: threadID=1
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 939703 auth.debug] tid= 1: AuthType=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 142272 auth.debug] tid= 1: TlsType=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 537450 auth.debug] tid= 1: SaslMech=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
    Feb 17 14:55:36 test5.company.com sshd[11600]: [ID 800047 auth.error] error: PAM: Authentication failed for esawyja from 10.1.1.5
    Feb 17 14:55:58 test5.company.com sshd[9612]: [ID 800047 auth.info] Received disconnect from 10.1.1.118: 11: disconnected by user
    In the slapd logfile I get this:
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access granted by read(=rscxd)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 384072 local4.debug] => access_allowed: read access granted by read(=rscxd)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 923158 local4.debug] => access_allowed: read access to "uid=esawyja,ou=People,dc=company,dc=com" "userPassword" requested
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 184944 local4.debug] => dn: [1]
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 184944 local4.debug] => dn: [2] cn=subschema
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 134411 local4.debug] => acl_get: [3] attr userPassword
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 105589 local4.debug] => slap_access_allowed: result not in cache (userPassword)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=esawyja,ou=People,dc=company,dc=com", attr "userPassword" requested
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 488679 local4.debug] => acl_mask: to value by "", (=0)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 704950 local4.debug] <= check a_dn_pat: self
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 704950 local4.debug] <= check a_dn_pat: *
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 279303 local4.debug] <= acl_mask: [2] applying auth(=xd) (stop)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 804284 local4.debug] <= acl_mask: [2] mask: auth(=xd)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access denied by auth(=xd)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 127828 local4.debug] => access_allowed: no more rules
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 572208 local4.debug] send_search_entry: conn 437 access to attribute userPassword, value #0 not allowed
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 823432 local4.debug] AND
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 679408 local4.debug] begin get_filter_list
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 694368 local4.debug] EQUALITY
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 274773 local4.debug] end get_filter 0
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
    The user looks like this in the LDAP database:
    test5:/var/log $ ldaplist -l passwd esawyja
    dn: uid=esawyja,ou=People,dc=company,dc=com
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    cn: xxxxxxxxxxxxxxxxxxxxx
    uid: esawyja
    loginShell: /usr/bin/bash
    uidNumber: 1001
    gidNumber: 500
    homeDirectory: /home/admin/esawyja
    shadowLastChange: 12193
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    shadowInactive: 1
    shadowExpire: 12999
    gecos: Wynand
    test5:/var/log $
    PLEASE, I need help; I've been at this for the last week and I'm out of ideas.
    Thanks
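The slapd trace quoted above is easier to read once it is reduced to who asked for what and which ACL clause answered. The script below is an added example, not code from the thread or from OpenLDAP: it parses that trace, and on the quoted lines it recovers that the read of userPassword on the user's entry was made with an empty bind DN (an anonymous request) and was refused by the auth(=xd) clause. The syslog prefix and message shapes are assumed from the lines in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Syslog prefix as the post shows it: "Feb 17 14:59:11 host slapd[8208]: [ID 971074 local4.debug] "
PREFIX_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ slapd\[\d+\]: \[ID \d+ \S+\] ")
REQ_RE = re.compile(r'acl_mask: access to entry "(?P<dn>[^"]+)", attr "(?P<attr>[^"]+)" requested')
BY_RE = re.compile(r'acl_mask: to value by "(?P<who>[^"]*)"')
RESULT_RE = re.compile(r"slap_access_allowed: (?P<access>\w+) access (?P<verdict>granted|denied) by (?P<rule>\S+)")

@dataclass
class AclDecision:
    dn: str                        # entry the client asked about
    attr: str                      # attribute requested
    who: Optional[str] = None      # bind DN of the requester; "" means the request was anonymous
    access: Optional[str] = None   # privilege requested (read, search, ...)
    verdict: Optional[str] = None  # granted / denied
    rule: Optional[str] = None     # privilege mask of the clause that decided it, e.g. auth(=xd)

def parse_acl_trace(lines: List[str]) -> List[AclDecision]:
    """Return one AclDecision per 'requested ... granted/denied' sequence in a slapd ACL trace."""
    decisions, cur = [], None
    for line in lines:
        msg, n = PREFIX_RE.subn("", line.strip())
        if not n:
            continue                              # not a slapd syslog line
        if (r := REQ_RE.search(msg)):
            cur = AclDecision(r.group("dn"), r.group("attr"))
            decisions.append(cur)
        elif cur is None:
            continue                              # tail of a decision whose request line was not captured
        elif (b := BY_RE.search(msg)):
            cur.who = b.group("who")
        elif (res := RESULT_RE.search(msg)):
            cur.access, cur.verdict, cur.rule = res.group("access", "verdict", "rule")
            cur = None                            # decision closed; later lines belong to the next one
    return decisions

def denied_password_reads(decisions: List[AclDecision]) -> List[str]:
    # One line per refused read of userPassword, naming anonymous requesters explicitly.
    return [f"{'anonymous' if d.who == '' else d.who} denied {d.access} on {d.attr} of {d.dn} by {d.rule}"
            for d in decisions if d.verdict == "denied" and d.attr == "userPassword"]

# Abridged copy of the slapd lines quoted in the post above, used here as sample input.
SAMPLE = """\
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access granted by read(=rscxd)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=esawyja,ou=People,dc=company,dc=com", attr "userPassword" requested
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 488679 local4.debug] => acl_mask: to value by "", (=0)
Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access denied by auth(=xd)
""".splitlines()
```

Run `denied_password_reads(parse_acl_trace(SAMPLE))` to get the one-line finding; feeding it the full trace from /var/log shows every refused password read and whether the client had bound at all.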

    I am not using OpenLDAP as a backend myself; I am using Sun/Oracle Directory Server. Initially this was version 5, and I have since upgraded to a mix of DS 6 and DS 7.
    With Sun DS, you run the idsconfig command (/usr/lib/ldap/idsconfig), which helps configure the server with things like a client profile and appropriate access permissions (e.g. compare password). It will also help configure a proxy account. Sun LDAP clients should NOT need a proxy account. Linux clients would need the proxy account.