Problem on Solaris 10 Native ldap client.

Similar Messages

• Solaris 7 ldap client

  Hello,
  Does anyone have advise for a solaris 7 ldap client? Is openldap/nss_ldap pretty much the standard? After comile & installation, editing /etc/nsswitch.conf & ldap.conf, what else needs to be done?
  thanks

  It is advisable to upgrade to Solaris8 + lastest Kernel and LDAPv2 patches, uninstall OpenLDAP Client Libraries and just use the SUN supported Solaris Native LDAP Client Libraries.
  Assuming "idsconfig" has been run at the DS5.2 server end, to create the profiles and agent data, after that "ldapclient" should be run also at all ldap clients, it will setup /etc/nsswitch.conf, however you may need to adjust the "hosts: files ldap" to "hosts: files dns".
  If you intend to use pam_ldap, lookup docs.sun.com for a recommended /etc/pam.conf
  You may follow http://web.singnet.com.sg/~garyttt/
  Gary

• Native ldap client doesn't work with an openldap Server : No root DSE data

  Hello!
  My configuration :
  - an openldap 2.2.23 server (linux debian) (server name = serv_annu)
  - a ldap client (solaris 10) (server name = client_annu)
  I want to configure my client by using Solaris Native ldap and I follow the excellent doc of gary tay (http://web.singnet.com.sg/~garyttt)
  I use TLS and I had generated a certificate by using Mozilla . TLS works because ldapsearch from my solaris client works:
  FROM CLIENT_ANNU:
  +# ldapsearch -h server_annu -p 636 -b"dc=mydomain,dc=fr" -s base -Z -P /var/ldap/cert8.db "objectclass=*"+
  version: 1
  dn: dc=mydomain,dc=fr
  dc: mydomain
  objectClass: top
  objectClass: dcObject
  objectClass: organization
  objectClass: nisDomainObject
  nisDomain: mydomain.fr
  o: mydomain
  LOG FROM SERVER_ANNU:
  Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
  Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
  Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
  Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=1 UNBIND
  Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 closed
  1) I add DUAConfigProfile.schema and solaris.schema on my openldap server.
  2) I add a nisDomainObject at the root DN (see the result of the ldapsearch above)
  3) I Add ACL in slapd.conf to allow reading of rootDSE.
  access to dn.base="" by ssf=128 * read
  4) I launch on my solaris client
  crle -u -s /usr/lib/mps
  crle -64 -u -s /usr/lib/mps/64
  5) I can't apply result.c patch on my openldap server (production server!) then I can't create /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred by using ldapclient command. Then I create manually /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred : the syntax is correct because the "ldapclient list" command works :
  +# ldapclient list+
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= uid=toto,ou=People,dc=people1,dc=mydomain,dc=fr
  +NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411+
  NS_LDAP_SERVERS= server_annu
  NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=fr
  NS_LDAP_AUTH= tls:simple
  NS_LDAP_CREDENTIAL_LEVEL= anonymous
  NOTE : I've had to add NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD even if I use anonymous credential level because I get an error when I launch ldap client process.
  Then here, everything is apparently OK but when I enable ldap client process the cachemgr process is running about 30s then it crashes:
  FROM CLIENT_ANNU:
  svcadm disable /network/ldap/client;svcadm enable /network/ldap/client
  +/etc/init.d/nscd stop;/etc/init.d/nscd start+
  LOG FROM SERVER_ANNU:
  Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
  Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
  Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
  Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
  Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
  Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 closed
  Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 ACCEPT from IP=172.30.69.216:36022 (IP=0.0.0.0:389)
  Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
  Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH attr=supportedControl supportedsaslmechanisms
  Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
  Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=1 UNBIND
  Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 closed...
  FROM CLIENT ANNU :
  +# /usr/lib/ldap/ldap_cachemgr -g+
  cachemgr configuration:
  server debug level 0
  server log file "/var/ldap/cachemgr.log"
  number of calls to ldapcachemgr 2
  cachemgr cache data statistics:
  Configuration refresh information:
  Previous refresh time: 2008/04/02 09:58:12
  Next refresh time: 2008/04/02 21:58:12
  Server information:
  Previous refresh time: 2008/04/02 09:58:32
  Next refresh time: 2008/04/02 09:58:33
  server: server_annu, status: ERROR
  error message: No root DSE data returned.*
  Cache data information:
  Maximum cache entries: 256
  Number of cache entries: 0
  My problem is why I get the following error message : No root DSE data returned.
  Thanks in advance for your help!

  Hi
  Is your OpenLDAP server configured to allow anonymous read of the rootDSE attributes ?
  Regards,
  Ludovic.

• Solaris 9 LDAP client sun_ssh public key authentication

  I have directory server 6.0 up on solaris 9 system and I have a couple of solaris 9 system migrated to LDAP client. I need to configure ssh public key authentication on two Solaris 9 LDAP clients. However, I seem can't make it working. I have done 1) generate rsa public/private key pairs on one host 2) cat public key to the authorized_keys file on another host. I checked the permission on $HOME and $HOME/.ssh, they both set to 700. The file permission are also correct. But I still get prompt when ssh from one LDAP client to another. If I add my password/shadow entry back to local files, then public key authentication works. My /etc/pam.conf is set up according to the Sun documentation for LDAP client. In /etc/nsswitch.conf
  passwd: compat
  passwd_compat: ldap
  shadow: files ldap
  group: files ldap
  netgroup: ldap
  loginShell does exist for the user.and LDAP entry has objectClasses 'posixAccount' and 'shadowAccount'
  I have latest patch 112960 installed on all of LDAP clients.
  What am I missing here?
  Thanks,
  --xinhuan                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

  One more thing - I have latest patch 112960 installed on all of LDAP clients.
  --xinhuan                                                                                                                                                                               

• Has anyone set up a Solaris 7 LDAP client to use with iPlanet DS 5.0?  I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

  I am trying Not to have 3 separate versions of LDAP in my environment (iDS5,Native Solaris LDAP,OpenLDAP). Can anyone point me to some DETAILED instructions to get an LDAP client (not server) running on Solaris 7?

  Hi,
  While U try to upgrade solaris it first tries to check the installed softtware & application and patch's specific to the exsisting version b'coz these patch are specific to version in most cases.Since in Ur case the authentication is done in ldap it would become bit of a mess if U upgrade.

• Solaris 10 LDAP Client: libsldap: Status: 4

  Hi everybody.
  I changed the configuration in Solaris 10 to restrict the LDAP users who can login to the system.
  What I have done is changed the value:
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=sis,dc=personal,dc=net,dc=py?sub?host=<hostname>
  Where <hostname> is the respective hostname.
  After that, everything works as I expect, but I get a lot of these messages:
  sshd[28495] libsldap: Status: 4 Mesg: Service search descriptor for service 'passwd' contains filter, which can not be used for service 'user_attr'.
  Should I ignore the messages? This is the nsswitch.conf file:
  /etc/nsswitch.conf
  # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
  # /etc/nsswitch.files:
  # An example file that could be copied over to /etc/nsswitch.conf; it
  # does not use any naming service.
  # "hosts:" and "services:" in this file are used only if the
  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
  passwd: files ldap
  group: files ldap
  hosts: cluster files dns
  ipnodes: files dns
  networks: files
  protocols: files
  rpc: files
  ethers: files
  netmasks: cluster files
  bootparams: files
  publickey: files
  netgroup: files
  automount: files
  aliases: files
  services: files
  printers: user files
  auth_attr: files
  prof_attr: files
  project: files
  tnrhtp: files
  tnrhdb: files
  user_attr: files
  I added user_attr to nsswitch.conf pointing to files only, refreshed ssh, but the message still appears.
  Any suggestions?

  What would I do without google?
  http://prefetch.net/blog/index.php/2005/01/
  I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:
  Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
  descriptor for service �passwd� contains filter, which can not be used for service �user_attr�.
  We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:
  NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
  NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)
  Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com.

• Solaris 7 ldap client setup

  Hi,
  Please any one can help me in setting ldap client for solaris 7 guidelines or any website or docs help.
  Thanking you,
  Naren

  hi mukherjee,
  you can configure both solaris 8 and 9 as ldapclient to sunone 5.2 installed on solaris 9 box. make sure i think you cannot configure client on same maching on which directory server is installed.
  No my question is how to setup ldapclient on solaris 6 andsolaris 7. as both does not support ldap. like solaris 7 has no nsswitch.ldap. can you provide me details to configure solaris7 as ldap client
  PATEL

• Solaris 10 - ldap client - tls/ssl - password change

  we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
  passwd -r user1
  passwd: Changing password for user1
  passwd: Sorry, wrong passwd
  Permission denied
  where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
  any ideas will be highly appreciated.

  Not that it helps any but I am getting his same error. I am also using 6.3.1

• Has anyone set up a Solaris 8 LDAP client to use with iPlanet DS 5.0?  I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

  help with client
  error on ldap_client_file
  ldap_client_cred

  Hi,
  Yes it can be done provided U've given proper information during configuring.The sun machine which is to be used as a client should be installed as a ldap client "at the time of installation ldap client option should be chosen.

• Solaris 10 LDAP Clients Intermittently Fail

  I'm working on a rather puzzling issue with some of our Solaris 10 systems authenticating against DSEE 6.3. These clients previously worked without issue but starting last week SSH connections would hang for a few minutes and then start working again. This never happened on more than one system at a time.
  I found the following messages in /var/adm/messages during the time we have these problems:
  Apr 27 08:04:57 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
  Apr 27 08:05:47 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
  ... many of these
  Apr 27 08:10:07 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
  Apr 27 08:10:17 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
  Apr 27 08:10:31 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (81): Can't contact LDAP server.
  To test connectivity to the LDAP server I have a ldapsearch running every 15 seconds an logging the time it took and checking for correct results. during the time that I see the libsldap messages and ssh connections are hanging, the ldapsearch command continues to run fine without slowing down.
  A final note is that all three of the problem systems are on the same subnet and systems outside of this subnet aren't having any problems with the same configuration. My first thought was the firewall but ldapsearch continues to work.
  Does anyone know if nscd tries to keep the LDAP connection open. Looking at the logged messages it appears as though it gives up after 5 minutes or so, throws the LDAP ERROR (81) and then starts to work again.
  Any ideas would be appreciated. This one is making me crazy (crazier).
  Thanks.

  rukbat wrote:
  Has anything changed in that time frame?
  Any physical changes such as office-moves? new hires? lay-offs?
  Could there have been any modifications to the networking hardware such as lengthening the cabling? Is it possible to re-route the subnet to different switches or to different posts on the switches? You might consider snooping the traffic to watch how it traverses the paths to the LDAP server.
  If there are other systems on the subnet, do they experience any sort of timeouts ( even if it is to unrelated tasks such as database access or surfing to the Intranet/Internet ) ?
  ... just random thoughts from a hardware perspective.Given that this started after a maintenance night I'm sure you are correct and something changed. However there are no changes in the maintenance plan that could cause this and nobody will own up to any additional changes. This leaves it to me to try to find what is causing the failure so I can get it corrected.
  These are the only three Unix systems on that subnet and they are all experiencing the problem so I don't have anything that is working to compare them to except for the other systems that aren't on that subnet. The other systems are working fine with the same configuration. That's why I'm thinking that it is something external to the problem systems.
  Given that all other services on these systems are working, I'm not currently exploring a hardware type failure.
  I've been running pfiles on nscd and it appears that it is indeed holding a connection to the LDAP server open (if I'm reading it correctly). The inode assocated with #8 hasn't changed. So my current theory is that maybe the firewall is killing off long connections after a while. This appears to be consistent with the log entries where I get many ERROR (85) and then a final (81). I'm thinking that after the ERROR 81, it re-opens the connection. Just guesses though.
  8: S_IFSOCK mode:0666 dev:329,0 ino:3753 uid:0 gid:0 size:0
  O_RDWR|O_NONBLOCK
  SOCK_STREAM
  SO_SNDBUF(49152),SO_RCVBUF(49680),IP_NEXTHOP(0.0.194.16)
  sockname: AF_INET6 ::ffff:10.1.50.50 port: 42758
  peername: AF_INET6 ::ffff:10.1.52.25 port: *636*

• Solaris 10 LDAP Client to 389 DS(Linux)

  Hey guys,
  I had this working in Solaris 11 but I have to port back to Solaris 10 to run SunOS 4 binaries. Here goes, I can su over to the accounts in the LDAP, it resolves names and groups to files. DNS and NTP are functioning. I cannot log -in via ssh or su <username>. I can log in or su with both methods with local accounts(non-LDAP).
  When I - su Username the system responds prompting for password then returns su: Uknown id: Username
  When I ssh [email protected] it prompts me three times for a password which it never accepts as valid.
  Here is my pam.conf file -
  #ident "@(#)pam.conf 1.31 07/12/07 SMI"
  # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth sufficient pam_unix_auth.so.1
  login auth required pam_dial_auth.so.1
  login   auth required           pam_ldap.so.1
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth required pam_unix_auth.so.1
  # Kerberized rlogin service
  krlogin auth required pam_unix_cred.so.1
  krlogin auth required pam_krb5.so.1
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_cred.so.1
  # Kerberized rsh service
  krsh auth required pam_unix_cred.so.1
  krsh auth required pam_krb5.so.1
  # Kerberized telnet service
  ktelnet auth required pam_unix_cred.so.1
  ktelnet auth required pam_krb5.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_unix_cred.so.1
  ppp auth required pam_unix_auth.so.1
  ppp auth required pam_dial_auth.so.1
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authentication
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth required pam_unix_cred.so.1
  other auth sufficient pam_unix_auth.so.1
  other   auth required           pam_ldap.so.1
  # passwd command (explicit because of a different authentication module)
  passwd auth sufficient pam_passwd_auth.so.1
  passwd  auth required           pam_ldap.so.1
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other   account sufficient      pam_ldap.so.1
  other account requisite pam_roles.so.1
  other account required pam_unix_account.so.1
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1
  other password required pam_authtok_store.so.1
  # Support for Kerberos V5 authentication and example configurations can
  # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
  Any ideas? So close but missing something as when I go to log in via ssh it prompts me for password 3 times then tosses me. Yes password and account are OK. If I ssh from a Linux server authenticating to the LDAP it works just fine. Any help is appreciated.
  Thanks,
  Ted

  CN,
  I have not modified the schema yet. I have updated pam.conf and while evaluating /var/adm/messages on the Solaris Client I only get output when I enter a known bad password, if I enter the correct password there is nothing in that log. Log in and su results remain the same. the slapd log does show the attempts and does not appear to show any errors that I can tell. I'll keep working it, here is the pam.conf I switched too after further evaluation -
  # more /etc/pam.conf
  #ident "@(#)pam.conf 1.31 07/12/07 SMI"
  # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth required pam_dial_auth.so.1
  login auth binding pam_unix_auth.so.1 server_policy
  login auth required pam_ldap.so.1
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1
  # Kerberized rlogin service
  krlogin auth required pam_unix_cred.so.1
  krlogin auth required pam_krb5.so.1
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_cred.so.1
  rsh auth binding pam_unix_auth.so.1 server_policy
  rsh auth required pam_ldap.so.1
  # Kerberized rsh service
  krsh auth required pam_unix_cred.so.1
  krsh auth required pam_krb5.so.1
  # Kerberized telnet service
  ktelnet auth required pam_unix_cred.so.1
  ktelnet auth required pam_krb5.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authentication
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth required pam_unix_cred.so.1
  other auth binding pam_unix_auth.so.1 server_policy
  other auth required pam_ldap.so.1
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy
  passwd auth required pam_ldap.so.1
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1
  other account binding pam_unix_account.so.1 server_policy
  other account required pam_ldap.so.1
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1 force_check
  other password required pam_authtok_store.so.1 server_policy
  # Support for Kerberos V5 authentication and example configurations can
  # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
  ppp auth required pam_unix_cred.so.1
  ppp auth required pam_unix_auth.so.1
  I did create a .ldif file for a profile. Output seems similar to what I entered in the manual ldapclient command. Reading up more on that now and the schema updates you recommended. I wanted to make sure I sent you the updated pam.conf though as this seems to match those found online in style for pre-Solaris 11. The first copy was what I transferred from a working Solaris 11 server I had running here.
  Thanks,
  Ted

• Solaris 10 Ldap Client user authentication against edirectory

  Hello,
  We have moved some of our oracle databases from linux to solaris 10 u7, I need to setup secure ldap authentication for the users against a linux based eDirectory server. Can some one point me in the right direction of good documentation or a good explaination on what i need and how to go about this.
  I have spent the last couple of days reading about pam, nsswitch.ldap nsswitch.conf and certificates now I need to pull all this information into a usable format.
  Thanks
  ukgreenman

  I have a similar question.
  Did you have a solution ?
  thanks

• Solaris ldap client problem (tls:simple + anonymous)

  Hi All,
  I've installed Directory Server 6.3.1 and it works just fine,
  but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
  Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
  More detail.
  Profile:
  dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
  authenticationmethod: tls:simple
  bindtimelimit: 10
  cn: sslnoproxyuser
  credentiallevel: anonymous
  defaultsearchbase: dc=domain,dc=com
  defaultsearchscope: one
  defaultserverlist: servername.domain.com
  followreferrals: TRUE
  objectclass: top
  objectclass: DUAConfigProfile
  preferredserverlist: servername.domain.com
  profilettl: 43200
  searchtimelimit: 30
  Ldapclient output:
  bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
  Parsing profileName=sslnoproxyuser
  Arguments parsed:
  profileName: sslnoproxyuser
  defaultServerList: servername.domain.com
  Handling init option
  About to configure machine by downloading a profile
  findBaseDN: begins
  findBaseDN: ldap not running
  findBaseDN: calling __ns_ldap_default_config()
  found 2 namingcontexts
  findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
  rootDN[0] dc=domain,dc=com
  found baseDN dc=domain,dc=com for domain domain.com
  Proxy DN: NULL
  Proxy password: NULL
  Credential level: 0
  Authentication method: 3
  No proxyDN/proxyPassword required
  About to modify this machines configuration by writing the files
  Stopping network services
  Stopping sendmail
  stop: sleep 100000 microseconds
  stop: network/smtp:sendmail... success
  Stopping nscd
  stop: sleep 100000 microseconds
  stop: sleep 200000 microseconds
  stop: system/name-service-cache:default... success
  Stopping autofs
  stop: sleep 100000 microseconds
  stop: sleep 200000 microseconds
  stop: sleep 400000 microseconds
  stop: sleep 800000 microseconds
  stop: sleep 1600000 microseconds
  stop: sleep 3200000 microseconds
  stop: system/filesystem/autofs:default... success
  ldap not running
  nisd not running
  nis(yp) not running
  file_backup: stat(/etc/nsswitch.conf)=0
  file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
  file_backup: stat(/etc/defaultdomain)=0
  file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
  file_backup: stat(/var/nis/NIS_COLD_START)=-1
  file_backup: No /var/nis/NIS_COLD_START file.
  file_backup: nis domain is "domain.com"
  file_backup: stat(/var/yp/binding/domain.com)=-1
  file_backup: No /var/yp/binding/domain.com directory.
  file_backup: stat(/var/ldap/ldap_client_file)=-1
  file_backup: No /var/ldap/ldap_client_file file.
  Starting network services
  start: /usr/bin/domainname domain.com... success
  start: sleep 100000 microseconds
  start: network/ldap/client:default... maintenance
  start: sleep 100000 microseconds
  start: system/filesystem/autofs:default... success
  start: sleep 100000 microseconds
  start: system/name-service-cache:default... success
  start: sleep 100000 microseconds
  start: network/smtp:sendmail... success
  restart: sleep 100000 microseconds
  restart: sleep 200000 microseconds
  restart: milestone/name-services:default... success
  Error resetting system.
  Recovering old system settings.
  Stopping network services
  Stopping sendmail
  stop: sleep 100000 microseconds
  stop: network/smtp:sendmail... success
  Stopping nscd
  stop: sleep 100000 microseconds
  stop: sleep 200000 microseconds
  stop: system/name-service-cache:default... success
  Stopping autofs
  stop: sleep 100000 microseconds
  stop: sleep 200000 microseconds
  stop: sleep 400000 microseconds
  stop: sleep 800000 microseconds
  stop: sleep 1600000 microseconds
  stop: sleep 3200000 microseconds
  stop: system/filesystem/autofs:default... success
  Stopping ldap
  stop: network/ldap/client:default... restoring from maintenance state
  stop: sleep 100000 microseconds
  stop: network/ldap/client:default... success
  nisd not running
  nis(yp) not running
  recover: stat(/var/ldap/restore/defaultdomain)=0
  recover: open(/var/ldap/restore/defaultdomain)
  recover: read(/var/ldap/restore/defaultdomain)
  recover: old domainname "domain.com"
  recover: stat(/var/ldap/restore/ldap_client_file)=-1
  recover: stat(/var/ldap/restore/ldap_client_cred)=-1
  recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
  recover: stat(/var/ldap/restore/domain.com)=-1
  recover: stat(/var/ldap/restore/nsswitch.conf)=0
  recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
  recover: stat(/var/ldap/restore/defaultdomain)=0
  recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
  Starting network services
  start: /usr/bin/domainname domain.com... success
  start: sleep 100000 microseconds
  start: system/filesystem/autofs:default... success
  start: sleep 100000 microseconds
  start: system/name-service-cache:default... success
  start: sleep 100000 microseconds
  start: network/smtp:sendmail... success
  restart: sleep 100000 microseconds
  restart: milestone/name-services:default... success
  */var/ldap/cachemgr.log*
  Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
  Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
  Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
  Any ideas?
  Edited by: ffffffffff356dfd on 30 ???? 2009 12:07
  Edited by: ffffffffff356dfd on 30 ???? 2009 12:07

  Hi ,
  yes I use it.
  Here is my pam.conf:
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth required pam_dial_auth.so.1
  login auth binding pam_unix_auth.so.1 server_policy
  login auth required pam_ldap.so.1
  # rlogin service (explicit because of pam_rhost_auth)
  # rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  # rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_cred.so.1
  rsh auth binding pam_unix_auth.so.1 server_policy
  rsh auth required pam_ldap.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authentication
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth required pam_unix_cred.so.1
  other auth binding pam_unix_auth.so.1 server_policy
  other auth required pam_ldap.so.1
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy
  passwd auth required pam_ldap.so.1
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1
  other account binding pam_unix_account.so.1
  other account required pam_ldap.so.1
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1
  other password required pam_authtok_store.so.1 server_policy
  # Support for Kerberos V5 authentication and example configurations can
  # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
  #

• OEL ldap client setup with SSL against OID using either ldaps or starttls

  Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
  Here's my /etc/ldap.conf file on OEL 5.3.
  timelimit 120
  bind_timelimit 120
  idle_timelimit 3600
  nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
  URI ldaps://FQDN:3132/
  port 3132
  ssl yes
  host FQDN
  base dc=DOMAIN,dc=com
  pam_password clear
  tls_cacertdir /etc/oracle-certs
  tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
  tls_ciphers SSLv3
  # filter to AND with uid=%s
  pam_filter objectclass=posixaccount
  #The search scope
  scope sub
  I have /etc/nsswitch.conf set to check for files first, then ldap
  passwd: files ldap
  shadow: files ldap
  group: files ldap
  Here's my /etc/openldap/ldap.conf file
  URI ldaps://FQDN:3132/
  BASE dc=DOMAIN,dc=com
  TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
  TLS_CACERTDIR /etc/openldap/cacerts
  TLS_REQCERT allow
  TLS_CIPHERS SSLv3
  The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
  4224de9f.0 -> oid-test-ca.pem
  I can run ldapsearch using ldaps and it works fine.
  ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
  But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
  Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
  Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

  Hello again...
  after some research and work together with Oracle Support I found out how to get it to work:
  1. You have to create your own ConfigSet in OID using
  SSL-Server-Authentication
  (OpenSSL seems not to support SSL-encryption-only).
  The following link shows on how to do that:
  http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
  2. Add the following lines to your $HOME/ldaprc
  TLS_CACERT /home/frank/oid-caroot.pem
  TLS_REQCERT allow
  TLS_CIPHERS SSLv3
  ssl on
  tls_checkpeer no
  oid-caroot.pem is the CA-Root Certificate you got
  during step 1
  3. you should now be able to use ldapsearch using SSL
  If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by an security fix which may not be compliant with the SSL implementation of Oracle.
  I opened an Bug for that problem with RedHat. This Bug Description also includes an proposal for an Patch which solves the problem (but may introduce some security risks). See the Bug at RedHat:
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
  Bye
  Frank Berger

• LDAP native solaris 10 server - client

  Hi,
  Can someone give me some link or instructions on how to configure a solaris 10 to be a Native Ldap server and i need also to have a client that will run on solaris 10 also.
  I did follow PeterVG post, but have tried so many times that i need to do a clean install and get it from scratch.
  anyway, what i did:
  on the server:
  a. set domain, add hots, install pkgs, and run directoryserver setup (it gives me some warning saying that i have an already installed instance, but i keep on trying).
  b. run idsconfig => this part goes without problem.
  when i go to try to add a client with hostA.ldif as:
  dn: cn=hou-sol-dev,ou=hosts,dc=qatestit,dc=com
  changetype: add
  cn: qates001
  iphostnumber: 10.38.133.124
  objectclass: top
  objectclass: device
  objectclass: ipHost
  goes and gives me ldap_add: No such object.
  and of course, when i go to the client and try to run
  ldapclient -v init ... with the server information gives me a fail, with some old dc=domain (which i have changed later).
  if anybody can help, i really appreciate.
  thank you,
  ./antonio/.

  I finally got it working. I think my problem was that I was coping and pasting the /etc/pam.conf from Gary's guide into the pam.conf file.
  There was unseen carriage returns mucking things up. So following a combination of the two docs worked. Starting with:
  http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
  Then following the steps at "Authentication Option #1: LDAP PAM configuration " from this doc:
  http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
  for the pam.conf, got things working.
  Note: ensure that your user has the shadowAccount value set in the objectClass