Problem on Solaris 10 Native ldap client.
Hi,
I have configured the DS 5.2 on Solaris 10 and it seems to be working.
I'm getting the answers from the ldapsearch command with the SSL.
./ldapsearch -h ismesl90 -p 636 -Z -P /var/ldap -D "cn=Directory Manager" -w password -b "cn=Password Policy,cn=config" "(objectclass=*)"
version: 1
dn: cn=Password Policy,cn=config
objectClass: top
objectClass: passwordPolicy
cn: Password Policy
passwordInHistory: 0
passwordStorageScheme: CRYPT
passwordUnlock: on
passwordMustChange: off
passwordNonRootMayResetUserpwd: off
passwordWarning: 86400
passwordExpireWithoutWarning: on
passwordLockout: off
passwordMinLength: 6
passwordMaxFailure: 3
passwordMaxAge: 8640000
passwordResetFailureCount: 600
passwordisglobalpolicy: off
passwordChange: on
passwordExp: off
passwordLockoutDuration: 3600
passwordCheckSyntax: off
passwordMinAge: 0
passwordRootdnMayBypassModsChecks: off
but on the client it complians about the connection:
ul 20 18:50:16 king ldap_cachemgr[2823]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
Jul 20 18:50:16 king ldap_cachemgr[2823]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Jul 20 18:50:16 king ldap_cachemgr[2823]: [ID 186574 daemon.error] Error: Unable to refresh profile:default: Session error no available conn.
I have installed the latest patches on both machines and it didn't solved the problem.
The ldapsearch command that comes with the DS 5.2 works and the native doesn't.
I have create the keys and cert's and everything.
Have someone faced this problem?
Thanks,
Shalom
Message was edited by:
shalomG
I get the same error in /var/adm/messages of client and in client's cachemgr.log. Also, in cachemgr.log there is this error message:
Error: Unable to update from profile
I have searched Sun's JSDS documentation and I can't find any troubleshooting info for this problem, so I'm hoping that one of you has found a good solution to this problem-thanks. Some details of my setup:
Results of DS search issued from client:
myclient-root: /var/ldap:143)-> ldapsearch -h myserver -D "cn=pr
oxyagent,ou=profile,dc=example,dc=com" -w (removed) -b ou=profile,dc =example,dc=com objectclass=\*
version: 1
dn: ou=profile,dc=example,dc=com
ou: profile
objectClass: top
objectClass: organizationalUnit
dn: cn=proxyagent,ou=profile,dc=example,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword: (removed)
dn: cn=myprofile1,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: dc=example,dc=com
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
cn: myprofile1
bindTimeLimit: 10
preferredServerList: myserver
defaultServerList: myserver
authenticationMethod: none
credentialLevel: anonymous
profileTTL: 3600
dn: cn=myprovile2,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: myserver
defaultSearchBase: dc=example,dc=com
followReferrals: FALSE
defaultSearchScope: one
searchTimeLimit: 30
preferredServerList: myserver
cn: myprofile2
bindTimeLimit: 10
profileTTL: 3600
authenticationMethod: simple
credentialLevel: proxy
serviceCredentialLevel: proxy
serviceAuthenticationMethod: simple
dn: cn=myprofile3,ou=profile,dc=example,dc=com
objectClass: DUAConfigProfile
objectClass: top
cn: myprofile3
serviceAuthenticationMethod: simple
authenticationMethod: simple
bindTimeLimit: 10
followReferrals: FALSE
searchTimeLimit: 30
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
attributeMap: shadow:userpassword=userPassword
attributeMap: group:gidnumber=gidNumber
attributeMap: group:userpassword=userPassword
attributeMap: passwd:gecos=cn
attributeMap: group:memberuid=memberUid
attributeMap: passwd:loginshell=loginShell
attributeMap: passwd:gidnumber=gidNumber
attributeMap: passwd:homedirectory=unixHomeDirectory
attributeMap: passwd:uidnumber=uidNumber
attributeMap: shadow:shadowflag=shadowFlag
preferredServerList: myserver
serviceSearchDescriptor: passwd:dc=example,dc=com?sub
serviceSearchDescriptor: group:dc=example,dc=com?sub
serviceCredentialLevel: proxy
credentialLevel: proxy
profileTTL: 3600
defaultServerList: myserver
objectclassMap: group:posixGroup=group
objectclassMap: passwd:posixAccount=user
When I use profile with no authentication ( myprofile1 ), I do not get this error, but, I cannot change my user password ( the documentation says this is expected behavior which is why I'm trying to use proxy authentication )
Info from systems ( client and server ):
(myserver-root: /:281)-> showrev
Hostname: myserver
Hostid: (removed)
Release: 5.10
Kernel architecture: sun4u
Application architecture: sparc
Hardware provider: Sun_Microsystems
Domain: example.com
Kernel version: SunOS 5.10 Generic_127111-01
Directory Server Version Info:
Sun-ldbm/6.0(64-bit) SunOS 5.10 sparc
(myclient-root: /var/ldap:147)-> showrev
Hostname: myclient
Hostid: (removed)
Release: 5.10
Kernel architecture: sun4u
Application architecture: sparc
Hardware provider: Sun_Microsystems
Domain: example.com
Kernel version: SunOS 5.10 Generic_127111-01
Hoping someone out there has a fix for this.
Thanks.
Similar Messages
-
Hello,
Does anyone have advise for a solaris 7 ldap client? Is openldap/nss_ldap pretty much the standard? After comile & installation, editing /etc/nsswitch.conf & ldap.conf, what else needs to be done?
thanksIt is advisable to upgrade to Solaris8 + lastest Kernel and LDAPv2 patches, uninstall OpenLDAP Client Libraries and just use the SUN supported Solaris Native LDAP Client Libraries.
Assuming "idsconfig" has been run at the DS5.2 server end, to create the profiles and agent data, after that "ldapclient" should be run also at all ldap clients, it will setup /etc/nsswitch.conf, however you may need to adjust the "hosts: files ldap" to "hosts: files dns".
If you intend to use pam_ldap, lookup docs.sun.com for a recommended /etc/pam.conf
You may follow http://web.singnet.com.sg/~garyttt/
Gary -
Native ldap client doesn't work with an openldap Server : No root DSE data
Hello!
My configuration :
- an openldap 2.2.23 server (linux debian) (server name = serv_annu)
- a ldap client (solaris 10) (server name = client_annu)
I want to configure my client by using Solaris Native ldap and I follow the excellent doc of gary tay (http://web.singnet.com.sg/~garyttt)
I use TLS and I had generated a certificate by using Mozilla . TLS works because ldapsearch from my solaris client works:
FROM CLIENT_ANNU:
+# ldapsearch -h server_annu -p 636 -b"dc=mydomain,dc=fr" -s base -Z -P /var/ldap/cert8.db "objectclass=*"+
version: 1
dn: dc=mydomain,dc=fr
dc: mydomain
objectClass: top
objectClass: dcObject
objectClass: organization
objectClass: nisDomainObject
nisDomain: mydomain.fr
o: mydomain
LOG FROM SERVER_ANNU:
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=1 UNBIND
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 closed
1) I add DUAConfigProfile.schema and solaris.schema on my openldap server.
2) I add a nisDomainObject at the root DN (see the result of the ldapsearch above)
3) I Add ACL in slapd.conf to allow reading of rootDSE.
access to dn.base="" by ssf=128 * read
4) I launch on my solaris client
crle -u -s /usr/lib/mps
crle -64 -u -s /usr/lib/mps/64
5) I can't apply result.c patch on my openldap server (production server!) then I can't create /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred by using ldapclient command. Then I create manually /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred : the syntax is correct because the "ldapclient list" command works :
+# ldapclient list+
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=toto,ou=People,dc=people1,dc=mydomain,dc=fr
+NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411+
NS_LDAP_SERVERS= server_annu
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=fr
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NOTE : I've had to add NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD even if I use anonymous credential level because I get an error when I launch ldap client process.
Then here, everything is apparently OK but when I enable ldap client process the cachemgr process is running about 30s then it crashes:
FROM CLIENT_ANNU:
svcadm disable /network/ldap/client;svcadm enable /network/ldap/client
+/etc/init.d/nscd stop;/etc/init.d/nscd start+
LOG FROM SERVER_ANNU:
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 closed
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 ACCEPT from IP=172.30.69.216:36022 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=1 UNBIND
Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 closed...
FROM CLIENT ANNU :
+# /usr/lib/ldap/ldap_cachemgr -g+
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 2
cachemgr cache data statistics:
Configuration refresh information:
Previous refresh time: 2008/04/02 09:58:12
Next refresh time: 2008/04/02 21:58:12
Server information:
Previous refresh time: 2008/04/02 09:58:32
Next refresh time: 2008/04/02 09:58:33
server: server_annu, status: ERROR
error message: No root DSE data returned.*
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
My problem is why I get the following error message : No root DSE data returned.
Thanks in advance for your help!Hi
Is your OpenLDAP server configured to allow anonymous read of the rootDSE attributes ?
Regards,
Ludovic. -
Solaris 9 LDAP client sun_ssh public key authentication
I have directory server 6.0 up on solaris 9 system and I have a couple of solaris 9 system migrated to LDAP client. I need to configure ssh public key authentication on two Solaris 9 LDAP clients. However, I seem can't make it working. I have done 1) generate rsa public/private key pairs on one host 2) cat public key to the authorized_keys file on another host. I checked the permission on $HOME and $HOME/.ssh, they both set to 700. The file permission are also correct. But I still get prompt when ssh from one LDAP client to another. If I add my password/shadow entry back to local files, then public key authentication works. My /etc/pam.conf is set up according to the Sun documentation for LDAP client. In /etc/nsswitch.conf
passwd: compat
passwd_compat: ldap
shadow: files ldap
group: files ldap
netgroup: ldap
loginShell does exist for the user.and LDAP entry has objectClasses 'posixAccount' and 'shadowAccount'
I have latest patch 112960 installed on all of LDAP clients.
What am I missing here?
Thanks,
--xinhuanOne more thing - I have latest patch 112960 installed on all of LDAP clients.
--xinhuan -
I am trying Not to have 3 separate versions of LDAP in my environment (iDS5,Native Solaris LDAP,OpenLDAP). Can anyone point me to some DETAILED instructions to get an LDAP client (not server) running on Solaris 7?
Hi,
While U try to upgrade solaris it first tries to check the installed softtware & application and patch's specific to the exsisting version b'coz these patch are specific to version in most cases.Since in Ur case the authentication is done in ldap it would become bit of a mess if U upgrade. -
Solaris 10 LDAP Client: libsldap: Status: 4
Hi everybody.
I changed the configuration in Solaris 10 to restrict the LDAP users who can login to the system.
What I have done is changed the value:
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=sis,dc=personal,dc=net,dc=py?sub?host=<hostname>
Where <hostname> is the respective hostname.
After that, everything works as I expect, but I get a lot of these messages:
sshd[28495] libsldap: Status: 4 Mesg: Service search descriptor for service 'passwd' contains filter, which can not be used for service 'user_attr'.
Should I ignore the messages? This is the nsswitch.conf file:
/etc/nsswitch.conf
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
# /etc/nsswitch.files:
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: files ldap
group: files ldap
hosts: cluster files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: cluster files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
user_attr: files
I added user_attr to nsswitch.conf pointing to files only, refreshed ssh, but the message still appears.
Any suggestions?What would I do without google?
http://prefetch.net/blog/index.php/2005/01/
I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:
Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
descriptor for service �passwd� contains filter, which can not be used for service �user_attr�.
We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)
Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com. -
Hi,
Please any one can help me in setting ldap client for solaris 7 guidelines or any website or docs help.
Thanking you,
Narenhi mukherjee,
you can configure both solaris 8 and 9 as ldapclient to sunone 5.2 installed on solaris 9 box. make sure i think you cannot configure client on same maching on which directory server is installed.
No my question is how to setup ldapclient on solaris 6 andsolaris 7. as both does not support ldap. like solaris 7 has no nsswitch.ldap. can you provide me details to configure solaris7 as ldap client
PATEL -
Solaris 10 - ldap client - tls/ssl - password change
we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
passwd -r user1
passwd: Changing password for user1
passwd: Sorry, wrong passwd
Permission denied
where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
any ideas will be highly appreciated.Not that it helps any but I am getting his same error. I am also using 6.3.1
-
help with client
error on ldap_client_file
ldap_client_credHi,
Yes it can be done provided U've given proper information during configuring.The sun machine which is to be used as a client should be installed as a ldap client "at the time of installation ldap client option should be chosen. -
Solaris 10 LDAP Clients Intermittently Fail
I'm working on a rather puzzling issue with some of our Solaris 10 systems authenticating against DSEE 6.3. These clients previously worked without issue but starting last week SSH connections would hang for a few minutes and then start working again. This never happened on more than one system at a time.
I found the following messages in /var/adm/messages during the time we have these problems:
Apr 27 08:04:57 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:05:47 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
... many of these
Apr 27 08:10:07 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:10:17 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:10:31 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (81): Can't contact LDAP server.
To test connectivity to the LDAP server I have a ldapsearch running every 15 seconds an logging the time it took and checking for correct results. during the time that I see the libsldap messages and ssh connections are hanging, the ldapsearch command continues to run fine without slowing down.
A final note is that all three of the problem systems are on the same subnet and systems outside of this subnet aren't having any problems with the same configuration. My first thought was the firewall but ldapsearch continues to work.
Does anyone know if nscd tries to keep the LDAP connection open. Looking at the logged messages it appears as though it gives up after 5 minutes or so, throws the LDAP ERROR (81) and then starts to work again.
Any ideas would be appreciated. This one is making me crazy (crazier).
Thanks.rukbat wrote:
Has anything changed in that time frame?
Any physical changes such as office-moves? new hires? lay-offs?
Could there have been any modifications to the networking hardware such as lengthening the cabling? Is it possible to re-route the subnet to different switches or to different posts on the switches? You might consider snooping the traffic to watch how it traverses the paths to the LDAP server.
If there are other systems on the subnet, do they experience any sort of timeouts ( even if it is to unrelated tasks such as database access or surfing to the Intranet/Internet ) ?
... just random thoughts from a hardware perspective.Given that this started after a maintenance night I'm sure you are correct and something changed. However there are no changes in the maintenance plan that could cause this and nobody will own up to any additional changes. This leaves it to me to try to find what is causing the failure so I can get it corrected.
These are the only three Unix systems on that subnet and they are all experiencing the problem so I don't have anything that is working to compare them to except for the other systems that aren't on that subnet. The other systems are working fine with the same configuration. That's why I'm thinking that it is something external to the problem systems.
Given that all other services on these systems are working, I'm not currently exploring a hardware type failure.
I've been running pfiles on nscd and it appears that it is indeed holding a connection to the LDAP server open (if I'm reading it correctly). The inode assocated with #8 hasn't changed. So my current theory is that maybe the firewall is killing off long connections after a while. This appears to be consistent with the log entries where I get many ERROR (85) and then a final (81). I'm thinking that after the ERROR 81, it re-opens the connection. Just guesses though.
8: S_IFSOCK mode:0666 dev:329,0 ino:3753 uid:0 gid:0 size:0
O_RDWR|O_NONBLOCK
SOCK_STREAM
SO_SNDBUF(49152),SO_RCVBUF(49680),IP_NEXTHOP(0.0.194.16)
sockname: AF_INET6 ::ffff:10.1.50.50 port: 42758
peername: AF_INET6 ::ffff:10.1.52.25 port: *636* -
Solaris 10 LDAP Client to 389 DS(Linux)
Hey guys,
I had this working in Solaris 11 but I have to port back to Solaris 10 to run SunOS 4 binaries. Here goes, I can su over to the accounts in the LDAP, it resolves names and groups to files. DNS and NTP are functioning. I cannot log -in via ssh or su <username>. I can log in or su with both methods with local accounts(non-LDAP).
When I - su Username the system responds prompting for password then returns su: Uknown id: Username
When I ssh [email protected] it prompts me three times for a password which it never accepts as valid.
Here is my pam.conf file -
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
Any ideas? So close but missing something as when I go to log in via ssh it prompts me for password 3 times then tosses me. Yes password and account are OK. If I ssh from a Linux server authenticating to the LDAP it works just fine. Any help is appreciated.
Thanks,
TedCN,
I have not modified the schema yet. I have updated pam.conf and while evaluating /var/adm/messages on the Solaris Client I only get output when I enter a known bad password, if I enter the correct password there is nothing in that log. Log in and su results remain the same. the slapd log does show the attempts and does not appear to show any errors that I can tell. I'll keep working it, here is the pam.conf I switched too after further evaluation -
# more /etc/pam.conf
#ident "@(#)pam.conf 1.31 07/12/07 SMI"
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password required pam_authtok_store.so.1 server_policy
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
I did create a .ldif file for a profile. Output seems similar to what I entered in the manual ldapclient command. Reading up more on that now and the schema updates you recommended. I wanted to make sure I sent you the updated pam.conf though as this seems to match those found online in style for pre-Solaris 11. The first copy was what I transferred from a working Solaris 11 server I had running here.
Thanks,
Ted -
Solaris 10 Ldap Client user authentication against edirectory
Hello,
We have moved some of our oracle databases from linux to solaris 10 u7, I need to setup secure ldap authentication for the users against a linux based eDirectory server. Can some one point me in the right direction of good documentation or a good explaination on what i need and how to go about this.
I have spent the last couple of days reading about pam, nsswitch.ldap nsswitch.conf and certificates now I need to pull all this information into a usable format.
Thanks
ukgreenmanI have a similar question.
Did you have a solution ?
thanks -
Solaris ldap client problem (tls:simple + anonymous)
Hi All,
I've installed Directory Server 6.3.1 and it works just fine,
but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
More detail.
Profile:
dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
authenticationmethod: tls:simple
bindtimelimit: 10
cn: sslnoproxyuser
credentiallevel: anonymous
defaultsearchbase: dc=domain,dc=com
defaultsearchscope: one
defaultserverlist: servername.domain.com
followreferrals: TRUE
objectclass: top
objectclass: DUAConfigProfile
preferredserverlist: servername.domain.com
profilettl: 43200
searchtimelimit: 30
Ldapclient output:
bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
Parsing profileName=sslnoproxyuser
Arguments parsed:
profileName: sslnoproxyuser
defaultServerList: servername.domain.com
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
rootDN[0] dc=domain,dc=com
found baseDN dc=domain,dc=com for domain domain.com
Proxy DN: NULL
Proxy password: NULL
Credential level: 0
Authentication method: 3
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "domain.com"
file_backup: stat(/var/yp/binding/domain.com)=-1
file_backup: No /var/yp/binding/domain.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: network/ldap/client:default... maintenance
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: network/ldap/client:default... restoring from maintenance state
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "domain.com"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/domain.com)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
*/var/ldap/cachemgr.log*
Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
Any ideas?
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07Hi ,
yes I use it.
Here is my pam.conf:
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
# rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1
other account required pam_ldap.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
# -
OEL ldap client setup with SSL against OID using either ldaps or starttls
Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
Here's my /etc/ldap.conf file on OEL 5.3.
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
URI ldaps://FQDN:3132/
port 3132
ssl yes
host FQDN
base dc=DOMAIN,dc=com
pam_password clear
tls_cacertdir /etc/oracle-certs
tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
tls_ciphers SSLv3
# filter to AND with uid=%s
pam_filter objectclass=posixaccount
#The search scope
scope sub
I have /etc/nsswitch.conf set to check for files first, then ldap
passwd: files ldap
shadow: files ldap
group: files ldap
Here's my /etc/openldap/ldap.conf file
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
TLS_CIPHERS SSLv3
The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
4224de9f.0 -> oid-test-ca.pem
I can run ldapsearch using ldaps and it works fine.
ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!Hello again...
after some research and work together with Oracle Support I found out how to get it to work:
1. You have to create your own ConfigSet in OID using
SSL-Server-Authentication
(OpenSSL seems not to support SSL-encryption-only).
The following link shows on how to do that:
http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
2. Add the following lines to your $HOME/ldaprc
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
oid-caroot.pem is the CA-Root Certificate you got
during step 1
3. you should now be able to use ldapsearch using SSL
If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by an security fix which may not be compliant with the SSL implementation of Oracle.
I opened an Bug for that problem with RedHat. This Bug Description also includes an proposal for an Patch which solves the problem (but may introduce some security risks). See the Bug at RedHat:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
Bye
Frank Berger -
LDAP native solaris 10 server - client
Hi,
Can someone give me some link or instructions on how to configure a solaris 10 to be a Native Ldap server and i need also to have a client that will run on solaris 10 also.
I did follow PeterVG post, but have tried so many times that i need to do a clean install and get it from scratch.
anyway, what i did:
on the server:
a. set domain, add hots, install pkgs, and run directoryserver setup (it gives me some warning saying that i have an already installed instance, but i keep on trying).
b. run idsconfig => this part goes without problem.
when i go to try to add a client with hostA.ldif as:
dn: cn=hou-sol-dev,ou=hosts,dc=qatestit,dc=com
changetype: add
cn: qates001
iphostnumber: 10.38.133.124
objectclass: top
objectclass: device
objectclass: ipHost
goes and gives me ldap_add: No such object.
and of course, when i go to the client and try to run
ldapclient -v init ... with the server information gives me a fail, with some old dc=domain (which i have changed later).
if anybody can help, i really appreciate.
thank you,
./antonio/.I finally got it working. I think my problem was that I was coping and pasting the /etc/pam.conf from Gary's guide into the pam.conf file.
There was unseen carriage returns mucking things up. So following a combination of the two docs worked. Starting with:
http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
Then following the steps at "Authentication Option #1: LDAP PAM configuration " from this doc:
http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
for the pam.conf, got things working.
Note: ensure that your user has the shadowAccount value set in the objectClass
Maybe you are looking for
-
How to detect imbedded image inside GroupWise email?
Hi, I am using GroupWise 8.0. I created a new mail and used File->Attachments->Attach Files...to attach files, and selected one MS WORD and one Excel file to attach to this emai. Then I launched Paint to open a jpg file name image.jpg, selected the i
-
How to realize retiree (inactive employee) payroll result posting to FICO?
Hi, Now I have one requierment: the retiree who postion is '99999999' need to run payroll and posting. now I have make the retiree run payroll by change It0003. but I don't know how to make the payroll result posting ,because no cost centre. who ca
-
No response when export EXCEL from Mapping in FDM
Dear All, I am using FDM 11.1.1.3. And, install as usual. I cannot export Excel from Mapping in FDM. The screen is just keep waiting for long long time. How to fix it? Thanks for all. Karen
-
Itunes always freezes on start up
itunes freezes on startup for some reason now, can somebody help? hp pavilion 514c Windows XP
-
Is it possible to have the background colour of a field change based on the entry?
I previously obtained help from a user here to create a script that autopopulates a field based on options selected in two sets of radio buttons: var consequence = this.getField("Consequence").valueAsString; var likelihood = this.getField("Likelihoo