Radius or LDAP (not Oracle LDAP) authentication for GridControl

I'm running GC 10.2.0.3.0 on Oracle Linux, and I'd like to be able to open up GridControl to other users without setting up accounts/passwords for them. Accounts I can handle, passwords, I don't want to handle.
I see that if I create a new GC user via enterprise manager, a new database accout is also created in the EMREP database. I've configured our EMREP database to use radius authentication and it works when I connect via sqlplus to the EMREP database. The user is set to authenticate "externally" and os_authent_prefix is set to ''.
However, after I set up external authentication for a given user, they are no longer able to login to enterprise manager using their radius authenticated password. So something about EM is not capable of radius authentication with the local EMREP database?
Questions for all:
Is it possible to authenticate users of enterprise manager GridControl against an external password store? I have at my disposal: radius (works great for several of our databases), ActiveDirectory (without oracle schema extensions), LDAP (active directory), proxying the EM server with another Apache server.
I do not have a license for OID and the "free use" license for OID does not allow for user management. We cannot we purchase OID for this purpose.
Our GC environment is Linux so Windows OS authentication against AD isn't going to work and we need to support Firefox/IE/Other browsers on various OS's.
I've seen hints that "external authentication" is possible with "generic" sources, but nothing concrete. Anyone doing this?

<QUOTE>All I want now is the capability to perform my own method of LDAP BIND to AD to be used as a security plugin to the database authentication piece</QUOTE>
Amen.
Right now, I've got an SR open on the radius authentication issue in GC. It took me a two weeks to convince the Oracle tech that I wasn't talking about getting Oracle to use OS authentication where OS users were authenticated by radius.
I've put about 40 actual work hours in on this issue, going so far as to deconstruct the EM install .jar files and trying to replace the JDBC drivers.
At this point I believe that it would be relatively easy for Oracle to add Radius authentication support to Grid control in their next big release (11g).
Doing so would involve replacing the 10g JDBC thin drivers with 11g JDBC thin drivers. The 10g thin jdbc drivers support advanced security encryption and checksums, but not the radius authentication. The 11g thin drivers DO implement the radius option as well as a full complement of encryption checksum types not supported in 10g. From there it should be a simple matter of the EM java login procedure/bean/servlet/jsp being able to set the thin driver to use the radius code in the jdbc layer.
The other option, which I haven't yet given up on would be to hack the EM code so that instead of using 10g thin drivers it uses 10g OCI jdbc (thick) drivers. The thick drivers support the radius authentication and encryption/checksum features natively, and the settings are controled by the sqlnet.ora file. I've got java code using those just fine. If only I could hack EM to use them.
In short, if I had access to the source, I could probably code this up in a week. Very frustrating.
I thought about trying the OID route, but as I said in my original post, we don't have a license. Even if I got it working, and it sounds like it doesn't really work, I can't justify spending $x00,000 for 10-15 dbas not to have to use dedicated accounts and passwords.
Normal user login to our 9i and 10g databases we have working with radius (backed by Active Directory). All we do is "create user xxxxxx identified externally;" and the user is good to go.
In short, I think EM GridControl is awesome. I manage 36 databases with it and I've solved problems in minutes that used to take hours or days. When I show it to some of our oracle "power users" they all want it, but they're all radius authenticated.
I'll keep the thread updated if I see results from our SR.

Similar Messages

How to enable LDAP authentication for APEX

How do I enable LDAP authentication for APEX 4.2? Thank for your help.
Kevin

you need to create new authentication based on predefined LDAP authentication from shared components => Authentication
and provide your company LDAP authentication credentials

Not receiving Email authentication for apple id..

I was helping my mom create and apple id for her all ne Ipad and we are not receiving Email authentication for apple id.. Security question is being answered correctly but said that "The authentication information provided does not match our records. Please verify your personal information and try again"
We have already created to apple ids from 2 different email address and the issue is still the same.
<Email Edited by Host>

Do you have a rescue email address on the account ? If you do then you've checked the inbox and spam folder on that email account as well ? If it's not there either, and you've tried requesting the reset email again, then you could try contacting Support in your country and see if they can re-enable the account for you.
Contacting Apple about account security : http://support.apple.com/kb/HT5699

How to use two different LDAP authentication for my Apex application login

Hi,
I have 2 user groups defined in the LDAP directory and I provided the DN string for apex authentication something like the below
cn=%LDAP_USER%,ou=usergrp1,dc=oracle,dc=com
cn=%LDAP_USER%,ou=usergrp2,dc=oracle,dc=com
The problem is I couln't pointout both the groups in DN string, I am trying to allow both usergroups to access the application.
Does anyone know how to define both the group in LDAP DN String ?.
Thanx in advance
Vijay.

Vijay,
I don't think you'll be able to use the built-in LDAP authentication scheme. Just create a new authentication scheme that has its own authentication function. In that function code your calls to dbms_ldap however you need. Search the forum for dbms_ldap.simple_bind_s to find examples.
Scott

LDAP Authentication for Application APEX 3.2

Dear All,
I have created an application in APEX 3.2 for that i am using the below code for authentication all my domain users
create or replace
FUNCTION              "ADS_LDAP_AUTHENTICATE"
(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN AS
c_Directory   VARCHAR2(50) ;
c_Port        NUMBER(4);
c_BaseDN      VARCHAR2(200);
c_InitUser    VARCHAR2(200);
c_InitPass    VARCHAR2(32);
l_session     DBMS_LDAP.SESSION;
l_success     PLS_INTEGER;
l_attributes DBMS_LDAP.STRING_COLLECTION;
l_result      DBMS_LDAP.MESSAGE;
l_userdn      VARCHAR2(2000);
CURSOR get_authentication_dtls
IS
SELECT domain_name,server_port,server_base_dn,server_principal,server_credentials
FROM    PS_TB_SYSTEM_ADS_CONFIG_DICT;
BEGIN
OPEN get_authentication_dtls;
LOOP
FETCH get_authentication_dtls INTO c_Directory,c_port,c_baseDN,c_InitUser,c_InitPass;
EXIT WHEN get_authentication_dtls%NOTFOUND;
--Open initial lookup session.
l_session := DBMS_LDAP.INIT(c_Directory,c_Port);
l_success := DBMS_LDAP.SIMPLE_BIND_S(l_session, c_InitUser,c_InitPass);
IF l_success = DBMS_LDAP.SUCCESS THEN
    l_attributes(1) := NULL;
    l_success := NULL;
    l_success := DBMS_LDAP.SEARCH_S(ld => l_session,
                                   base => c_BaseDN,
                                   scope => dbms_ldap.scope_subtree,
                                   filter => '(|(sAMAccountName=' ||p_Username || ')(mailNickname=' || p_Username || '))',
                                   attrs => l_attributes,
                                   attronly => 0,
                                   res => l_result);
    IF l_success = DBMS_LDAP.SUCCESS THEN
      l_userdn := dbms_ldap.get_dn(l_session,dbms_ldap.first_entry(l_session,l_result));
      IF l_userdn IS NOT NULL THEN
        l_success := dbms_ldap.unbind_s(l_session);
        l_session := dbms_ldap.init(c_Directory,c_Port);
        l_success := dbms_ldap.simple_bind_s(l_session, l_userdn,NVL(p_password, 'QWERTASDFZXC'));
      END IF;
    END IF;
else
    return FALSE;
END IF;
IF l_success = DBMS_LDAP.SUCCESS THEN
CLOSE get_authentication_dtls; /* Close cursor before returning */
    RETURN TRUE;
END IF;
END LOOP;
CLOSE get_authentication_dtls;
   RETURN FALSE; /* if the success has not happened till all servers processed, then return FALSE */
EXCEPTION
WHEN OTHERS THEN
    RETURN FALSE;
END;
Now i dont want to allow all the domain user to access my application. So we planned to create a user group in active directory.
Can anyone suggest me how to allow only a set of users to access my application using LDAP.
Thanks in Advance.
Cheers,
San.

Use the below link for Ldap Authentication
LDAP (MS AD) Group Authentication

Problem with LDAP authentication for users in a group

I've gone through several forums attempting to find a solution, but I still can't get authentication to work for users in a particular group within AD. Our ASA is running 9.1(2), and the domain controller is a Windows Server 2012 R2.
I can configure the VPN connection, so that all users can authenticate just fine; however, when I setup the group, there appears to be success, but I'm reprompted to authenticate, and it eventually fails:
[6707] memberOf: value = CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com
[6707] mapped to IETF-Radius-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] mapped to LDAP-Class: value = GroupPolicy_COMPANY_SSL_VPN
[6707] msNPAllowDialin: value = TRUE
I'd be grateful if anyone can point me into the right direction and show me what I'm doing wrong. Thank you.
ldap attribute-map AuthUsers
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=VPN Access,OU=COMPANY Groups,DC=COMPANY,DC=com" GroupPolicy_COMPANY_SSL_VPN
aaa-server LDAP protocol ldap
aaa-server LDAP (COMPANY_PROD_INTERNAL) host 10.10.100.110
ldap-base-dn DC=COMPANY,DC=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAPAuth,CN=Users,DC=COMPANY,DC=com
server-type microsoft
ldap-attribute-map AuthUsers
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
webvpn
anyconnect ask none default anyconnect
group-policy GroupPolicy_COMPANY_SSL_VPN internal
group-policy GroupPolicy_COMPANY_SSL_VPN attributes
wins-server none
dns-server value 10.10.100.102
vpn-tunnel-protocol ikev1 ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value net.COMPANY.com
webvpn
anyconnect profiles value COMPANY_SSL_VPN_client_profile type user
tunnel-group COMPANY_SSL_VPN type remote-access
tunnel-group COMPANY_SSL_VPN general-attributes
address-pool COMPANY-SSL-VPN-POOL
authentication-server-group LDAP
authorization-server-group LDAP
authorization-server-group (COMPANY_PROD_INTERNAL) LDAP
default-group-policy NOACCESS
authorization-required
tunnel-group COMPANY_SSL_VPN webvpn-attributes
group-alias COMPANY_SSL_VPN enable
tunnel-group COMPANY_SSL_VPN ipsec-attributes
ikev1 pre-shared-key *****

I just figured it out. Under "group-policy GroupPolicy_COMPANY_SSL_VPN attributes", I had to add "vpn-simultaneous-logins 15". Apparently, it was using the value "vpn-simultaneous-logins 0" under the NOACCESS group policy.

LDAP Authentication for OSB Services

Hi ,
I would like to know how to secure proxy services to be accessible to only selected users in a given LDAP configured under weblogic "Providers".
For example only users test1 and test2 must be able to access the proxy service and the methods.
Also is similar type of access control possible with roles?ie only users assigned to a particular role must be able to access the proxy service.
Please note we don't want to use OWSM for this.
Thanks.

Please refer section "45.5 Access Control Policies" at -
http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/model.htm#i1063159
Also refer -
http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/message_level_cust_auth.htm#i1069719
Regards,
Anuj

Error in LDAP Authentication for Sun One App Server 8..pls help

I need to authenticate my sun java system application server 8 with openldap server.....
i have added ldap realm as given in the administrators guide http://docs.sun.com/source/817-6088/security.html
My settings in the sun app server were like this:
Realm: ldap
Class Name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
directory ldap://10.1.1.79:389
base-dn o=stooges
jaas-context ldapRealm
search-bind-dn cn=StoogeAdmin,o=stooges
search-bind-password secret1
My openldap schema is as follows
file : /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
database ldbm
suffix "o=stooges"
rootdn "cn=StoogeAdmin,o=stooges"
rootpw secret1
directory /var/lib/ldap/stooges
defaultaccess read
schemacheck off
lastmod on
index cn,sn,st pres,eq,sub
index uid,userPassword eq
file : /var/lib/ldap/stooges/stooges.ldif
dn: o=stooges
objectClass: top
objectClass: organization
o: stooges
description: The Three Stooges
dn: cn=StoogeAdmin,o=stooges
objectClass: organizationalRole
cn: StoogeAdmin
description: LDAP Directory Administrator
dn: ou=MemberGroupA,o=stooges
ou: MemberGroupA
objectClass: top
objectClass: organizationalUnit
description: Members of MemberGroupA
dn: ou=MemberGroupB,o=stooges
ou: MemberGroupB
objectClass: top
objectClass: organizationalUnit
description: Members of MemberGroupB
dn: uid=vikram,ou=MemberGroupA,o=stooges
uid:vikram
givenName:vicky
objectClass:top
objectClass:person
objectClass:organizationalPerson
objectClass:inetorgperson
sn:kone
cn:Kone Vikram
userPassword:glamsham
When i start ldap server and sun server,
the login page for sun server asks for username and password ....
when i give
username : vikram
password : glamsham
Error page comes.....
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
Sun-Java-System/Application-Server-PE-8.0
Subsequent attempts to login gives another error page
HTTP Status 500 -
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
com.sun.enterprise.tools.guiframework.exception.FrameworkException: Unabled to handle pre-compiled JSP '/jsp/j_security_check'. Expected pre-compiled classname: 'org.apache.jsp.jsp.j_005fsecurity_005fcheck'.
com.sun.enterprise.tools.admingui.servlet.HandlePrecompiledJsp.doPost(HandlePrecompiledJsp.java:59)
javax.servlet.http.HttpServlet.service(HttpServlet.java:768)
javax.servlet.http.HttpServlet.service(HttpServlet.java:861)
sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:324)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:289)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:205)
note The full stack trace of the root cause is available in the Sun-Java-System/Application-Server-PE-8.0 logs.
Sun-Java-System/Application-Server-PE-8.0
So pls... help as to how to go about this..
P.S. My ldap server runs as "ldap" user not as root

Try with "vikram" as a member of "cn=asadmin" group in your LDAP directory...

AD LDAP authentication or authorization

Hi,
It really drives me crazy because I can't seem to find the right solution for my issue.
I'm trying to use the LDAP authentication for my apex applications.
So far, straight forward LDAP authentication works just fine, but EVERYBODY who has a user account can log into any application.
I'm using the %LDAP_USER% string to validate the users and that's just fine.
But I want to restrict somehow users from logging into my applications.
Either way by ldap groups or an users table in every application.
Can someone please help me with this, or give me directions/examples of login functions/schemes?
Thanks so much!
Regards, Bas

What you have done so far is called Authentication. It's the question of "who am I?"
What you want to add is called Authorization, which is the "what can I do?"
So, you need to create an Authorization Scheme to secure components of your application. An authorization scheme can secure almost any component of an APEX app including:
- The application
- Pages
- Tabs
- Regions
- List items
- Items
- Columns in reports
- More that I'm not thinking of
Look at the doc on authorization schemes. You have 2 primary options that I can think of:
1) Use LDAP groups by using the APEX_LDAP package to lookup information about a user. I'm not sure if the member_of function works against AD or just OID, you might need to use the get_attribute function instead. In short, you query AD, then return true or false based on the attributes of the user. Once they are logged in you can reference the username with the :APP_USER APEX variable
2) A table of usernames (not passwords). You authorization scheme could just be an "Exists query" such as:
select 1 from valid_users where username = :APP_USEROnce you decide on an authorization scheme and create it, you then edit the security attributes of your app / page / region / etc and apply it
Tyler Muth
http://tylermuth.wordpress.com
"Applied Oracle Security: Developing Secure Database and Middleware Environments": http://sn.im/aos.book

Solaris 10 and LDAP Authentication

Were trying to use LDAP authentication with Solaris 10 accounts and Sun One Java Systems Directory Server 5.2, where there won't be no /etc/passwd or /etc/group user entries, ( only entries for system accounts). The Sun One Java Systems Directory Server 5.2 is on a separate machine from the accounts. Both machines are using Solaris 10.
I first ran the "idsconfig" utility to setup the VLV indexes, but I received an error on the "automountKey" when it was doing the index processing. It showed that the index processing had failed. All the other indexes were configured successfully. What would cause this?
My next step is initializing the LDAP Client . Then configure the pam.conf file to use pam_ldap. Finally import all the users into LDAP with the required ObjectClasses and attributes for the authentication process, (posixAccount, shadowAccounts etc.). This also includes adding the automount entries into LDAP, which I'm really not sure how to do that. All of our users paths will be under /export/home/username.
I'am missing any steps?
Doese anyone have a step by step guide to use LDAP authentication for Solaris 10 accounts, where LDAP will manage the groups, passwords, automounts for each user?
Message was edited by:
automount
Message was edited by:
automount

You may follow:
http://web.singnet.com.sg/~garyttt/
http://projects.alkaloid.net/content/view/15/26/
http://blogs.sun.com/roller/resources/raja/ldap-psd.html
http://jnester.lunarpages.com/howtos/solaris/howToSolarisLDAPAuth.html
http://www.thebergerbits.com/unix.shtml
http://blogs.sun.com/roller/page/baban?entry=steps_to_setup_ssl_using (SSL/TLS steps)
http://blogs.sun.com/roller/page/rohanpinto?entry=nis_to_ldap_migration_guide (NIS to LDAP migration)
http://blogs.sun.com/roller/page/anupcs?entry=ldap_related_documentation_at_sun
(LDAP related docs)
Gary

How to do LDAP authentication in OC4J instance?

Need to configure third party LDAP authentication for an application deployed in OC4J instance. How to configure this?

Hi,
I think that links will be useful to you!
http://download-uk.oracle.com/docs/cd/B15904_01/web.1012/b14013/configoc4j.htm
http://www.oracle.com/technology/sample_code/tech/java/codesnippet/security/jaznldap/index.html
Afonso

CUC 8.5.1 IMAP - LDAP Authentication

I have Unity Connection 8.5.1. It is setup for LDAP Sync. It's set to use LDAP Authentication for users. The passwords and search bases are correct becasue I can authenticate for inbox/PCA and admin. It's using SSL and I have changed the Server information to the host name to match the certificate installed. There are no custom filters.
I am trying to get CUPC Voicemail configured and it keeps telling me credentials are rejected.
I connect to IMAP using telnet <server ip> 143
attempting to login using 02 login username password
it returns 02 NO Logon Failure: unknown user or incorrect password.
If I create a user not linked to ldap I can login with username and web password.
I have even restarted the servers after changing ldap server to hostname.
The LDAP user has the same COS that is assigned to non-ldap user that I am able to log in with.
Any other suggestions?

Hi,
Sounds like you're hitting
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr94356
Brad

How to include all the child OU groups of a master OU group in LDAP authentication

Dear All,
I am using Apex 4.2 on windows server 2012 on internet explorer with database 11g R2 all 64 bit.
we are using Microsoft Active Directory Authentication in our domain.
I have created two protals, Staff Portal and Student Portal
I have two groups, Staff and Students. these two groups coming under HCT group.
I want to configure LDAP authentication for these groups, so that student cannot login to staff portal and vice versa.
I had created on authentication schema in apex.
inititally I configured as below
for example I have a group ETC, inside ETC I have CSS in active directory,
DN String=cn=%LDAP_USER%,dc=hct,dc=org
Use Exact distinguish name=YES
LDAP Username edit function=
return apex_escape.ldap_dn (
p_string => :USERNAME,
p_escape_non_ascii => false ) || ',ou=users,ou=css,ou=etc,ou=staff,ou=hct' ;
Username Escaping=NO ESCAPING
and it is working,
now I have another group under ETC, which is ESS. how to include ESS also? I mean how to include all the child groups of a master group?
because I will then only include the STAFF ou and the rest of the ou which coming under staff will come automatically.
please refer to this thread for more details.
Re: Re: Different LDAP authentication for Student and Staff Active directory groups
Thank you.

Powershell (or vbscript if you want to be old school).
You can trigger a powershell script which will remove the offending user(s) easily enough with out resorting to a TOLDAP pass. Nearly any script type thing would work but powershell is preferred. It can be triggered separately from the TO AD stuff and will take multiple objects to run in one pass if you can construct the command line (or create a text file and feed it in).
Otherwise, TOLDAP is the way to write to AD...
Peter

Configuring Oracle 9iAS for LDAP Authentication

I have installed OID Server on my PC. Now I want to switch my Login Server to External LDAP Authentication mode. For that I run the script ssoldap.sql passing the host, port, search base, etc.. from my login server schema (portal30_sso) The script throws me the following error :
" Bind variable "CN" not declared ".
I even compile the package ssoxldap.pkb before that. But still this error persists.
tnsnames.ora and listener.ora files are fine and the tnsping to the external procedure is also working properly.
Can anyone help me in this.

I got that problem solved. Its little bit funny solution. Instead of running the sql file using the File->open->ssoldap.sql, we should directly write the whole path i.e. @d:\oracle9i\portal30\admin\plsql\sso\ssoldap.sql
And secondly, I also found one small change related to the installation manual. Its related to Adding entries to the LDAP Server. the manual shows this syntax:
ldapadd -h i3dt111 -p 389 -D 'cn=orcladmin'
-w welcome -f d:\oracle\admin\phd\udump\users.ldif
but instead we shoud write this:
ldapadd -h i3dt111 -p 389 -D cn=orcladmin
-w welcome -f d:\oracle\admin\phd\udump\users.ldif
. Just remove the single quotes in the username string.
Anyways, thanks for your suggestions.
null

Ldap authentication not working for Solaris 8 host - Help!

Greetings folks,
I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
My /etc/nsswitch.conf looks like this:
passwd: files ldap
group: files ldap
My /etc/pam.conf looks like this:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1
sshd auth requisite pam_authtok_get.so.1
sshd auth sufficient pam_unix_auth.so.1
sshd auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
hostname# getent passwd user1
user1::1001:1001:User 1:/opt/home/user1:/bin/bash
hostname# ldaplist -l passwd user1
dn: uid=user1,ou=people,dc=mydomain,dc=com
shadowFlag: 0
userPassword: {crypt}(removed)
uid: user1
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
cn: user1
uidNumber: 1001
gidNumber: 1001
gecos: User 1
homeDirectory: /opt/home/user1
loginShell: /bin/bash
However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
Any ideas?
Thanks!
Patrick

I assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
2) Did you test and verify telnet/ftp/su working? but SSH not working?
3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
Gary

Radius or LDAP (not Oracle LDAP) authentication for GridControl

Similar Messages

Maybe you are looking for