Solaris 10 LDAP Clients Intermittently Fail

I'm working on a rather puzzling issue with some of our Solaris 10 systems authenticating against DSEE 6.3. These clients previously worked without issue but starting last week SSH connections would hang for a few minutes and then start working again. This never happened on more than one system at a time.
I found the following messages in /var/adm/messages during the time we have these problems:
Apr 27 08:04:57 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:05:47 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
... many of these
Apr 27 08:10:07 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:10:17 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:10:31 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (81): Can't contact LDAP server.
To test connectivity to the LDAP server I have a ldapsearch running every 15 seconds an logging the time it took and checking for correct results. during the time that I see the libsldap messages and ssh connections are hanging, the ldapsearch command continues to run fine without slowing down.
A final note is that all three of the problem systems are on the same subnet and systems outside of this subnet aren't having any problems with the same configuration. My first thought was the firewall but ldapsearch continues to work.
Does anyone know if nscd tries to keep the LDAP connection open. Looking at the logged messages it appears as though it gives up after 5 minutes or so, throws the LDAP ERROR (81) and then starts to work again.
Any ideas would be appreciated. This one is making me crazy (crazier).
Thanks.

rukbat wrote:
Has anything changed in that time frame?
Any physical changes such as office-moves? new hires? lay-offs?
Could there have been any modifications to the networking hardware such as lengthening the cabling? Is it possible to re-route the subnet to different switches or to different posts on the switches? You might consider snooping the traffic to watch how it traverses the paths to the LDAP server.
If there are other systems on the subnet, do they experience any sort of timeouts ( even if it is to unrelated tasks such as database access or surfing to the Intranet/Internet ) ?
... just random thoughts from a hardware perspective.Given that this started after a maintenance night I'm sure you are correct and something changed. However there are no changes in the maintenance plan that could cause this and nobody will own up to any additional changes. This leaves it to me to try to find what is causing the failure so I can get it corrected.
These are the only three Unix systems on that subnet and they are all experiencing the problem so I don't have anything that is working to compare them to except for the other systems that aren't on that subnet. The other systems are working fine with the same configuration. That's why I'm thinking that it is something external to the problem systems.
Given that all other services on these systems are working, I'm not currently exploring a hardware type failure.
I've been running pfiles on nscd and it appears that it is indeed holding a connection to the LDAP server open (if I'm reading it correctly). The inode assocated with #8 hasn't changed. So my current theory is that maybe the firewall is killing off long connections after a while. This appears to be consistent with the log entries where I get many ERROR (85) and then a final (81). I'm thinking that after the ERROR 81, it re-opens the connection. Just guesses though.
8: S_IFSOCK mode:0666 dev:329,0 ino:3753 uid:0 gid:0 size:0
O_RDWR|O_NONBLOCK
SOCK_STREAM
SO_SNDBUF(49152),SO_RCVBUF(49680),IP_NEXTHOP(0.0.194.16)
sockname: AF_INET6 ::ffff:10.1.50.50 port: 42758
peername: AF_INET6 ::ffff:10.1.52.25 port: *636*

Similar Messages

Patching solaris LDAP client

i will have to patch a solaris LDAP client box. What do I expect for that? Do I have to rel-initialize the client using ldapclient command after patching?
solaris 8 + LDAP server 5.2 unbundled version.
Thanks

From previous experience if your slapd is not running on your LDAP server then your clients will not boot if they are setup for ldap domain authentication. This is the same in NIS and NIS+. The only way to bring them up is to boot -s and change the nsswitch.conf file back to standalone i.e files and reboot machine.
In short if ldap server goes down clients are too, multi ldap servers are required to prevent single point failure.

Proxy agent in solaris ldap client

Since ldap service provides naming service, that is supposed to be accessed by anyone who needs it, I don't know why we need a proxy agent when we set up solaris ldap client. The anoymous credential level is enough.
Also in order to use proxy agent, this agent needs to have at least read access to all naming entries, including userPassword, encrypted or clear-text. This adds some sort of in-security. While service authentication method "simple" will simply bind to the ldap server using provided password. Of course, you can still add another layer of security by using TLS.
So, can anyone explain this design a little more?
Thanks.

My input on this subject may seem a bit paranoid, but that's what I get paid for, so take this with a gain of salt 8-)
The proxy agent does not need to have read access to the userPassword attribute if you configure your clients to use pam_ldap instead of pam_unix. pam_unix retrieves the userPassword attribute by making a call to getspnam. With pam_ldap, the user dn and password are sent to the directory server in an auth structure, and the directory server will return success or failure to the client for that login attempt. More info on this can be found at http://docs.sun.com, or in the book "LDAP in the Solaris Operating Environment, Deploying Secure Directory Services" by Michael Hains and Tom Bialaski (ISBN 0-13-145693-8) pgs 177-179.
Use of the proxy agent can actually increase the level of security for your directory server. With the proper ACI's in place not allowing anonymous binds to view the data in the tree (or only view a small subset of the tree), you can prevent anyone from dropping a laptop or other device on your network and data mining your LDAP tree for information (ie vendors, guests, etc). That won't stop those same people from snooping the traffic on your network, so the use of secure protocols are the other side of that, but implementing tls:simple authentication for the directory server and clients is not that difficult, and should be considered for any deployment of LDAP for use as a naming server.
I do agree with your assessment that in an environment where anonymous binds are accecptable the use of the proxyagent is probably not warrented, but in my experience having the proxyagent has allowed me to tighten the security of my directory implementation .

Solaris ldap client problem (tls:simple + anonymous)

Hi All,
I've installed Directory Server 6.3.1 and it works just fine,
but I have a problem regarding connecting Solaris 10 ldap client to it through SSL using anonymous credential level.
Both SSL with proxy credential level or anonymous without SSL work fine but as you know these configurations are not pretty secure.
More detail.
Profile:
dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
authenticationmethod: tls:simple
bindtimelimit: 10
cn: sslnoproxyuser
credentiallevel: anonymous
defaultsearchbase: dc=domain,dc=com
defaultsearchscope: one
defaultserverlist: servername.domain.com
followreferrals: TRUE
objectclass: top
objectclass: DUAConfigProfile
preferredserverlist: servername.domain.com
profilettl: 43200
searchtimelimit: 30
Ldapclient output:
bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
Parsing profileName=sslnoproxyuser
Arguments parsed:
profileName: sslnoproxyuser
defaultServerList: servername.domain.com
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
rootDN[0] dc=domain,dc=com
found baseDN dc=domain,dc=com for domain domain.com
Proxy DN: NULL
Proxy password: NULL
Credential level: 0
Authentication method: 3
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "domain.com"
file_backup: stat(/var/yp/binding/domain.com)=-1
file_backup: No /var/yp/binding/domain.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: network/ldap/client:default... maintenance
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: sleep 100000 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: sleep 800000 microseconds
stop: sleep 1600000 microseconds
stop: sleep 3200000 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: network/ldap/client:default... restoring from maintenance state
stop: sleep 100000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "domain.com"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/domain.com)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname domain.com... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
start: sleep 100000 microseconds
start: system/name-service-cache:default... success
start: sleep 100000 microseconds
start: network/smtp:sendmail... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
*/var/ldap/cachemgr.log*
Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
Any ideas?
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07
Edited by: ffffffffff356dfd on 30 ???? 2009 12:07

Hi ,
yes I use it.
Here is my pam.conf:
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
# rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
# rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1
other account required pam_ldap.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

Solaris ldap client + first login problem (with home user)

hi, i have autenticate my solaris 10 (6/06) clients with a ldap server (sun 1 ds 5.2) withnout TLS (in the future sure).
I test this communication with ethereal, and i think the communications its ok.
But, when my user loggin for first time, he havent got a home directory, (in linux clients (fedoras) i configure pam and gdm to do this -with a kde desktop-), but here in solaris i dont know how to made this.
i have this problem (in a root session with entry "toto1" in dit)
# su - toto1
su: No directory!
I set (for toto1 entry) in attributte homedirectory in objectclass posixAccount a value "/home/toto1".
�How and how have the responsabilities to make home directories?
�the solution are like "linux solution", and if this is true, what files i must to touch for java desktop or cde?
Thanks!!!

One minute...!! How you made it work?I too have fedora DS Configured and want to configure Solaris Client.The #getent and #-ldaplist is displaying correct but login is now working.I guess PAM issue?how you resolved??

Ldap client in Solaris using TLS

I have installed an OpenLap server (version 2.2.13-2) in a Red Hat ES 4.
My LDAP clients are
- Linux (redhat and mandriva)
- Solaris 8 (with the last recommended path and 10893-62 path for ldapv2)
- Tru64 (5.1B)
If a use simple authentification all works fine (search in LDAP,
authentification and automount).
However, when I use TLS the Solaris LDAP client doesn't seem to work.
When I run the LDAP client the process freeze
With my Linux and Tru64 clients all work fine using LS.
I have downloaded the certificates from my LDAP server using Netscape browser.
I have copied cert7.db and key3.db in the "/var/ldap/directory" with a
"chmod 644" in this files.
I can do a "ldapsearch -x -ZZ objectclass=*" and this returns data.
The last logs of the ldap_cachemgr are:
Mon Nov 20 09:34:46.4425 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
If I do a truss when I launch the client the
result was this:
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
This is my ldap_client_file:
# Do not edit this file manually; your changes will be lost.Please use
ldapclient (1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= srvldap
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
NS_LDAP_PROFILE= tls_profile
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Users,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Users,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_home:
automountMapName=auto_home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:
automountMapName=auto_master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.home:
nisMapName=auto.home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= auto.master:
nisMapName=auto.master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
NS_LDAP_BIND_TIME= 10
I have launched ethereal so see network communications with my Solaris 8 client and the LDAP server.
And with this configuration the Solaris box only communicates with the LDAP server using LDAP port 389 and not LDAPS port 636.
I have done the same test with a linux and tru64 box and they use LDAPS port 636 to communicate with my LDAP server.
Does anyone have an idea on getting Solaris using TLS/SSL?
Thanks.

LDAP Setup and Configuration Guide
Solaris 8 2/04 Update Collection > LDAP Setup and Configuration Guide > 1. Overview > Solaris Name Services
[http://docs.sun.com/app/docs/doc/806-5580/6jej518ou?l=en&a=view&q=solaris+8+ldap]
Download this book in PDF (557 KB)
[http://dlc.sun.com/pdf/806-5580/806-5580.pdf]

Help with setting up LDAP Client on Oracle Linux 6.4

Hi,
I'm having problems getting my Oracle Linux server setup as a ldap client and hoping someone can find where I'm going wrong. We have Oracle/Sun Directory Server 7 with Solaris ldap clients already setup with ssl. We are also using crypt for storing passwords. Here are the steps I have done on the Linux server.
yum install -y openldap openldap-clients nss-pam-ldapd pam_ldap
Edited the line FORCELEGACY=no to yes in /etc/sysconfig/authconfig
Copied the CA certs to /etc/openldap/cacerts
Ran: authconfig updateall enableldap enableldapauth ldapserver=zldap1.<domain> ldapbasedn="o=<domain>,o=isp" enableldaptls --enableldapstarttls
Changed pam_password md5 to crypt in /etc/pam_ldap.conf
Restarted /etc/init.d/nslcd and also tried rebooting.
I'm seeing the following errors in messages:
May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] ldap_start_tls_s() failed: Connect error (uri="ldap://zldap1.<domain>/")
May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] failed to bind to LDAP server ldap://zldap1.<domain>/: Connect error
May 21 08:50:01 ryolinux nslcd[1261]: [c79ea8] no available LDAP server found
Here is what my /etc/openldap/ldap.conf file looks like:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
URI ldap://zldap1.<domain>/
BASE o=<domain>,o=isp
Any help would be appreciated.
Thanks

Copy cacerts to /etc/openldap/cacerts
yum install -y openldap ldap-clients nss-pam-ldapd pam_ldap authconfig sssd
authconfig enablesssd enablesssdauth enablelocauthorize update
authconfig updateall enableldap enableldapauth ldapserver=zldap1.<domain> ldapbasedn="o=<domain>,o=isp" enableldaptls --enableldapstarttls
Add line to /etc/sssd/sssd.conf "ldap_tls_reqcert = allow"
Change /etc/pam_ldap.conf line:
pam_password md5 --> pam_password crypt
service sssd restart

OEL ldap client setup with SSL against OID using either ldaps or starttls

Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
Here's my /etc/ldap.conf file on OEL 5.3.
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
URI ldaps://FQDN:3132/
port 3132
ssl yes
host FQDN
base dc=DOMAIN,dc=com
pam_password clear
tls_cacertdir /etc/oracle-certs
tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
tls_ciphers SSLv3
# filter to AND with uid=%s
pam_filter objectclass=posixaccount
#The search scope
scope sub
I have /etc/nsswitch.conf set to check for files first, then ldap
passwd: files ldap
shadow: files ldap
group: files ldap
Here's my /etc/openldap/ldap.conf file
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
TLS_CIPHERS SSLv3
The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
4224de9f.0 -> oid-test-ca.pem
I can run ldapsearch using ldaps and it works fine.
ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

Hello again...
after some research and work together with Oracle Support I found out how to get it to work:
1. You have to create your own ConfigSet in OID using
SSL-Server-Authentication
(OpenSSL seems not to support SSL-encryption-only).
The following link shows on how to do that:
http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
2. Add the following lines to your $HOME/ldaprc
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
oid-caroot.pem is the CA-Root Certificate you got
during step 1
3. you should now be able to use ldapsearch using SSL
If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by an security fix which may not be compliant with the SSL implementation of Oracle.
I opened an Bug for that problem with RedHat. This Bug Description also includes an proposal for an Patch which solves the problem (but may introduce some security risks). See the Bug at RedHat:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
Bye
Frank Berger

SSL/TLS clients binds fail to Solaris 10 06/06 DS5.2p4 Server

hello all,
this is a bizarre issue that i think is related to the solaris version that is running on the directory server, at least this appears to the the issue. i have 2 SunDS servers running solaris 10 06/06 and the other solaris 10 01/06 with DS5.2p4. both have SSL enabled, the certs i signed with my own CA which i maintain with tinyca2. the directory starts fine and is listening on both 389(ldap) and 636(ldaps). i am able to successfully bind to both servers on the non-secure ports fine, commands like getent, finger, id are pulling the people from the directory. when i enable the clients to use ssl/tls those same commands fail against the solaris 10 06/06 machine but NOT the solaris 10 01/06 server. on the linux machines i'm getting "nscd: pam_ldap: could not search LDAP server" errors and on the solaris machines "Mesg: openConnection: failed to initialize TLS security" and "libsldap: Status: 7 Mesg: Session error no available conn."
using "ldapsearch -x -ZZ" from the clients is successful to both systems, and i can use "openssl s_client" to view the certs fine. another bizzare occurance is when i do "getent passwd" i see the local and ldap users but "getent passwd ldap_user" will return nothing. again this are against the solaris 10 06/06 machine.
has anyone see this before? i'm going to open a service request for sun on this but i wanted to see if anyone else has run into this.

there was a problem with the certificate db which was causing this.

Solaris 8 client setup with solaris 9 ldap

I have managed to install iplanet directory server 5.1 that comes with solaris 9 using the utility idsconfig. As far as i can tell, all went well. Now i'm trying to initialize a solaris 8 client to authenticate to the iDS 5.1 on my solaris 9 box. What do i have to do on the solaris 8 client to "initialize it"? I've tried using ldapclient on the solaris 8 client as follows:
# ldapclient -v -P default x.x.x.x
but i keep getting the following errors:
findDN rename(/var/ldap/ldap_client_file.orig, /var/ldap/ldap_client_file) failed!
findDN rename(/var/ldap/ldap_client_cred.orig, /var/ldap/ldap_client_cred) failed!
There are no files in /var/ldap. I thought that one uses ldapclient to create them. Am i wrong?
Also, the output from idsconfig says that a 'NisDomainObject' was added to my domain but looking at the object classes in iDS5.1, there is no nisdomainobject.
I also noticed that when i run the command domain on my solaris 8 box, there's no output. Do i need to set the domain on my solaris 8 client? I have the domain defined in /etc/resolv.conf.
Stewart

hi Stewart,
You may find what you are looking for in the following technical note: http://knowledgebase.iplanet.com/ikb/kb/articles/7966.html
It is called: "Cookbook for Solaris 8 client with Directory Server 5.1/Solaris 9" :-)
Hope this will help you.
Cheers / Damien.

Solaris 10 - ldap client - tls/ssl - password change

we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
passwd -r user1
passwd: Changing password for user1
passwd: Sorry, wrong passwd
Permission denied
where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
any ideas will be highly appreciated.

Not that it helps any but I am getting his same error. I am also using 6.3.1

Regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections (any ideas???)

regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections. any suggestions would be greatly appreciated - thank you

Hi Jason
I was getting the same behavior after Apple support had me delete some plist files to get Airplay going. I was also getting the following error:
the error occurred while processing a command of type 'writesettings' in the plug-in 'server vpn'
I went into ~/Library/Preferences/ and /Library/Preferences/ and deleted every plist contating the word server. I had to re-set up my server (meaning walk through some intial steps) but all of my settings were still there after that and everything started working again.
Just a thought, obviously try at your own risk but it worked for me.
Kellen

Has anyone set up a Solaris 7 LDAP client to use with iPlanet DS 5.0? I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

I am trying Not to have 3 separate versions of LDAP in my environment (iDS5,Native Solaris LDAP,OpenLDAP). Can anyone point me to some DETAILED instructions to get an LDAP client (not server) running on Solaris 7?

Hi,
While U try to upgrade solaris it first tries to check the installed softtware & application and patch's specific to the exsisting version b'coz these patch are specific to version in most cases.Since in Ur case the authentication is done in ldap it would become bit of a mess if U upgrade.

Solaris 10 client - ldap_search: Can't connect to LDAP server

Hello
I have following configuration:
- openLDAP server in Solaris 10 zone called ldap
- native LDAP client in different Solaris 10 zone called mail on the same SPARC machine
I can't get ldapsearch results after ldapclient initialization.
[root@mail ~]# ldapsearch -b dc=pov,dc=pl objectclass=*
ldap_search: Can't connect to the LDAP server - Connection refused
But I am able to get data from LDAP server if address of the server is specified:
[root@mail ~]# ldapsearch -b dc=pov,dc=pl -h 192.168.1.40 objectclass=*
version: 1
dn: ou=users,dc=pov,dc=pl
objectClass: organizationalUnit
ou: Users
Here is ldapclient config:
[root@mail ~]# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.1.40
NS_LDAP_SEARCH_BASEDN= dc=pov,dc=pl
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
What am I missing?

Hi, I'm no exprert but I will try to help you. Are you still working on this?
This what my stuff looks like:
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
[root@light migration]# cat user00.ldif
dn: uid=user00,ou=People,dc=deathnote,dc=net
uid: user00
cn: user00
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 805
gidNumber: 501
homeDirectory: /home/user00
gecos: ldap user
Also update you hosts file and add your server to the domain.
I hope this helps.
Edited by: CyberNinja on Oct 22, 2011 12:37 PM

Solaris 10 LDAP Client: libsldap: Status: 4

Hi everybody.
I changed the configuration in Solaris 10 to restrict the LDAP users who can login to the system.
What I have done is changed the value:
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=people,dc=sis,dc=personal,dc=net,dc=py?sub?host=<hostname>
Where <hostname> is the respective hostname.
After that, everything works as I expect, but I get a lot of these messages:
sshd[28495] libsldap: Status: 4 Mesg: Service search descriptor for service 'passwd' contains filter, which can not be used for service 'user_attr'.
Should I ignore the messages? This is the nsswitch.conf file:
/etc/nsswitch.conf
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# ident "@(#)nsswitch.files 1.14 06/05/03 SMI"
# /etc/nsswitch.files:
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: files ldap
group: files ldap
hosts: cluster files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: cluster files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
user_attr: files
I added user_attr to nsswitch.conf pointing to files only, refreshed ssh, but the message still appears.
Any suggestions?

What would I do without google?
http://prefetch.net/blog/index.php/2005/01/
I setup several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:
Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
descriptor for service �passwd� contains filter, which can not be used for service �user_attr�.
We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot login to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)
Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 ( An approach to using LDAP as a network information service), or the documentation on docs.sun.com.

Solaris 10 LDAP Clients Intermittently Fail

Similar Messages

Maybe you are looking for