Solaris 8 client setup with solaris 9 ldap

I have managed to install iPlanet Directory Server 5.1 that comes with Solaris 9 using the utility idsconfig. As far as I can tell, all went well. Now I'm trying to initialize a Solaris 8 client to authenticate to the iDS 5.1 on my Solaris 9 box. What do I have to do on the Solaris 8 client to "initialize it"? I've tried using ldapclient on the Solaris 8 client as follows:
# ldapclient -v -P default x.x.x.x
but i keep getting the following errors:
findDN rename(/var/ldap/ldap_client_file.orig, /var/ldap/ldap_client_file) failed!
findDN rename(/var/ldap/ldap_client_cred.orig, /var/ldap/ldap_client_cred) failed!
There are no files in /var/ldap. I thought that one uses ldapclient to create them. Am I wrong?
Also, the output from idsconfig says that a 'NisDomainObject' was added to my domain but looking at the object classes in iDS 5.1, there is no nisdomainobject.
I also noticed that when I run the command domain on my Solaris 8 box, there's no output. Do I need to set the domain on my Solaris 8 client? I have the domain defined in /etc/resolv.conf.
Stewart

hi Stewart,
You may find what you are looking for in the following technical note: http://knowledgebase.iplanet.com/ikb/kb/articles/7966.html
It is called: "Cookbook for Solaris 8 client with Directory Server 5.1/Solaris 9" :-)
Hope this will help you.
Cheers / Damien.

Similar Messages

  • OEL ldap client setup with SSL against OID using either ldaps or starttls

    Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
    Here's my /etc/ldap.conf file on OEL 5.3.
    timelimit 120
    bind_timelimit 120
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
    URI ldaps://FQDN:3132/
    port 3132
    ssl yes
    host FQDN
    base dc=DOMAIN,dc=com
    pam_password clear
    tls_cacertdir /etc/oracle-certs
    tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
    tls_ciphers SSLv3
    # filter to AND with uid=%s
    pam_filter objectclass=posixaccount
    #The search scope
    scope sub
    I have /etc/nsswitch.conf set to check for files first, then ldap
    passwd: files ldap
    shadow: files ldap
    group: files ldap
    Here's my /etc/openldap/ldap.conf file
    URI ldaps://FQDN:3132/
    BASE dc=DOMAIN,dc=com
    TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
    4224de9f.0 -> oid-test-ca.pem
    I can run ldapsearch using ldaps and it works fine.
    ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
    But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
    Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
    Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

    Hello again...
    after some research and work together with Oracle Support I found out how to get it to work:
    1. You have to create your own ConfigSet in OID using
    SSL-Server-Authentication
    (OpenSSL seems not to support SSL-encryption-only).
    The following link shows on how to do that:
    http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
    2. Add the following lines to your $HOME/ldaprc
    TLS_CACERT /home/frank/oid-caroot.pem
    TLS_REQCERT allow
    TLS_CIPHERS SSLv3
    ssl on
    tls_checkpeer no
    oid-caroot.pem is the CA-Root Certificate you got
    during step 1
    3. you should now be able to use ldapsearch using SSL
    If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by a security fix which may not be compliant with the SSL implementation of Oracle.
    I opened a bug for that problem with RedHat. This bug description also includes a proposal for a patch which solves the problem (but may introduce some security risks). See the bug at RedHat:
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
    Bye
    Frank Berger
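
Both the question's /etc/openldap/ldap.conf and the ldaprc in the reply set TLS_REQCERT allow, and the reply adds tls_checkpeer no; ldap.conf(5) documents allow as letting the session proceed when the server presents a bad certificate, so these files encrypt the connection without authenticating the server. The check below is an added example, not part of the original posts: audit_ldap_tls is a hypothetical helper, and the sample files are constructed from directives quoted in the thread (FQDN and DOMAIN are the thread's own placeholders).

```python
# Audit an LDAP client config (OpenLDAP ldap.conf/ldaprc or PADL /etc/ldap.conf)
# for settings that leave the server certificate unverified.
CA_KEYS = {"tls_cacert", "tls_cacertfile", "tls_cacertdir"}


def audit_ldap_tls(text):
    """Return (line_number, directive, problem) tuples; line 0 is a file-level finding."""
    findings = []
    keys_seen = set()
    plain_uris = []      # (lineno, uri) for every ldap:// URI
    starttls = False     # PADL "ssl start_tls" upgrades an ldap:// connection
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()            # directive names are case-insensitive
        value = parts[1].strip() if len(parts) == 2 else ""
        low = value.lower()
        keys_seen.add(key)
        if key == "tls_reqcert" and low in ("never", "allow"):
            findings.append((lineno, key,
                             f"'{low}' lets the session continue with an unverified server certificate"))
        elif key == "tls_checkpeer" and low in ("no", "off", "false"):
            findings.append((lineno, key, "server certificate verification is switched off"))
        elif key == "ssl" and low == "start_tls":
            starttls = True
        elif key == "uri":
            plain_uris += [(lineno, u) for u in value.split()
                           if u.lower().startswith("ldap://")]
    if not starttls:
        for lineno, uri in plain_uris:
            findings.append((lineno, "uri", f"{uri} is plain LDAP with no 'ssl start_tls' in this file"))
    if not keys_seen & CA_KEYS:
        findings.append((0, "tls_cacert", "no CA certificate file or directory is configured"))
    return findings


# Constructed sample: directives as posted in the thread.
AS_POSTED = """\
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_REQCERT allow
ssl on
tls_checkpeer no
"""

# Constructed sample: same file with certificate verification enforced.
HARDENED = """\
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_REQCERT demand
ssl on
tls_checkpeer yes
"""

# Constructed sample: the non-SSL port the question started from.
PLAINTEXT = """\
URI ldap://FQDN:3060/
BASE dc=DOMAIN,dc=com
"""

if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("hardened", HARDENED), ("plaintext", PLAINTEXT)):
        print(name)
        for lineno, key, problem in audit_ldap_tls(conf) or [(0, "-", "no findings")]:
            print(f"  line {lineno}: {key}: {problem}")
```

With the self-signed oid-test-ca.pem installed as the trusted CA, demand only succeeds when the host name in the URI matches the name in the server certificate.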

  • Client installation with Solaris 11 AI technology

    Hi,
    Just needed one clarification relevant the way clients get installed with the AI concept for Sol11.
    I have setup an AI server have a common manifest file, system config file for my client systems.
    While installing the client, I just specify the env variable AI_HOSTNAME and AI_IPV4 to the relevant client, and the installation happens successfully for the client.
    The clarification that I needed was, can't I export AI_HOSTNAME and AI_IPV4 to multiple client systems in one go and create multiple separate profiles for the client and carry out client provisioning. As when I tried testing this, somehow I see that the last address is taken and the client installation received the same public IP for the machine and hence cribbed for duplicate IP found.
    Should the installation happen one by one only?
    Any help here is truly appreciated!
    Regards

    Also, AI_IPV4 could be replaced by the value assigned by DHCP when the AI client was booted, or perhaps from OBP variable network-boot-arguments for SPARC. As DHCP can assign the same IP address for different systems at different times, this could result in duplicate IP addresses.
    You may want to look at Using SC Profile Templates - {{AI_HOSTNAME}} variable not being used

  • Ical client setup with 10.6 server

    I have iCal server up and running on my 10.6 server and everything seems to be working right. However, I have set the server side up to use SSL and have opened those ports on my firewall, which works. My problem is that after setting up a user I send out the welcome email, and that has the configure my mac link, which was done before I changed the iCal server settings to use SSL. And now every time I go in and manually set the server settings to use SSL on the client side and quit and reopen iCal, another account is added without the SSL settings. How do I get it to stop automatically adding an account to iCal?

    This looks like a bug in the iCal client. I, too, have had problems with delegated calendars and end users mistaking events for being missing, not updated or incorrect only because their local copy was not synced with the true copy on the server. The refresh rate on delegated calendars can be changed with the "Refresh calendars: [ Every 1 minute ]" preference. You can verify this by right-clicking or control-clicking on the delegated calendar and choosing "Show CalDAV Queue." This brings up a queue of activity with the iCal Server. You'll note at the top that it mentions "Refresh every 1 minute."
    The problem, of course, is if you quit iCal and recheck the "Show CalDAV Queue" on the delegated calendar, the refresh interval has reverted to some long interval like 300 or 900 minutes. This is a bug, for sure. For now, you can tell your clients not to quit iCal or to refresh manually or reset the refresh interval whenever they restart iCal/their computer, etc.

  • [SOLVED] MS-CHAP[v2] auth, Microsoft VPN client setup with pptpclient

    Hi,
    Have just started with Archlinux and trying to set up a VPN tunnel using pptp.
    I have been following the guide at:
    https://wiki.archlinux.org/index.php/Mi … pptpclient
    I want to connect to a service from www.ipredator.se
    Info from them when connection to Windows XP are:
    Enter company name "Ipredator". Click Next.
    Enter "vpn.ipredator.se" as "Host name or IP address".
    I have been given a <USERNAME> and <PASSWORD> from them.
    I got the VPN tunnel up and running in Ubuntu with the settings.
    Only enabled MSCHAPv2
    use MPPE 128 bit
    and allow data compression, BSD, Deflate and TCP header.
    My configuration files:
    options.pptp
    # $Id: options.pptp,v 1.3 2006/03/26 23:11:05 quozl Exp $
    # Sample PPTP PPP options file /etc/ppp/options.pptp
    # Options used by PPP when a connection is made by a PPTP client.
    # This file can be referred to by an /etc/ppp/peers file for the tunnel.
    # Changes are effective on the next connection. See "man pppd".
    # You are expected to change this file to suit your system. As
    # packaged, it requires PPP 2.4.2 or later from http://ppp.samba.org/
    # and the kernel MPPE module available from the CVS repository also on
    # http://ppp.samba.org/, which is packaged for DKMS as kernel_ppp_mppe.
    # Lock the port
    lock
    # Authentication
    # We don't need the tunnel server to authenticate itself
    noauth
    # We won't do PAP, EAP, CHAP, or MSCHAP, but we will accept MSCHAP-V2
    # (you may need to remove these refusals if the server is not using MPPE)
    refuse-pap
    refuse-eap
    refuse-chap
    refuse-mschap
    # Compression
    # Turn off compression protocols we know won't be used
    nobsdcomp
    nodeflate
    # Encryption
    # (There have been multiple versions of PPP with encryption support,
    # choose with of the following sections you will use. Note that MPPE
    # requires the use of MSCHAP-V2 during authentication)
    # http://ppp.samba.org/ the PPP project version of PPP by Paul Mackarras
    # ppp-2.4.2 or later with MPPE only, kernel module ppp_mppe.o
    # Require MPPE 128-bit encryption
    # require-mppe-128
    # http://polbox.com/h/hs001/ fork from PPP project by Jan Dubiec
    # ppp-2.4.2 or later with MPPE and MPPC, kernel module ppp_mppe_mppc.o
    # Require MPPE 128-bit encryption
    # mppe required,stateless
    chap-secrets
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    <USERNAME> pptpd <PASSWORD> *
    I named my tunnel "ipredator"
    /etc/ppp/peers/ipredator
    pty "pptp vpn.ipredator.se --nolaunchpppd"
    name <USERNAME>
    remotename Ipredator
    require-mppe-128
    file /etc/ppp/options.pptp
    ipparam ipredator
    When I try to connect I get following:
    [root@archlinux ppp]# pon $TUNNEL ipredator dump logfd 2 nodetach
    pppd options in effect:
    nodetach # (from command line)
    logfd 2 # (from command line)
    dump # (from command line)
    noauth # (from /etc/ppp/options.pptp)
    refuse-pap # (from /etc/ppp/options.pptp)
    refuse-chap # (from /etc/ppp/options.pptp)
    refuse-mschap # (from /etc/ppp/options.pptp)
    refuse-eap # (from /etc/ppp/options.pptp)
    name <USERNAME> # (from /etc/ppp/peers/ipredator)
    remotename Ipredator # (from /etc/ppp/peers/ipredator)
    # (from /etc/ppp/options.pptp)
    pty pptp vpn.ipredator.se --nolaunchpppd # (from /etc/ppp/peers/ipredator)
    crtscts # (from /etc/ppp/options)
    # (from /etc/ppp/options)
    asyncmap 0 # (from /etc/ppp/options)
    lcp-echo-failure 4 # (from /etc/ppp/options)
    lcp-echo-interval 30 # (from /etc/ppp/options)
    hide-password # (from /etc/ppp/options)
    ipparam ipredator # (from /etc/ppp/peers/ipredator)
    proxyarp # (from /etc/ppp/options)
    nobsdcomp # (from /etc/ppp/options.pptp)
    nodeflate # (from /etc/ppp/options.pptp)
    require-mppe-128 # (from /etc/ppp/peers/ipredator)
    noipx # (from /etc/ppp/options)
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    MPPE required, but MS-CHAP[v2] auth not performed.
    Connection terminated.
    [root@archlinux ppp]#
    I have not managed to understand why MS-CHAP[v2] auth is not performed.
    Any ideas on what I have missed during my configuration would be most appreciated!
    use code tags instead of quote since they provide scrollers and keep the thread from becoming a mile long -- Inxsible
    Thank you!
    Regards,
    /Christer
    Last edited by agkbill (2011-06-14 15:23:15)

    The problem was that <PASSWORD> was never found.
    What is written after "remotename" in the peers file in the guide, "PPTP", is used to find the password in chap-secrets.
    But in the guide chap-secrets looks like "<USERNAME> pptpd <PASSWORD> *".
    Consequently <PASSWORD> will never be found. It should have been "<USERNAME> PPTP <PASSWORD> *", then it would have worked OK.
    The solution was to understand how password was found.
    require-mppe-128 works fine as well.
    Now it looks like this.
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    <USERNAME> PPTP <PASSWORD> *
    pty "pptp vpn.ipredator.se --nolaunchpppd"
    lock
    noauth
    nobsdcomp
    nodeflate
    name <USERNAME>
    remotename PPTP
    require-mppe-128
    #file /etc/ppp/options.pptp
    ipparam ipredator
    Output:
    [root@archlinux ppp]# pon ipredator debug logfd 2 nodetach
    using channel 14
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/1
    sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
    rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
    sent [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xc615076a> <pcomp> <accomp>]
    rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x7540313b> <pcomp> <accomp>]
    sent [LCP EchoReq id=0x0 magic=0x7540313b]
    rcvd [LCP EchoReq id=0x0 magic=0xc615076a]
    sent [LCP EchoRep id=0x0 magic=0x7540313b]
    rcvd [CHAP Challenge id=0x46 <be769cd654150cc3dc0fd20bc73c03>, name = "pptpd"]
    sent [CHAP Response id=0x46 <6ce74a85ab09e4ae223bc85f679395f0000000000000000dbb8dc66e8950ab46831b62f5815e015b1e72de1e01a4d00>, name = "<USERNAME>"]
    rcvd [LCP EchoRep id=0x0 magic=0xc616076a]
    rcvd [CHAP Success id=0x46 "S=2694D1D727F2B8C8E402125EA401750011F24F20"]
    CHAP authentication succeeded
    sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
    sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
    rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
    MPPE 128-bit stateless compression enabled
    sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
    rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
    sent [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr x.x.x.x>]
    rcvd [IPCP ConfNak id=0x1 <addr 93.182.150.56>]
    sent [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
    rcvd [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr x.x.x.x>]
    Cannot determine ethernet address for proxy ARP
    local IP address
    remote IP address x.x.x.x
    Script /etc/ppp/ip-up started (pid 1778)
    Script /etc/ppp/ip-up finished (pid 1778), status = 0x0
    All the best!
    /Christer
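
The lookup that failed in this thread can be reproduced offline: pppd(8) selects a chap-secrets line whose first field matches the local `name` and whose second field matches `remotename` (or, when `remotename` is not set, the name in the peer's CHAP challenge), with `*` as a wildcard. The following is an added example, not code from the thread or from pppd; the function names, the user name vpnuser and the secret are constructed for illustration.

```python
import shlex


def _words(line):
    # pppd splits options and secrets lines into words, honouring double
    # quotes; '#' starts a comment.
    return shlex.split(line, comments=True)


def parse_peer(text):
    """Collect the 'name' and 'remotename' options from a peers/options file."""
    opts = {}
    for line in text.splitlines():
        w = _words(line)
        if len(w) >= 2 and w[0] in ("name", "remotename"):
            opts[w[0]] = w[1]
    return opts


def parse_secrets(text):
    """Return (client, server, secret) tuples from a chap-secrets file."""
    entries = []
    for line in text.splitlines():
        w = _words(line)
        if len(w) >= 3:
            entries.append((w[0], w[1], w[2]))
    return entries


def lookup_secret(entries, client, server):
    """Entry used when authenticating as `client` to `server`, or None.
    Names are compared exactly; an exact match beats a '*' wildcard."""
    best, best_score = None, -1
    for entry in entries:
        c, s, _ = entry
        if c not in (client, "*") or s not in (server, "*"):
            continue
        score = (c == client) + (s == server)
        if score > best_score:
            best, best_score = entry, score
    return best


def check(peer_text, secrets_text, challenge_name=None):
    """Resolve the secret for a peers file; challenge_name stands in for the
    name the server sends in its CHAP challenge when remotename is not set."""
    opts = parse_peer(peer_text)
    server = opts.get("remotename", challenge_name)
    return lookup_secret(parse_secrets(secrets_text), opts.get("name"), server)


# Constructed samples mirroring the thread (user name and secret are made up).
PEER_BEFORE = '''pty "pptp vpn.ipredator.se --nolaunchpppd"
name vpnuser
remotename Ipredator
require-mppe-128
'''
SECRETS_BEFORE = "# client server secret IP addresses\nvpnuser pptpd example-secret *\n"

PEER_AFTER = PEER_BEFORE.replace("remotename Ipredator", "remotename PPTP")
SECRETS_AFTER = "# client server secret IP addresses\nvpnuser PPTP example-secret *\n"

PEER_NO_REMOTENAME = PEER_BEFORE.replace("remotename Ipredator\n", "")

if __name__ == "__main__":
    print("before:", check(PEER_BEFORE, SECRETS_BEFORE))
    print("after: ", check(PEER_AFTER, SECRETS_AFTER))
    print("no remotename, challenge name pptpd:",
          check(PEER_NO_REMOTENAME, SECRETS_BEFORE, challenge_name="pptpd"))
```

When no entry matches, pppd has no secret to answer the challenge with, which is consistent with the "MS-CHAP[v2] auth not performed" message in the first post.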

  • New SAP R/3 Client setup with SRM

    Hi Guys,
    Can anyone guide me if I am deleting my SAP R/3 backend client and setting up a new client then do I need to delete all the current material groups and do an Initial upload by setting up the middleware settings in new R/3 client.
    Also is it necessary to delete the settings of Old middleware settings?
    Please clarify me.
    Thanks !!!!
    Regards,
    Srujank

    Hi Nagarjun,
    If you look at the exporting and importing parameters of your Method EXECUTE_SYNC...
    You would find the ABAP equivalent of your Message Type. Hence you know all the fields.
    No it depends on the business Logic, or rather what the RFC is supposed to be requested for is filled in as an Input parameter to the Method.
    This can be an IDOC too, in that case your MT should be similar. Fill in the transmission IDOC values.
    OR you can actually hardcode the values, make your Itab, and send it across (as this is just for test purposes)
    Hope this helps.
    Regards
    Abhishek

  • Solaris Cluster 4 with Solaris 11/11/11 -- LDOM farm

    Hi,
    In the 2011 Openworld, I had the opportunity to meet some of the Oracle cluster experts. In conversations, I found that when configuring LDOMs within a clustered environments, we could pass a complete "/dev/did/*dsk/d<num>" device directly to the guest domain.
    Are there any notes/whitepapers that someone within Oracle could direct me to that elaborates this a little more? I can reach out via our regular pre-sales channels, but I'm posting here since I know the Cluster gurus frequent this watering hole :)

    Hi Hartmut,
    I chose to use the DID namespace because of it's simplicity. I can reference a /dev/did/rdsk/d<> and be consistent across the cluster. Also, since I'm using HA to cluster the LDOMs, I don't have to worry about bringing up resources on the Control domain (since all the FC storage I use is for guest domains). The control domains themselves (which are also the IO domains) have the internal drives of the T4-4 that contain the rpool etc.
    My vds devices look like this --
    VDS
        NAME                 VOLUME     OPTIONS   MPGROUP   DEVICE
        primary_vds0         sol11                          /local/sol-11-1111-text-sparc.iso
                             sol10u10   ro                  /local/sol-10-u10-ga2-sparc-dvd.iso
        primary_shared_vds1  d9                             /dev/did/dsk/d9s2
                             d11                            /dev/did/dsk/d11s2
                             d12                            /dev/did/dsk/d12s2
                             d25                            /dev/did/dsk/d25s2
                             d27                            /dev/did/dsk/d27s2
                             d28                            /dev/did/dsk/d28s2
                             d29                            /dev/did/dsk/d29s2
                             d30                            /dev/did/dsk/d30s2
                             d31                            /dev/did/dsk/d31s2
                             d32                            /dev/did/dsk/d32s2
                             d33                            /dev/did/dsk/d33s2
                             d34                            /dev/did/dsk/d34s2
                             d35                            /dev/did/dsk/d35s2
                             d36                            /dev/did/dsk/d36s2
                             d37                            /dev/did/dsk/d37s2
    Edited by: implicate_order on May 11, 2012 2:11 PM
    Also, I have a script that extracts the EMC array ID, scsi id, ctd name and size etc from the DID framework.
    Edited by: implicate_order on May 11, 2012 2:11 PM

  • Solaris 7 ldap client setup

    Hi,
    Please, can anyone help me with setting up an LDAP client for Solaris 7, with guidelines or any website or docs?
    Thanking you,
    Naren

    hi mukherjee,
    you can configure both Solaris 8 and 9 as ldapclient to SunONE 5.2 installed on a Solaris 9 box. Make sure, I think, you cannot configure the client on the same machine on which the directory server is installed.
    No, my question is how to set up ldapclient on Solaris 6 and Solaris 7, as both do not support LDAP; for example, Solaris 7 has no nsswitch.ldap. Can you provide me details to configure Solaris 7 as an LDAP client?
    PATEL

  • Linux and Solaris Clients with password policy using LDAP

    Anybody managed to get Linux (RHEL) and Solaris 9 Client authenticate against Sun Directory Server 5.2p4 using the same password policy?
    For me it looks like Linux needs attribute shadowlastchanged set to display proper Warnings, that the password will expire/needs to be changed now. On the other hand Solaris (using pam_ldap) never writes this attribute, because it's using the password policy attribute pwdchangedtime.
    Hints very welcome!
    Can anybody confirm Solaris9 pam_unix still sets this shadow* attributes correct on any password change executed by a user?

    Hi Jeremy,
    here the answers to your questions:
    >My question is which system takes precedence over the password policy?
    Unfortunately there is no policy verification between the portal and your Sun One LDAP. So if you reset the password from the portal then only the portal password policies can be checked.
    >  If I wanted to do password resets from the Portal, does the portal then store only the password in its database?
    No, the password will be stored in the LDAP, but only if it also corresponds with the LDAP policies. If not, then you will get an error, but you will not see the real LDAP exception.
    > Also what would then happen if you tried to reset the password from the LDAP?
    The password in the LDAP does not have to fit the Portal password policies. When you log in, the portal will only check if the password you typed in is the new one in LDAP and will not check any policies.
    Hope this brings some light in,
    Robert

  • Sun LDAP with Solaris

    Hi All,
    I have a very simple and short query: does Sun Directory come bundled with Solaris 10, or do we need to download it explicitly?
    If we download it, is that a free version or do we need to procure it?
    Thanks
    Avninder

    Hi Avninder,
    No it does not come with Solaris 10, nor Solaris 10 current license gives you entitlement with support for it.
    Please go and download from www.sun.com/dsee
    Etienne

  • Sun DS 5.2 p3 with Solaris 10

    I've been trying to test out using LDAP to replace NIS.
    My setup is a Sun Sparc box with Solaris 10 running
    Sun One Directory 5.2 patch level 3. I have two x86_64 client
    machines; one running Red Hat 4 and the other Solaris 10.
    I have been able to authenticate on the RH 4 machine
    with no problems, but have been unable to on the
    Solaris 10 machine. I'm using Sun's native LDAP
    client tools.
    I've tried configuring the DS for anonymous access
    to proxy access with simple authentication, but neither
    one seems to matter.
    I've copied over the pam.conf example provided by Sun
    today, but it still doesn't seem to work. I can do a
    "getent passwd" on the RH 4 and get all the local accounts
    and the test one in the LDAP server. If I try that on the
    Sun box I only get the local accounts, however if I
    do a "getent password testuser" on the Solaris 10 box,
    then I get the right account info. It looks like I can even
    see the passwords, which are stored using md5; not
    crypt, if that matters.
    I've tried searching for more info, but it doesn't appear
    that DS 5.2 has been used too much on Solaris 10;
    nor does Gary Tay's great documentation cover
    Solaris 10. Is there something obvious I'm missing?
    I can't believe it would be this hard to set LDAP up
    with just Sun software.

    See related posts:
    http://www.sunmanagers.org/pipermail/summaries/2005-August/006688.html
    1) make sure /etc/nsswitch.conf has this entry in it:
    ipnodes: files
    2) must run these commands as root:
    crle -u -s /usr/lib/mps
    crle -64 -u -s /usr/lib/mps/64
    Other than that I didn't need to do anything different than solaris 9.
    I did have to run this command on occasion though:
    svcadm enable svc:/network/ldap/client:default
    http://forum.sun.com/thread.jspa?forumID=271&threadID=25523
    Gary

  • Solaris Clients

    I am trying to integrate Solaris clients with our Open Directory LDAP server.
    I am following this:
    http://74.125.39.104/search?q=cache:ILu9oe8Veg0J:www.jerkys.org/wiki/pages/viewpage.action%3FpageId%3D2031736%22solaris+10%22+%22opendirectory%22&hl=de&ct=clnk&cd=12
    and that:
    http://discussions.apple.com/thread.jspa?threadID=382600
    articles, but do not have any success with Solaris 10 and MacOSX 10.5.
    I get the following error:
    Starting network services
    start: /usr/bin/domainname borg.loopback.org... success
    start: sleep 17700000 microseconds
    start: network/ldap/client:default... timed out
    start: network/ldap/client:default... offline to disable
    stop: sleep 100000 microseconds
    when calling:
    [root@zion ># ldapclient manual -v -a domainName=borg.loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=borg.loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=borg.loopback,dc=org -a authenticationMethod=none -a credentialLevel=proxy -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 -a proxyDN=uid=root,cn=users,dc=borg,dc=loopback,dc=org -a proxyPassword=XXX borg.loopback.org
    Previously, I copied over /etc/krb5/krb5.conf from OD-server's /Library/Preferences/edu.mit.Kerberos from Borg
    and created a keytab file which I copied to /etc/krb5/krb5.keytab.
    Does anyone have a working recipe here?
    Best thanks,
    -Jan

    This one works:
    # ldapclient manual -a credentialLevel=self -a authenticationMethod=sasl/gssapi -a domainName=loopback.org -a serviceSearchDescriptor=passwd:cn=users,dc=loopback,dc=org -a serviceSearchDescriptor=group:cn=groups,dc=loopback,dc=org -a defaultSearchBase=dc=loopback,dc=org -a searchTimeLimit=60 ldap.loopback.org

  • Solaris 9 10 - pam.conf - LDAP - su - user login - DS 6.3.1

    We are trying to configure our Solaris clients to use LDAP for authentication. We have modified the nsswitch.conf and pam.conf. The pam.conf looks like this:
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_cred.so.1
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_cred.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass debug
    dtlogin auth requisite pam_authtok_get.so.1
    dtlogin auth required pam_dhkeys.so.1
    dtlogin auth binding pam_unix_cred.so.1
    dtlogin auth binding pam_unix_auth.so.1 server_policy
    dtlogin auth required pam_ldap.so.1 use_first_pass debug
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1 use_first_pass debug
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_dial_auth.so.1
    ppp auth required pam_ldap.so.1 use_first_pass debug
    dtsession auth requisite pam_authtok_get.so.1
    dtsession auth required pam_dhkeys.so.1
    dtsession auth binding pam_unix_auth.so.1 server_policy
    dtsession auth required pam_ldap.so.1 debug
    other auth requisite pam_authtok_get.so.1 debug
    other auth sufficient pam_dhkeys.so.1 debug
    other auth binding pam_unix_cred.so.1
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    passwd auth required pam_passwd_auth.so.1 debug server_policy
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    dtlogin account requisite pam_roles.so.1
    dtlogin account required pam_projects.so.1
    dtlogin account binding pam_unix_account.so.1 server_policy
    dtlogin account required pam_ldap.so.1 debug
    ppp account requisite pam_roles.so.1
    ppp account required pam_projects.so.1
    ppp account required pam_unix_account.so.1 server_policy
    other account requisite pam_roles.so.1
    other account required pam_projects.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1 debug
    ppp session required pam_unix_session.so.1
    other session required pam_unix_session.so.1
    other session required pam_mkhomedir.so.1 skel=/etc/skel umask=0022
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password sufficient pam_authtok_store.so.1 server_policy debug
    other password required pam_ldap.so.1 debug
    The issue we are having is that the DS is configured to force a password change after an administrator reset. If we change the lines:
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1 debug
    to
    other account binding pam_ldap.so.1 debug
    other account required pam_unix_account.so.1 server_policy
    we get the prompt to change the password. But at that point a non-root user can not su to any other user.
    Does anyone have any ideas? Also, we are trying to configure a Linux client to do the same thing, but can't get the system-auth file correct either.
    Edited by: jason.hershcopf on Apr 2, 2009 6:32 PM

    Hi Jason,
    Wondering if you got an answer for this. I am having similar issues with LDAP on Solaris 10.
    Any feedback will be of great help.
    Thanks!

  • Basic lp printing setup on Solaris 10

    What changed with lp printing in Solaris 10 from previous versions? I used to use CUPS but can't anymore as Sun stopped including it on the companion CD with later versions of Solaris 10 (U4+). Now I just want a simple print queue set up to an HP 4250 networked printer that will always print landscape, compressed print. We have Solaris 9 boxes with these queues set up without CUPS that work just fine, but I guess the same lpadmin, lpfilter, etc. commands don't set up a print queue the same way on Solaris 10, as I can't print to the printer - only 2 sets of banner pages come out. I want to tie a shell script filter to the queue that prepends the esc codes to the print file to make it go landscape and compressed print, but nothing prints out but banner pages. If I look at /var/lp/logs/requests most status codes are 0x0100.
    I've tried following Sun Doc ID: 212177 as follows:
    # vi myfilter.sh
    #!/bin/ksh
    #Print landscape
    echo "^[&l1O"
    cat -
    # vi /etc/lp/fd/myfilter.fd
    Input types: any
    Output types: myfilter
    Printer types: any
    Printers: any
    Filter type: fast
    Command: /opt/local/bin/myfilter.sh
    # lpfilter -f myfilter -F /etc/lp/fd/myfilter.fd
    # lpadmin -p myque -o protocol=bsd,dest=<printer hostname> -v /dev/null -m netstandard -T unkown -I myfilter
    # enable myque
    # accept myque
    # lp -dmyque <some_text_file>
    The result is 2 banner pages and the contents of the file to be printed, and /var/lp/logs/requests is 0x0100.
    Someone please educate me if you can? (I'd take a Dinozo slap to the back of the head from Gibbs as necessary!)

    Have you tried using the Solaris 10 GUI interface
    Launch -> Preferences -> System Preferences -> Add/Remove Printer
    Have a look at this thread below
    http://www.opensolaris.org/jive/thread.jspa?messageID=354604&#354604
    Or
    Hi,
    After upgrading to Solaris 10 5/08 the Solaris Printer Manager changed so that it offered the following options when adding New Attached Printer dialogue box
    Printer Name :
    Description :
    Printer Port:
    Printer Type:
    File Contents:
    Fault Notification:
    Options:
    Banner:
    After applying patch 138628-06 the New Attached Printer dialogue box reverted to its previous correct configuration
    Printer Name:
    Description:
    Printer Port:
    Printer Make:
    Printer Model:
    Printer Driver:
    Fault Notification:
    Banner:
    A friend is running Solaris 10 10/08 but despite applying 138628-06 it is not showing the extended Printer Manager functions of Make, Model and Driver. How can he enable the extended functionality.
    TIA
    =========================================================================================
    Hi,
    Problem resolved, a case of RTFM.
    In order to avoid a ppd error in the command below you need to ensure the ppd-cache is working, and this involves rebuilding it
    # ppdmgr -r
    You should now be able to successfully add the ppd option as shown below.
    It appears that the Make, Model and Driver options do not appear after a clean install of Solaris 10 10/08 in the Printer Manager. However, if you create a printer with a ppd interface and then delete it the options remain. example below.
    # lpadmin -p hp1 -v /dev/lp1 -I postscript -m standard_foomatic -n /usr/lib/lp/model/ppd/system/foomatic//HP/HP-DeskJet_950C-hpijs.ppd.gz

  • Solaris 10 Zone for Solaris 11.1 creation with template fails.

    Hi,
    We are trying to use the Oracle VM Template for Oracle Solaris 10 Zone to create a solaris 10 zone on a solaris 11.1 GZ
    root@exsolh0005:/opt/scripts# ./solaris-10u11-sparc -v
    This is an Oracle VM Template for Oracle Solaris Zones.
    Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
    This software and related documentation are provided under a license
    agreement containing restrictions on use and disclosure and are
    protected by intellectual property laws. Except as expressly
    permitted in your license agreement or allowed by law, you may not
    use, copy, reproduce, translate, broadcast, modify, license,
    transmit, distribute, exhibit, perform, publish, or display any
    part, in any form, or by any means. Reverse engineering,
    disassembly, or decompilation of this software, unless required by
    law for interoperability, is prohibited.
    Version: 1.0.9.12
    root@exsolh0005:/opt/scripts# ./solaris-10u11-sparc -p /rpool -a 10.83.128.35/24 -i net6 -z testzone
    This is an Oracle VM Template for Oracle Solaris Zones.
    Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
    This software and related documentation are provided under a license
    agreement containing restrictions on use and disclosure and are
    protected by intellectual property laws. Except as expressly
    permitted in your license agreement or allowed by law, you may not
    use, copy, reproduce, translate, broadcast, modify, license,
    transmit, distribute, exhibit, perform, publish, or display any
    part, in any form, or by any means. Reverse engineering,
    disassembly, or decompilation of this software, unless required by
    law for interoperability, is prohibited.
    IMAGE: ./solaris-10u11-sparc
    ZONE: testzone
    ZONEPATH: /rpool/testzone
    VNIC: vnicZBI83273795
    IP ADDR: 10.83.128.35
    NETMASK: 255.255.255.0
    DEFROUTER: 10.83.128.1
    TIMEZONE: Europe/Copenhagen
    Checking disk-space for extraction
    Ok
    Extracting in /opt/scripts/bootimage.8Ham6r ...
    100% [===============================>]
    Checking data integrity
    Ok
    Checking platform compatibility
    The host and the image do not have the same Solaris release:
    host Solaris release: 5.11
    image Solaris release: 5.10
    Will create a Solaris 10 branded zone.
    Checking disk-space for installation
    Ok
    Installing in /rpool/testzone ...
    100% [===============================>]
    Attaching testzone
    Problem attaching testzone.
    More details in /var/sadm/install/logs/solaris-10u11-sparc.log
    Cleaning up and exiting.
    Friday, May 10, 2013 03:18:01 PM CEST: cleaning up
    root@exsolh0005:/opt/scripts#
    root@exsolh0005:/opt/scripts# cat /var/log/zones/zoneadm.20130510T131756Z.testzone.attach
    [Friday, May 10, 2013 03:17:56 PM CEST] ==== Starting: /usr/lib/brand/solaris10/attach testzone /rpool/testzone -c /opt/scripts/bootimage.8Ham6r/sysidcfg.testzone ====
    [Friday, May 10, 2013 03:17:56 PM CEST] Progress being logged to /var/log/zones/zoneadm.20130510T131756Z.testzone.attach
    [Friday, May 10, 2013 03:17:56 PM CEST] Pinning datasets under rpool/testzone
    [Friday, May 10, 2013 03:17:56 PM CEST] Pinning rpool/testzone
    [Friday, May 10, 2013 03:17:56 PM CEST] Pinning rpool/testzone/rpool
    [Friday, May 10, 2013 03:17:56 PM CEST] Pinning rpool/testzone/rpool/ROOT
    [Friday, May 10, 2013 03:17:56 PM CEST] Pinning rpool/testzone/rpool/ROOT/zbe
    [Friday, May 10, 2013 03:17:56 PM CEST] Log File: /var/log/zones/zoneadm.20130510T131756Z.testzone.attach
    [Friday, May 10, 2013 03:17:57 PM CEST] Converting detached zone boot environment 'zbe'.
    [Friday, May 10, 2013 03:17:57 PM CEST] Unmounting /rpool/testzone/root
    [Friday, May 10, 2013 03:18:00 PM CEST] setting ZFS property zoned=on on rpool/testzone/rpool
    [Friday, May 10, 2013 03:18:00 PM CEST] setting ZFS property canmount=noauto on rpool/testzone/rpool/ROOT
    [Friday, May 10, 2013 03:18:00 PM CEST] setting ZFS property mountpoint=legacy on rpool/testzone/rpool/ROOT
    [Friday, May 10, 2013 03:18:01 PM CEST] Mounting boot environment in rpool/testzone/rpool/ROOT/zbe-0 at /rpool/testzone/root (including child datasets)
    cannot open 'ERROR: Error: Command <zfs list -H -o name -t filesystem -r rpool/testzone/rpool/ROOT/zbe-0> exited with status 1': invalid dataset name
    [Friday, May 10, 2013 03:18:01 PM CEST] ERROR: refresh of ERROR: Error: Command <zfs list -H -o name -t filesystem -r rpool/testzone/rpool/ROOT/zbe-0> exited with status 1 failed
    [Friday, May 10, 2013 03:18:01 PM CEST] ERROR: Error: rpool/testzone/rpool/ROOT/zbe-0: No such dataset.
    [Friday, May 10, 2013 03:18:01 PM CEST] Unpinning datasets under rpool/testzone
    [Friday, May 10, 2013 03:18:01 PM CEST] Unpinning rpool/testzone
    [Friday, May 10, 2013 03:18:01 PM CEST] Unpinning rpool/testzone/rpool
    [Friday, May 10, 2013 03:18:01 PM CEST] Unpinning rpool/testzone/rpool/ROOT
    [Friday, May 10, 2013 03:18:01 PM CEST] Unpinning rpool/testzone/rpool/ROOT/zbe
    [Friday, May 10, 2013 03:18:01 PM CEST] Result: Attach Failed.
    [Friday, May 10, 2013 03:18:01 PM CEST] Exiting with exit code 254
    [Friday, May 10, 2013 03:18:01 PM CEST] ==== Completed: /usr/lib/brand/solaris10/attach testzone /rpool/testzone -c /opt/scripts/bootimage.8Ham6r/sysidcfg.testzone ====
    Looks like a script bug..
    Regards
    Claus

    Hello All,
    I would love to know if someone has a solution to this as I am seeing a similar issue with a slightly different setup.
    Solaris 8 and Netra 240. I get the same result with and without patches and finish scripts. After the jumpstart and the failed boot attempt from disk, I can boot from cd, copy the glm driver from the cd to disk, and then everything works as it should. Obviously this is not a solution but only a workaround.
    Is it something to do with the SCSI hardware architecture used in the *240s?
    Edited by: Gareth_Mann on Oct 2, 2007 7:41 PM
