Solaris 8/LDAP (iDS 5.1) authentication

Hi, I'm currently trying to get Solaris 8 to authenticate against a Solaris 9 LDAP server. I have run idsconfig, which completed fine, and I've set up the Solaris 8 client, which seems to be fine. listusers on the client shows the LDAP users, and I can su to an LDAP user from root. But when I try to log in via the CDE login screen it says it's incorrect. I've run a sniffer on the network and the client seems to be authenticating, but it fails when looking for the following info: SolarisProjectName;SolarisProjectId;desc;memberUid;membergid;SolarisProjectAttr; It then does another search with filter gid number 2001 for: cn; gidnumber;userpassword;memberuid.
Help please : )
Cheers, Ian

Looks like your /etc/pam.conf is not configured for LDAP authentication using dtlogin.
You should have something like the lines below for dtlogin to work.
dtlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/pam_ldap.so.1
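
As an added example (not part of the original posts): a small Python check that reports which auth stack a service such as dtlogin actually gets from a Solaris-style /etc/pam.conf, falling back to the "other" entries when the service has none of its own, and whether pam_ldap is in that stack. The sample configurations and function names are constructed for illustration; only the two dtlogin lines come from the reply above.

```python
import os

PAM_TYPES = {"auth", "account", "session", "password"}
UNIX_AUTH = {"pam_unix.so.1", "pam_unix_auth.so.1"}

# Constructed sample: no dtlogin entries, so dtlogin falls back to "other".
SAMPLE_BEFORE = """\
# constructed pam.conf fragment
other   auth     required   /usr/lib/security/$ISA/pam_unix.so.1
other   account  required   /usr/lib/security/$ISA/pam_unix.so.1
"""

# Same file with the two dtlogin lines suggested in the reply.
SAMPLE_AFTER = SAMPLE_BEFORE + """\
dtlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/pam_ldap.so.1
"""

# Constructed variant: pam_unix marked "required" ahead of pam_ldap.
SAMPLE_ORDER = """\
dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/pam_ldap.so.1
"""


def parse_pam_conf(text):
    """Return one dict per 'service type control module [options]' line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1].lower() not in PAM_TYPES:
            continue  # blank line, comment, or not a module entry
        entries.append({
            "service": fields[0].lower(),
            "type": fields[1].lower(),
            "control": fields[2].lower(),
            "module": os.path.basename(fields[3]),
            "options": fields[4:],
        })
    return entries


def effective_stack(entries, service, mtype="auth"):
    """Explicit entries for the service win; otherwise 'other' applies."""
    service = service.lower()
    explicit = [e for e in entries
                if e["service"] == service and e["type"] == mtype]
    if explicit:
        return "explicit", explicit
    fallback = [e for e in entries
                if e["service"] == "other" and e["type"] == mtype]
    return ("other", fallback) if fallback else ("none", [])


def check_ldap_auth(text, service):
    """Report the stack a service uses and any LDAP-related findings."""
    source, stack = effective_stack(parse_pam_conf(text), service)
    findings = []
    ldap_at = next((i for i, e in enumerate(stack)
                    if e["module"].startswith("pam_ldap")), None)
    if ldap_at is None:
        findings.append("pam_ldap is not in the auth stack used by %s "
                        "(stack source: %s)" % (service, source))
    else:
        for e in stack[:ldap_at]:
            # A failed required/requisite module fails the whole stack,
            # whatever pam_ldap returns later.
            if e["module"] in UNIX_AUTH and e["control"] in ("required", "requisite"):
                findings.append("%s is %s ahead of pam_ldap; its failure "
                                "fails the stack" % (e["module"], e["control"]))
    return {"source": source,
            "modules": [e["module"] for e in stack],
            "findings": findings}


if __name__ == "__main__":
    for name, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                       ("order", SAMPLE_ORDER)):
        print(name, check_ldap_auth(conf, "dtlogin"))
```
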

Similar Messages

  • Solaris 9 LDAP client sun_ssh public key authentication

    I have directory server 6.0 up on a Solaris 9 system and I have a couple of Solaris 9 systems migrated to LDAP client. I need to configure ssh public key authentication on two Solaris 9 LDAP clients. However, I can't seem to get it working. I have done 1) generate rsa public/private key pairs on one host 2) cat public key to the authorized_keys file on another host. I checked the permissions on $HOME and $HOME/.ssh; they are both set to 700. The file permissions are also correct. But I still get a prompt when I ssh from one LDAP client to another. If I add my password/shadow entry back to local files, then public key authentication works. My /etc/pam.conf is set up according to the Sun documentation for LDAP client. In /etc/nsswitch.conf:
    passwd: compat
    passwd_compat: ldap
    shadow: files ldap
    group: files ldap
    netgroup: ldap
    loginShell does exist for the user, and the LDAP entry has objectClasses 'posixAccount' and 'shadowAccount'.
    I have latest patch 112960 installed on all of LDAP clients.
    What am I missing here?
    Thanks,
    --xinhuan

    One more thing - I have latest patch 112960 installed on all of LDAP clients.
    --xinhuan

  • IDS 6.0 Authentication LDAP problem

    Hi all,
    I would like to test the ids6 bundled sample "remote client login". I have installed the temp cert and activated SSL on the web instance. Then I modified AMConfig.properties: "com.iplanet.am.server.protocol" to "https". Then I restarted the IDS. After that, I ran the application. However, on testing ids server with authentication services SSL
    enabled (i.e. https://<ids server>/<deployment url>/), I got following
    unknown protocol error if only changing http to https in
    AMConfig.properties:
    ----------------- cut here ----------------
    orgname is : dc=com,dc=cn
    javax.security.auth.login.LoginException: Failed to create New
    AuthContextError while processing XML requestunknown protocol: https
    at
    com.sun.identity.authentication.AuthContext.<init>(AuthContext.java:145)
    at LDAPLogin.main(LDAPLogin.java:57)
    Login failed!!

    Thanks,

    The problem was fixed after I changed the JDK to 1.4 and
    specially set the classpath to
    /opt/iplanet/ids6/SUNWam/lib:/opt/iplanet/ids6/SUNWam/lib/am_services.jar:/opt/anyiu/iplanet/ids6/SUNWam/lib/am_sdk.jar -d /opt/iplanet/ids6/class

  • Solaris 8 | LDAP Server | ERROR MESSAGES

    Hi All,
    We are using Solaris 8 LDAP server for authentication.
    When I look into the /var/log/messages file, I am getting the following error messages.
    Jan 31 17:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Jan 31 18:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Jan 31 19:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Jan 31 20:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Jan 31 21:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Jan 31 22:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Jan 31 23:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 00:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 01:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 02:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 03:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 04:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 05:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 06:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 07:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 08:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Feb 1 09:33:09 sol8LDAP ldap_cachemgr[5879]: [ID 722288 daemon.error] Error: Unable to refresh from profile:. (error=2)
    Can you please tell me why we are getting these error messages, and how to fix this issue?
    Thanks in Advance...
    Mack

    There's a possibility that the cache is corrupted. Try clearing the cache and reload.
    Cheers,
    Erick Ramirez
    Melbourne, Australia

  • Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

    The iPlanet Web Server, Enterprise Edition Administrator's Guide, chapter 5 ("Securing Your Web Server: Using SSL and TLS Protocols"), specifies that the Administration Server can communicate LDAP over SSL with an SSL-enabled directory.
    Is there any way to configure iplanet Administration server to talk ldap/ssl in mutual authentication mode with some directory?

    Hi,
    Sorry, I could not understand what you are trying to do with iWS.
    Could you please briefly explain your question, so that I can help you?
    Regards,
    Dakshin.
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support.

  • Solaris 7 ldap client

    Hello,
    Does anyone have advice for a Solaris 7 LDAP client? Is openldap/nss_ldap pretty much the standard? After compiling and installing, and editing /etc/nsswitch.conf and ldap.conf, what else needs to be done?
    thanks

    It is advisable to upgrade to Solaris8 + latest Kernel and LDAPv2 patches, uninstall OpenLDAP Client Libraries and just use the SUN supported Solaris Native LDAP Client Libraries.
    Assuming "idsconfig" has been run at the DS5.2 server end, to create the profiles and agent data, after that "ldapclient" should be run also at all ldap clients, it will setup /etc/nsswitch.conf, however you may need to adjust the "hosts: files ldap" to "hosts: files dns".
    If you intend to use pam_ldap, lookup docs.sun.com for a recommended /etc/pam.conf
    You may follow http://web.singnet.com.sg/~garyttt/
    Gary

  • Patch for native LDAP and non-password authentication

    Hi
    I was just wondering whether there was a patch for Solaris 10 for the following bug:
    4909247: Solaris 8 Client has broken .rhosts authentication with patch 108993-21
    (Contrary to the bug description it affects all versions of Solaris)
    There are patches for Solaris 8 (118993) and Solaris 9 (112960) that fix this issue but I can't find one for Solaris 10.
    Regards
    Tom

    The issue is fixed in 10.0 MP1 with this patch CR347434
    -Faisal
    http://www.weblogic-wonders.com

  • Solaris 10 Ldap Client user authentication against edirectory

    Hello,
    We have moved some of our Oracle databases from Linux to Solaris 10 u7, and I need to set up secure LDAP authentication for the users against a Linux-based eDirectory server. Can someone point me in the right direction to good documentation or a good explanation of what I need and how to go about this?
    I have spent the last couple of days reading about pam, nsswitch.ldap nsswitch.conf and certificates now I need to pull all this information into a usable format.
    Thanks
    ukgreenman

    I have a similar question.
    Did you have a solution ?
    thanks

  • Solaris 8 client setup with solaris 9 ldap

    I have managed to install iplanet directory server 5.1 that comes with solaris 9 using the utility idsconfig. As far as i can tell, all went well. Now i'm trying to initialize a solaris 8 client to authenticate to the iDS 5.1 on my solaris 9 box. What do i have to do on the solaris 8 client to "initialize it"? I've tried using ldapclient on the solaris 8 client as follows:
    # ldapclient -v -P default x.x.x.x
    but i keep getting the following errors:
    findDN rename(/var/ldap/ldap_client_file.orig, /var/ldap/ldap_client_file) failed!
    findDN rename(/var/ldap/ldap_client_cred.orig, /var/ldap/ldap_client_cred) failed!
    There are no files in /var/ldap. I thought that one uses ldapclient to create them. Am i wrong?
    Also, the output from idsconfig says that a 'NisDomainObject' was added to my domain but looking at the object classes in iDS5.1, there is no nisdomainobject.
    I also noticed that when i run the command domain on my solaris 8 box, there's no output. Do i need to set the domain on my solaris 8 client? I have the domain defined in /etc/resolv.conf.
    Stewart

    hi Stewart,
    You may find what you are looking for in the following technical note: http://knowledgebase.iplanet.com/ikb/kb/articles/7966.html
    It is called: "Cookbook for Solaris 8 client with Directory Server 5.1/Solaris 9" :-)
    Hope this will help you.
    Cheers / Damien.

  • Has anyone set up a Solaris 7 LDAP client to use with iPlanet DS 5.0?  I have only found docs for compiling OpenLDAP and have had NO LUCK with it. I can't get an LDAP client to run.

    I am trying Not to have 3 separate versions of LDAP in my environment (iDS5,Native Solaris LDAP,OpenLDAP). Can anyone point me to some DETAILED instructions to get an LDAP client (not server) running on Solaris 7?

    Hi,
    While U try to upgrade Solaris it first tries to check the installed software & applications and patches specific to the existing version, b'coz these patches are specific to the version in most cases. Since in Ur case the authentication is done in LDAP it would become a bit of a mess if U upgrade.

  • Solaris 10 LDAP Client to 389 DS(Linux)

    Hey guys,
    I had this working in Solaris 11 but I have to port back to Solaris 10 to run SunOS 4 binaries. Here goes: I can su over to the accounts in the LDAP, and it resolves names and groups to files. DNS and NTP are functioning. I cannot log in via ssh or su <username>. I can log in or su with both methods with local accounts (non-LDAP).
    When I - su Username the system responds prompting for password then returns su: Uknown id: Username
    When I ssh [email protected] it prompts me three times for a password which it never accepts as valid.
    Here is my pam.conf file -
    #ident "@(#)pam.conf 1.31 07/12/07 SMI"
    # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    login   auth required           pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth required pam_krb5.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth required pam_krb5.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth required pam_krb5.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth sufficient pam_unix_auth.so.1
    other   auth required           pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth sufficient pam_passwd_auth.so.1
    passwd  auth required           pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other   account sufficient      pam_ldap.so.1
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    Any ideas? So close but missing something as when I go to log in via ssh it prompts me for password 3 times then tosses me. Yes password and account are OK. If I ssh from a Linux server authenticating to the LDAP it works just fine. Any help is appreciated.
    Thanks,
    Ted

    CN,
    I have not modified the schema yet. I have updated pam.conf and while evaluating /var/adm/messages on the Solaris Client I only get output when I enter a known bad password, if I enter the correct password there is nothing in that log. Log in and su results remain the same. the slapd log does show the attempts and does not appear to show any errors that I can tell. I'll keep working it, here is the pam.conf I switched too after further evaluation -
    # more /etc/pam.conf
    #ident "@(#)pam.conf 1.31 07/12/07 SMI"
    # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth required pam_krb5.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth required pam_krb5.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth required pam_krb5.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth binding pam_unix_auth.so.1 server_policy
    other auth required pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1 force_check
    other password required pam_authtok_store.so.1 server_policy
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    I did create a .ldif file for a profile. Output seems similar to what I entered in the manual ldapclient command. Reading up more on that now and the schema updates you recommended. I wanted to make sure I sent you the updated pam.conf though as this seems to match those found online in style for pre-Solaris 11. The first copy was what I transferred from a working Solaris 11 server I had running here.
    Thanks,
    Ted

  • Solaris 10 LDAP Clients Intermittently Fail

    I'm working on a rather puzzling issue with some of our Solaris 10 systems authenticating against DSEE 6.3. These clients previously worked without issue but starting last week SSH connections would hang for a few minutes and then start working again. This never happened on more than one system at a time.
    I found the following messages in /var/adm/messages during the time we have these problems:
    Apr 27 08:04:57 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
    Apr 27 08:05:47 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
    ... many of these
    Apr 27 08:10:07 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
    Apr 27 08:10:17 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
    Apr 27 08:10:31 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (81): Can't contact LDAP server.
    To test connectivity to the LDAP server I have an ldapsearch running every 15 seconds and logging the time it took and checking for correct results. During the time that I see the libsldap messages and ssh connections are hanging, the ldapsearch command continues to run fine without slowing down.
    A final note is that all three of the problem systems are on the same subnet and systems outside of this subnet aren't having any problems with the same configuration. My first thought was the firewall but ldapsearch continues to work.
    Does anyone know if nscd tries to keep the LDAP connection open? Looking at the logged messages it appears as though it gives up after 5 minutes or so, throws the LDAP ERROR (81) and then starts to work again.
    Any ideas would be appreciated. This one is making me crazy (crazier).
    Thanks.

    rukbat wrote:
    Has anything changed in that time frame?
    Any physical changes such as office-moves? new hires? lay-offs?
    Could there have been any modifications to the networking hardware such as lengthening the cabling? Is it possible to re-route the subnet to different switches or to different posts on the switches? You might consider snooping the traffic to watch how it traverses the paths to the LDAP server.
    If there are other systems on the subnet, do they experience any sort of timeouts ( even if it is to unrelated tasks such as database access or surfing to the Intranet/Internet ) ?
    ... just random thoughts from a hardware perspective.

    Given that this started after a maintenance night I'm sure you are correct and something changed. However there are no changes in the maintenance plan that could cause this and nobody will own up to any additional changes. This leaves it to me to try to find what is causing the failure so I can get it corrected.
    These are the only three Unix systems on that subnet and they are all experiencing the problem so I don't have anything that is working to compare them to except for the other systems that aren't on that subnet. The other systems are working fine with the same configuration. That's why I'm thinking that it is something external to the problem systems.
    Given that all other services on these systems are working, I'm not currently exploring a hardware type failure.
    I've been running pfiles on nscd and it appears that it is indeed holding a connection to the LDAP server open (if I'm reading it correctly). The inode associated with #8 hasn't changed. So my current theory is that maybe the firewall is killing off long connections after a while. This appears to be consistent with the log entries where I get many ERROR (85) and then a final (81). I'm thinking that after the ERROR 81, it re-opens the connection. Just guesses though.
    8: S_IFSOCK mode:0666 dev:329,0 ino:3753 uid:0 gid:0 size:0
    O_RDWR|O_NONBLOCK
    SOCK_STREAM
    SO_SNDBUF(49152),SO_RCVBUF(49680),IP_NEXTHOP(0.0.194.16)
    sockname: AF_INET6 ::ffff:10.1.50.50 port: 42758
    peername: AF_INET6 ::ffff:10.1.52.25 port: *636*
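
Added example, not part of the original posts: a Python script that groups the nscd libsldap messages quoted above into episodes (a run of error 85 timeouts, closed by error 81) and measures how long each lasted, which is the number to compare against a firewall idle timeout when testing the poster's theory. The first five log lines are the ones quoted in the post; the last three are constructed. The function names, the 300-second grouping gap and the year (syslog records none) are assumptions.

```python
import re
from datetime import datetime

LOG = """\
Apr 27 08:04:57 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:05:47 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:10:07 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:10:17 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 08:10:31 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (81): Can't contact LDAP server.
Apr 27 10:15:03 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 10:17:33 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (85): Timed out.
Apr 27 10:20:41 hostname nscd[20634]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: LDAP ERROR (81): Can't contact LDAP server.
"""  # lines 6-8 are constructed sample data

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+nscd\[\d+\]:.*"
    r"libsldap:.*LDAP ERROR \((?P<code>\d+)\)")

LDAP_SERVER_DOWN = 81  # "Can't contact LDAP server"
LDAP_TIMEOUT = 85      # "Timed out"


def parse(text, year=2000):
    """Return (timestamp, ldap_error_code) for each libsldap line from nscd."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        # Assumption: all lines belong to the given year.
        ts = datetime.strptime("%d %s" % (year, m.group("ts")),
                               "%Y %b %d %H:%M:%S")
        events.append((ts, int(m.group("code"))))
    return events


def episodes(events, max_gap=300):
    """Group errors separated by at most max_gap seconds; error 81 closes one."""
    out, cur = [], None
    for ts, code in sorted(events):
        if cur and (ts - cur["end"]).total_seconds() > max_gap:
            out.append(cur)
            cur = None
        if cur is None:
            cur = {"start": ts, "end": ts, "timeouts": 0, "server_down": False}
        cur["end"] = ts
        if code == LDAP_TIMEOUT:
            cur["timeouts"] += 1
        elif code == LDAP_SERVER_DOWN:
            cur["server_down"] = True
            out.append(cur)
            cur = None
    if cur:
        out.append(cur)
    for e in out:
        e["seconds"] = int((e["end"] - e["start"]).total_seconds())
    return out


if __name__ == "__main__":
    for e in episodes(parse(LOG)):
        print("%s  %3d s  timeouts=%d  ended_with_81=%s" % (
            e["start"].strftime("%b %d %H:%M:%S"), e["seconds"],
            e["timeouts"], e["server_down"]))
```
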

  • Solaris 10 - ldap client - tls/ssl - password change

    we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
    passwd -r user1
    passwd: Changing password for user1
    passwd: Sorry, wrong passwd
    Permission denied
    where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
    any ideas will be highly appreciated.

    Not that it helps any but I am getting this same error. I am also using 6.3.1

  • LDAP Error Code in authentication?

    Hi,
    I'm working with Weblogic app server 7.0. I have configured LDAP authentication
    provider with iplanet. And I'm using FORM authentication. How can I know which
    code error is returned if authentication fails? I want to discriminate between
    wrong password, or expired password. How can I do it?
    Thanks

    "Helen" <[email protected]> wrote in message
    news:[email protected]..
    > Hi,
    > I'm working with Weblogic app server 7.0. I have configured LDAP authentication
    > provider with iplanet. And I'm using FORM authentication. How can I know which
    > code error is returned if authentication fails? I want to discriminate between
    > wrong password, or expired password. How can I do it?

    The ldap exceptions are trapped and failed login exceptions are thrown. I
    will enter a CR to make sure the ldap exception is nested or more granular
    exceptions are thrown.

  • 3 doubts about solaris 10 ldap native client

    I have a Solaris 10 client authenticating with an LDAP directory (S1 DS 5.2) and
    the communication between them is "working" ok.
    But the login is denied because the user doesn't have a home directory, so looking at documents
    I keep these doubts:
    1) In all the documents that I can see, users' home directories are mounted, but if I don't
    want to mount the homes because I "want" to do it like Linux, how can I configure this? (I
    looked in smc but when I set an option to keep mounted it throws an exception)
    Why mustn't I do this?
    2) If I can't do (1) or it's not recommended, I must resolve mounting the home
    directory from localhost using the automount schema (extended with automountKey), but
    does this require that a home directory exists for the users?
    3) If the user logs in for the first time, he doesn't have a home directory, so somebody must
    create this home for this user; who must have the responsibility for this?
    When must I start to resolve this?
    Regards

    Hi Lister
    Please provide more information on what you're trying to achieve. By the way, I'm in Perth and I've done some JES work out there at Curtin before - let me know if you'd like to get in touch! I'm available at tom.shaw [at] solidsystems.com.au
    In general, I see several inconsistencies here.
    1. I can't tell whether you're trying to use SSL or not. You have an ldapsearch using SSL and you have a certificate database but your ldap_client_file is using "simple" not "tls:simple". (You should try and get it working without SSL first though.)
    2. The objectclassmap entries look like they aren't needed.
    3. You haven't listed nsswitch.conf - are you using local files for passwd, group and shadow entries, or are you using LDAP?
    4. I'm not sure about the BindDN you have. I believe it needs to be the full DN, not just the RDN, and it needs to have the right ACI permissions.
    Useful information would be: the output of a command like "ldaplist passwd" (obviously with sensitive information censored), and the relevant lines of the LDAP access log. But again, I'm in Perth so let me know if you'd like to arrange some more direct assistance.
    Regards
    Tom
