Sudo with LDAP NetGroups Solaris 10
Hi All,
Can someone describe to me the steps to configure sudoers to work with LDAP netgroups on Solaris 10?
I am using "sudo 1.7.2p6" right now.
I am able to authenticate using the netgroups, but not able to use sudo.
Thanks,
DD
I have recently tested sudo 1.6.8p8 to be working with flat files /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against DS5.2 server.
I assume you use Solaris8/9 Native LDAP Client, and assume netgroup LDAP maps have been working without sudo.
I read your other post about sudo and ldap, I think you did not configure and build "sudo" with "--with-pam", right?
Can you provide the following details?
1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
3) Did you use an old gcc version eg: Solaris9 built-in gcc 3.1, to compile sudo?
4) Content of /var/ldap/ldap_client_file.
5) Content of /etc/ldap.conf, you should have this file.
6) Sample ldif showing some sudoRole entries in LDAP
7) Can you perform these commands?
ldaplist -l sudoers
ldaplist -l sudoers root
ldaplist -l sudoers some_sudoRole
8) Content of /etc/pam.conf
9) Any other relevant details, like err in /var/adm/messages.
Gary
Similar Messages
-
Issues with LDAP Server | Solaris 8
Hi All,
In my project we are using Solaris 8 as the LDAP server for authentication. Some folders' owner and group are assigned to LDAP users by default. I think it should be root and others.
Please find the below example:
*8 drwxr-xr-x 42 gip_admin set_investors_author 3584 Jan 24 00:01 .
*8 drwxr-xr-x 42 gip_admin set_investors_author 3584 Jan 24 00:01 ..
6 -rw-rw-r-- 1 gip_admin ampm_retail_english_author 2062 Jan 22 14:03 archive
2 drwxr-xr-x 2 root nobody 512 Aug 6 2003 cdrom
2 drwx--l--- 3 gip_admin set_investors_author 512 Dec 9 07:33 data
2 drwxr-x--- 2 root other 512 Nov 12 16:20 data1
Can you please help me to solve this issue?
Thanks in advance
Manju
Hi,
It is not mounted on NFS; it is a local disk only.
It is a Solaris 8 server.
# ls -lan
drwxr-xr-x 18 0 0 1536 Dec 11 05:00 .
drwxr-xr-x 46 91550 94293 2560 Jan 11 10:37 ..
-rw-rw-rw- 1 0 1 524204 Aug 2 2006 110951-06.jar
drwxr-xr-x 2 0 1 512 Dec 11 05:01 Backup_files
-rw------- 1 0 1 17 Apr 22 2005 DBVERSION
drwxrwxr-x 2 101 2000 512 Oct 18 2004 DD
drwxr-xr-x 2 0 1 512 Sep 19 2006 J2SEPatch-13092006
# cat /etc/passwd
root:x:0:1:Super-User:/:/usr/bin/bash
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
basant:x:1001:10::/apps/basant:/bin/sh
tis:x:1003:1::/apps/tis/:/usr/bin/bash
ldap:x:1004:100::/home/ldap:/bin/sh
iwui:x:100001:60001:Interwoven TeamSite UI Daemons User:/apps/iw-home:/bin/sh
oracle:x:1002:101: Oracle user:/apps/oracle:/bin/sh
vadmin:x:100002:1::/apps/vadmin/:/bin/sh
sshd:x:100003:2003:sshd privsep:/var/empty:/bin/false
temp:x:111112:1::/home/temp:/bin/sh
verity:x:111113:1::/apps/verity/:/usr/bin/bash
test1:x:12312311:1::/home/test1:/bin/sh
hai:x:12312312:1::/home/hai:/bin/sh
# cat /etc/group
root::0:root,tomcat
other::1:bpeditor,lpg_admin,lpg_author,lpg_publisher
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
nobody::60001:
noaccess::60002:
nogroup::65534:
iplanet::100:
dba::101:
sshd::2003:
apps::94356:
testa::12312323:
oat_users_test::12312325:
Thanks -
I am planning to integrate LDAP netgroups with SSH in Solaris 10 (Sun native SSH, SUNWsshxx) in order to stop unauthorized users from sshing in. Any advice?
I've only done this with Java Directory Server (DSCC, or whatever it's called) and OpenDS. The only real troubles I've had are when I've done something wrong in pam.conf or the compat line in nsswitch.conf.
works pretty well here -
I set up iPlanet Directory Server on Solaris 9. The Solaris 9 client can get user account and automount data from LDAP, but Solaris 8 can't get automount data.
If I cd /test4, the error message is: permission denied.
How do I fix it, or get more information about it?
The following is the Solaris 8 setting:
Solaris 8 profile:
dn: cn=sun8,ou=profile,dc=test,dc=com,dc=tw
cn: sun8
ObjectClass: top
ObjectClass: SolarisNamingProfile
SolarisBindDN: cn=proxyagent,ou=profile,dc=test,dc=com,dc=tw
SolarisBindPassword: {NS1}c58916dc7d61179f7f
SolarisLDAPServers: 172.20.100.103
SolarisSearchBaseDN: dc=test,dc=com,dc=tw
SolarisAuthMethod: NS_LDAP_AUTH_SIMPLE
SolarisTransportSecurity: NS_LDAP_SEC_NONE
SolarisSearchReferral: NS_LDAP_FOLLOWREF
SolarisSearchScope: NS_LDAP_SCOPE_ONELEVEL
SolarisSearchTimeLimit: 30
SolarisCacheTTL: 43200
Solaris 9 profile :
dn: cn=sun9v1,ou=profile,dc=test,dc=com,dc=tw
ObjectClass: top
ObjectClass: DUAConfigProfile
defaultServerList: 172.20.100.103
defaultSearchBase: dc=test,dc=com,dc=tw
authenticationMethod: simple
defaultSearchScope: one
searchTimeLimit: 30
cn: sun9v1
credentialLevel: proxy
attributeMap: automount:automountInformation=nisMapEntry
attributeMap: automount:automountKey=cn
attributeMap: automount:automountMapName=nisMapName
objectClassMap: automount:automount=nisObject
objectClassMap: automount:automountMap=nisMap
AutoMount Entry:
cn=/net,nisMapName=auto_master,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/net
nisMapEntry=-hosts -nosuid,nobrowse
nisMapName=auto_master
cn=/home,nisMapName=auto_master,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/home
nisMapEntry=auto_home -nobrowse
nisMapName=auto_master
cn=/xfn,nisMapName=auto_master,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/xfn
nisMapEntry=-xfn
nisMapName=auto_master
cn=/-,nisMapName=auto_master,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/-
nisMapEntry=auto_direct
nisMapName=auto_master
cn=/test4,nismapname=auto_direct,dc=test,dc=com,dc=tw
objectClass=nisObject
objectClass=top
cn=/test4
nismapentry=sun1:/export/test
nismapname=auto_direct
I just checked my schema and I've also converted 'NisMapEntry' to lower case.
So when you do an 'ldaplist -l auto_home name' you get:
dn: cn=name,nismapname=auto_home,o=org
objectClass: top
objectClass: nisobject
nismapname: auto_home
nismapentry: server:/export/home/&
cn: name
You can see where it's failing by running automountd in debug mode:
/usr/lib/autofs/automountd -v -TT &
# cd /home/name
t1 LOOKUP REQUEST: Wed Sep 4 14:37:53 2002
t1 name=name[] map=auto_home opts= path=/home direct=0
t1 PUSH /etc/auto_home
t1 getmapent_ldap called
t1 getmapent_ldap: key=[ name ]
t1 ldap_match called
t1 ldap_match: key =[ name ]
t1 ldap_match: ldapkey =[ name ]
t1 ldap_match: searchfilter =[ (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name)) ]
t1 ldap_match: Requesting list for (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name))
t1 ldap_match: __ns_ldap_list OK
t1 getmapent_ldap: exiting ...
t1 POP /etc/auto_home
t1 mapline: server:/export/home/&
t1 do_lookup1: action=2 wildcard=FALSE error=0
t1 LOOKUP REPLY : status=0
t6 MOUNT REQUEST: Wed Sep 4 14:37:53 2002
t6 name=name[] map=auto_home opts= path=/home direct=0
t6 PUSH /etc/auto_home
t6 getmapent_ldap called
t6 getmapent_ldap: key=[ name ]
t6 ldap_match called
t6 ldap_match: key =[ name ]
t6 ldap_match: ldapkey =[ name ]
t6 ldap_match: searchfilter =[ (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name)) ]
t6 ldap_match: Requesting list for (&(objectClass=nisObject)(nisMapName=auto_home)(cn=name))
t6 ldap_match: __ns_ldap_list OK
t6 getmapent_ldap: exiting ...
t6 POP /etc/auto_home
t6 mapline: server:/export/home/&
t6 do_mount1:
t6 (nfs,nfs) /home/name
server:/export/home/name penalty=0
t6 nfsmount: standard mount on /home/name :
t6 server:/export/home/name
t6 ping: server timeout=15 request vers=3 min=2
t6 pingnfs OK: nfs version=3
t6 nfsmount: Get mount version: request vers=3 min=3
t6 nfsmount: mount version=3
t6 mount server:/export/home/name /home/name ()
t6 mount server:/export/home/name dev=44c0006 rdev=0 OK
t6 MOUNT REPLY : status=0, AUTOFS_DONE -
LDAP and Solaris Authorization.
Hi,
Need some help. Can we do authorization of users with LDAP using PAM on Solaris? I am aware that we can use netgroups with LDAP for restricting access, but is there any generic facility that can be used directly with PAM itself to restrict the users?
All ideas are appreciated.
Regards,
Abrar
I wonder if anyone has successfully compiled pam_listfile.so (part of Linux-PAM) on Solaris 8/9 and used it successfully in /etc/pam.conf as a means of authorization control?
===
# cat /usr/share/doc/pam-0.77/txts/README.pam_listfile
SUMMARY:
pam_listfile:
Checks a specified item against a list in a file.
Options:
* item=tty
* sense=allow (action to take if found in file,
if the item is NOT found in the file, then
the opposite action is requested)
* file=/the/file/to/get/the/list/from
* onerr=succeed (if something weird happens
such as unable to open the file, what to do?)
* apply=user
restrict the user class for which the restriction
apply. Note that with item=user this
does not make sense, but for item=tty
it have a meaning. (Cristian Gafton)
Also checks to make sure that the list file is a plain
file and not world writable.
- Elliot Lee <[email protected]>, Red Hat Software.
v0.9 August 16, 1996.
===
Gary -
I've nearly got my LDAP deployment complete, but one thing I'm missing right now is netgroup-like restrictions for logins. I spoke with a Sun PS guy recently and he recommended this as the preferred method of restricting access to hosts, so I'm game.
The problem I have right now is that I can't seem to find any documentation on how to set this up. Most references using the word "netgroup" are for NIS, naturally. If anyone has solid docs on how to set this up for LDAP I'd appreciate it.
One thing to note is that I'm not transitioning from NIS. I have only DNS in my environment as a naming service, and so I couldn't just run the PADL tools to migrate.
My setup thus far is a 3 master configuration, with 3 hubs, and approximately 100 users, total. Please ask if my setup requires any clarification.
Thanks!
Patrick
Just want to add more information:
1) The sample Solaris 10 /etc/pam.conf can be found at
http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
(For this sample to work on Solaris 8/9, comment out all the pam_unix_cred.so.1 lines.)
2) Making sure "getent passwd userid" shows something is NOT enough to make it work; objectClass "shadowAccount" must be defined in the People entry. Below is an example:
bash-2.05# ldaplist -l passwd tuser2
dn: uid=tuser2, ou=People, dc=example,dc=com
givenName: Test
sn: User2
loginShell: /bin/sh
uidNumber: 9998
gidNumber: 102
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tuser2
cn: Test User2
homeDirectory: /var/tmp
userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
3) Edit /etc/nsswitch.conf and restart nscd.
Change this:
passwd: files ldap
netgroup: files
To that:
passwd: compat
passwd_compat: ldap
netgroup: ldap
Note that there is no need to change "shadow:" and "group:"; anyone please correct me if I am wrong.
I have these two lines for both Solaris and Linux clients:
shadow: files ldap
group: files ldap
4) Add these lines to the end of /etc/passwd and run "pwconv".
+@netgroup1:x:::::
+@netgroup2:x:::::
-:x:::::
The corresponding DIT:
# ldaplist -l netgroup
dn: cn=netgroup1,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,gtay,)
nisNetgroupTriple: (,tuser,)
dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,test,)
nisNetgroupTriple: (,tuser2,)
I noticed that Solaris will add corresponding lines to /etc/shadow after "pwconv" is run, whereas RHEL will not.
5) The same works for BOTH Sun ONE DS5.2 and OpenLDAP server netgroup LDAP maps, as well as BOTH Sun Solaris Native LDAP Clients and RHEL OpenLDAP+PADL Linux LDAP Clients.
6) For non-netgroup accounts, "id userid" and "su - userid" will show these error messages:
Solaris:
id: invalid user name: "userid"
su: unknown id: userid
Linux:
id: userid: No such user
su: user userid does not exist
7) Some examples of nisNetgroupTriple:
# nisNetgroupTriple examples: (host,user,domain)
# jdoe is in the appuser netgroup for all servers, all domains.
# scarter is in the appuser netgroup only on the server mars.
# all users are in the appuser netgroup on the server pluto.
dn: cn=appuser,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
nisNetgroupTriple: (,jdoe,)
nisNetgroupTriple: (mars,scarter,)
nisNetgroupTriple: (pluto,,)
cn: appuser
HTH.
Gary
Gary,
Excellent summary...just what I would have looked for about 2 months ago :)
I would like to add that you can indeed nest netgroups. The following is how you would nest Gary's "appuser" netgroup into another, named prod_appservers (theoretically a superset which would be comprised of several netgroups):
dn: cn=prod_appservers,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: prod_appservers
memberNisNetgroup: appuser
memberNisNetgroup: unixadmin
memberNisNetgroup: security
memberNisNetgroup: architecture
Patrick -
Issue with LDAP login authentication in CMC console
We have an existing issue with Business Objects BOE XIR2 SP2 and LDAP authentication with the BOE CMC console.
We use websphere as the application server and it is installed on the same machine (Solaris) as BOE.
We have this issue on both our production and our recently rebuilt development environment to duplicate the issue.
Both environments have LDAP over SSL configured, and we can log in to BOE InfoView Reports with LDAP and can map groups and users if we log in to the CMC, but we cannot log in to the CMC with secLDAP.
The specific error still being shown is "Security plugin error: Failed to set parameters on plugin".
Both environments (DEV and PROD) are fresh installs of BOE XIR2 SP2.
Any ideas are much appreciated
Thank you
The CMC in XIR2 used COM components for the SSL (rather than Java like InfoView) and I'm betting the WAS deployment is not finding them. Is WAS on a separate server or is BOE installed there as well?
I'm not familiar with any regular fixes for an issue like this. If no other replies I'd recommend opening a case with either deployment(WAS on "nix") or authentication(WAS on windows) to see if they can trace down the problem.
Regards,
Tim -
Does LDAP work in Solaris 11?
I am configuring a Solaris 11 system to connect with LDAP. But I am finding out that the configuration file "nsswitch.conf" can't be edited; edits will be lost.
Can you help me set up the LDAP client on this system "solaris11 x86 11-11-11"?
Our LDAP server is a Solaris 10 SPARC.
Thank you
I didn't have the problem in Solaris 11.11.11.
However, I have this problem in Solaris 11.11.11.1.
In Solaris 5.11 11.1
the ldap client is in maintenance mode.
I disable the ldap client,
enable it...
it still goes into maintenance mode.
I don't understand what is going on.
# svcs
STATE STIME FMRI
legacy_run 13:29:11 lrc:/etc/rc2_d/S40llc2
legacy_run 13:29:11 lrc:/etc/rc2_d/S47pppd
legacy_run 13:29:11 lrc:/etc/rc2_d/S81dodatadm_udaplt
legacy_run 13:29:11 lrc:/etc/rc2_d/S89PRESERVE
disabled 13:29:00 svc:/system/tsol-zones:default
online 13:28:51 svc:/system/early-manifest-import:default
online 13:28:51 svc:/system/svc/restarter:default
online 13:28:53 svc:/network/sctp/congestion-control:cubic
online 13:28:53 svc:/network/sctp/congestion-control:vegas
online 13:28:53 svc:/network/tcp/congestion-control:newreno
online 13:28:53 svc:/network/tcp/congestion-control:vegas
online 13:28:53 svc:/network/tcp/congestion-control:highspeed
online 13:28:53 svc:/network/tcp/congestion-control:cubic
online 13:28:53 svc:/network/sctp/congestion-control:newreno
online 13:28:53 svc:/network/sctp/congestion-control:highspeed
online 13:28:54 svc:/network/netcfg:default
online 13:28:54 svc:/network/tnctl:default
online 13:28:54 svc:/network/socket-config:default
online 13:28:54 svc:/network/smb:default
online 13:28:54 svc:/system/metainit:default
online 13:28:55 svc:/network/datalink-management:default
online 13:28:55 svc:/system/filesystem/root:default
online 13:28:55 svc:/system/resource-controls:default
online 13:28:55 svc:/system/scheduler:default
online 13:28:56 svc:/system/cryptosvc:default
online 13:28:56 svc:/network/ipsec/ipsecalgs:default
online 13:28:56 svc:/system/boot-archive:default
online 13:28:56 svc:/system/name-service/upgrade:default
online 13:28:58 svc:/network/ip-interface-management:default
online 13:28:58 svc:/network/loopback:default
online 13:28:58 svc:/network/ipmp:default
online 13:28:59 svc:/system/filesystem/usr:default
online 13:28:59 svc:/system/pfexec:default
online 13:28:59 svc:/system/device/local:default
online 13:28:59 svc:/system/devchassis:cleanstart
online 13:29:00 svc:/system/filesystem/minimal:default
online 13:29:00 svc:/system/vbiosd:default
online 13:29:00 svc:/system/metasync:default
online 13:29:00 svc:/system/logadm-upgrade:default
online 13:29:00 svc:/system/rmtmpfiles:default
online 13:29:00 svc:/system/pkgserv:default
online 13:29:00 svc:/network/uucp-lock-cleanup:default
online 13:29:00 svc:/system/security/security-extensions:default
online 13:29:00 svc:/system/rbac:default
online 13:29:00 svc:/system/hostid:default
online 13:29:00 svc:/system/environment:init
online 13:29:00 svc:/system/ca-certificates:default
online 13:29:00 svc:/system/utmp:default
online 13:29:00 svc:/system/resource-mgmt:default
online 13:29:00 svc:/system/filesystem/uvfs-instclean:default
online 13:29:00 svc:/system/zones-monitoring:default
online 13:29:00 svc:/application/opengl/ogl-select:default
online 13:29:00 svc:/application/desktop-cache/docbook-style-xsl-update:default
online 13:29:00 svc:/system/postrun:default
online 13:29:00 svc:/milestone/unconfig:default
online 13:29:00 svc:/milestone/config:default
online 13:29:00 svc:/application/desktop-cache/mime-types-cache:default
online 13:29:01 svc:/application/desktop-cache/pixbuf-loaders-installer:default
online 13:29:01 svc:/application/desktop-cache/input-method-cache:default
online 13:29:01 svc:/system/dbus:default
online 13:29:01 svc:/system/sysevent:default
online 13:29:01 svc:/application/desktop-cache/desktop-mime-cache:default
online 13:29:01 svc:/system/devfsadm:default
online 13:29:01 svc:/application/desktop-cache/gconf-cache:default
online 13:29:01 svc:/network/npiv_config:default
online 13:29:01 svc:/system/manifest-import:default
online 13:29:01 svc:/system/device/fc-fabric:default
online 13:29:01 svc:/system/rad:local
online 13:29:01 svc:/milestone/devices:default
online 13:29:01 svc:/system/coreadm:default
online 13:29:01 svc:/system/config-user:default
online 13:29:01 svc:/system/timezone:default
online 13:29:01 svc:/network/physical:upgrade
online 13:29:01 svc:/system/device/audio:default
online 13:29:01 svc:/network/location:upgrade
online 13:29:02 svc:/application/desktop-cache/docbook-dtds-update:default
online 13:29:03 svc:/application/desktop-cache/docbook-style-dsssl-update:default
online 13:29:03 svc:/system/keymap:default
online 13:29:04 svc:/network/physical:default
online 13:29:04 svc:/system/identity:node
online 13:29:05 svc:/system/picl:default
online 13:29:05 svc:/network/ipsec/policy:default
online 13:29:05 svc:/network/location:default
online 13:29:05 svc:/milestone/network:default
online 13:29:05 svc:/network/iptun:default
online 13:29:05 svc:/network/nis/domain:default
online 13:29:05 svc:/system/fcoe_initiator:default
online 13:29:05 svc:/network/dns/client:default
online 13:29:05 svc:/system/identity:domain
online 13:29:05 svc:/milestone/single-user:default
online 13:29:05 svc:/network/initial:default
online 13:29:05 svc:/network/nfs/fedfs-client:default
online 13:29:05 svc:/network/service:default
online 13:29:05 svc:/network/netmask:default
online 13:29:05 svc:/network/iscsi/initiator:default
online 13:29:06 svc:/system/auditset:default
online 13:29:06 svc:/system/filesystem/local:default
online 13:29:06 svc:/system/cron:default
online 13:29:06 svc:/system/boot-loader-update:default
online 13:29:06 svc:/system/filesystem/ufs/quota:default
online 13:29:07 svc:/network/shares:default
online 13:29:07 svc:/system/power:default
online 13:29:07 svc:/system/consolekit:default
online 13:29:08 svc:/system/boot-archive-update:default
online 13:29:09 svc:/application/desktop-cache/icon-cache:default
online 13:29:09 svc:/system/hal:default
online 13:29:09 svc:/network/rpc/bind:default
online 13:29:09 svc:/network/routing/ndp:default
online 13:29:09 svc:/system/filesystem/rmvolmgr:default
online 13:29:09 svc:/network/nfs/status:default
online 13:29:09 svc:/network/routing-setup:default
online 13:29:09 svc:/network/inetd:default
online 13:29:09 svc:/network/nfs/nlockmgr:default
online 13:29:10 svc:/application/font/fc-cache:default
online 13:29:10 svc:/network/rpc/gss:default
online 13:29:10 svc:/network/rpc/smserver:default
online 13:29:10 svc:/application/x11/xvnc-inetd:default
online 13:29:10 svc:/network/security/ktkt_warn:default
online 13:29:10 svc:/network/rpc/cde-ttdbserver:tcp
online 13:29:10 svc:/network/rpc/cde-calendar-manager:default
online 13:29:10 svc:/system/filesystem/autofs:default
online 13:29:10 svc:/application/cups/scheduler:default
online 13:29:10 svc:/system/dumpadm:default
online 13:29:10 svc:/network/ssh:default
online 13:29:10 svc:/milestone/self-assembly-complete:default
online 13:29:11 svc:/system/system-log:default
online 13:29:11 svc:/application/pkg/update:default
online 13:29:11 svc:/system/auditd:default
online 13:29:11 svc:/system/console-login:default
online 13:29:11 svc:/system/vtdaemon:default
online 13:29:11 svc:/system/console-login:vt4
online 13:29:11 svc:/system/console-login:vt3
online 13:29:11 svc:/system/console-login:vt2
online 13:29:11 svc:/system/console-login:vt6
online 13:29:11 svc:/system/console-login:vt5
online 13:29:11 svc:/milestone/multi-user:default
online 13:29:11 svc:/application/man-index:default
online 13:29:11 svc:/application/graphical-login/gdm:default
online 13:29:11 svc:/milestone/multi-user-server:default
online 13:29:11 svc:/system/intrd:default
online 13:29:11 svc:/system/zones:default
online 13:29:11 svc:/system/zones-install:default
online 13:29:12 svc:/application/stosreg:default
online 13:29:12 svc:/system/boot-config:default
online 13:29:15 svc:/system/fmd:default
online 13:29:15 svc:/system/fm/smtp-notify:default
online 13:29:16 svc:/system/fm/asr-notify:default
online 13:29:25 svc:/system/devchassis:daemon
online 13:29:32 svc:/network/ilomconfig-interconnect:default
online 13:29:32 svc:/system/ocm:default
online 13:29:41 svc:/system/console-reset:default
online 13:29:53 svc:/application/texinfo-update:default
online 13:58:19 svc:/system/name-service/switch:default
online 13:58:19 svc:/milestone/name-services:default
online 13:58:19 svc:/network/sendmail-client:default
online 13:58:19 svc:/network/smtp:sendmail
online 13:58:19 svc:/network/nfs/client:default
online 13:58:35 svc:/system/name-service/cache:default
maintenance 13:38:48 svc:/network/ldap/client:default
Edited by: 1502 on Dec 5, 2012 2:45 PM -
Heimdal with LDAP backend?
Has anyone gotten the LDAP backend for Heimdal to work? I've recompiled Heimdal with ldap backend support, and I have LDAP all set up, but no matter what I do, when I run kadmin to init the realm, I get this:
[arew264@Reno src]$ sudo kadmin -l
kadmin> init LINUXLAB.FHS
kadmin: hdb_open: ldap_sasl_bind_s: Can't contact LDAP server
From what I've read, Heimdal connects to LDAP through the unix socket that LDAP creates when you start it with the option "-h ldapi://", but if I start it with this option, it crashes with a file not found error. I think it's trying to create a socket in the directory where it was built because it outputs this:
[arew264@Reno slapd]$ sudo /usr/sbin/slapd -h ldapi:// -f /etc/openldap/slapd.conf -d 1023
@(#) $OpenLDAP: slapd 2.3.40 (Jan 17 2008 23:58:45) $
nobody@tygra:/build/src/openldap-2.3.40/servers/slapd
daemon_init: ldapi://
daemon_init: listen on ldapi://
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldapi://)
daemon: bind(7) failed errno=2 (No such file or directory)
slap_open_listener: failed on ldapi://
slapd stopped.
connections_destroy: nothing to destroy.
[arew264@Reno slapd]$
That nobody@tygra line... that must be from the package maintainer's computer because, as you can see, my box is named Reno.
I answered my own question. Appending LDAPI:// to the server list tells OpenLDAP to create a Unix socket at /var/lib/openldap/run/ldapi. Apparently it's a strange side effect of the configure options that TomK used.
-
Problems setting up ldap on solaris 10.
When trying to set up LDAP on Solaris 10 I am asked for an LDAP profile and the address of the LDAP server. I know the address of the LDAP server, but what is the profile, and how do I set it up with Active Directory?
Hi,
The profile defines how the client will interact with the server. On a Solaris server, you set this up with the /usr/lib/ldap/idsconfig command. On the client, you use ldapclient init -a profileName=xyz -a domainName=your.domain <server.ip.address.here:portno>; portno is not necessary if you are using port 389 on the server. I'm not sure how you duplicate the functionality of that profile from a Windows server. Maybe if you look at the man page for idsconfig, it may help identify what needs to be done on the Windows server to create a profile the Solaris client can use. I went to MS TechNet and searched for "ldap server for solaris client". A lot of hits. Hope this helps.
John -
Untrusted server cert chain - while connecting with ldap
Hi All,
I am getting the following error while running a standalone Java program in a Windows 2000 + JDK 1.3 environment to connect with LDAP.
javax.naming.CommunicationException: hostname:636 [Root exception is ja
vax.net.ssl.SSLException: untrusted server cert chain]
javax.naming.CommunicationException: hostname:636. Root exception is j
avax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA12
275)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
at java.io.OutputStream.write(Unknown Source)
at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at Test2.getProxyDirContext(Test2.java:66)
at Test2.main(Test2.java:40)
Any help would be appreciated
Thanks in Advance
Somu
This got resolved when I set the following in the code:
System.setProperty("javax.net.ssl.trustStore", CertFileName); // the property name is javax.net.ssl.trustStore
where CertFileName is the filename with the complete path; the file is a CA certificate of the LDAP server in X.509 format -
Problem with LDAP in BEA Portal
Problem with LDAP in BEA Portal
I have a list of 50 users which should be created on the portal staging (development) machine and should be transferred to the production machine using LDAP.
Steps which I followed to create users:
1. Create a user profile with 2 parameters, branch and role
2. I have the list of users in an XLS file with username, password, branch and role
3. Write a Java file which will read the XLS file
4. The users are created on the staging machine for the portal
Steps which I followed in LDAP to transfer the created users from development to production:
1. Export the created users from development (which were saved as a .DAT file in my local directory)
2. Import the users from the local directory to the production machine
The users are imported on the production machine with username and password, but the role and branch values are empty.
We need a solution for importing the users with the role and branch corresponding to each user.
Thanks in Adv
Suresh
In Portal 8.1, user name and password are stored in LDAP, whereas user profile values are stored in the database. That is the reason you are not able to see the user profile values.
Check once again whether you can see these values through the admin tool. If not (after confirming again), you might have to use APIs to do this for you, in case you don't want to manage it through the Admin Tool.
Thanks,
Prashanth Bhat. -
Problem with IPSec on solaris 9
Hi all
I'm facing a problem with IPsec on Solaris 9 that I didn't have with Solaris 8 (with the Security package installed).
I have an application that creates SAs by using the PF_KEY interface.
What it does is first a GETSPI for a specific SPI and a specific destination IP address.
This will create an SA and put it in the LARVAL state. After about a minute my application will do an UPDATE to this SPI, and that command should change the state of the SA from LARVAL to MATURE, but instead I get an error saying that this SPI and IP address already exist (errno = 17).
Well, of course it already exists; that's the whole point. It should just change the state of an existing SA.
This exact scenario was working fine on Solaris 8.
Am I doing something wrong (maybe there is a package on Solaris 9 that I need to install?), or is this a bug in Solaris 9?
If anyone has any idea on how to do that (without using a one-step ADD for a new SA) I will be very thankful.
Sorry for using reply for querying.
I got a problem creating a Security Association using the PF_KEY socket (first used SADB_GETSPI and got an SPI; with that SPI I tried to update with SADB_UPDATE).
Getting this problem on Sun Solaris 8.
It returns errno 122, operation not supported.
Here is my mailId [email protected]
I have a few more queries regarding the PF_KEY socket.
Not many directions are available for the PF_KEY socket on the internet either.
Monitor produces the following error.
# ipseckey monitor
"Base message (version 2) type UPDATE, SA type AH.
Error Operation not supported on transport endpoint from PF_KEY.
Message length 16 bytes, seq=4294967294, pid=450."
Here is my mailId [email protected]
Thanks in Advance.
ssundar. -
Error in authentication with ldap server with certificate
Hi,
I have a problem with authentication against an LDAP server with a certificate.
Here I am using the Java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued a new certificate which has a validity of up to 5 years.
Will Java authenticate for up to one year only?
Can anybody help on this issue?
Regards
Ranga
Sorry, I am getting the same error:
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
When I use the old certificate and change the system date, I can get the authentication to work.
Can you tell me where we should concentrate to solve the issue?
Where is the issue:
1. need to check with the LDAP server only
2. problem in the Java code only
Thanks in advance -
Problem with users in portal - login conflict with LDAP.
Hi.
Let me describe our problem:
We have an EP5 portal connected to a central LDAP server; users access all the different systems with the same user and password.
The problem happens to users whose passwords have expired. We already set the password expiration days to 0 to avoid future problems, but that didn't apply to the already expired ones.
The affected users cannot change their password due to problems with the connection rights to the LDAP server.
We're trying to find the place where it's set that the user is in some kind of "password expired" status, directly in a database table if necessary, to change the status manually, as the system does not allow us to set it via user administration in the portal.
Any suggestions would be appreciated.
Restoring expired Portal passwords
Solved