Tls:simple

Hi,
I am setting up a Solaris 9 system to do TLS/SSL to an LDAP server set up for ldaps:///. I can use the ldapsearch in /usr/iplanet/shared/bin and get a TLS/SSL connect and results to work fine. But when I attempt to log in using TLS/SSL it still appears to only be using ldap, not ldaps. I have configured the authmethod and serviceauthmethod to only contain tls:simple. The cert7 and key3 files are in the proper place. ldapclient works fine.
Ideas or suggestions greatly appreciated.

Found fix: added LdapContext.reconnect( ) method. Although it works it would seem there is unnecessary overhead since it has to bind twice.
import javax.naming.Context;
import javax.naming.ldap.*;

// Upgrade the existing plain LDAP connection to TLS before any credentials are sent
StartTlsResponse tls = (StartTlsResponse) connection.extendedOperation(new StartTlsRequest());
tls.negotiate();
connection.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
connection.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
connection.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPassword);
connection.reconnect(null); // new line: re-bind over the TLS session with the updated environment
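A complete version of that flow, added here as an example and not code from the original post: the context is created with an anonymous bind, StartTLS is negotiated, and only then are the credentials set and reconnect() called. The second bind is unavoidable with JNDI, because InitialLdapContext binds as soon as it is constructed; doing that first bind anonymously is what keeps the password off the wire in clear text. The host name, bind DN and password below are placeholders.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

/**
 * Opens an LDAP connection anonymously, upgrades it with the StartTLS extended
 * operation, and only then attaches the simple-bind credentials and re-binds.
 * Putting SECURITY_PRINCIPAL/SECURITY_CREDENTIALS into the initial environment
 * would make InitialLdapContext send the password before TLS exists.
 */
public final class StartTlsSimpleBind {

    public static LdapContext bind(String ldapUrl, String bindDn, String bindPassword)
            throws NamingException, IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);           // plain ldap://host:389, not ldaps://
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // first bind is anonymous on purpose

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() fails unless the server certificate chains to a CA in the JVM
            // trust store and (default hostname verifier) matches the host in ldapUrl.
            SSLSession session = tls.negotiate();
            System.out.println("TLS up: " + session.getProtocol() + " " + session.getCipherSuite());

            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPassword);
            ctx.reconnect(null); // second bind, now carrying the credentials inside TLS
            return ctx;
        } catch (NamingException | IOException e) {
            ctx.close(); // drops the socket, TLS layer included
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical host and DN; the password is taken from the command line.
        String password = args.length > 0 ? args[0] : "changeit";
        LdapContext ctx = bind("ldap://ldap.example.com:389",
                "cn=proxyagent,ou=profile,dc=example,dc=com", password);
        try {
            System.out.println(ctx.getAttributes("", new String[] {"namingContexts"}));
        } finally {
            ctx.close();
        }
    }
}
```

This is the StartTLS extended operation on the plain LDAP port. If the server is only reachable as ldaps://, leave out the StartTlsRequest: JNDI negotiates TLS at connect time for an ldaps:// PROVIDER_URL, so the credentials can go straight into the initial environment. In both cases the connection fails unless the server certificate chains to a CA the JVM trusts (the default cacerts, or a store given with -Djavax.net.ssl.trustStore) and matches the host name in the URL.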

Similar Messages

  • Native Solaris 10 with DSEE 6.3.1 (or JSDS) with SSL (tls:simple)

    Hello There,
    I need some help from DSEE or LDAP experts.
    I am trying to configure DSEE 6.3.1 to use SSL(tls:simple).
    I have the simple (non-SSL) method working just fine, and the ldapsearch command also works fine with simple and SSL methods. So I know my certs are good, but I just cannot make the ldap client work.
    I followed this document: [http://brandonhutchinson.com/wiki/Soup_To_Nuts_Sun_DSEE#Solaris_10_instructions]
    I am using
    ldapclient -v init -a profileName=profile3 -a certificatePath=/var/ldap -a domainName=mydomain.com -a proxyDN="cn=proxyagent,ou=profile,dc=mydomain,dc=com" -a proxyPassword=XXXXX ldap200.mydomain.com
    Here is the output
    Parsing profileName=profile3
    Parsing certificatePath=/var/ldap
    Parsing domainName=mydomain.com
    Parsing proxyDN=cn=proxyagent,ou=profile,dc=mydomain,dc=com
    Parsing proxyPassword=xxxxx
    Arguments parsed:
    domainName: mydomain.com
    proxyDN: cn=proxyagent,ou=profile,dc=mydomain,dc=com
    profileName: profile3
    proxyPassword: xxxxx
    defaultServerList: ldap200.mydomain.com
    certificatePath: /var/ldap
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    found 1 namingcontexts
    findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=mydomain.com))"
    rootDN[0] dc=mydomain,dc=com
    found baseDN dc=mydomain,dc=com for domain mydomain.com
    Proxy DN: cn=proxyagent,ou=profile,dc=mydomain,dc=com
    Proxy password: {NS1}67eb0f447bc0f619
    Credential level: 1
    Authentication method: 3
    About to modify this machines configuration by writing the files
    Stopping network services
    sendmail not running
    nscd not running
    autofs not running
    ldap not running
    nisd not running
    nis(yp) not running
    file_backup: stat(/etc/nsswitch.conf)=0
    file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
    file_backup: stat(/etc/defaultdomain)=0
    file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
    file_backup: stat(/var/nis/NIS_COLD_START)=-1
    file_backup: No /var/nis/NIS_COLD_START file.
    file_backup: nis domain is "mydomain.com"
    file_backup: stat(/var/yp/binding/mydomain.com)=-1
    file_backup: No /var/yp/binding/mydomain.com directory.
    file_backup: stat(/var/ldap/ldap_client_file)=-1
    file_backup: No /var/ldap/ldap_client_file file.
    Starting network services
    start: /usr/bin/domainname mydomain.com... success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: network/ldap/client:default... success
    restart: sleep 100000 microseconds
    restart: sleep 200000 microseconds
    restart: milestone/name-services:default... success
    System successfully configured
    When I run
    It takes a long time and then
    ldaplist: Object not found (Session error no available conn.)
    The command logins also takes a long time and does not show any LDAP users.
    Here is the output from cachemgr.log on the client:
    Tue Jul 14 12:16:07.8984 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    Tue Jul 14 12:16:07.9391 sig_ok_to_exit(): parent exiting...
    Tue Jul 14 12:16:17.9511 getldap_set_refresh_ttl:(6) refresh ttl is 300 seconds
    Tue Jul 14 12:16:38.0741 getldap_set_refresh_ttl:(6) refresh ttl is 150 seconds
    Tue Jul 14 12:16:38.0755 Error: Unable to refresh profile:profile3:Session error no available conn.
    Tue Jul 14 12:16:38.0756 Error: Unable to update from profile
    Here is the output from /var/adm/messages:
    Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
    Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 292100 daemon.warning] libsldap: could not remove 192.168.190.146 from servers list
    Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
    Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 186574 daemon.error] Error: Unable to refresh profile:profile3: Session error no available conn.
    Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
    Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 292100 daemon.warning] libsldap: could not remove 192.168.190.146 from servers list
    Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no avaible conn.
    ANY HELP IS GREATLY APPRECIATED
    THANKS
    Edited by: PranavPatel on Jul 14, 2009 12:41 PM
    Edited by: PranavPatel on Jul 14, 2009 12:46 PM

    Here is the profile from the server
    Non-editable attributes
    dn: cn=profile3,ou=profile,dc=mydomain,dc=com
    authenticationmethod: tls:simple
    bindtimelimit: 10
    cn: profile3
    credentiallevel: proxy
    defaultsearchbase: dc=mydomain,dc=com
    defaultsearchscope: one
    defaultserverlist: 192.168.190.146 192.168.11.221
    followreferrals: FALSE
    objectclass: top
    objectclass: DUAConfigProfile
    profilettl: 43200
    searchtimelimit: 30
    serviceauthenticationmethod: passwd-cmd:tls:simple
    serviceauthenticationmethod: keyserv:tls:simple
    serviceauthenticationmethod: pam_ldap:tls:simple
    Editable attributes:
    createtimestamp: 20090714180638Z
    creatorsname: cn=directory manager
    entrydn: cn=profile3,ou=profile,dc=mydomain,dc=com
    entryid: 26
    hassubordinates: FALSE
    modifiersname: cn=directory manager
    modifytimestamp: 20090714180638Z
    nsuniqueid: f37fa281-70a011de-80b5f403-069e0ba9
    numsubordinates: 0
    parentid: 13
    subschemasubentry: cn=schema
    And here is the output of
    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=mydomain,dc=com
    NS_LDAP_BINDPASSWD= {NS1}67eb0f447bc0f619
    NS_LDAP_SERVERS= 192.168.190.146, 192.168.11.221
    NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= profile3
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 10
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
    NS_LDAP_SERVICE_AUTH_METHOD= keyserv:tls:simple
    NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
    NS_LDAP_HOST_CERTPATH= /var/ldap
    Edited by: PranavPatel on Jul 14, 2009 1:08 PM

  • Solaris ldap client problem (tls:simple + anonymous)

    Hi All,
    I've installed Directory Server 6.3.1 and it works just fine,
    but I have a problem connecting a Solaris 10 LDAP client to it through SSL using the anonymous credential level.
    Both SSL with the proxy credential level and anonymous without SSL work fine, but as you know these configurations are not very secure.
    More detail.
    Profile:
    dn: cn=sslnoproxyuser,ou=profile,dc=domain,dc=com
    authenticationmethod: tls:simple
    bindtimelimit: 10
    cn: sslnoproxyuser
    credentiallevel: anonymous
    defaultsearchbase: dc=domain,dc=com
    defaultsearchscope: one
    defaultserverlist: servername.domain.com
    followreferrals: TRUE
    objectclass: top
    objectclass: DUAConfigProfile
    preferredserverlist: servername.domain.com
    profilettl: 43200
    searchtimelimit: 30
    Ldapclient output:
    bash-3.00# ldapclient init -v -a profileName=sslnoproxyuser servername.domain.com
    Parsing profileName=sslnoproxyuser
    Arguments parsed:
    profileName: sslnoproxyuser
    defaultServerList: servername.domain.com
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    found 2 namingcontexts
    findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=domain.com))"
    rootDN[0] dc=domain,dc=com
    found baseDN dc=domain,dc=com for domain domain.com
    Proxy DN: NULL
    Proxy password: NULL
    Credential level: 0
    Authentication method: 3
    No proxyDN/proxyPassword required
    About to modify this machines configuration by writing the files
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: network/smtp:sendmail... success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: system/name-service-cache:default... success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default... success
    ldap not running
    nisd not running
    nis(yp) not running
    file_backup: stat(/etc/nsswitch.conf)=0
    file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
    file_backup: stat(/etc/defaultdomain)=0
    file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
    file_backup: stat(/var/nis/NIS_COLD_START)=-1
    file_backup: No /var/nis/NIS_COLD_START file.
    file_backup: nis domain is "domain.com"
    file_backup: stat(/var/yp/binding/domain.com)=-1
    file_backup: No /var/yp/binding/domain.com directory.
    file_backup: stat(/var/ldap/ldap_client_file)=-1
    file_backup: No /var/ldap/ldap_client_file file.
    Starting network services
    start: /usr/bin/domainname domain.com... success
    start: sleep 100000 microseconds
    start: network/ldap/client:default... maintenance
    start: sleep 100000 microseconds
    start: system/filesystem/autofs:default... success
    start: sleep 100000 microseconds
    start: system/name-service-cache:default... success
    start: sleep 100000 microseconds
    start: network/smtp:sendmail... success
    restart: sleep 100000 microseconds
    restart: sleep 200000 microseconds
    restart: milestone/name-services:default... success
    Error resetting system.
    Recovering old system settings.
    Stopping network services
    Stopping sendmail
    stop: sleep 100000 microseconds
    stop: network/smtp:sendmail... success
    Stopping nscd
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: system/name-service-cache:default... success
    Stopping autofs
    stop: sleep 100000 microseconds
    stop: sleep 200000 microseconds
    stop: sleep 400000 microseconds
    stop: sleep 800000 microseconds
    stop: sleep 1600000 microseconds
    stop: sleep 3200000 microseconds
    stop: system/filesystem/autofs:default... success
    Stopping ldap
    stop: network/ldap/client:default... restoring from maintenance state
    stop: sleep 100000 microseconds
    stop: network/ldap/client:default... success
    nisd not running
    nis(yp) not running
    recover: stat(/var/ldap/restore/defaultdomain)=0
    recover: open(/var/ldap/restore/defaultdomain)
    recover: read(/var/ldap/restore/defaultdomain)
    recover: old domainname "domain.com"
    recover: stat(/var/ldap/restore/ldap_client_file)=-1
    recover: stat(/var/ldap/restore/ldap_client_cred)=-1
    recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
    recover: stat(/var/ldap/restore/domain.com)=-1
    recover: stat(/var/ldap/restore/nsswitch.conf)=0
    recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
    recover: stat(/var/ldap/restore/defaultdomain)=0
    recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
    Starting network services
    start: /usr/bin/domainname domain.com... success
    start: sleep 100000 microseconds
    start: system/filesystem/autofs:default... success
    start: sleep 100000 microseconds
    start: system/name-service-cache:default... success
    start: sleep 100000 microseconds
    start: network/smtp:sendmail... success
    restart: sleep 100000 microseconds
    restart: milestone/name-services:default... success
    /var/ldap/cachemgr.log
    Tue Jun 30 10:50:51.4330 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    Tue Jun 30 10:50:51.4355 Error: Unable to read '/var/ldap/ldap_client_file': Configuration Error: No entry for 'NS_LDAP_BINDDN' found
    Tue Jun 30 10:50:51.4368 detachfromtty(): child failed (rc = 255).
    Any ideas?
    Edited by: ffffffffff356dfd on 30 Jun 2009 12:07

    Hi ,
    yes I use it.
    Here is my pam.conf:
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_dial_auth.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    # rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    # rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    rsh auth binding pam_unix_auth.so.1 server_policy
    rsh auth required pam_ldap.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth binding pam_unix_auth.so.1 server_policy
    other auth required pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1
    other account required pam_ldap.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1 server_policy
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    #

  • Switching from tls:simple to tls:sasl/DIGEST-MD5

    How can I do this, and can someone post an example of how? Can DS 5.2 support more than one Authentication Method at a time?
    TIA,
    Chris

    I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
    idsconfig is which "Authentication Methods" the DS will support. The choices being:
    * none
    * simple
    * sasl/DIGEST-MD5
    * tls:simple
    * tls:sasl/DIGEST-MD5
    When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
    could have chosen more than one at that time, but I didn't. What I need to know is how to add support
    for additional Authentication Methods after the fact. I assume there is a directory object somewhere and
    it's a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
    or caveats I should be aware of beforehand.

  • Restricting 389 to TLS (simple or cert) from specific userDNs

    I am configuring an LDAP server to listen on 389 (TLS) and 636 (SSL).
    I have applications that need to use "simple" authentication on 389 and have LDAP clients that are configured to use TLS:simple.
    The question I have is:
    I want to enforce the use of TLS if the bind is being done by specific userDNs and IP / DNS addresses. I have read the documentation and know I can set up an ACI to restrict by DNS/IP but not by bind method (none of the bind methods fulfil the transport requirement).
    authmethod = ssl requires cert authentication, and I don't believe Solaris LDAP clients can support cert authentication.
    What is the best practice in this respect?

    Hi
    Sounds logical. However, I've seen that the user sl-abde has written a plugin with the needed functionality (http://forum.java.sun.com/thread.jspa?threadID=5062375). Unfortunately the Sun forums do not offer the possibility to contact a user directly, so I cannot ask for the code (can anyone help me?). I could possibly write the plugin myself, but if someone did it already... Is there a community code repository?
    Any ideas / suggestions would be highly appreciated.
    harry

  • Proxyagent using proxy tls:simple fails to bind to DS 6.3

    If I configure the profile to use proxy simple, it works fine everything works including authentication (/etc/pam.conf and the server are using pam_ldap:tls:simple). If I try proxy tls:simple, it fails to bind to the server. Both the server and client are Solaris 10. I generated and deployed the certificates on both sides. I searched Sunsolve and the forums. Is proxy tls:simple an unworkable combination? Proxy anonymous does not seem to work either.
    Any ideas?

    This is for my internal lab network. You will have to use ldapadd to add it to the DS configuration:
    ldapclient genprofile -a profileName=tls-profile -a defaultSearchBase=dc=gallifrey,dc=net -a credentialLevel=proxy \
    -a authenticationmethod=tls:simple -a serviceAuthenticationMethod=pam_ldap:tls:simple \
    -a serviceAuthenticationMethod=passwd-cmd:tls:simple -a defaultSearchScope=one \
    -a followReferrals=FALSE -a defaultServerlist=192.168.1.6 > tls-profile.ldif
    bash-3.00# cat tls-profile.ldif
    dn: cn=tls-profile,ou=profile,dc=gallifrey,dc=net
    ObjectClass: top
    ObjectClass: DUAConfigProfile
    defaultServerList: 192.168.1.6
    defaultSearchBase: dc=gallifrey,dc=net
    authenticationMethod: tls:simple
    followReferrals: FALSE
    defaultSearchScope: one
    cn: tls-profile
    credentialLevel: proxy
    serviceAuthenticationMethod: pam_ldap:tls:simple
    serviceAuthenticationMethod: passwd-cmd:tls:simple

  • LDAP client with TLS

    LDAP gurus
    I'm having problems setting up the LDAP client to use TLS:SIMPLE. SIMPLE and SASL/DIGEST-MD5 are working fine (with or without proxy).
    For some reason, a self-signed certificate is not accepted by the client (TLS certificate verification: Error, self signed certificate).
    Certificate is located at /var/ldap/cert8.db
    Client is Sun LDAP Native.
    [SunOS 5.10/bash] root@wgls01:/root
    # /usr/local/bin/ldapsearch -Z -H ldaps://wgtsinf01:1636 -v -d 65535
    ldap_initialize( ldaps://wgtsinf01:1636 )
    ldap_create
    ldap_url_parse_ext(ldaps://wgtsinf01:1636)
    ldap_extended_operation_s
    ldap_extended_operation
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP wgtsinf01:1636
    ldap_new_socket: 4
    ldap_prepare_socket: 4
    ldap_connect_to_host: Trying 10.64.47.50:1636
    ldap_connect_timeout: fd: 4 tm: -1 async: 0
    TLS trace: SSL_connect:before/connect initialization
    tls_write: want=124, written=124
      0000:  80 7a 01 03 01 00 51 00  00 00 20 00 00 39 00 00   .z....Q... ..9..
      0010:  38 00 00 35 00 00 16 00  00 13 00 00 0a 07 00 c0   8..5............
      0020:  00 00 33 00 00 32 00 00  2f 00 00 07 05 00 80 03   ..3..2../.......
      0030:  00 80 00 00 05 00 00 04  01 00 80 00 00 15 00 00   ................
      0040:  12 00 00 09 06 00 40 00  00 14 00 00 11 00 00 08   ......@.........
      0050:  00 00 06 04 00 80 00 00  03 02 00 80 5b ca 46 06   ............[.F.
      0060:  60 e0 bc 9e a2 af 25 a2  55 0a 53 e7 f0 1a fc 6e   `.....%.U.S....n
      0070:  c6 7b de f1 79 7e b1 ce  15 14 1a 8e               .{..y~......
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    tls_read: want=7, got=7
      0000:  16 03 01 03 b3 02 00                               .......
    tls_read: want=945, got=945
      0000:  00 46 03 01 46 b2 73 ba  42 d1 b3 35 54 a1 26 f8   .F..F.s.B..5T.&.
      0010:  76 87 77 90 c1 92 c3 e4  88 a0 47 bc cc 52 01 bb   v.w.......G..R..
      0020:  34 85 b1 2d 20 46 b2 73  ba cd 16 16 a6 e6 9a a3   4..- F.s........
      0030:  c2 af 1b 60 ed e7 0d ad  32 69 0d c3 41 64 31 4e   ...`....2i..Ad1N
      0040:  3e ff bd c4 0a 00 16 00  0b 00 01 ae 00 01 ab 00   >...............
      0050:  01 a8 30 82 01 a4 30 82  01 0d 02 04 46 ad 48 df   ..0...0.....F.H.
      0060:  30 0d 06 09 2a 86 48 86  f7 0d 01 01 04 05 00 30   0...*.H........0
      0070:  19 31 17 30 15 06 03 55  04 03 13 0e 77 67 74 73   .1.0...U....wgts
      0080:  69 6e 66 30 31 3a 31 33  38 39 30 1e 17 0d 30 37   inf01:13890...07
      0090:  30 37 33 30 30 32 31 31  34 33 5a 17 0d 30 39 30   0730021143Z..090
      00a0:  37 32 39 30 32 31 31 34  33 5a 30 19 31 17 30 15   729021143Z0.1.0.
      00b0:  06 03 55 04 03 13 0e 77  67 74 73 69 6e 66 30 31   ..U....wgtsinf01
      00c0:  3a 31 33 38 39 30 81 9f  30 0d 06 09 2a 86 48 86   :13890..0...*.H.
      00d0:  f7 0d 01 01 01 05 00 03  81 8d 00 30 81 89 02 81   ...........0....
      00e0:  81 00 a9 f7 de 93 85 50  13 6b a1 18 96 3d 00 2d   .......P.k...=.-
      00f0:  64 5d a9 65 72 33 c3 44  b6 1e 0e 6b b8 4b e0 a4   d].er3.D...k.K..
      0100:  0a 6b 7f 4f 1a ae f3 d7  8e ed 8e fd c7 d0 48 b1   .k.O..........H.
      0110:  f0 45 2d 74 52 a9 d1 fd  d4 89 ad 64 d9 82 6b e9   .E-tR......d..k.
      0120:  73 b1 55 cb 38 20 06 e6  4f a3 d3 f2 0b a1 5b 2e   s.U.8 ..O.....[.
      0130:  b4 43 bc 9a 93 e6 b7 47  dd 58 f2 cb 59 17 8a c0   .C.....G.X..Y...
      0140:  13 aa 8a 5f ef 11 33 c7  02 53 d8 b1 20 e3 5b 6d   ..._..3..S.. .[m
      0150:  4f ea 4f a6 9d 02 d2 39  69 ed e0 b9 70 d9 51 50   O.O....9i...p.QP
      0160:  4e 2b 02 03 01 00 01 30  0d 06 09 2a 86 48 86 f7   N+.....0...*.H..
      0170:  0d 01 01 04 05 00 03 81  81 00 02 d6 e1 3d f7 41   .............=.A
      0180:  64 69 c5 f3 b7 77 93 99  10 80 4d aa b9 1f 7a 28   di...w....M...z(
      0190:  c2 33 4e 42 d2 47 7c 53  00 6e 7d 13 3b e3 56 19   .3NB.G|S.n}.;.V.
      01a0:  35 93 4b 6d cd 4c 52 57  aa ba e2 f6 e0 46 a4 f2   5.Km.LRW.....F..
      01b0:  5c a7 be be b2 40 6f 9a  33 f0 dc b5 de 55 3c 8e   \[email protected]<.
      01c0:  2a 19 15 eb 6c 6f 03 ef  a5 c1 01 e3 d6 10 b7 64   *...lo.........d
      01d0:  7d dd 24 87 60 a7 e3 5f  24 a1 ea 0a 66 fa d4 49   }.$.`.._$...f..I
      01e0:  71 65 21 53 94 ad be 0c  b9 52 b6 78 67 87 b8 38   qe!S.....R.xg..8
      01f0:  11 59 b2 47 b6 c9 23 f8  d8 cc 0c 00 01 89 00 80   .Y.G..#.........
      0200:  f4 88 fd 58 4e 49 db cd  20 b4 9d e4 91 07 36 6b   ...XNI.. .....6k
      0210:  33 6c 38 0d 45 1d 0f 7c  88 b3 1c 7c 5b 2d 8e f6   3l8.E..|...|[-..
      0220:  f3 c9 23 c0 43 f0 a5 5b  18 8d 8e bb 55 8c b8 5d   ..#.C..[....U..]
      0230:  38 d3 34 fd 7c 17 57 43  a3 1d 18 6c de 33 21 2c   8.4.|.WC...l.3!,
      0240:  b5 2a ff 3c e1 b1 29 40  18 11 8d 7c 84 a7 0a 72   .*.<..)@...|...r
      0250:  d6 86 c4 03 19 c8 07 29  7a ca 95 0c d9 96 9f ab   .......)z.......
      0260:  d0 0a 50 9b 02 46 d3 08  3d 66 a4 5d 41 9f 9c 7c   ..P..F..=f.]A..|
      0270:  bd 89 4b 22 19 26 ba ab  a2 5e c3 55 e9 2f 78 c7   ..K".&...^.U./x.
      0280:  00 01 02 00 80 7c 11 c6  db 8a 23 1b 2d a3 e3 5d   .....|....#.-..]
      0290:  f0 30 4c 20 35 c1 95 fc  71 eb c2 92 00 02 a9 05   .0L 5...q.......
      02a0:  c5 10 4e 75 ef ca 35 aa  bb 38 14 fa 38 c3 71 e4   ..Nu..5..8..8.q.
      02b0:  16 a4 87 d5 2f e7 a5 7c  b4 b8 a0 ee cf 53 ab c2   ..../..|.....S..
      02c0:  6b f4 79 59 d5 f9 07 70  77 97 89 eb b6 c6 74 df   k.yY...pw.....t.
      02d0:  26 57 5c 42 1a 95 13 e3  c5 28 b7 6c c2 6f 2e 65   &W\B.....(.l.o.e
      02e0:  5d c3 c8 a9 cf 8e 09 cc  aa 42 eb f7 a7 3b c3 5d   ]........B...;.]
      02f0:  be cd e3 71 2b 46 a2 80  72 a3 48 ae 52 b4 ce c2   ...q+F..r.H.R...
      0300:  69 1f 40 e7 94 00 80 03  b2 a4 66 2f 34 c1 60 46   [email protected]/4.`F
      0310:  05 9d 83 7f f9 75 29 07  36 60 8b b0 ae 1c ce e8   .....u).6`......
      0320:  5f b4 0e 26 54 1c 31 b7  94 e2 58 6e 33 76 ce 19   _..&T.1...Xn3v..
      0330:  e0 07 f5 ca cc a9 d3 53  d5 22 4a 3a 31 15 f4 7e   .......S."J:1..~
      0340:  34 ba 3b 92 c0 ec 75 8e  0f d8 e4 44 23 91 70 cb   4.;...u....D#.p.
      0350:  d9 f9 40 ac 7c 0e 97 27  1d 24 b5 ff f2 13 bd 64   ..@.|..'.$.....d
      0360:  aa 10 40 1c 68 6f b2 87  14 c2 ef 88 bb 9c 88 24   [email protected].........$
      0370:  5f 6b 9e c5 2b fb c2 d1  b3 ce 6e 8d b7 57 bf 88   _k..+.....n..W..
      0380:  ee b9 fd d6 f3 a0 f3 0d  00 00 22 02 01 02 00 1d   ..........".....
      0390:  00 1b 30 19 31 17 30 15  06 03 55 04 03 13 0e 77   ..0.1.0...U....w
      03a0:  67 74 73 69 6e 66 30 31  3a 31 33 38 39 0e 00 00   gtsinf01:1389...
      03b0:  00                                                 .
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 0, err: 18, subject: /CN=wgtsinf01:1389, issuer: /CN=wgtsinf01:1389
    TLS certificate verification: Error, self signed certificate
    tls_write: want=7, written=7
      0000:  15 03 01 00 02 02 30                               ......0
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS: can't connect.
    ldap_perror
    ldap_start_tls: Can't contact LDAP server (-1)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    ldap_pvt_sasl_getmech
    ldap_search
    put_filter: "(objectclass=*)"
    put_filter: simple
    put_simple_filter: "objectclass=*"
    ldap_build_search_req ATTRS:
        supportedSASLMechanisms
    ldap_send_initial_request
    ldap_send_server_request
    ldap_perror
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
            additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Any ideas?
    Andreas

    Hello David,
    Let's follow your suggestion and try to make Solaris 10 use TLS:SIMPLE now. Sorry for the extremely long log entries, but I tried to capture everything during the authentication process.
    My client has an IP address of 10.64.47.11 and the DS server is using the IP address of 10.64.47.50.
    a) Sun native LDAP configurations:
    [SunOS 5.10/bash] root@wgls01:/var/ldap
    # ls -la *db
    -rw-r--r--   1 root     root       65536 Aug  8 14:46 cert8.db
    -rw-r--r--   1 root     root       32768 Aug  8 14:46 key3.db
    -rw-------   1 root     root       32768 Aug  2 16:56 secmod.db
    [SunOS 5.10/bash] root@wgls01:/var/ldap
    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=nz,dc=thenational,dc=com
    NS_LDAP_BINDPASSWD= {NS1}41fa88f3a945c411
    NS_LDAP_SERVERS= wgtsinf01.nz.thenational.com
    NS_LDAP_SEARCH_BASEDN= dc=nz,dc=thenational,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SERVER_PREF= wgtsinf01.nz.thenational.com
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= anonymous
    NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,dc=nz,dc=thenational,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=nz,dc=thenational,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=nz,dc=thenational,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=group,dc=nz,dc=thenational,dc=com?one
    NS_LDAP_BIND_TIME= 30
    b) Output from DSEE6.1 error log file:
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          

  • LDAP setup with SSL - Can't use tls auth type

    I'm trying to configure Solaris 10 to use LDAP against my OpenLDAP server with SSL, but whenever I try to set the authentication as tls:simple, it gives me an error:
    # ldapclient mod -a authenticationMethod=tls:simple
    Cannot specify LDAP port with tls
    # ldapclient mod -a authenticationMethod=tls
    Unable to set value: invalid authenticationMethod (tls)
    Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
    NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
    NS_LDAP_SERVERS= 10.10.1.14:636
    NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SERVER_PREF= 10.10.1.14:636
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
    Thanks,
    Jay

    When using TLS you have to specify the FQDN for the LDAP server, and the port is ALWAYS 636.
    Also, you need to set up your client to use the FQDN as well (/etc/hosts).

  • Ldap client in Solaris  using TLS

    I have installed an OpenLDAP server (version 2.2.13-2) on a Red Hat ES 4.
    My LDAP clients are
    - Linux (redhat and mandriva)
    - Solaris 8 (with the last recommended patch and the 10893-62 patch for ldapv2)
    - Tru64 (5.1B)
    If I use simple authentication all works fine (search in LDAP,
    authentication and automount).
    However, when I use TLS the Solaris LDAP client doesn't seem to work.
    When I run the LDAP client the process freezes.
    With my Linux and Tru64 clients all works fine using TLS.
    I have downloaded the certificates from my LDAP server using the Netscape browser.
    I have copied cert7.db and key3.db into the "/var/ldap" directory with a
    "chmod 644" on these files.
    I can do a "ldapsearch -x -ZZ objectclass=*" and this returns data.
    The last logs of the ldap_cachemgr are:
    Mon Nov 20 09:34:46.4425 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    If I do a truss when I launch the client, the
    result is this:
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    This is my ldap_client_file:
    # Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= srvldap
    NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 3600
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Users,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Users,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto_home:
    automountMapName=auto_home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto_master:
    automountMapName=auto_master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto.home:
    nisMapName=auto.home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto.master:
    nisMapName=auto.master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_BIND_TIME= 10
    I have launched ethereal to see the network communications between my Solaris 8 client and the LDAP server.
    With this configuration the Solaris box only communicates with the LDAP server using LDAP port 389 and not LDAPS port 636.
    I have done the same test with a Linux and a Tru64 box and they use LDAPS port 636 to communicate with my LDAP server.
    Does anyone have an idea how to get Solaris to use TLS/SSL?
    Thanks.

    LDAP Setup and Configuration Guide
    Solaris 8 2/04 Update Collection > LDAP Setup and Configuration Guide > 1. Overview > Solaris Name Services
    [http://docs.sun.com/app/docs/doc/806-5580/6jej518ou?l=en&a=view&q=solaris+8+ldap]
    Download this book in PDF (557 KB)
    [http://dlc.sun.com/pdf/806-5580/806-5580.pdf]
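    The two threads above fail on the same client-side rules that the first reply states: with a tls:* authentication method the Solaris client connects to port 636 by itself, so an NS_LDAP_SERVERS entry must not carry a :port suffix (that is what "Cannot specify LDAP port with tls" rejects), and the name listed must be the server's FQDN rather than an IP address or a short name such as "srvldap". The checker below is an added example, not code from either post or from Sun's ldapclient; it applies those two rules to an ldap_client_file. The three configurations are constructed from the posts (the bind password is a placeholder), and treating the FQDN rule as the name that is compared against the server certificate is the editor's reading of the reply, not something the posts state.

```python
import ipaddress
import re

# Constructed ldap_client_file contents, modelled on the two posts above.
# The first two are the failing configurations; the third is the shape the
# reply asks for (FQDNs, no :port, tls:simple for the service too).
CONFIG_WITH_PORT = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}placeholder
NS_LDAP_SERVERS= 10.10.1.14:636
NS_LDAP_SERVER_PREF= 10.10.1.14:636
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
"""

CONFIG_SHORT_NAME = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= srvldap
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
"""

CONFIG_OK = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap200.example.com, ldap201.example.com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVICE_AUTHENTICATION_METHOD= pam_ldap:tls:simple
"""


def parse_client_file(text):
    """Parse 'NS_LDAP_KEY= value' lines into {key: [values]}; keys may repeat."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def uses_tls(settings):
    """True if the global or any per-service authentication method is tls:..."""
    methods = list(settings.get("NS_LDAP_AUTH", []))
    for svc in settings.get("NS_LDAP_SERVICE_AUTHENTICATION_METHOD", []):
        # per-service form is service:method, e.g. pam_ldap:tls:simple
        methods.append(svc.partition(":")[2])
    return any(m.startswith("tls:") for m in methods)


def check_server_entry(entry):
    """Problems with one server entry when a tls:* method is in use.
    IPv6 literals are not handled; they fail the FQDN rule in any case."""
    problems = []
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        problems.append(f"{entry}: port given; with tls the client uses 636 itself")
        entry = host
    try:
        ipaddress.ip_address(entry)
        problems.append(f"{entry}: IP address; use the server's FQDN")
        return problems
    except ValueError:
        pass
    if "." not in entry:
        problems.append(f"{entry}: short hostname; use the server's FQDN")
    return problems


def check_tls_config(text):
    """Return a list of problems; empty means the tls rules are satisfied
    (or no tls method is configured, in which case the rules do not apply)."""
    settings = parse_client_file(text)
    if not uses_tls(settings):
        return []
    problems = []
    for key in ("NS_LDAP_SERVERS", "NS_LDAP_SERVER_PREF"):
        for value in settings.get(key, []):
            for entry in re.split(r"[,\s]+", value):
                if entry:
                    problems.extend(check_server_entry(entry))
    return problems


if __name__ == "__main__":
    for name, cfg in (("with-port", CONFIG_WITH_PORT),
                      ("short-name", CONFIG_SHORT_NAME), ("ok", CONFIG_OK)):
        print(name, check_tls_config(cfg) or "no problems")
```

    Run it against the output of "ldapclient list" before switching a profile to tls:simple; a non-empty result is the configuration that will either be rejected by ldapclient or, as in the Solaris 8 thread, silently leave the client on port 389.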

  • Using tls:sasl/DIGEST-MD5 with client authentication

    Hi
    I have installed a certificate on the server and enabled it. Using Netscape I got the cert7.db and key3.db.
    These work with ldapsearch with the -Z -p options to get data securely through port 636.
    But when I copy the db files to /var/ldap on the Solaris 8 client, and use a profile with tls:sasl/DIGEST-MD5 or tls:simple,
    I get:
    Mesg: Session error, no available connection. And openConnection: sasl/DIGEST-MD5 (or simple) bind failed - Invalid credentials.
    Must I use Certificate based Authentication instead?
    Like the proxyagent must have a certificate installed. Or is there something that must be done to the cert7.db and key3.db files I got from Netscape?

    I'm trying to get sasl/DIGEST-MD5 to work with a Solaris 9 client. This command works:
    ldapsearch -D "" -w test1234 -o mech=DIGEST-MD5 -o authid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -o authzid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -b "dc=net2,dc=kongsberg,dc=com" "(objectclass=*)"
    Client configured with this:
    ldapclient -v init -a profileName=default -a domainName=net2.kongsberg.com -a proxyDN="cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -a proxyPassword=test1234 172.18.2.19
    Profile:
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com
    NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
    NS_LDAP_SERVERS= 172.18.2.19
    NS_LDAP_SEARCH_BASEDN= dc=net2,dc=kongsberg,dc=com
    NS_LDAP_AUTH= sasl/DIGEST-MD5
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_PROFILE= default
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 10
    messages log on client:
    Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: sasl/DIGEST-MD5 bind failed - Invalid credentials
    Jan 14 08:00:32 panzer last message repeated 1 time
    Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 7 Mesg: Session error no available conn.
    error log on server:
    [14/Jan/2004:08:06:47 +0100] conn=1622 op=2 msgId=-1 - closing - U1
    [14/Jan/2004:08:06:47 +0100] conn=1623 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.18.2.41 to 172.18.2.19
    [14/Jan/2004:08:06:47 +0100] conn=1622 op=-1 msgId=-1 - closed.
    [14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
    [14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
    [14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
    Not sure why I get Invalid credentials, the passwords
    are stored in CLEAR. And you can see I use the same in ldapsearch and ldapclient.
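    The server log above shows the shape of the exchange being debugged: the first BIND returns err=14 (SASL bind in progress) while the server issues its challenge, and the second BIND carries the client's digest and returns err=49. The server can only judge that digest by recomputing it from the password it stores, which is why the post points out that the passwords are kept in CLEAR. The code below is an added example, not code from the post or from Sun's libsldap; it carries out the RFC 2831 DIGEST-MD5 computation on both sides with a constructed challenge so that a mismatch can be reproduced offline. The user name, realm, nonce, digest-uri and password are made up for the example.

```python
import hashlib
import os

# Constructed values standing in for the server's challenge and the proxy
# agent's credentials; none of these come from the post's logs.
REALM = "ldap.example.com"
USERNAME = "proxyagent"
PASSWORD = "test1234"              # what the directory must hold in clear
SERVER_NONCE = "c2FtcGxlLW5vbmNl"  # a real server randomises this per challenge
DIGEST_URI = "ldap/ldap.example.com"


def _md5(data):
    return hashlib.md5(data).digest()


def _hexmd5(data):
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, nonce, cnonce, nc,
                    qop="auth", digest_uri=DIGEST_URI, authzid=None):
    """RFC 2831 response-value.  The inner H(user:realm:pass) is the raw
    16-byte digest, not its hex form; getting that wrong produces
    'Invalid credentials' even when the password is right."""
    a1 = (_md5(f"{username}:{realm}:{password}".encode())
          + f":{nonce}:{cnonce}".encode())
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    kd_input = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2)}"
    return _hexmd5(kd_input.encode())


def client_bind_response(password, nonce, authzid=None):
    """Client side: answer the challenge.  Returns the directives the second
    BIND would carry (the same values the server needs to recompute)."""
    cnonce = os.urandom(16).hex()
    nc = "00000001"
    fields = dict(username=USERNAME, realm=REALM, nonce=nonce, cnonce=cnonce,
                  nc=nc, qop="auth", digest_uri=DIGEST_URI)
    if authzid:
        fields["authzid"] = authzid
    fields["response"] = digest_response(USERNAME, REALM, password, nonce,
                                         cnonce, nc, authzid=authzid)
    return fields


def server_verify(fields, stored_password):
    """Server side: recompute from the cleartext password it stores.  A
    server holding only a one-way hash of the password cannot do this."""
    expected = digest_response(fields["username"], fields["realm"],
                               stored_password, fields["nonce"],
                               fields["cnonce"], fields["nc"],
                               qop=fields["qop"],
                               digest_uri=fields["digest_uri"],
                               authzid=fields.get("authzid"))
    return expected == fields["response"]


if __name__ == "__main__":
    reply = client_bind_response(PASSWORD, SERVER_NONCE,
                                 authzid="dn:cn=proxyagent,ou=profile,dc=example,dc=com")
    print("server accepts:", server_verify(reply, PASSWORD))
    print("wrong password:", server_verify(reply, "nottheone"))
```

    Two things in this computation are worth checking against a failing bind: the authzid, when the client sends one, is folded into A1, so client and server must agree on exactly the same authorization string, and the realm the client picks must be one the server offered in its challenge.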

  • Solaris 10 - ldap client - tls/ssl - password change

    We have configured Solaris 10 as an LDAP client to Sun Directory Server 6.3.1. On enabling tls:simple, the password change operation fails with the following error message.
    passwd -r user1
    passwd: Changing password for user1
    passwd: Sorry, wrong passwd
    Permission denied
    where user1 is only in LDAP and not a local Unix user. This function works if the authentication mechanism is just simple, but on enabling tls:simple we get the error message.
    Any ideas will be highly appreciated.

    Not that it helps any, but I am getting this same error. I am also using 6.3.1.

  • Dsee 6.2, idsconfig, vlv index processing problems

    Hey Folks,
    I ran into a problem where the idsconfig script failed on creating 4 vlvindex entries. I had to modify the script to allow me to troubleshoot the problem. I ended up fixing the problem manually, but I'm still not too sure why it happened to begin with. It seems like a race condition, but I could be dead wrong. I thought it might have been the way I answered the idsconfig questions, but I went over it quite a bit. This post may be a bit long, but I want to provide enough information.
    - Solaris 10 08/07 fully patched (using smpatch) as of 1/10/2008
    - DSEE 6.2
    - idsconfig that comes bundled with Solaris 10 08/07
    - All this is being done inside a logical domain (ldom) on a T2000 using a file image as a disk
    The first thing I did was make the following modifications to the idsconfig script so it would not exit on error while adding vlv index entries, and also comment out the cleanup process so I could view the temp files created by idsconfig.
    Original Code from the add_vlv_indexes() function:
             # Add the index.
             ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
             if [ $? -ne 0 ]; then
                 ${ECHO} "  ERROR: Adding VLV index for ${i} failed!"
                 cleanup
                 exit 1
             fi
    Same code, after my modifications:
             # Add the index.
             ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
             if [ $? -ne 0 ]; then
                 ${ECHO} "  ERROR: Adding VLV index for ${i} failed!"
                 #cleanup
                 #exit 1
             fi
    Here is the full output of the way I used idsconfig to configure the directory:
    It is strongly recommended that you BACKUP the directory server
    before running idsconfig.
    Hit Ctrl-C at any time before the final confirmation to exit.
    Do you wish to continue with server setup (y/n/h)? [n] y
    Enter the JES Directory Server's  hostname to setup: machinename-ldom1
    Enter the port number for iDS (h=help): [389]
    Enter the directory manager DN: [cn=Directory Manager]    
    Enter passwd for cn=Directory Manager :
    Enter the domainname to be served (h=help): [example.edu]
    Enter LDAP Base DN (h=help): [dc=example,dc=edu]
      Checking LDAP Base DN ...
      Validating LDAP Base DN and Suffix ...
      sasl/GSSAPI is not supported by this LDAP server
    Enter the profile name (h=help): [default]
    Default server list (h=help): [10.1.8.15]
    Preferred server list (h=help):
    Choose desired search scope (one, sub, h=help):  [one]
    The following are the supported credential levels:
      1  anonymous
      2  proxy
      3  proxy anonymous
      4  self
      5  self proxy
      6  self proxy anonymous
    Choose Credential level [h=help]: [1] 2
    The following are the supported Authentication Methods:
      1  none
      2  simple
      3  sasl/DIGEST-MD5
      4  tls:simple
      5  tls:sasl/DIGEST-MD5
      6  sasl/GSSAPI
    Choose Authentication Method (h=help): [1] 2
    Current authenticationMethod: simple
    Do you want to add another Authentication Method? n
    Do you want the clients to follow referrals (y/n/h)? [n]
    Do you want to modify the server timelimit value (y/n/h)? [n]
    Do you want to modify the server sizelimit value (y/n/h)? [n]
    Do you want to store passwords in "crypt" format (y/n/h)? [n]
    Do you want to setup a Service Authentication Methods (y/n/h)? [n] y
    Do you want to setup a Service Auth. Method for "pam_ldap" (y/n/h)? [n] y
    The following are the supported Authentication Methods:
      1  simple
      2  sasl/DIGEST-MD5
      3  tls:simple
      4  tls:sasl/DIGEST-MD5
      5  sasl/GSSAPI
    Choose Service Authentication Method: [1] 1
    Current authenticationMethod: pam_ldap:simple
    Do you want to add another Authentication Method? n
    Do you want to setup a Service Auth. Method for "keyserv" (y/n/h)? [n]
    Do you want to setup a Service Auth. Method for "passwd-cmd" (y/n/h)? [n] y
    The following are the supported Authentication Methods:
      1  simple
      2  sasl/DIGEST-MD5
      3  tls:simple
      4  tls:sasl/DIGEST-MD5
      5  sasl/GSSAPI
    Choose Service Authentication Method: [1] 1
    Current authenticationMethod: passwd-cmd:simple
    Do you want to add another Authentication Method? n
    Client search time limit in seconds (h=help): [30]
    Profile Time To Live in seconds (h=help): [43200]
    Bind time limit in seconds (h=help): [10]
    Do you wish to setup Service Search Descriptors (y/n/h)? [n] n
                      Summary of Configuration
      1  Domain to serve               : example.edu
      2  Base DN to setup              : dc=example,dc=edu
      3  Profile name to create        : default
      4  Default Server List           : 10.1.8.15
      5  Preferred Server List         :
      6  Default Search Scope          : one
      7  Credential Level              : proxy
      8  Authentication Method         : simple
      9  Enable Follow Referrals       : FALSE
    10  iDS Time Limit                :
    11  iDS Size Limit                :
    12  Enable crypt password storage : FALSE
    13  Service Auth Method pam_ldap  : pam_ldap:simple
    14  Service Auth Method keyserv   :
    15  Service Auth Method passwd-cmd: passwd-cmd:simple
    16  Search Time Limit             : 30
    17  Profile Time to Live          : 43200
    18  Bind Limit                    : 10
    19  Service Search Descriptors Menu
    Enter config value to change: (1-19 0=commit changes) [0]
    Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=edu] uid=admin-user,ou=People,dc=example,dc=edu
    Enter passwd for proxyagent:
    Re-enter passwd:
    ERROR: passwords don't match; try again.
    Enter passwd for proxyagent:
    Re-enter passwd:
    WARNING: About to start committing changes. (y=continue, n=EXIT) y
      1. Schema attributes have been updated.
      2. Schema objectclass definitions have been added.
      3. NisDomainObject added to dc=example,dc=edu.
      4. Top level "ou" containers complete.
      5. automount maps: auto_home auto_direct auto_master auto_shared processed.
      6. ACI for dc=example,dc=edu modified to disable self modify.
      7. Add of VLV Access Control Information (ACI).
      8. Proxy Agent uid=admin-user,ou=People,dc=example,dc=edu already exists.
      9. Give uid=admin-user,ou=People,dc=example,dc=edu read permission for password.
      10. Generated client profile and loaded on server.
      11. Processing eq,pres indexes:
              uidNumber (eq,pres)   Finished indexing.
              ipNetworkNumber (eq,pres)   Finished indexing.
              gidnumber (eq,pres)   Finished indexing.
              oncrpcnumber (eq,pres)   Finished indexing.
              automountKey (eq,pres)   Finished indexing.
      12. Processing eq,pres,sub indexes:
              ipHostNumber (eq,pres,sub)   Finished indexing.
              membernisnetgroup (eq,pres,sub)   Finished indexing.
              nisnetgrouptriple (eq,pres,sub)   Finished indexing.
      13. Processing VLV indexes:
              example.edu.getgrent vlv_index   Entry created
              example.edu.gethostent vlv_index   Entry created
              example.edu.getnetent vlv_index   Entry created
      ERROR: Adding VLV index for example.edu.getpwent failed!
              example.edu.getpwent vlv_index   Entry created
              example.edu.getrpcent vlv_index   Entry created
      ERROR: Adding VLV index for example.edu.getspent failed!
              example.edu.getspent vlv_index   Entry created
              example.edu.getauhoent vlv_index   Entry created
      ERROR: Adding VLV index for example.edu.getsoluent failed!
              example.edu.getsoluent vlv_index   Entry created
      ERROR: Adding VLV index for example.edu.getauduent failed!
              example.edu.getauduent vlv_index   Entry created
              example.edu.getauthent vlv_index   Entry created
              example.edu.getexecent vlv_index   Entry created
              example.edu.getprofent vlv_index   Entry created
              example.edu.getmailent vlv_index   Entry created
              example.edu.getbootent vlv_index   Entry created
              example.edu.getethent vlv_index   Entry created
              example.edu.getngrpent vlv_index   Entry created
              example.edu.getipnent vlv_index   Entry created
              example.edu.getmaskent vlv_index   Entry created
              example.edu.getprent vlv_index   Entry created
              example.edu.getip4ent vlv_index   Entry created
              example.edu.getip6ent vlv_index   Entry created
    idsconfig: Setup of iDS server machinename-ldom1 is complete.
    Note: idsconfig has created entries for VLV indexes.  Use the
              directoryserver(1m) script on machinename-ldom1 to stop
              the server and then enter the following vlvindex
              sub-commands to create the actual VLV indexes:
      directoryserver -s inst_name vlvindex -n example -T example.edu.getgrent
      directoryserver -s inst_name vlvindex -n example -T example.edu.gethostent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getnetent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getpwent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getrpcent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getspent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getauhoent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getsoluent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getauduent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getauthent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getexecent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getprofent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getmailent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getbootent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getethent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getngrpent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getipnent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getmaskent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getprent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getip4ent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getip6ent
    Since I still had the temp files to look through I was able to find out what entries were not created, and manually added them myself without problems.
    The four entries were:
      ERROR: Adding VLV index for example.edu.getpwent failed!
      ERROR: Adding VLV index for example.edu.getspent failed!
      ERROR: Adding VLV index for example.edu.getsoluent failed!
      ERROR: Adding VLV index for example.edu.getauduent failed!
    I then was able to run the following commands successfully:
    dsadm reindex -l -t example.edu.getgrent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.gethostent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getnetent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getrpcent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getspent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getauhoent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getauhoent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getsoluent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getauhoent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getauduent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getauthent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getexecent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getprofent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getmailent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getbootent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getethent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getngrpent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getipnent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getmaskent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getprent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getip4ent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    dsadm reindex -l -t example.edu.getip6ent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    I'm really not sure why I ran into this problem, and was hoping someone would be able to shine some light on something that I possibly could have done wrong. I have read blogs about others running this script on dsee 6.x successfully, so thinking it's a bug doesn't seem right.
    If anyone wants me to test something or provide more info, I'd be happy to.
    Thanks for reading,
    Deejam
    Edited by: Deejam on Jan 14, 2008 3:44 PM
    Edited by: Deejam on Jan 14, 2008 7:57 PM
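The post above had to fall back on idsconfig's temp files to work out which VLV index entries were never created. The same answer can be read out of the Directory Server access log, because idsconfig first searches for each vlvIndex entry (SRCH, err=32 when it is absent), then adds the parent vlvSearch entry and the child vlvIndex entry. The script below is an added example written for this thread, not Deejam's code and not part of idsconfig or DSEE: it pairs every SRCH/ADD operation with its RESULT line(s) by (conn, op) and reports vlvIndex DNs that were probed but never successfully added, plus parent ADDs whose first RESULT was err=32 (noSuchObject). It assumes the access-log line format pasted later in this thread; the sample lines are copied from that paste and cover one map that succeeded (group) and one that did not (passwd).

```python
"""Find VLV index entries that idsconfig probed but never created, from the DSEE access log.

Added example for this thread (not Deejam's code, not part of idsconfig or DSEE).
Assumes the access-log format shown in the thread; the sample lines are copied from it.
"""
import re
from collections import defaultdict

# One access-log line: timestamp, conn, op, msgId, then the operation or RESULT text.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) '
    r'msgId=(?P<msg>-?\d+) - (?P<rest>.*)$'
)
# SRCH lines carry base="...", ADD lines carry dn="...".
DN_RE = re.compile(r'(?:dn|base)="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')

NO_SUCH_OBJECT = 32  # LDAP result code: the entry (for ADD, its parent) does not exist

# Constructed sample, copied from the access-log lines pasted in this thread:
# the group map (conn=108/109) succeeded, the passwd map (conn=114/115) did not.
SAMPLE_LOG = [
    '[14/Jan/2008:14:34:33 -0600] conn=108 op=0 msgId=1 - SRCH base="cn=example.edu.getgrent,cn=example.edu_group_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL',
    '[14/Jan/2008:14:34:33 -0600] conn=108 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0',
    '[14/Jan/2008:14:34:33 -0600] conn=109 op=1 msgId=2 - ADD dn="cn=example.edu_group_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"',
    '[14/Jan/2008:14:34:33 -0600] conn=109 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0',
    '[14/Jan/2008:14:34:33 -0600] conn=109 op=2 msgId=3 - ADD dn="cn=example.edu.getgrent,cn=example.edu_group_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"',
    '[14/Jan/2008:14:34:34 -0600] conn=109 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=1',
    '[14/Jan/2008:14:34:34 -0600] conn=114 op=0 msgId=1 - SRCH base="cn=example.edu.getpwent,cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL',
    '[14/Jan/2008:14:34:34 -0600] conn=114 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0',
    '[14/Jan/2008:14:34:34 -0600] conn=115 op=1 msgId=2 - ADD dn="cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"',
    '[14/Jan/2008:14:34:34 -0600] conn=115 op=1 msgId=2 - RESULT err=32 tag=105 nentries=0 etime=0',
    '[14/Jan/2008:14:34:34 -0600] conn=115 op=2 msgId=3 - UNBIND',
    '[14/Jan/2008:14:34:35 -0600] conn=115 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=1',
]


def parse_access_log(lines):
    """Return ([(conn, op, kind, dn), ...], {(conn, op): [err, ...]}).

    kind is 'SRCH' or 'ADD'. Result codes are kept in log order, so an
    operation that was logged twice (as conn=115 op=1 is) keeps both codes.
    """
    ops = []
    results = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log line; skip
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        r = RESULT_RE.match(rest)
        if r:
            results[key].append(int(r['err']))
            continue
        kind = rest.split(' ', 1)[0]
        if kind in ('SRCH', 'ADD'):
            d = DN_RE.search(rest)
            ops.append((key[0], key[1], kind, d['dn'] if d else ''))
    return ops, results


def find_missing_vlv_indexes(lines):
    """Return the DNs that were probed with SRCH but never ADDed with a first RESULT of err=0."""
    ops, results = parse_access_log(lines)
    probed = []        # SRCH bases, in order of first appearance
    added_ok = set()   # DNs whose ADD succeeded on the first RESULT
    for conn, op, kind, dn in ops:
        errs = results.get((conn, op), [])
        if kind == 'SRCH' and dn and dn not in probed:
            probed.append(dn)
        elif kind == 'ADD' and errs and errs[0] == 0:
            added_ok.add(dn)
    return [dn for dn in probed if dn not in added_ok]


def find_parent_add_failures(lines):
    """Return (dn, [err codes]) for ADD operations whose first RESULT was noSuchObject."""
    ops, results = parse_access_log(lines)
    return [(dn, results[(conn, op)])
            for conn, op, kind, dn in ops
            if kind == 'ADD' and results.get((conn, op), [None])[0] == NO_SUCH_OBJECT]


if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.readlines()
    for dn in find_missing_vlv_indexes(lines):
        print("never created:", dn)
    for dn, errs in find_parent_add_failures(lines):
        print("ADD of parent returned", errs, "for", dn)
```

Pipe the real access log into the script (`python3 vlv_log_check.py < access`) to get the list of vlvIndex DNs to add by hand; with no input it runs on the embedded sample and reports the passwd index. The second function exists because of the oddity visible in the thread's log: the parent ADD on conn=115 op=1 is logged first with err=32 and again, after the UNBIND, with err=0, so keying results by (conn, op) and keeping every code makes that double RESULT visible instead of silently taking the last one.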

    Thanks for the response. Sorry about not including the logs. I should have. I have gathered the full logs during the time idsconfig was trying to add the vlvindex entries. I did see that there were a few err=32 codes on the ADD operations on the entries that I had to add manually.
    Here is one thing I did notice when I was adding the 4 entries manually. In each of the ldif files idsconfig creates, there are 2 entries as in the following example.
    dn: cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config
    objectClass: top
    objectClass: vlvSearch
    cn: example.edu_passwd_vlv_index
    vlvbase: ou=people,dc=example,dc=edu
    vlvscope: 1
    vlvfilter: (objectClass=posixAccount)
    aci: (target="ldap:///cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)
    dn: cn=example.edu.getpwent,cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config
    cn: example.edu.getpwent
    vlvSort: cn uid
    objectclass: top
    objectclass: vlvIndex
    After idsconfig was done running the entry with the dn of "dn: cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" was created, but the "dn: cn=example.edu.getpwent,cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm" was not created.
    This is weird because according to the logs (if I am reading them right) the add operation for the dn that was actually created seemed like it failed.
    [14/Jan/2008:14:34:34 -0600] conn=115 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33406 to 192.168.1.1
    [14/Jan/2008:14:34:34 -0600] conn=115 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:34 -0600] conn=115 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:34 -0600] conn=115 op=1 msgId=2 - ADD dn="cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:34 -0600] conn=115 op=1 msgId=2 - RESULT err=32 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=115 op=2 msgId=3 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=115 op=2 msgId=-1 - closing from 192.168.1.1:33406 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:35 -0600] conn=115 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=1
    [14/Jan/2008:14:34:35 -0600] conn=115 op=-1 msgId=-1 - closed.
    So in fixing it manually I just fed an ldif file that looked like the following:
    dn: cn=example.edu.getpwent,cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config
    changetype: add
    cn: example.edu.getpwent
    vlvSort: cn uid
    objectclass: top
    objectclass: vlvIndex
    Thanks again for the help, and as mentioned before, I will be happy to test, or provide more information,
    Deejam
    Here are the logs as mentioned above.
    [14/Jan/2008:14:34:33 -0600] conn=108 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33399 to 192.168.1.1
    [14/Jan/2008:14:34:33 -0600] conn=108 op=0 msgId=1 - SRCH base="cn=example.edu.getgrent,cn=example.edu_group_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:33 -0600] conn=108 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:33 -0600] conn=108 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:33 -0600] conn=108 op=1 msgId=-1 - closing from 192.168.1.1:33399 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:33 -0600] conn=109 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33400 to 192.168.1.1
    [14/Jan/2008:14:34:33 -0600] conn=108 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:33 -0600] conn=109 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:33 -0600] conn=109 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:33 -0600] conn=109 op=1 msgId=2 - ADD dn="cn=example.edu_group_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:33 -0600] conn=109 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:33 -0600] conn=109 op=2 msgId=3 - ADD dn="cn=example.edu.getgrent,cn=example.edu_group_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:34 -0600] conn=109 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=1
    [14/Jan/2008:14:34:34 -0600] conn=109 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=109 op=3 msgId=-1 - closing from 192.168.1.1:33400 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:34 -0600] conn=110 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33401 to 192.168.1.1
    [14/Jan/2008:14:34:34 -0600] conn=109 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:34 -0600] conn=110 op=0 msgId=1 - SRCH base="cn=example.edu.gethostent,cn=example.edu_hosts_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:34 -0600] conn=110 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=110 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=110 op=1 msgId=-1 - closing from 192.168.1.1:33401 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:34 -0600] conn=111 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33402 to 192.168.1.1
    [14/Jan/2008:14:34:34 -0600] conn=110 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:34 -0600] conn=111 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:34 -0600] conn=111 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:34 -0600] conn=111 op=1 msgId=2 - ADD dn="cn=example.edu_hosts_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:34 -0600] conn=111 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=111 op=2 msgId=3 - ADD dn="cn=example.edu.gethostent,cn=example.edu_hosts_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:34 -0600] conn=111 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=111 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=111 op=3 msgId=-1 - closing from 192.168.1.1:33402 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:34 -0600] conn=112 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33403 to 192.168.1.1
    [14/Jan/2008:14:34:34 -0600] conn=111 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:34 -0600] conn=112 op=0 msgId=1 - SRCH base="cn=example.edu.getnetent,cn=example.edu_networks_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:34 -0600] conn=112 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=112 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=112 op=1 msgId=-1 - closing from 192.168.1.1:33403 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:34 -0600] conn=113 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33404 to 192.168.1.1
    [14/Jan/2008:14:34:34 -0600] conn=112 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:34 -0600] conn=113 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:34 -0600] conn=113 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:34 -0600] conn=113 op=1 msgId=2 - ADD dn="cn=example.edu_networks_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:34 -0600] conn=113 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=113 op=2 msgId=3 - ADD dn="cn=example.edu.getnetent,cn=example.edu_networks_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:34 -0600] conn=113 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=113 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=113 op=3 msgId=-1 - closing from 192.168.1.1:33404 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:34 -0600] conn=114 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33405 to 192.168.1.1
    [14/Jan/2008:14:34:34 -0600] conn=113 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:34 -0600] conn=114 op=0 msgId=1 - SRCH base="cn=example.edu.getpwent,cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:34 -0600] conn=114 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=114 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=114 op=1 msgId=-1 - closing from 192.168.1.1:33405 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:34 -0600] conn=115 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33406 to 192.168.1.1
    [14/Jan/2008:14:34:34 -0600] conn=114 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:34 -0600] conn=115 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:34 -0600] conn=115 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:34 -0600] conn=115 op=1 msgId=2 - ADD dn="cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:34 -0600] conn=115 op=1 msgId=2 - RESULT err=32 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=115 op=2 msgId=3 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=115 op=2 msgId=-1 - closing from 192.168.1.1:33406 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:35 -0600] conn=115 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=1
    [14/Jan/2008:14:34:35 -0600] conn=116 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33407 to 192.168.1.1
    [14/Jan/2008:14:34:35 -0600] conn=115 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:35 -0600] conn=116 op=0 msgId=1 - SRCH base="cn=example.edu.getrpcent,cn=example.edu_rpc_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:35 -0600] conn=116 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=116 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:35 -0600] conn=116 op=1 msgId=-1 - closing from 192.168.1.1:33407 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:35 -0600] conn=117 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33408 to 192.168.1.1
    [14/Jan/2008:14:34:35 -0600] conn=116 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:35 -0600] conn=117 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:35 -0600] conn=117 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:35 -0600] conn=117 op=1 msgId=2 - ADD dn="cn=example.edu_rpc_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:35 -0600] conn=117 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=117 op=2 msgId=3 - ADD dn="cn=example.edu.getrpcent,cn=example.edu_rpc_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:35 -0600] conn=117 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=117 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:35 -0600] conn=117 op=3 msgId=-1 - closing from 192.168.1.1:33408 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:35 -0600] conn=118 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33409 to 192.168.1.1
    [14/Jan/2008:14:34:35 -0600] conn=117 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:35 -0600] conn=118 op=0 msgId=1 - SRCH base="cn=example.edu.getspent,cn=example.edu_shadow_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:35 -0600] conn=118 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=118 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:35 -0600] conn=118 op=1 msgId=-1 - closing from 192.168.1.1:33409 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:35 -0600] conn=119 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33410 to 192.168.1.1
    [14/Jan/2008:14:34:35 -0600] conn=118 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:35 -0600] conn=119 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:35 -0600] conn=119 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:35 -0600] conn=119 op=1 msgId=2 - ADD dn="cn=example.edu_shadow_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:35 -0600] conn=119 op=1 msgId=2 - RESULT err=32 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=119 op=2 msgId=3 - UNBIND
    [14/Jan/2008:14:34:35 -0600] conn=119 op=2 msgId=-1 - closing from 192.168.1.1:33410 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:35 -0600] conn=119 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=120 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33411 to 192.168.1.1
    [14/Jan/2008:14:34:35 -0600] conn=119 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:35 -0600] conn=120 op=0 msgId=1 - SRCH base="cn=example.edu.getauhoent,cn=example.edu_auho_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:35 -0600] conn=120 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=120 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:35 -0600] conn=120 op=1 msgId=-1 - closing from 192.168.1.1:33411 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:35 -0600] conn=121 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33412 to 192.168.1.1
    [14/Jan/2008:14:34:35 -0600] conn=120 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:35 -0600] conn=121 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:35 -0600] conn=121 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:35 -0600] conn=121 op=1 msgId=2 - ADD dn="cn=example.edu_auho_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:35 -0600] conn=121 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=121 op=2 msgId=3 - ADD dn="cn=example.edu.getauhoent,cn=example.edu_auho_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:35 -0600] conn=121 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:35 -0600] conn=121 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:35 -0600] conn=121 op=3 msgId=-1 - closing from 192.168.1.1:33412 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:36 -0600] conn=122 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33413 to 192.168.1.1
    [14/Jan/2008:14:34:36 -0600] conn=121 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:36 -0600] conn=122 op=0 msgId=1 - SRCH base="cn=example.edu.getsoluent,cn=example.edu_solu_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:36 -0600] conn=122 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=122 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:36 -0600] conn=122 op=1 msgId=-1 - closing from 192.168.1.1:33413 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:36 -0600] conn=123 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33414 to 192.168.1.1
    [14/Jan/2008:14:34:36 -0600] conn=122 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:36 -0600] conn=123 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:36 -0600] conn=123 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:36 -0600] conn=123 op=1 msgId=2 - ADD dn="cn=example.edu_solu_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:36 -0600] conn=123 op=1 msgId=2 - RESULT err=32 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=123 op=2 msgId=3 - UNBIND
    [14/Jan/2008:14:34:36 -0600] conn=123 op=2 msgId=-1 - closing from 192.168.1.1:33414 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:36 -0600] conn=123 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=124 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33415 to 192.168.1.1
    [14/Jan/2008:14:34:36 -0600] conn=123 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:36 -0600] conn=124 op=0 msgId=1 - SRCH base="cn=example.edu.getauduent,cn=example.edu_audu_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:36 -0600] conn=124 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=124 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:36 -0600] conn=124 op=1 msgId=-1 - closing from 192.168.1.1:33415 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:36 -0600] conn=125 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33416 to 192.168.1.1
    [14/Jan/2008:14:34:36 -0600] conn=124 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:36 -0600] conn=125 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:36 -0600] conn=125 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:36 -0600] conn=125 op=1 msgId=2 - ADD dn="cn=example.edu_audu_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:36 -0600] conn=125 op=1 msgId=2 - RESULT err=32 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=125 op=2 msgId=3 - UNBIND
    [14/Jan/2008:14:34:36 -0600] conn=125 op=2 msgId=-1 - closing from 192.168.1.1:33416 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:36 -0600] conn=125 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=126 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33417 to 192.168.1.1
    [14/Jan/2008:14:34:36 -0600] conn=125 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:36 -0600] conn=126 op=0 msgId=1 - SRCH base="cn=example.edu.getauthent,cn=example.edu_auth_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:36 -0600] conn=126 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=126 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:36 -0600] conn=126 op=1 msgId=-1 - closing from 192.168.1.1:33417 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:36 -0600] conn=127 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33418 to 192.168.1.1
    [14/Jan/2008:14:34:36 -0600] conn=126 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:36 -0600] conn=127 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:36 -0600] conn=127 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:36 -0600] conn=127 op=1 msgId=2 - ADD dn="cn=example.edu_auth_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:36 -0600] conn=127 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=127 op=2 msgId=3 - ADD dn="cn=example.edu.getauthent,cn=example.edu_auth_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:36 -0600] conn=127 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=127 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:36 -0600] conn=127 op=3 msgId=-1 - closing from 192.168.1.1:33418 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:36 -0600] conn=128 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33419 to 192.168.1.1
    [14/Jan/2008:14:34:36 -0600] conn=127 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:36 -0600] conn=128 op=0 msgId=1 - SRCH base="cn=example.edu.getexecent,cn=example.edu_exec_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:36 -0600] conn=128 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:36 -0600] conn=128 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:36 -0600] conn=128 op=1 msgId=-1 - closing from 192.168.1.1:33419 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:37 -0600] conn=129 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33420 to 192.168.1.1
    [14/Jan/2008:14:34:37 -0600] conn=128 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:37 -0600] conn=129 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:37 -0600] conn=129 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:37 -0600] conn=129 op=1 msgId=2 - ADD dn="cn=example.edu_exec_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:37 -0600] conn=129 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:37 -0600] conn=129 op=2 msgId=3 - ADD dn="cn=example.edu.getexecent,cn=example.edu_exec_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:37 -0600] conn=129 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:37 -0600] conn=129 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:37 -0600] conn=129 op=3 msgId=-1 - closing from 192.168.1.1:33420 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:37 -0600] conn=130 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33421 to 192.168.1.1
    [14/Jan/2008:14:34:37 -0600] conn=129 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:37 -0600] conn=130 op=0 msgId=1 - SRCH base="cn=example.edu.getprofent,cn=example.edu_prof_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:37 -0600] conn=130 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:37 -0600] conn=130 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:37 -0600] conn=130 op=1 msgId=-1 - closing from 192.168.1.1:33421 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:37 -0600] conn=131 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33422 to 192.168.1.1
    [14/Jan/2008:14:34:37 -0600] conn=130 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:37 -0600] conn=131 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:37 -0600] conn=131 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:37 -0600] conn=131 op=1 msgId=2 - ADD dn="cn=example.edu_prof_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:37 -0600] conn=131 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:37 -0600] conn=131 op=2 msgId=3 - ADD dn="cn=example.edu.getprofent,cn=example.edu_prof_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:37 -0600] conn=131 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:37 -0600] conn=131 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:37 -0600] conn=131 op=3 msgId=-1 - closing from 192.168.1.1:33422 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:37 -0600] conn=132 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33423 to 192.168.1.1
    [14/Jan/2008:14:34:37 -0600] conn=131 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:37 -0600] conn=132 op=0 msgId=1 - SRCH base="cn=example.edu.getmailent,cn=example.edu_mail_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:37 -0600] conn=132 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:37 -0600] conn=132 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:37 -0600] conn=132 op=1 msgId=-1 - closing from 192.168.1.1:33423 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:38 -0600] conn=133 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33424 to 192.168.1.1
    [14/Jan/2008:14:34:38 -0600] conn=132 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:38 -0600] conn=133 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:38 -0600] conn=133 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:38 -0600] conn=133 op=1 msgId=2 - ADD dn="cn=example.edu_mail_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:38 -0600] conn=133 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:38 -0600] conn=133 op=2 msgId=3 - ADD dn="cn=example.edu.getmailent,cn=example.edu_mail_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:38 -0600] conn=133 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:38 -0600] conn=133 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:38 -0600] conn=133 op=3 msgId=-1 - closing from 192.168.1.1:33424 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:38 -0600] conn=134 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33425 to 192.168.1.1
    [14/Jan/2008:14:34:38 -0600] conn=133 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:38 -0600] conn=134 op=0 msgId=1 - SRCH base="cn=example.edu.getbootent,cn=example.edu__boot_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:38 -0600] conn=134 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:38 -0600] conn=134 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:38 -0600] conn=134 op=1 msgId=-1 - closing from 192.168.1.1:33425 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:38 -0600] conn=135 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33426 to 192.168.1.1
    [14/Jan/2008:14:34:38 -0600] conn=134 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:38 -0600] conn=135 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:38 -0600] conn=135 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:38 -0600] conn=135 op=1 msgId=2 - ADD dn="cn=example.edu__boot_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:38 -0600] conn=135 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:38 -0600] conn=135 op=2 msgId=3 - ADD dn="cn=example.edu.getbootent,cn=example.edu__boot_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:38 -0600] conn=135 op=2 msgId=3 - RESULT err=0 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:38 -0600] conn=135 op=3 msgId=4 - UNBIND
    [14/Jan/2008:14:34:38 -0600] conn=135 op=3 msgId=-1 - closing from 192.168.1.1:33426 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:38 -0600] conn=136 op=-1 msgId=-1 - fd=51 slot=51 LDAP connection from 192.168.1.1:33427 to 192.168.1.1
    [14/Jan/2008:14:34:38 -0600] conn=135 op=-1 msgId=-1 - closed.
    [14/Jan/2008:14:34:38 -0600] conn=136 op=0 msgId=1 - SRCH base="cn=example.edu.getethent,cn=example.edu_ethers_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs=ALL
    [14/Jan/2008:14:34:38 -0600] conn=136 op=0 msgId=1 - RESULT err=32 tag=101 nentries=0 etime=0
    [14/Jan/2008:14:34:38 -0600] conn=136 op=1 msgId=2 - UNBIND
    [14/Jan/2008:14:34:38 -0600] conn=136

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into the client with user VV, which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I try to then change the password with the `passwd` command, it does not use the password policy on the directory server but the default defined in /etc/default/passwd:
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the `pam_authtok_check: minimum length from /etc/default/passwd: 8` line. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatibility in ds6 mode, maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    You can try `passwd -r ldap` for changing the ldap passwds...
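    The post above shows pam_authtok_check reading the minimum length from /etc/default/passwd even though the user authenticates against the directory. This added example (not code from the forum post) resolves which modules Solaris actually runs for a service from a pam.conf in the classic format, using the fallback rule the file's own comments describe; SAMPLE_PAM_CONF is a constructed excerpt of the pam.conf shown in the post, and the function names are the example's own.

```python
"""Resolve the effective PAM stack for a Solaris pam.conf service.

Added example, not code from the forum post. It parses the classic
Solaris /etc/pam.conf layout (service type control module [options...])
and applies the rule stated in the file's own comments: a service with no
explicit entries for a module type falls back to the "other" entries.
That is why `passwd` reaches pam_authtok_check.so.1, which enforces the
local /etc/default/passwd length, before pam_authtok_store.so.1 updates
the repository.
"""
from typing import List, NamedTuple, Tuple

# Constructed excerpt of the pam.conf shown in the post (login/rlogin/ppp/cron trimmed).
SAMPLE_PAM_CONF = """\
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
other account requisite pam_roles.so.1 debug
other account binding pam_unix_account.so.1 server_policy debug
other account required pam_ldap.so.1 no_pass debug
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
"""


class PamEntry(NamedTuple):
    service: str
    module_type: str        # auth | account | session | password
    control: str            # requisite | required | binding | sufficient | optional
    module: str
    options: Tuple[str, ...]


def parse_pam_conf(text: str) -> List[PamEntry]:
    """Parse pam.conf text; '#' starts a comment, blank lines are ignored."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, module_type, control, module, *options = fields
        entries.append(PamEntry(service, module_type, control, module, tuple(options)))
    return entries


def effective_stack(entries: List[PamEntry], service: str, module_type: str) -> List[PamEntry]:
    """Return the stack PAM evaluates for (service, module_type).

    Solaris semantics: if the service has at least one entry of this type,
    only those entries are used; otherwise the 'other' entries apply.
    """
    own = [e for e in entries if e.service == service and e.module_type == module_type]
    if own:
        return own
    return [e for e in entries if e.service == "other" and e.module_type == module_type]


def modules(entries: List[PamEntry], service: str, module_type: str) -> List[str]:
    """Module names of the effective stack, in evaluation order."""
    return [e.module for e in effective_stack(entries, service, module_type)]


def local_length_check_applies(entries: List[PamEntry], service: str = "passwd") -> bool:
    """True when pam_authtok_check.so.1 sits in the password stack, i.e. the
    /etc/default/passwd PASSLENGTH rule runs on the client regardless of
    the directory server's pwd-min-length."""
    return "pam_authtok_check.so.1" in modules(entries, service, "password")


if __name__ == "__main__":
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    for mtype in ("auth", "account", "password"):
        print(f"passwd/{mtype}: {modules(entries, 'passwd', mtype)}")
    print("local length check applies:", local_length_check_applies(entries))
```

    Running it against the excerpt shows that `passwd` has its own auth stack but no password stack, so the "other password" entries, and with them the local length check, apply.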

  • Using A 3rd Party SSL Certificate on DS 6.3

    Hello,
    I have a DS 6.3 server whose purpose is to authenticate Solaris 10 clients. All of my clients have been configured to communicate with the DS 6.3 server via SSL/TLS on port 636. To do this, I simply copied the slapd-cert8.db, slapd-key3.db and secmod.db files from the alias directory on the DS 6.3 server to the /var/ldap directory on each client. After renaming the files (removing the slapd- from the name) and configuring each client to bind using tls:simple, via a profile, things work just fine.
    However.....
    I used the default certificate generated by DS 6.3 during the install of the product. Unfortunately this certificate is signed with weak algorithms, and failed an audit. I have tried replacing the certificate with a GoDaddy 3rd party cert, and a self-signed certificate created using openssl, but as soon as I copy the cert8/key3 databases to the client as described above, the client can no longer connect to the server. I've added the server cert from GoDaddy as well as their root cert using both the dsadm tools and the certutil tools. I've done the same with the certs that I generated via openssl. In both cases, the only error message I receive on the client is the "libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server". Yet if I go back to using the default certificate generated by DS 6.3, everything works just fine.
    Can anyone help with this?
    Thanks in advance...

    As you indicated, name resolution was the problem again, but in a different way. When I had the DS server configured to use my self-signed cert, I had the following entry in /etc/nsswitch.conf on my ldap client:
    hosts: ldap [NOTFOUND=continue] files
    Once I switched the DS server to using the 3rd Party (GoDaddy) cert, I was unable to ping the DS server by its FQDN, despite having that entry in my hosts file. I had to switch the /etc/nsswitch.conf on the client to look like this:
    hosts: files [NOTFOUND=continue] ldap
    Once I had done this, I was able to access the DS server from the client using the GoDaddy cert.
    I tried this same configuration on another DS server and ran into one additional problem. This new DS server had some of the ciphers disabled per recommendation by our auditors. I could not get my client to connect until I reconfigured the server to use all available ciphers. How can I tell which cipher the client and server want to use when communicating, so that I don't disable it? Is there any way to configure which cipher is used for SSL communication?
    Thanks very much for your assistance
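    An added example (not part of the original post) for the nsswitch.conf ordering that turned out to be the cause above: it parses the `hosts:` style lines, drops the `[NOTFOUND=continue]` criteria, and flags any name-service database where `ldap` is consulted before `files`. On a client whose directory server is itself named in the hosts file, that ordering means resolving the server's FQDN first requires an LDAP lookup, which is the circularity the poster hit. The two configuration fragments are constructed around the two `hosts:` lines quoted in the post; `ipnodes` is included as the companion database on a Solaris 10 client.

```python
import re

# Constructed nsswitch.conf fragments built around the two "hosts:" lines
# quoted in the post.  The other databases are filler.
BROKEN = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=continue] files
ipnodes:    ldap [NOTFOUND=continue] files
"""

FIXED = """\
passwd:     files ldap
group:      files ldap
hosts:      files [NOTFOUND=continue] ldap
ipnodes:    files [NOTFOUND=continue] ldap
"""

# [STATUS=action] criteria such as [NOTFOUND=continue]; they control flow
# between sources but are not sources themselves.
CRITERIA_RE = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text):
    """Return {database: [sources in lookup order]} from nsswitch.conf text,
    ignoring comments, blank lines and bracketed criteria."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        databases[database.strip()] = CRITERIA_RE.sub(" ", rest).split()
    return databases


def ldap_bootstrap_problems(databases):
    """Databases the client needs to resolve its own directory server's name
    where 'ldap' comes before 'files' (or 'files' is missing altogether).
    Such an order cannot bootstrap: the LDAP client must resolve the server
    before it can ask LDAP anything."""
    problems = []
    for database in ("hosts", "ipnodes"):
        sources = databases.get(database, [])
        if "ldap" not in sources:
            continue
        if "files" not in sources or sources.index("ldap") < sources.index("files"):
            problems.append(database)
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", ldap_bootstrap_problems(parse_nsswitch(text)) or "ok")
```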

  • Native ldap client doesn't work with an openldap Server : No root DSE data

    Hello!
    My configuration :
    - an openldap 2.2.23 server (linux debian) (server name = serv_annu)
    - a ldap client (solaris 10) (server name = client_annu)
    I want to configure my client by using Solaris Native ldap and I follow the excellent doc of gary tay (http://web.singnet.com.sg/~garyttt)
    I use TLS and I had generated a certificate by using Mozilla. TLS works because ldapsearch from my solaris client works:
    FROM CLIENT_ANNU:
    # ldapsearch -h server_annu -p 636 -b"dc=mydomain,dc=fr" -s base -Z -P /var/ldap/cert8.db "objectclass=*"
    version: 1
    dn: dc=mydomain,dc=fr
    dc: mydomain
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    objectClass: nisDomainObject
    nisDomain: mydomain.fr
    o: mydomain
    LOG FROM SERVER_ANNU:
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=1 UNBIND
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 closed
    1) I add DUAConfigProfile.schema and solaris.schema on my openldap server.
    2) I add a nisDomainObject at the root DN (see the result of the ldapsearch above)
    3) I add an ACL in slapd.conf to allow reading of the rootDSE.
    access to dn.base="" by ssf=128 * read
    4) I launch on my solaris client
    crle -u -s /usr/lib/mps
    crle -64 -u -s /usr/lib/mps/64
    5) I can't apply the result.c patch on my openldap server (it is a production server!), so I can't create /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred by using the ldapclient command. So I created /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred manually; the syntax is correct because the "ldapclient list" command works:
    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= uid=toto,ou=People,dc=people1,dc=mydomain,dc=fr
    NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
    NS_LDAP_SERVERS= server_annu
    NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=fr
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_CREDENTIAL_LEVEL= anonymous
    NOTE: I had to add NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD even though I use the anonymous credential level, because I get an error when I launch the ldap client process.
    So here everything is apparently OK, but when I enable the ldap client process, the cachemgr process runs for about 30s and then crashes:
    FROM CLIENT_ANNU:
    svcadm disable /network/ldap/client;svcadm enable /network/ldap/client
    /etc/init.d/nscd stop;/etc/init.d/nscd start
    LOG FROM SERVER_ANNU:
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 closed
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 ACCEPT from IP=172.30.69.216:36022 (IP=0.0.0.0:389)
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH attr=supportedControl supportedsaslmechanisms
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=1 UNBIND
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 closed...
    FROM CLIENT_ANNU:
    # /usr/lib/ldap/ldap_cachemgr -g
    cachemgr configuration:
    server debug level 0
    server log file "/var/ldap/cachemgr.log"
    number of calls to ldapcachemgr 2
    cachemgr cache data statistics:
    Configuration refresh information:
    Previous refresh time: 2008/04/02 09:58:12
    Next refresh time: 2008/04/02 21:58:12
    Server information:
    Previous refresh time: 2008/04/02 09:58:32
    Next refresh time: 2008/04/02 09:58:33
    server: server_annu, status: ERROR
    error message: No root DSE data returned.
    Cache data information:
    Maximum cache entries: 256
    Number of cache entries: 0
    My problem is: why do I get the following error message: No root DSE data returned.
    Thanks in advance for your help!

    Hi
    Is your OpenLDAP server configured to allow anonymous read of the rootDSE attributes ?
    Regards,
    Ludovic.
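    An added example (not code from either poster) that answers Ludovic's question from the server's own log rather than by guessing: it walks the slapd lines quoted in the post connection by connection and reports every root DSE search (base="", scope=0) that completed with err=0 but nentries=0, which is the server-side face of "No root DSE data returned". For each such search it records whether the connection was anonymous (no BIND with a non-empty DN before it) and whether it was protected by TLS (ldaps port, or a "TLS established" line after StartTLS), because the ACL in the post, `access to dn.base="" by ssf=128 * read`, grants nothing to a plaintext connection, and the failing connections in the log arrive on port 389. The sample log is constructed from the lines in the post plus one constructed StartTLS session (conn=270) whose ssf value is made up for illustration.

```python
import re

# Constructed sample: conn=267 and conn=268 are the slapd lines quoted in
# the post (working ldapsearch over 636; failing root DSE query over 389).
# conn=270 is a constructed StartTLS session on 389; the ssf numbers on the
# "TLS established" line are made up for the example.
SAMPLE_LOG = """\
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=1 UNBIND
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
Apr 2 09:55:10 server_annu slapd[17068]: conn=270 fd=11 ACCEPT from IP=172.30.69.216:36030 (IP=0.0.0.0:389)
Apr 2 09:55:10 server_annu slapd[17068]: conn=270 op=0 STARTTLS
Apr 2 09:55:10 server_annu slapd[17068]: conn=270 fd=11 TLS established tls_ssf=128 ssf=128
Apr 2 09:55:10 server_annu slapd[17068]: conn=270 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:55:10 server_annu slapd[17068]: conn=270 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=\S+ \(IP=[\d.]+:(\d+)\)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def root_dse_findings(log_text):
    """Report each root DSE search that succeeded (err=0) yet returned no
    entry, with the connection's port, bind state and TLS state."""
    conns = {}
    findings = []

    def conn(cid):
        return conns.setdefault(cid, {"port": None, "tls": False,
                                      "bound_dn": "", "root_dse_ops": set()})

    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            c = conn(m.group(1))
            c["port"] = int(m.group(2))
            c["tls"] = c["port"] == 636      # ldaps: TLS from the first byte
            continue
        m = TLS_RE.search(line)
        if m:                                 # StartTLS completed on this conn
            conn(m.group(1))["tls"] = True
            continue
        m = BIND_RE.search(line)
        if m:                                 # dn="" is an anonymous bind
            conn(m.group(1))["bound_dn"] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m and m.group(3) == "" and m.group(4) == "0":
            conn(m.group(1))["root_dse_ops"].add(m.group(2))
            continue
        m = RESULT_RE.search(line)
        if m:
            c = conn(m.group(1))
            if m.group(2) in c["root_dse_ops"] and m.group(3) == "0" and m.group(4) == "0":
                findings.append({"conn": m.group(1), "port": c["port"],
                                 "anonymous": c["bound_dn"] == "", "tls": c["tls"]})
    return findings


def explain(finding):
    """One-line diagnosis in terms of the 'by ssf=128 * read' ACL from the post."""
    how = "anonymous" if finding["anonymous"] else "authenticated"
    if not finding["tls"]:
        return (f"conn={finding['conn']}: {how} root DSE read on port {finding['port']} "
                "without TLS (ssf=0), so an ACL requiring ssf=128 returns no entry")
    return (f"conn={finding['conn']}: {how} root DSE read over TLS returned no entry; "
            'check that the ACL grants read on dn.base="" to this identity')


if __name__ == "__main__":
    for finding in root_dse_findings(SAMPLE_LOG):
        print(explain(finding))
```

    On the sample it reports only conn=268: an anonymous, plaintext query on port 389, which is what ldap_cachemgr issues first regardless of the tls:simple setting in ldap_client_file, while the working ldapsearch used port 636. The same walk over a real slapd log tells you whether to look at the ACL's ssf requirement, at anonymous access, or at both.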
