--- "Tay, Gary" <Gary_Tay at platts.com> wrote:

> 0) Make sure every time you restart /etc/init.d/ldap.client
> (ldap_cachemgr), restart also the /etc/init.d/nscd (name service cache
> daemon).

Well, I decided to turn off nscd completely while I'm testing.

> 1) Make sure you define "CRYPT" as the default passwordStorageScheme in
> LDAP DIT (right click cn=config and edit its properties).

Yes.

> 2) Make sure you have these three lines in /var/ldap/ldap_client_file
> and also in "default" profile in LDAP DIT?

I have them in the ldap_client_file, but the default profile looks like this:

# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one

Am I missing anything? I don't have a serviceSearchDescriptor, but I think it should chain ou=People + defaultSearchBase, right?

> And there is a "shadow: files ldap" line in /etc/nsswitch.conf.

Yes.

> 4) Did you install a binary version of OpenSSH Server with PAM support
> or compile from source with an "./configure --with-pam" option?

It was a pkg:

bash-2.03# ldd /usr/local/sbin/sshd
        libpam.so.1 =>   /usr/lib/libpam.so.1

> 6) For ssh client connection, do this way to see more:
>
> $ ssh -v testdba at 192.85.86.87

OK. This is me trying a Linux box under FDS control:

cnyitsun01/ > ssh testdba at cnyitlin01
testdba at cnyitlin01's password:
Last login: Fri Aug 26 11:02:06 2005 from cnyitlin02.composers.foo.com
[testdba at cnyitlin01 ~]$

Works fine.

Now, to the test Sun box:

debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
LDAP Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password:

And notice it's asking me for a separate LDAP password. What's up with that?

Also, I ran this:

bash-2.03# ldapsearch -D "uid=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" -w password -h cnyitlin02 -s base -b "" "objectclass=*"
objectClass=top
namingContexts=dc=composers,dc=foo,dc=com
namingContexts=dc=example, dc=com
namingContexts=o=NetscapeRoot
supportedExtension=2.16.840.1.113730.3.5.7
supportedExtension=2.16.840.1.113730.3.5.8
[more crap...]

So, looks like the proxy id/password is correct....

I hate Solaris. It took me ONE MINUTE to get a Linux client working. One command - authconfig. This is just retarded.
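The profile question above ("Am I missing anything? ... it should chain ou=People + defaultSearchBase, right?") is the kind of thing worth checking mechanically before touching pam.conf. The following is an added example, written for this page and not code from the thread, from Gary, or from any vendor tool. It parses a DUAConfigProfile entry (a constructed copy of the one posted above is embedded), reports attributes a Solaris ldapclient expects, and derives the search base each naming service falls back to when no serviceSearchDescriptor is defined. Two assumptions are labelled in the code: that the Solaris defaults are ou=people / ou=group / ou=hosts / ou=netgroup under defaultSearchBase with defaultSearchScope, and that proxyDN/proxyPassword are client-local settings (ldapclient -a ...) rather than profile attributes. The SSD parser handles the common "service:base?scope" form only.

```python
"""Sanity-check a Solaris DUAConfigProfile LDIF entry (added example, not from the thread)."""

# Constructed copy of the profile entry posted in the message above.
PROFILE_LDIF = """\
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
"""

# Assumption: containers a Solaris ldapclient uses when no SSD overrides them.
DEFAULT_CONTAINERS = {
    "passwd": "ou=people",
    "shadow": "ou=people",
    "group": "ou=group",
    "hosts": "ou=hosts",
    "netgroup": "ou=netgroup",
}

# Attributes a usable profile must carry (besides the objectClass).
REQUIRED = ("defaultserverlist", "defaultsearchbase", "credentiallevel", "authenticationmethod")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercased: [values]}.

    Skips '#' comment lines and joins folded continuation lines (leading space).
    Base64 ('::') values are not decoded; a profile entry has none.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:  # LDIF line folding
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_ssd(value):
    """Parse 'service:base?scope' into (service, base, scope); scope is None if absent."""
    svc, _, rest = value.partition(":")
    base, sep, scope = rest.partition("?")
    return svc.strip(), base.strip(), (scope.strip() or None) if sep else None


def effective_search(attrs):
    """Return {service: (base, scope)}: SSDs where given, else default container + base."""
    base = attrs.get("defaultsearchbase", [""])[0]
    scope = attrs.get("defaultsearchscope", ["one"])[0]
    result = {svc: ("%s,%s" % (container, base), scope)
              for svc, container in DEFAULT_CONTAINERS.items()}
    for ssd in attrs.get("servicesearchdescriptor", []):
        svc, ssd_base, ssd_scope = parse_ssd(ssd)
        result[svc] = (ssd_base, ssd_scope or scope)
    return result


def check_profile(attrs):
    """Return a list of findings about missing or security-relevant settings."""
    findings = []
    classes = [v.lower() for v in attrs.get("objectclass", [])]
    if "duaconfigprofile" not in classes:
        findings.append("objectClass DUAConfigProfile missing")
    for req in REQUIRED:
        if req not in attrs:
            findings.append("%s missing" % req)
    if attrs.get("credentiallevel", [""])[0].lower() == "proxy":
        # Assumption: proxyDN/proxyPassword are set on the client (ldapclient -a ...),
        # stored in /var/ldap, and never appear in the profile entry itself.
        findings.append("credentialLevel proxy: proxyDN/proxyPassword must be set on the client, not in the profile")
    if attrs.get("authenticationmethod", [""])[0].lower() == "simple":
        findings.append("authenticationMethod simple: proxy bind password crosses the wire in clear")
    if "servicesearchdescriptor" not in attrs:
        findings.append("no serviceSearchDescriptor: default containers under defaultSearchBase apply")
    return findings


if __name__ == "__main__":
    profile = parse_ldif_entry(PROFILE_LDIF)
    for finding in check_profile(profile):
        print("-", finding)
    for svc, (base, scope) in sorted(effective_search(profile).items()):
        print("%-8s base=%s scope=%s" % (svc, base, scope))
```

Run it against your own profile by swapping in the output of `ldapsearch -b cn=default,ou=profile,... objectclass=DUAConfigProfile`; a finding about simple binds is the one to take seriously on a network you do not fully trust, since the proxy password is reused by every client.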