other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
Because there are some variations in the config between the Solaris versions, the best source for the right stack is:
# man pam_ldap
Carsten
On 13.12.11, Arpit Tolani <arpittolani@xxxxxxxxx> wrote:
Below is the configuration I configured. I am able to see the user in getent passwd output
and see the user in ldaplist output,
but can't log in. It fails using ssh.
bash-3.2# cat /etc/nsswitch.conf |grep -v "^#"
passwd: files ldap
group: files ldap
hosts: files dns # Added by DHCP
ipnodes: files dns # Added by DHCP
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
bash-3.2# cat /etc/pam.conf |grep -v "^#"
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
rlogin auth required pam_unix_auth.so.1
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth required pam_ldap.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other auth required pam_ldap.so.1
passwd auth required pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
cron account required pam_unix_account.so.1
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password required pam_authtok_store.so.1
bash-3.2# cat /var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.122.155
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=example,dc=com?sub
NS_LDAP_BIND_TIME= 2
bash-3.2# cat /var/ldap/ldap_client_cred
NS_LDAP_BINDDN="cn=Directory Manager"
NS_LDAP_BINDPASSWD=redhat123
bash-3.2# /etc/init.d/ldap.client start
bash-3.2# svcadm enable network/ldap/client
bash-3.2# /usr/lib/ldap/ldap_cachemgr -g
bash-3.2# getent passwd test
test:x:1001:1001::/home/test:/bin/bash
bash-3.2# ldaplist -l passwd test
dn: uid=test,ou=People,dc=example,dc=com
uidNumber: 1001
sn: test
gidNumber: 1001
loginShell: /usr/bin/bash
shadowMax: 99999
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: test
shadowLastChange: 12994
cn: test
homeDirectory: /home/test
shadowWarning: 7
userPassword: {SSHA}6qy0z4cffk6tZdbh0IaOSOJgAqlmCq/zCtAX+g==
--
Thanks & Regards
Arpit Tolani
Carsten Grzemba
Tel.: +49 3677 64740
Mobil: +49 171 9749479
Fax: +49 3677 6474111
Email: carsten.grzemba@xxxxxxxxxxxx
contac Datentechnik GmbH
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
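
The difference between the quoted pam.conf and the stack in the reply can be checked mechanically. The following is an added example, not code from either poster or from the 389 project: it parses pam.conf auth lines and flags any service stack that combines pam_unix_auth.so.1 with pam_ldap.so.1 without following the reply's pattern (pam_unix_auth.so.1 as `binding` with `server_policy`, listed before pam_ldap.so.1). The function names are hypothetical and the sample input is a constructed subset of the lines shown in the thread.

```python
UNIX, LDAP = "pam_unix_auth.so.1", "pam_ldap.so.1"

# Constructed sample: a subset of the lines in the quoted /etc/pam.conf.
QUOTED = """\
login auth required pam_unix_auth.so.1
login auth required pam_ldap.so.1
rsh auth required pam_ldap.so.1
other auth required pam_unix_auth.so.1
other auth required pam_ldap.so.1
other account sufficient pam_ldap.so.1
"""
# The "other" auth stack given in the reply.
REPLY = """\
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1
"""

def parse_auth_stacks(text):
    """Map service -> ordered [(control, module, options)], auth lines only."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 4 and fields[1] == "auth":
            entry = (fields[2], fields[3].rsplit("/", 1)[-1], fields[4:])
            stacks.setdefault(fields[0], []).append(entry)
    return stacks

def lint(text):
    """Return {service: [findings]} for stacks using pam_unix_auth and pam_ldap."""
    report = {}
    for service, entries in parse_auth_stacks(text).items():
        modules = [m for _, m, _ in entries]
        if LDAP not in modules or UNIX not in modules:
            continue  # nothing to compare against the reply's pattern
        findings = []
        if modules.index(UNIX) > modules.index(LDAP):
            findings.append("pam_unix_auth.so.1 listed after pam_ldap.so.1")
        for control, module, options in entries:
            if module == UNIX and control != "binding":
                findings.append("pam_unix_auth.so.1 is '%s', not 'binding'" % control)
            if module == UNIX and "server_policy" not in options:
                findings.append("pam_unix_auth.so.1 lacks server_policy")
        if findings:
            report[service] = findings
    return report

if __name__ == "__main__":
    print(lint(QUOTED), lint(REPLY))
```

Run against the quoted configuration, it reports the `login` and `other` stacks; the reply's stack produces no findings.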