Solaris and 389-ds

Hi, we've been using 389-ds running on RedHat7. Our LDAP clients are many devices and RedHat Linux; now we want to add Solaris 10/11.

We have a DUAProfile created, and Solaris 11 LDAP client initialization was successful with the command:
"ldapclient -v init -a domainname=<example.com> -a profileName=solaris11 <server_ip>".

The command "ldapclient list" shows:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= <ldap-server>
NS_LDAP_SEARCH_BASEDN= dc=<example>,dc=com
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= solaris11
NS_LDAP_SERVICE_SEARCH_DESC= passwd:l=AMER,dc=<example>,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:l=AMER,dc=<example>,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Groups,dc=<example>,dc=com?sub
NS_LDAP_BIND_TIME= 10
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount

Some other relevant files' configurations are:

# grep ldap /etc/nsswitch.conf
passwd: files ldap
group:  files ldap
netgroup:       ldap
automount:      files ldap
printers:       user files ldap


# cat /etc/pam.d/login
auth    requisite       pam_authtok_get.so.1    debug
auth    required        pam_dhkeys.so.1 debug
auth    required        pam_unix_cred.so.1      debug
#auth   binding         pam_unix_auth.so.1      server_policy
auth    sufficient              pam_unix_auth.so.1      server_policy   debug
auth    required        pam_ldap.so.1   debug


# cat /etc/pam.d/other | grep -v ^# | grep -v ^$
auth    definitive              pam_user_policy.so.1    debug
auth    requisite               pam_authtok_get.so.1    debug
auth    required                pam_dhkeys.so.1 debug
auth    required                pam_unix_cred.so.1      debug
auth    sufficient              pam_unix_auth.so.1      server_policy   debug
auth    required        pam_ldap.so.1   debug
account         requisite       pam_roles.so.1
account         definitive      pam_user_policy.so.1
account         required        pam_unix_account.so.1
account         required        pam_tsol_account.so.1
session         definitive      pam_user_policy.so.1
session         required        pam_unix_session.so.1
password                definitive      pam_user_policy.so.1
password                include pam_authtok_common
password                required        pam_authtok_store.so.1

Unfortunately, the LDAP client cannot SSH; the logs are:

 sshd[2497]: [ID 293258 auth.warning] libsldap: Status: 50  Mesg: LDAP ERROR (50): Insufficient access.
 sshd[2497]: [ID 717705 auth.debug] pam_user_policy: pam_sm_authenticate(flags = 0x1, argc = 1)
 sshd[2497]: [ID 771769 auth.debug] pam_user_policy: find_pam_policy: pam_policy = NULL for user 'zare'
 sshd[2497]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
 sshd[2497]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
 sshd[2497]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd-kbdint zare), flags = 1
 sshd[2497]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
 sshd[2497]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
 sshd[2497]: [ID 800047 auth.notice] Failed keyboard-interactive for zdudic from 10.211.55.1 port 52876 ssh2
 sshd[2497]: [ID 717705 auth.debug] pam_user_policy: pam_sm_authenticate(flags = 0x1, argc = 1)
 sshd[2497]: [ID 771769 auth.debug] pam_user_policy: find_pam_policy: pam_policy = NULL for user 'zare'
 sshd[2497]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 1


Any help is appreciated, thanks. 
--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
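
Added example, not part of the original post: a shell check over "ldapclient list" output for the bind settings that the listing above does not show (NS_LDAP_AUTH, NS_LDAP_CREDENTIAL_LEVEL). It assumes the "pam_ldap: no legal authentication method configured" message refers to the client profile's authentication method; the function names and the abridged sample are constructed.

```shell
#!/bin/sh
# Added example: audit `ldapclient list` output for the settings libsldap and
# pam_ldap use to bind. Function names are hypothetical.

# Constructed sample, abridged from the listing in the post.
sample_profile() {
cat <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= <ldap-server>
NS_LDAP_SEARCH_BASEDN= dc=<example>,dc=com
NS_LDAP_PROFILE= solaris11
NS_LDAP_SERVICE_SEARCH_DESC= passwd:l=AMER,dc=<example>,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
EOF
}

# Reads `ldapclient list` output on stdin and prints one finding per line.
# No output means none of the checks below fired.
audit_ldapclient() {
  awk '
    {
      i = index($0, "=")                 # split on the first "=" only
      if (i) { k = substr($0, 1, i - 1); v = substr($0, i + 1)
               sub(/^ +/, "", v); val[k] = v }
    }
    END {
      auth = val["NS_LDAP_AUTH"]; cred = val["NS_LDAP_CREDENTIAL_LEVEL"]
      # The client default for authenticationMethod is "none".
      if (auth == "" || auth == "none")
        print "NS_LDAP_AUTH: no usable authentication method (unset or none)"
      else if (auth ~ /(^|;)simple($|;)/)
        print "NS_LDAP_AUTH: plain simple bind listed, password sent without TLS"
      # The client default for credentialLevel is anonymous.
      if (cred == "")
        print "NS_LDAP_CREDENTIAL_LEVEL: unset, lookups bind anonymously"
      if (cred ~ /proxy/ && val["NS_LDAP_BINDDN"] == "")
        print "NS_LDAP_BINDDN: credential level is proxy but no bind DN is set"
    }'
}

# Stand-alone run against the constructed sample.
sample_profile | audit_ldapclient
```

On a live client the same function can be fed directly: ldapclient list | audit_ldapclient. An anonymous lookup that the directory's access controls reject is reported by the server as result code 50 (insufficient access rights), the code on the libsldap line of the log.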



