Having trouble getting pam_ldap to work properly with Solaris. The only way I can become one of the users in LDAP is to first become root, and then su to that user. I cannot su from a non-LDAP user to an LDAP user, and cannot ssh in as an LDAP user.

ldapsearch -ZZ works perfectly -- returns all entries in the LDAP DB, regardless of who called it (LDAP user, regular user, root, etc.).

su: Root can su to any user in the LDAP database. Non-root users receive the message "su: Unknown id: johndoe".

getent passwd: returns the passwd file, including LDAP entries, for all root/local users -- but NOT when called by LDAP users.

Looking in /var/log/authlog when a normal user attempts to su to root, I see the following entries:

    Feb 25 19:07:17 name su: pam_ldap: ldap_starttls_s: Connect error
    Feb 25 19:07:20 name su: pam_ldap: ldap_result Can't contact LDAP server

I have installed a random number device (otherwise the ldapsearch wouldn't work), and have /etc/ldap.conf set up as follows:

    URI LDAP://ip_of_server
    BASE dc=correct,dc=base,dc=com
    HOST ip_of_server
    port 389
    ldap_version 3
    ssl start_tls
    pam_password exop
    suffix "dc=correct,dc=base,dc=com"
    rootdn "uid=root_user,ou=People,dc=correct,dc=base,dc=com"
    rootpw {crypt}uhm...yeah,.right.;)

This version of the config file is IDENTICAL to the file on our Linux boxes, which work flawlessly. Btw, /etc/openldap is symlinked to /usr/local/etc/openldap, and /usr/local/etc/openldap/ldap.conf is symlinked to /etc/ldap.conf, and just for kicks, /usr/local/etc/ldap.conf is also symlinked to /etc/ldap.conf -- so /etc/ldap.conf is the file that everything is looking at.
/etc/nsswitch.conf contains the following lines:

    passwd: files ldap
    shadow: files ldap
    group:  files ldap

and /etc/pam.conf is:

    #
    # Authentication mgmt
    #
    other auth sufficient /usr/lib/security/pam_ldap.so.1 debug
    other auth required /usr/lib/security/pam_unix.so.1 try_first_pass
    #
    # Account mgmt
    #
    other account sufficient /usr/lib/security/pam_ldap.so.1 debug
    other account required /usr/lib/security/pam_unix.so.1
    #
    # Password mgmt
    #
    other password sufficient /usr/lib/security/pam_ldap.so.1 debug
    other password required /usr/lib/security/pam_unix.so.1 try_first_pass
    #
    # Session mgmt
    #
    other session required /usr/lib/security/pam_unix.so.1

I initially investigated TLS/SSL issues, reading the error message as indicating this, but the fact that the majority of operations work suggests that perhaps the error is misleading.

Versions:

    Solaris 7
    nss_ldap 184
    pam_ldap 138
    OpenLDAP 2.0.19
    OpenSSL 0.9.6b

Any thoughts on why this isn't working? Is there anybody out there who HAS successfully gotten LDAP authentication with TLS to work on Solaris 7?!?!

Pulling my hair out... this project is already way overdue :(

Thanks in advance
chris
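As an added example (not from the post, nor from the PADL or OpenLDAP projects), a small Python checker that parses a client ldap.conf like the one quoted above and reports what a defender would want to know: credentials stored in a file that unprivileged NSS/PAM lookups must read, slapd-only directives that the client ignores, START_TLS without any CA file, and a file mode that only root can read. It assumes the PADL directive names rootbinddn, bindpw and tls_cacertfile and OpenLDAP's TLS_CACERT, and it does not by itself establish the cause of the failure described in the post.

```python
import stat

# slapd.conf (server) directives that pam_ldap/nss_ldap do not use
SERVER_ONLY = {"suffix", "rootdn", "rootpw"}
# directives that embed a credential in the client file
SECRET_KEYS = {"rootpw", "bindpw"}

# Constructed sample: the ldap.conf quoted in the post, hash replaced
SAMPLE_CONF = """\
URI LDAP://ip_of_server
BASE dc=correct,dc=base,dc=com
HOST ip_of_server
port 389
ldap_version 3
ssl start_tls
pam_password exop
suffix "dc=correct,dc=base,dc=com"
rootdn "uid=root_user,ou=People,dc=correct,dc=base,dc=com"
rootpw {crypt}PLACEHOLDER_HASH
"""

def parse_ldap_conf(text):
    """Return [(key, value)] with keys lower-cased; blank and comment lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries

def audit_ldap_conf(text, mode=0o644):
    """Return findings for a client ldap.conf whose st_mode is `mode`."""
    entries = parse_ldap_conf(text)
    keys = {k for k, _ in entries}
    findings = []
    # Non-setuid lookups (e.g. getent) run with the calling user's privileges,
    # so the file must be readable by that user; root never hits this check.
    if not mode & stat.S_IROTH:
        findings.append("MODE: ldap.conf is not world-readable; unprivileged lookups cannot read it")
    for key in sorted(keys & SECRET_KEYS):
        findings.append(f"SECRET: {key} stored in ldap.conf; PADL keeps bind secrets in /etc/ldap.secret (rootbinddn, 0600)")
    for key in sorted(keys & SERVER_ONLY):
        findings.append(f"SERVER: {key} is a slapd.conf directive and is ignored by the client")
    if ("ssl", "start_tls") in entries and not keys & {"tls_cacertfile", "tls_cacert"}:
        findings.append("TLS: start_tls configured without a CA file; the server certificate cannot be verified")
    return findings
```

Run `audit_ldap_conf(open(path).read(), os.stat(path).st_mode)` against a real file; the sample above yields one SECRET, three SERVER and one TLS finding.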