LDAP broke after patching
# 1  
Old 05-19-2017
LDAP broke after patching

Greetings...My first post here...
I am facing an issue on an x86 Solaris server running on VMware. We had to install the latest patch cluster. I took a snapshot (on the VMware side), so we have a backup copy. I downloaded and installed the latest patch cluster. Post patching, I am not able to log in to the server with any non-root user (LDAP user). Since this server is not under support, I cannot expect Oracle's help on this. I am not sure which patch broke the authentication mechanism.
In the second attempt, I restored the snapshot and this time commented out the "possible culprit" patches in patch_order, as below:
Code:
cat 10_x86_Recommended.README | egrep -i "tls|pam|ssl|java|ldap"
120100-08
148072-19
151913-09
121212-02
122471-03
138767-01
141105-04
144910-03
147674-11
148050-04
148694-01
150120-04
150546-02
151915-07
152078-51
152079-51
152098-41
152099-41
152101-31

I applied the patch cluster and it again ended up in the same state.
Code:
From /var/adm/messages :-
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-est-wks1.acme.com
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-wst-wks1.acme.com

-bash-3.2# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=ngtdr-zonemgr2,ou=Hosts,dc=pre,dc=acme,dc=com
NS_LDAP_BINDPASSWD= {NS1}a1a2a3a4a5a6a7a8a9a10a11a11
NS_LDAP_SEARCH_BASEDN= dc=pre,dc=acme,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= npsec-wst-wks1.acme.com, npsec-est-wks1.acme.com
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= ngtdr-zonemgr2
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,?one?
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,?one?
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,?one?
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,?one?
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=People,?one?
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,?one?isMemberOf=cn=ngtdr-zonemgr2,ou=hosts,dc=pre,dc=acme,dc=com
NS_LDAP_BIND_TIME= 10
-bash-3.2# ldaplist
ldaplist: Object not found (Session error no available conn.
)
-bash-3.2#

I am not able to figure out which patch is creating this problem, so that I can exclude it. Can somebody help me with this troubleshooting?

Thanks in advance

Last edited by Scrutinizer; 05-20-2017 at 02:32 AM.. Reason: Anonymized data
# 2  
Old 05-20-2017
Not a direct answer to your question.

Perhaps after the client upgrade, an SSL/TLS protocol version that was previously being used to communicate with the server became obsolete, so it is forced to use a newer protocol.
  • Perhaps the server does not speak the newer protocol, or
  • The server certificate is not installed for the newer protocol.
  • The client needs to update to a newer root certificate.

Just a few loose thoughts.
# 3  
Old 05-20-2017
Which Solaris version is it?

This documentation from Oracle for Solaris 5.10 says (further down the page) that the x86 patch number is 150378.

https://getupdates.oracle.com/readme/README.150377-05

https://getupdates.oracle.com/readme/150378-04

Last edited by hicksd8; 05-20-2017 at 01:33 PM..
# 4  
Old 05-20-2017
It is Solaris 10 x86. To avoid installing those packages, I commented out the patches below.
Code:
cat 10_x86_Recommended.README | egrep -i "tls|pam|ssl|java|ldap"

But it seems they are not the culprit. It is some other patch(es) which is making these changes. I tried checking ssh too. 148105-23 is part of the patch cluster, but was never installed. It was already on the server for a long time, so it was skipped.
Code:
-bash-3.2# cat /var/tmp/10_x86_Recommended/10_x86_Recommended.README | grep ssh
148105-23  Obsoleted by: 148105-24 SunOS 5.10_x86: last, ssh/sshd patch
-bash-3.2# ls -l /var/sadm/patch/ | grep 148105
drwxr-xr-x   2 root     root           6 Aug 20  2014 148105-11
-bash-3.2#

150378 is not part of the patch cluster.
I am trying to find from the README which other patches could be the culprit. I am also assuming that it is not a direct patch, but maybe some patch is modifying a library (such as pam), which is breaking it.
-----------------------------------------------------------------------------
It's solved. It was the 119214-33 patch which created this issue. If somebody can guide me on what could have caused the issue, it would be good learning.
Code:
-bash-3.2# cat /var/tmp/10_x86_Recommended/10_x86_Recommended.README | grep 119214-33
119214-33  NSS_NSPR_JSS 3.21_x86: NSPR 4.11 / NSS 3.21 / JSS 4.3.2
-bash-3.2#


Last edited by ron323232; 05-20-2017 at 10:17 PM..
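The screen in post #1 missed 119214-33 because an NSS/NSPR/JSS description contains none of the words tls|pam|ssl|java|ldap, and post #4 only found it by elimination. The Python below is an added example, not code from this thread or from Oracle: it parses README lines in the format quoted above with a wider keyword list (the extra keywords are my suggestion, not the thread's), compares a cluster revision against what /var/sadm/patch shows so already-current patches can be ruled out, and pulls the unreachable servers and status codes out of the libsldap messages. The 999999-01 README line and the installed-revision map are constructed for the example; the other sample lines are the ones quoted in the thread.

```python
import re

# Constructed sample in the layout of a Solaris 10 patch-cluster README:
# the two entries quoted in this thread plus one made-up line (999999-01)
# that the original egrep would have matched.
SAMPLE_README = """\
119214-33  NSS_NSPR_JSS 3.21_x86: NSPR 4.11 / NSS 3.21 / JSS 4.3.2
148105-23  Obsoleted by: 148105-24 SunOS 5.10_x86: last, ssh/sshd patch
999999-01  Constructed example line: libldap client update
"""

# Sample libsldap messages, taken from the thread's /var/adm/messages
# excerpt (hostnames were already anonymised there).
SAMPLE_MESSAGES = """\
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-est-wks1.acme.com
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-wst-wks1.acme.com
"""

# The keyword screen used in the thread; note that it does not match "NSS".
ORIGINAL_KEYWORDS = ("tls", "pam", "ssl", "java", "ldap")
# Suggested wider screen (my assumption, not from the thread): the crypto
# and name-service libraries that sit underneath a tls:simple bind.
EXTENDED_KEYWORDS = ORIGINAL_KEYWORDS + ("nss", "nspr", "jss", "cert", "crypto", "sldap")

PATCH_LINE = re.compile(
    r"^(\d{6}-\d{2})\s+(?:Obsoleted by:\s+(\d{6}-\d{2})\s+)?(.*)$")
FAILED_CONN = re.compile(r"makeConnection: failed to open connection to (\S+)")
STATUS = re.compile(r"libsldap: Status: (\d+)\s+Mesg: (.*)$")


def parse_readme(text):
    """Split README lines into patch id, obsoleting id (or None) and description."""
    entries = []
    for line in text.splitlines():
        m = PATCH_LINE.match(line.strip())
        if m:
            entries.append({"id": m.group(1), "obsoleted_by": m.group(2),
                            "description": m.group(3)})
    return entries


def screen(entries, keywords):
    """Patch ids whose description mentions any keyword (case-insensitive)."""
    kws = [k.lower() for k in keywords]
    return [e["id"] for e in entries
            if any(k in e["description"].lower() for k in kws)]


def newly_applied(entry, installed):
    """True if the cluster revision is newer than the installed one.

    `installed` maps base patch number -> installed revision, e.g.
    {"148105": 11} for the 148105-11 directory listed in the thread.
    patchadd skips a patch already at the same or a newer revision, so
    such a patch cannot be the one that changed behaviour."""
    base, rev = entry["id"].split("-")
    return int(rev) > installed.get(base, -1)


def failed_servers(messages):
    """Hosts libsldap could not reach, and the status codes it logged."""
    hosts, statuses = set(), set()
    for line in messages.splitlines():
        m = FAILED_CONN.search(line)
        if m:
            hosts.add(m.group(1))
        m = STATUS.search(line)
        if m:
            statuses.add(int(m.group(1)))
    return sorted(hosts), sorted(statuses)


if __name__ == "__main__":
    entries = parse_readme(SAMPLE_README)
    print("original screen :", screen(entries, ORIGINAL_KEYWORDS))
    print("extended screen :", screen(entries, EXTENDED_KEYWORDS))
    installed = {"148105": 11}  # constructed from the ls -l /var/sadm/patch output
    for e in entries:
        print(e["id"], "would be applied:", newly_applied(e, installed))
    print("unreachable servers, statuses:", failed_servers(SAMPLE_MESSAGES))
```

Run against a real cluster with `parse_readme(open("10_x86_Recommended.README").read())` and a map built from `ls /var/sadm/patch`; the difference between the two screens is the candidate list to comment out in patch_order before the next snapshot-and-retry.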