Full Discussion: LDAP broke after patching
Operating Systems Solaris LDAP broke after patching Post 302997812 by ron323232 on Friday 19th of May 2017 09:56:16 PM

Greetings... My first post here...
I am facing an issue on an x86 Solaris server running on VMware. We have to install the latest patch cluster. I took a snapshot (on the VMware side), so we have a backup copy. Downloaded and installed the latest patch cluster. Post patching, I am not able to log in on the server with any non-root user (LDAP user). Since this server is not in support, I cannot expect Oracle's help on this. I am not sure which patch broke the authentication mechanism.
In the second attempt, I restored the snapshot and this time I commented out the "possible culprit" patches in patch_order as below
Code:
cat 10_x86_Recommended.README | egrep -i "tls|pam|ssl|java|ldap"
120100-08
148072-19
151913-09
121212-02
122471-03
138767-01
141105-04
144910-03
147674-11
148050-04
148694-01
150120-04
150546-02
151915-07
152078-51
152079-51
152098-41
152099-41
152101-31

I applied the patch cluster and it again came up in the same state.
Code:
From /var/adm/messages :-
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-est-wks1.acme.com
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-wst-wks1.acme.com

-bash-3.2# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=ngtdr-zonemgr2,ou=Hosts,dc=pre,dc=acme,dc=com
NS_LDAP_BINDPASSWD= {NS1}a1a2a3a4a5a6a7a8a9a10a11a11
NS_LDAP_SEARCH_BASEDN= dc=pre,dc=acme,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= npsec-wst-wks1.acme.com, npsec-est-wks1.acme.com
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= ngtdr-zonemgr2
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,?one?
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,?one?
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:ou=netgroup,?one?
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,?one?
NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=People,?one?
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,?one?isMemberOf=cn=ngtdr-zonemgr2,ou=hosts,dc=pre,dc=acme,dc=com
NS_LDAP_BIND_TIME= 10
-bash-3.2# ldaplist
ldaplist: Object not found (Session error no available conn.
)
-bash-3.2#

I am not able to figure out which patch is creating this problem so that I can exclude it. Can somebody help me with this troubleshooting?

Thanks in advance

Last edited by Scrutinizer; 05-20-2017 at 02:32 AM.. Reason: Anonymized data
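
As an added example (not part of the original post), the script below cross-checks the libsldap failures from /var/adm/messages against the servers and authentication method reported by `ldapclient list`. The function names and verdict labels are hypothetical; the sample lines are copied from the post's anonymized output.

```sh
#!/bin/sh
# Added example (not from the post): triage libsldap failures against client config.
# Sample data is copied from the anonymized output in the post above.
sample_log() {
cat <<'EOF'
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 293258 daemon.warning] libsldap: Status: 91  Mesg: openConnection: simple bind failed - Can't connect to the LDAP server
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-est-wks1.acme.com
May 19 14:02:46 ngtdr-zonemgr2-data ldap_cachemgr[221]: [ID 545954 daemon.error] libsldap: makeConnection: failed to open connection to npsec-wst-wks1.acme.com
EOF
}
sample_config() {
cat <<'EOF'
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVER_PREF= npsec-wst-wks1.acme.com, npsec-est-wks1.acme.com
EOF
}
# Servers named in "makeConnection: failed" lines on stdin, unique and sorted.
failed_servers() {
    sed -n 's/.*libsldap: makeConnection: failed to open connection to \([^ ]*\).*/\1/p' | sort -u
}

# Value of one "KEY= value" line from `ldapclient list` output on stdin.
config_value() {
    sed -n "s/^$1= *//p" | head -n 1
}

# triage LOG_TEXT CONFIG_TEXT: print one summary line.
triage() {
    auth=$(printf '%s\n' "$2" | config_value NS_LDAP_AUTH)
    want=$(printf '%s\n' "$2" | config_value NS_LDAP_SERVER_PREF | tr ',' ' ')
    bad=$(printf '%s\n' "$1" | failed_servers)
    total=0; down=0
    for s in $want; do
        total=$((total + 1))
        if printf '%s\n' "$bad" | grep -qxF -- "$s"; then down=$((down + 1)); fi
    done
    if [ "$total" -eq 0 ]; then verdict=no-servers-configured
    elif [ "$down" -eq 0 ]; then verdict=no-failures-logged
    elif [ "$down" -lt "$total" ]; then verdict=some-servers-failing
    else
        # Every server fails: the common factor is the client or the path to it.
        case $auth in
            tls:*) verdict=all-servers-failing-check-client-tls ;;
            *)     verdict=all-servers-failing-check-client-or-network ;;
        esac
    fi
    echo "verdict=$verdict auth=$auth failed=$down/$total"
}
triage "$(sample_log)" "$(sample_config)"
```

On a live system, pass the relevant lines of /var/adm/messages and the output of `ldapclient list` as the two arguments instead of the embedded samples.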
 

ldap_cachemgr(1M)            System Administration Commands            ldap_cachemgr(1M)

NAME
     ldap_cachemgr - LDAP daemon to manage client configuration for LDAP based Network Information Service lookups

SYNOPSIS
     /usr/lib/ldap/ldap_cachemgr [-l log-file] [-g]

DESCRIPTION
     The ldap_cachemgr daemon is a process that provides an up-to-date configuration cache for LDAP naming services. It is started during multi-user boot.

     The ldap_cachemgr utility provides caching for all parameters as specified and used by the LDAP naming service clients. The ldap_cachemgr utility uses the cache files which are originally created by executing the ldapclient(1M) utility, as cold start files. Updates to the cache files take place dynamically if profiles are used to configure the client. See the init option to ldapclient(1M).

     The ldap_cachemgr utility helps improve the performance of the clients that are using LDAP as the Naming service repository. In order for the LDAP naming services to function properly, the ldap_cachemgr daemon must be running. ldap_cachemgr also improves system security by making the configuration files readable by superuser only.

     The cache maintained by this daemon is shared by all the processes that access LDAP Naming information. All processes access this cache through a door call. On startup, ldap_cachemgr initializes the cache from the cache files. See ldapclient(1M). Thus, the cache survives machine reboots.

     The ldap_cachemgr daemon also acts as its own administration tool. If an instance of ldap_cachemgr is already running, commands are passed transparently to the running version.

OPTIONS
     The following options are supported:

     -g             Print current configuration and statistics to standard output. This is the only option executable without superuser privileges.

     -l log-file    Cause ldap_cachemgr to use a log file other than the default /var/ldap/cachemgr.log.

EXAMPLES
     Example 1: Stopping and Restarting the ldap_cachemgr Daemon

     The following example shows how to stop and to restart the ldap_cachemgr daemon.

       example# svcadm enable network/ldap/client
       example# svcadm disable network/ldap/client

     Example 2: Forcing ldap_cachemgr to Reread the /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred Files

     The following example shows how to force ldap_cachemgr to reread the /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred files.

       example# pkill -HUP ldap_cachemgr

FILES
     /var/ldap/cachemgr.log
          Default log file.

     /var/ldap/ldap_client_file
     /var/ldap/ldap_client_cred
          Files containing the LDAP configuration of the client. These files are not to be modified manually. Their content is not guaranteed to be human readable. Use ldapclient(1M) to update these files.

WARNINGS
     The ldap_cachemgr utility is included in the Solaris 9 release on an uncommitted basis only. It is subject to change or removal in a future minor release.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +-----------------------------+-----------------------------+
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     +-----------------------------+-----------------------------+
     |Availability                 |SUNWnisu                     |
     +-----------------------------+-----------------------------+

SEE ALSO
     ldap(1), ldapadd(1), ldapdelete(1), ldaplist(1), ldapmodify(1), ldapmodrdn(1), ldapsearch(1), pkill(1), svcs(1), idsconfig(1M), ldapaddent(1M), ldapclient(1M), suninstall(1M), svcadm(1M), signal.h(3HEAD), resolv.conf(4), attributes(5), smf(5)

NOTES
     The ldap_cachemgr service is managed by the service management facility, smf(5), under the service identifier:

       svc:/network/ldap/client

     Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). The service's status can be queried using the svcs(1) command.

SunOS 5.10                          1 Aug 2004                          ldap_cachemgr(1M)