Hi guys. First, sorry for my english, I´m tried to write the best form but sure I´m not do it.
I´m tried to configure the native ldap client on Solaris 10 but yet dosen't work. May be the problem is in the pam.conf or something like that.
This is the line I was applied to configure the ldapclient:
Code:
ldapclient -vv manual -a credentialLevel=proxy -a domainName=domine.com.ar -a proxyDN="cn=sultano,ou=userspecial,ou=user,o=sultano" -a proxyPassword='passwd' -a authenticationMethod=simple -a defaultSearchBase=ou=userspecial,ou=user,o=sultano 10.10.10.10:389
When I check the configure I see this:
Code:
-bash-3.2# ldapclient list
Unable to set locale.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=sultano,ou=userspecial,ou=user,o=sultano
NS_LDAP_BINDPASSWD= {NS1}f170edf81e61e0678pb320e1
NS_LDAP_SERVERS= 10.10.10.10:389
NS_LDAP_SEARCH_BASEDN= ou=userspecial,ou=user,o=sultano
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
-bash-3.2#
-bash-3.2# svcs -a | grep ldap
online 17:45:11 svc:/network/ldap/client:default
-bash-3.2#
May be the connection to the ldap server works fine:
#
# MODIFICADO LDAP
#
# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_dial_auth.so.1
other auth required pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other password requisite pam_authtok_check.so.1 force_check
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
/etc/nsswitch.conf
Code:
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
#hosts: ldap [NOTFOUND=return] files # Commented out by DHCP
hosts: ldap dns [NOTFOUND=return] files # Added by DHCP
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
#ipnodes: ldap [NOTFOUND=return] files # Commented out by DHCP
ipnodes: ldap dns [NOTFOUND=return] files # Added by DHCP
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey: ldap [NOTFOUND=return] files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap
I have no experience administering Solaris now and although I have read many guides and documentation to configure the ldap client does not work yet. Surely I'm doing something wrong to set it up.
Would greatly appreciate your help or any comments to solve.
Thanks
Last edited by sultano; 05-27-2014 at 12:21 PM..
Reason: typing error
@jlliagre, you right. When I´m tried to connect with some user to ssh I´m see this on the log:
Code:
May 28 12:18:54 solaris-ldap sshd[673]: [ID 800047 auth.notice] Failed none for ldapuser from 10.245.85.199 port 49557 ssh2
May 28 12:19:01 solaris-ldap sshd[673]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[4] while authenticating: Error de sistema
May 28 12:19:01 solaris-ldap sshd[673]: [ID 800047 auth.notice] Failed keyboard-interactive for ldapuser from 10.245.85.199 port 49557 ssh2
May 28 12:19:26 solaris-ldap sshd[673]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[4] while authenticating: Error de sistema
May 28 12:19:26 solaris-ldap sshd[673]: [ID 800047 auth.notice] Failed keyboard-interactive for ldapuser from 10.245.85.199 port 49557 ssh2
If I try to connect with the same user, using password in the /etc/passwd, user is connected correctly.. Have you any idea what do I wrong?
Thanks @jilliage and @bitlord and sorry for the delay.
First, I have no access to the ldap server so I can not check your logs
I check feedback, look back on this and then perform many tests with what I found. One option finally worked, the problem was the configuration of ldapclient.
I know nothing about how it works ldap but when I run with these parameters was able to connect properly.
Code:
ldapclient -vvv manual \
-a credentialLevel=proxy \
-a domainName=domine.com.ar \
-a proxyDN="cn=sultano,ou=userspecial,ou=user,o=sultano" \
-a proxyPassword='paswd' \
-a authenticationMethod=simple \
-a "serviceSearchDescriptor=passwd:ou=iduser,,ou=user,o=sultano?sub?(cn=*)" \
-a "serviceSearchDescriptor=shadow:ou=iduser,,ou=user,o=sultano?sub?(cn=*)" \
-a defaultSearchBase=ou=iduser,,ou=user,o=sultano 10.10.10.10:389
Again,
Please tell us which LDAP server you are using. Solaris doesn't play well with LDAP. Setting up an LDAP client on a Linux distro is about 100 times easier.
This the ldap client command I used to connect to a OpenLDAP server running on Red Hat.
Here's an example of an ldapclient invocation that works for me:
Code:
ldapclient manual \
-a authenticationMethod="pam_ldap:simple" \
-a credentialLevel="proxy" \
-a defaultSearchBase="dc=example,dc=org" \
-a defaultSearchScope="sub" \
-a defaultServerList="ldap1.example.org,ldap2.example.org" \
-a domainName="example.org" \
-a preferredServerList="ldap1.example.org,ldap2.example.org" \
-a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
-a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
-a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
-a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
-a proxyPassword="foobar"
This will gave me a very basic set up. No auto mount and no TLS security. So this should work on a OpenLDAP server, but if you are connecting to Active directory then you will need to add kerberos.
The ldapclient command is as follows. /usr/sbin/ldapclient [v|g][list|manual|mod|init|uninit|genprofile]
As you can see there are a lot of sub-commands for the ldapclient command. You will want to use the manual sub-command to test the basic profile setup. then you will want to use the mod sub-command to add additional options/features to your profile. The list sub-command will show you what you r setup is currently. You need to take notes of the sub-commands you used up to this point.
After you get the ldap client working. you need to run the genprofile command with all the options you ran to get it working, up to this point. The genprofile subcommand creates a ldif file. the ldif file is used to add items to the LDAP directory. After this is done all the new Solaris 10 clients can use the init sub-command to connect to the LDAP server.
Example:
Code:
ldapclient init <ip of LDAP server>
You also need to add the schema to the LDAP server to get the NIS objects to work. I used solaris.schema and DUAConfigProfile.schema to get my Solaris 10 servers to work with the Solaris Native client. I have attached these files to the post. Before you use them remove the .txt extension.
I have very limited knowledge on LDAP configuration and have been trying fix one issue, but unsuccessful.
The server, I am working on, is Solaris-10 zone. sudoers is configured on LDAP (its not on local server). I have access to login directly on server with root, but somehow sudo is not working... (9 Replies)
Hi,
I would like to configure samba with PEM (with LDAP). I've already found, on the server, configured the PAM Authentication(with LDAP) for ssh. I wanted to know if it was possible to configure PAM for to authenticate to another LDAP only for SAMBA.
Is possibile duplicate the... (2 Replies)
I have been able to configure on an AIX 5.2 ldap.cfg so service starts correctly.
but when I try to log on with a windows user after entering the password login hangs and get no response.
I have set it up on Aix 5.3 with no problem but in Aix 5.2 I have not been able to log in.
ldap.cfg... (1 Reply)
Hello,
I have a solaris 10 U 8 and want it to authenticate any user against a remote RADIUS server and return it's appropriate privileges on the system
First is it possible? and if yes, How I can do it?
please a consider I'm a little "newbie" on Solaris world
Thanks in advance! (0 Replies)
I am working on configuring Samba with Remote LDAP for Authentications but facing issue on the same.
I googled for the this but most of the setup is to connect local Samba and LDAP with samba-ldap tools but in my case this is on a separate machines.
Please help me to configure this.
... (0 Replies)
My environmnet : solaris 10 u 7 sparc
To configure DNS bind use Ldap as zone record database, I use bind 9.7.0 and sun directory 5.2
I do follow http://imil.net/docs/Configuring_DNS_zones_with_LDAP.txt
and stuck at make install
Error from bind log "database: error: unsupported database... (0 Replies)
Hi Experts
Though I am aware that I am asking some thing which I should not ask here, however I am sure that there are many who must be have configure netback client in solaris 9 and 10.
Please help /direct me towards some link as how and what all is required to configure Veritas... (4 Replies)
I have an issue here with ldap client. It stoped and won't start.
What I have got:
sadm $ tail /var/adm/messages
Apr 16 09:17:24 hostname inetd: libsldap: Status: 2 Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
Apr 16 09:17:24 hostname inetd: libsldap: Status: 2 ... (3 Replies)
Has anyone successfully authenticated unix users via Active Directory using
LDAP client on AIX v5.2 or v5.3?? ldapsearch from our unix box retrieves
info from AD but having trouble authenticating unix id when I logon - get a msg ': 3004-318 Error obtaining the user's password information'. Not... (0 Replies)