Solaris 10 openldap authentication with md5 passwords


 
06-09-2010

Hello to everyone,
We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
We have installed the openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html).

The error messages when trying to 'su -' to the ldap user are:
Code:
Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4

and for ssh:
Code:
Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2

Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf)
and anything else that I imagine could help (comments of the files have
been removed).

Please feel free to ask for any other configuration file:

/etc/pam.conf
Code:
login   auth requisite        pam_authtok_get.so.1
login   auth required         pam_dhkeys.so.1
login   auth required         pam_unix_cred.so.1
login   auth required         pam_dial_auth.so.1
login   auth sufficient       pam_unix_auth.so.1  server_policy debug
login   auth required           /usr/lib/security/pam_ldap.so.1 debug 
rlogin auth sufficient       pam_rhosts_auth.so.1
rlogin auth requisite        pam_authtok_get.so.1
rlogin auth required         pam_dhkeys.so.1
rlogin auth required         pam_unix_cred.so.1
rlogin  auth required          pam_unix_auth.so.1 use_first_pass
rsh    auth sufficient       pam_rhosts_auth.so.1
rsh    auth required         pam_unix_cred.so.1
rsh    auth required         pam_unix_auth.so.1
ppp     auth requisite        pam_authtok_get.so.1
ppp     auth required         pam_dhkeys.so.1
ppp     auth required         pam_dial_auth.so.1
ppp     auth sufficient       pam_unix_auth.so.1 server_policy
other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
other   auth required           pam_unix_auth.so.1 use_first_pass debug
passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
cron    account required      pam_unix_account.so.1
other   account requisite     pam_roles.so.1
other   account sufficient       pam_unix_account.so.1 server_policy
other   account required        /usr/lib/security/pam_ldap.so.1 debug
other   session required      pam_unix_session.so.1
other   password required     pam_dhkeys.so.1
other   password requisite    pam_authtok_get.so.1
other   password requisite    pam_authtok_check.so.1
other   password required     pam_authtok_store.so.1 server_policy

/etc/ldap.conf
Code:
base ou=users,ou=Example,dc=staff,dc=example
ldap_version 3
scope sub
pam_groupdn cn=sysadm@example.int,ou=groups,ou=Example,dc=staff,dc=example
pam_member_attribute memberUid
nss_map_attribute uid displayName
nss_map_attribute cn sn
pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
uri ldap://ldapserver01/
ssl no
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
host klnsds01
nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
pam_password md5

/etc/nsswitch.conf
Code:
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:   files dns
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:       user files
auth_attr:  files
prof_attr:  files
project:    files
tnrhtp:     files
tnrhdb:     files

/etc/security/policy.conf
Code:
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LOCK_AFTER_RETRIES=YES
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1

Thanks in advance for any response...!!
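
Added example, not part of the original post: the post contrasts passwords stored "using crypt" with passwords stored "in md5", and this Python sketch shows how those two userPassword formats differ in OpenLDAP. `{CRYPT}` wraps a crypt(3C) string, while `{MD5}` is base64 of an unsalted MD5 digest, which crypt(3C) cannot check. All function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def make_md5(password: str) -> str:
    """OpenLDAP {MD5}: base64 of the raw, unsalted MD5 digest."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()

def make_smd5(password: str, salt: bytes) -> str:
    """OpenLDAP {SMD5}: base64 of MD5(password + salt) with the salt appended."""
    digest = hashlib.md5(password.encode() + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()

def classify(user_password: str) -> dict:
    """Report the storage scheme and whether crypt(3C) can verify the value."""
    if not user_password.startswith("{") or "}" not in user_password:
        return {"scheme": "cleartext", "crypt3c": False, "salted": False}
    scheme, _, body = user_password[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":
        # A leading "$id$" selects the crypt(3C) algorithm; these ids are the
        # ones policy.conf lists in CRYPT_ALGORITHMS_ALLOW (1, 2a, md5).
        crypt_id = body.split("$")[1] if body.startswith("$") else "__unix__"
        return {"scheme": scheme, "crypt_id": crypt_id, "crypt3c": True, "salted": True}
    return {"scheme": scheme, "crypt3c": False, "salted": scheme in ("SMD5", "SSHA")}

def verify_ldap_md5(user_password: str, candidate: str) -> bool:
    """Recompute an {MD5} or {SMD5} value, as the server must do during a bind."""
    scheme, _, body = user_password[1:].partition("}")
    if scheme.upper() not in ("MD5", "SMD5"):
        raise ValueError("not an MD5-based LDAP scheme: " + scheme)
    raw = base64.b64decode(body)
    digest, salt = raw[:16], raw[16:]  # for {MD5} the salt is empty
    expected = hashlib.md5(candidate.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)

if __name__ == "__main__":
    # Constructed sample values; the {CRYPT} hash part is a placeholder.
    samples = [
        "{CRYPT}$1$saltsalt$PLACEHOLDERnotARealHash",
        make_md5("password"),
        make_smd5("password", b"\x01\x02\x03\x04"),
    ]
    for value in samples:
        print(value, classify(value))
```

Because `{MD5}` carries no salt, identical passwords produce identical stored values, which is one reason to prefer a salted scheme when the directory's hashing is under your control.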