OpenLDAP and Solaris 10 problems


 
# 1  
Old 07-12-2011

Hi All,
I have configured OpenLDAP successfully and get the following results, indicating that the user is loaded in the LDAP database:
Code:
test5:/ $ cat /etc/passwd | grep admin777
test5:/ $ getent passwd admin777
admin777:x:5011:1000::/:/bin/bash
test5:/ $ id admin777
uid=5011(admin777) gid=1000(users) groups=1000(users)
test5:/ $ ldaplist -l passwd admin777
dn: uid=admin777,ou=People,dc=example,dc=com
        shadowMin: 10
        sn: sn
        userPassword: {SSHA}Uy4yMkk71zNJ6XoAAhoKgjYPzXNnU4r5
        loginShell: /bin/bash
        uidNumber: 5011
        gidNumber: 1000
        shadowMax: 30
        objectClass: inetOrgPerson
        objectClass: posixAccount
        objectClass: shadowAccount
        uid: admin777
        shadowLastChange: 15166
        cn: cn
        homeDirectory: /
        shadowWarning: 7
test5:/ $

I've also added an overall security policy in the LDAP database
Code:
# Policies, example.com
dn: ou=Policies,dc=example,dc=com
pwdFailureCountInterval: 0
pwdMaxFailure: 3
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 3
ou: Policies
pwdSafeModify: FALSE
pwdInHistory: 6
pwdGraceAuthNLimit: 0
pwdCheckQuality: 1
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdLockoutDuration: 1920
cn: default
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdLockout: TRUE
pwdMaxAge: 7516800

But it seems that this policy is not activated. For example, pwdMinLength is set to 3, but when the user changes his/her password it seems that the Solaris policy from the /etc/default/passwd file takes over:
Code:
test5:/ $ ssh admin777@10.1.1.5
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
  ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
  PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OR OTHER 
   APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,
 DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES
   AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
   NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT 
                 TO MONITORING AND AUDITING.
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
Password: 
Last login: Tue Jul 12 11:14:22 2011 from test5.example.
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
Sourcing //.profile-EIS.....
test5:/ $ id
uid=5011(admin777) gid=1000(users) groups=1000(users)
test5:/ $ passwd
passwd: Changing password for admin777
Enter existing login password: 
New Password: 
passwd: Password too short - must be at least 8 characters.

Please try again
New Password: 

test5:/ $ cat /etc/default/passwd

#ident  @(#)passwd.dfl 1.7     04/04/22 SMI
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=8

# NAMECHECK enables/disables login name checking.
# The default is to do login name checking.
# Specifying a value of NO will disable login name checking.
#
NAMECHECK=YES

It seems that the Solaris password policy forces the user to follow the Solaris policy and ignores the LDAP ppolicy. Below is my slapd.conf file:
Code:
test5:/ $ cat /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/DUAConfigProfile.schema
include         /usr/local/etc/openldap/schema/solaris.schema
include         /usr/local/etc/openldap/schema/java.schema
 # Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

loglevel        256
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload      ppolicy.la
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"

checkpoint      32      30
cachesize       10000
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          "{SSHA}6FWujVb4YNHJDyniwoWaHTMfXBJBM8u7"

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq
index uid,uidNumber,gidNumber,shadowExpire,shadowLastChange eq

overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout

Any ideas would be highly appreciated!!

# 2  
Old 07-12-2011
Hi,
I'm currently working on the same thing as you. Are you using the Solaris native client or another LDAP client? I understand that there are a few extra steps involved if you use the native client. I see you have the extra schemas you need for Solaris. I would look at your PAM configuration.

I'm still learning myself, so I hope you find your answer.
# 3  
Old 07-12-2011
Hi,
I'm using the native Solaris 10 client and I'm initializing it with the following:
Code:
ldapclient manual -v -a authenticationMethod=none -a defaultSearchBase=dc=example,dc=com -a defaultServerList=127.0.0.1

Yes, I think that my problem lies with the pam.conf file, but I've tried so many combinations... At the moment, for ssh I have:
Code:
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other    auth sufficient      pam_ldap.so.1
other    auth requisite       pam_authtok_get.so.1
other    auth required        pam_dhkeys.so.1
other    auth required        pam_unix_cred.so.1
other    auth sufficient      pam_unix_auth.so.1
#other    auth required        pam_ldap.so.1
#


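Editor's added example, not code posted in the thread or shipped with Solaris. Whatever the LDAP server enforces, the Solaris passwd command first runs the password-management stack from /etc/pam.conf, and in the stock Solaris 10 stack pam_authtok_check.so.1 (marked requisite) reads /etc/default/passwd and rejects a new password shorter than PASSLENGTH before pam_authtok_store.so.1 sends anything to the LDAP repository. That is exactly the "must be at least 8 characters" message in the first post, and it happens regardless of what the ppolicy overlay on the server would have said. The poster only showed the auth stack, so the password lines in the sample below are the Solaris 10 default "other" entries, an assumption about this particular system. The script resolves the stack the way Solaris does (service-specific lines win, "other" is only a fallback) and reports which side gets to judge a given new password.

```python
"""
Editor's added example; not code from the thread or from Solaris.

Resolves the Solaris pam.conf stack that passwd(1) runs for password
management and reports which side (the local PAM stack or the LDAP server)
gets to judge a new password.  pam.conf lines have the form

    service  module_type  control_flag  module_path  [options]

and Solaris consults the `other` lines only when the service has no line of
that module_type at all.  pam_authtok_check.so.1 is the module that reads
/etc/default/passwd (PASSLENGTH and friends); when it is marked requisite
its failure ends the stack before pam_authtok_store.so.1 talks to LDAP.
"""
import re

# auth lines as posted in the thread; the password lines are a constructed
# sample equal to the stock Solaris 10 "other" password stack (assumption:
# the poster did not show this part of his pam.conf).
PAM_CONF = """\
other   auth     sufficient  pam_ldap.so.1
other   auth     requisite   pam_authtok_get.so.1
other   auth     required    pam_dhkeys.so.1
other   auth     required    pam_unix_cred.so.1
other   auth     sufficient  pam_unix_auth.so.1
other   password required    pam_dhkeys.so.1
other   password requisite   pam_authtok_get.so.1
other   password requisite   pam_authtok_check.so.1
other   password required    pam_authtok_store.so.1
"""

# /etc/default/passwd as posted in the thread
DEFAULT_PASSWD = """\
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=8
NAMECHECK=YES
"""


def parse_pam_conf(text):
    """Return (service, module_type, control, module, options) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue  # blank, comment or malformed line
        service, mtype, control, module = fields[:4]
        options = fields[4] if len(fields) == 5 else ""
        entries.append((service.lower(), mtype.lower(), control.lower(), module, options))
    return entries


def resolve_stack(entries, service, module_type):
    """Solaris rule: service-specific lines win; `other` is only a fallback."""
    specific = [e for e in entries if e[0] == service and e[1] == module_type]
    if specific:
        return specific
    return [e for e in entries if e[0] == "other" and e[1] == module_type]


def parse_default_passwd(text):
    """KEY=value pairs from /etc/default/passwd; empty values stay empty."""
    values = {}
    for raw in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)=(.*?)\s*$", raw.split("#", 1)[0])
        if m:
            values[m.group(1)] = m.group(2)
    return values


def client_side_min_length(entries, defaults, service="passwd"):
    """Length enforced locally before any module reaches the LDAP repository,
    or None when nothing in the password stack checks it before the store."""
    for _, _, _, module, _ in resolve_stack(entries, service, "password"):
        if module.endswith("pam_authtok_store.so.1"):
            return None           # the update is sent before any local length check
        if module.endswith("pam_authtok_check.so.1"):
            return int(defaults.get("PASSLENGTH") or 6)  # passwd(1) default is 6
    return None


def judge(new_password, pam_text=PAM_CONF, defaults_text=DEFAULT_PASSWD):
    """'client' if the local stack rejects the password, else 'server' (LDAP
    and its ppolicy overlay are the next thing that sees it)."""
    min_len = client_side_min_length(parse_pam_conf(pam_text),
                                     parse_default_passwd(defaults_text))
    if min_len is not None and len(new_password) < min_len:
        return "client"
    return "server"
```

With the sample above, judge("abcde") returns "client": the five-character password never leaves the box, so an LDAP pwdMinLength of 3 is irrelevant to it. Removing pam_authtok_check from the stack is the only way to let the server be the sole judge of length, which is rarely what you want; the usual compromise is to keep the local module and set PASSLENGTH to the lower of the two bounds, so the directory policy is the binding one.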
# 4  
Old 07-12-2011
I was never able to get the OpenLDAP server to run right on Solaris 10; I did get it running on Solaris 11 though. I opted to install the OpenLDAP server on CentOS because OpenLDAP just runs/configures more easily on Linux. I'm in the process of configuring the Solaris clients to authenticate off of the OpenLDAP server. I'm experimenting with different LDAP clients.

Which installer did you use to install OpenLDAP on Solaris? Did you compile the source from OpenLDAP or use Sunfreeware, Blastwave or OpenCSW packages?
# 5  
Old 07-13-2011
Hi,
I downloaded the software from Sunfreeware (openldap-2.4.24.tar.gz) and installed it with pkgadd. Keep in mind that you might run into some dependencies; below is an extract from my scripts that highlights what will be installed. I just uninstalled the packages and reinstalled these below:
Code:
clear
echo "******************** OpenLDAP setup ********************"
echo "This script will install OpenLdap 2.4.23, libtool 2.4, BerkeleyDB.4.7, openssl 1.0 and openssh 5.8p1"
echo "It will also setup a basic OpenLdap structure"
echo "logfile = /opt/temp/OpenLDAP/install.log"
echo "The following files need to be in directory /opt/temp/OpenLDAP"
echo "openldap-2.4.23-sol10-sparc-local.gz, libtool-2.4-sol10-sparc-local.gz, db-4.7.25.NC-sol10-sparc-local.gz"
echo "openssl-1.0.0d-sol10-sparc-local.gz, openssh-5.8p1-sol10-sparc-local.gz"
echo "openLDAP.gz"

---------- Post updated at 01:56 AM ---------- Previous update was at 12:43 AM ----------

Hmm, getting closer. When I start slapd in debug mode, it starts up, but in the debug log:
Code:
line 22 (pidfile         /usr/local/var/run/slapd.pid)
line 23 (argsfile        /usr/local/var/run/slapd.args)
line 26 (modulepath /usr/local/libexec/openldap)
line 27 (moduleload      ppolicy.la)
loaded module ppolicy.la
module ppolicy.la: null module registered
line 64 (access to dn.base=""        by * read)
>>> dnNormalize: <>
<<< dnNormalize: <>
Backend ACL: access to dn.base=""
        by * read

The line "module ppolicy.la: null module registered" bothers me, as this is exactly my problem: the ppolicy overlay does not work. Any suggestions?

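Editor's added example, not code from the thread or from the OpenLDAP project; it covers the slapd.conf and policy entry from the first post and the debug output just above. Two things are worth checking with a script rather than by eye. First, the posted policy entry has dn: ou=Policies,dc=example,dc=com, while slapd.conf points ppolicy_default at cn=default,ou=Policies,dc=example,dc=com. slapd does not refuse to start over this: when the overlay cannot find the default policy entry it falls back to its built-in (empty) policy, so pwdMinLength 3, lockout and history never come into play on the server. Either rename the entry to cn=default,ou=Policies,dc=example,dc=com (with ou=Policies existing as its parent) or point ppolicy_default at the DN that actually exists. Second, "module ppolicy.la: null module registered" is slapd's normal wording for a module loaded by a plain moduleload line with the default (untyped) registration; every overlay loaded that way logs it, and it is not a failure. Neither point changes the client-side behaviour: the "at least 8 characters" rejection comes from the Solaris PAM password stack before any modification reaches slapd. The script parses slapd.conf text and the policy LDIF (both constructed here from the thread's values, trimmed to the directives and attributes that matter) and reports the DN mismatch; the pwdCheckQuality warning reflects the meaning slapo-ppolicy(5) documents for value 1.

```python
"""
Editor's added example; not code from the thread or from OpenLDAP.

Static cross-check of the slapd.conf ppolicy section against the policy
LDIF.  It only parses text (never contacts slapd).  Both inputs are the
values posted in the thread, trimmed to the directives and attributes that
matter here.
"""
import re

SLAPD_CONF = """\
moduleload      ppolicy.la
database        bdb
suffix          "dc=example,dc=com"
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
"""

POLICY_LDIF = """\
dn: ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
ou: Policies
cn: default
pwdAttribute: userPassword
pwdMinLength: 3
pwdCheckQuality: 1
"""


def norm_dn(dn):
    """Cheap DN normalisation: drop quotes, blanks around ',' and '=', case-fold."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().strip('"')).lower()


def parse_ldif(text):
    """Entries as {attr_lower: [values]}; a line starting with one space is an
    RFC 2849 continuation of the previous value."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif raw.startswith("#"):
            continue
        elif raw[0] in " \t" and last:
            cur[last][-1] += raw[1:]
        else:
            attr, sep, value = raw.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % raw)
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.lstrip(": "))
    if cur:
        entries.append(cur)
    return entries


def parse_slapd_conf(text):
    """Ordered (directive_lower, args) pairs; comments and blanks skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out


def check_ppolicy(conf_text, ldif_text):
    """Return [(level, message)], level being 'ERROR' or 'WARN'."""
    conf, out = parse_slapd_conf(conf_text), []
    loads = [i for i, (d, a) in enumerate(conf) if d == "moduleload" and "ppolicy" in a]
    overlays = [i for i, (d, a) in enumerate(conf) if d == "overlay" and a.split()[:1] == ["ppolicy"]]
    if not overlays:
        return [("ERROR", "no 'overlay ppolicy' directive")]
    if not loads or loads[0] > overlays[0]:
        out.append(("ERROR", "'moduleload ppolicy.la' must precede 'overlay ppolicy'"))
    policies = [e for e in parse_ldif(ldif_text)
                if "pwdpolicy" in [v.lower() for v in e.get("objectclass", [])]]
    dns = {norm_dn(e["dn"][0]) for e in policies}
    defaults = [a for d, a in conf if d == "ppolicy_default"]
    if not defaults:
        out.append(("ERROR", "no ppolicy_default: entries without pwdPolicySubentry get no policy"))
    elif norm_dn(defaults[0]) not in dns:
        out.append(("ERROR", "ppolicy_default %s matches no pwdPolicy entry (found: %s)"
                    % (norm_dn(defaults[0]), ", ".join(sorted(dns)) or "none")))
    for e in policies:
        dn, q = norm_dn(e["dn"][0]), int(e.get("pwdcheckquality", ["0"])[0])
        if "pwdattribute" not in e:
            out.append(("ERROR", "%s lacks the mandatory pwdAttribute" % dn))
        if "pwdminlength" in e and q == 0:
            out.append(("WARN", "%s: pwdMinLength is ignored while pwdCheckQuality is 0" % dn))
        elif "pwdminlength" in e and q == 1:
            out.append(("WARN", "%s: pwdCheckQuality 1 accepts values slapd cannot inspect, "
                        "so a pre-hashed userPassword bypasses pwdMinLength" % dn))
    return out


def errors(findings):
    """Just the ERROR messages, for quick pass/fail use."""
    return [m for level, m in findings if level == "ERROR"]
```

Run against the posted values, check_ppolicy reports one ERROR (the ppolicy_default DN matches no pwdPolicy entry) and one WARN about pwdCheckQuality 1. Once slapd has the right default entry, test the server side on its own with the OpenLDAP client tools (ldappasswd as the user, with a deliberately short password) so that the Solaris PAM stack is out of the picture; if the directory accepts it while passwd on the box rejects it, the remaining limit is local PASSLENGTH, not ppolicy.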
# 6  
Old 07-13-2011
Hey, what's up.
I have not been able to work on the LDAP stuff lately.

I used this guide as well as others to install OpenLDAP on Solaris.
http://uminac.com/wp-content/uploads...65774196-1.pdf
He uses Blastwave to install OpenLDAP on Solaris. This guide has sample files at the end that you can use or review. What I don't like is that he sets up TLS/SSL right away during the initial setup and uses a role to run OpenLDAP. I wanted a simpler setup for testing. I can always lock it down after I have a better understanding of LDAP.

This is what he has for the module stuff.
Code:
# Load dynamic backend modules :
modulepath /opt/csw/libexec/openldap
moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

My slapd.conf looks almost exactly like the one on this site, because I used this guide and the "Red Hat Deployment Guide" to install OpenLDAP on CentOS:
Centralize user accounts with OpenLDAP
There is no module stuff in this file. This guide is missing stuff, but I have yet to find a complete one.

I hope this helps.