Help with Solaris 10 and ldapclient authentication


 
# 1
Old 08-15-2012

Hello everyone!

Currently, I have a RHEL6 server with an OpenLDAP server running. Most of our servers run on the RHEL platform, but some of them run Solaris 10, and I need to make them authenticate with LDAP too.

As the LDAP server is running without encryption, the command I used to initialize the LDAP client in a test zone of a Solaris 10 server is this:

Code:
bash-3.00# ldapclient -v manual -a defaultServerList=ldapserver.com -a defaultSearchBase=dc=example,dc=com
And if, as root, I do id $ldap_username, I get the correct uid and gid of that LDAP user.
Also as root, I can do su $ldap_username and I log in as that user without any problem.
However, if I try to do ssh $ldap_user@localhost, or even su $ldap_user from a non-root user, I can't log in, and I receive the following error in /var/adm/messages:

Code:
Aug 14 17:31:06 test_zone su[19712]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Aug 14 17:38:13 test_zone sshd[19983]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured

I configured /etc/pam.conf like this:
Code:
$service auth binding pam_unix_auth.so.1 server_policy
$service auth required pam_ldap.so.1

$service account binding pam_unix_account.so.1 server_policy
$service account required pam_ldap.so.1

other password required pam_authtok_store.so.1

(where $service is login, rlogin, other, etc.)

Any help will be highly appreciated!

PS: sorry for my bad English! I'm not a native speaker.
# 2  
Old 08-16-2012
Your user's directory entries are likely missing the required shadowAccount object class.
This User Gave Thanks to jlliagre For This Post:
# 3  
Old 08-16-2012
Hello,
I have done some work in this area. I built two test labs, one at home and one at work. The examples below are from my home test lab. I was able to authenticate a Solaris client, without TLS, to a RHEL OpenLDAP server.

Make sure you have this:
Code:
/etc/nsswitch.conf
passwd:     files ldap
group:      files ldap
hosts:      files ldap

Here is my setup on my test Solaris client server at home.
Code:
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple

# cat user00.ldif
dn: uid=user00,ou=People,dc=deathnote,dc=net
uid: user00
cn: user00
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 805
gidNumber: 501
homeDirectory: /home/user00
gecos: ldap user

Your PAM file looks odd. This is my PAM file from a Solaris client.
Code:
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_dial_auth.so.1
other   auth required           pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient      pam_ldap.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#

This User Gave Thanks to bitlord For This Post:
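The ldapclient list output above shows the stored NS_LDAP_* names, not the attribute names that ldapclient manual takes on the command line, and the working profile differs from the two-attribute init in post #1 in the setting that the "pam_ldap: no legal authentication method configured" message refers to: NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple gives pam_ldap a method to bind with. As an added example (not code from the thread), the POSIX shell script below turns a pasted profile back into the equivalent ldapclient manual command, using the attribute names from ldapclient(1M), and reports which authentication method pam_ldap would end up with. Both sample profiles are constructed here: the first is bitlord's with the encoded password redacted, the second is what the init in post #1 leaves behind with the ldapclient defaults (credentialLevel anonymous, authenticationMethod none). The proxyPassword placeholder is an assumption of this script: ldapclient will not accept the {NS1} encoded value, so the cleartext has to be supplied by hand.

```shell
#!/bin/sh
# Added example: rebuild an "ldapclient manual" command from "ldapclient list"
# output and check what authentication method pam_ldap is left with.

# Constructed input: bitlord's profile, {NS1} password redacted.
SAMPLE_PROFILE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=deathnote,dc=net
NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxxxxxxxx
NS_LDAP_SERVERS= 10.0.1.21:389
NS_LDAP_SEARCH_BASEDN= dc=deathnote,dc=net
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=deathnote,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple'

# Constructed input: the profile the two-attribute init in post #1 produces,
# with ldapclient(1M) defaults (anonymous credential level, no auth method).
BARE_PROFILE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldapserver.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= none
NS_LDAP_CREDENTIAL_LEVEL= anonymous'

# Map an NS_LDAP_* key to the "-a attr=value" attribute name from ldapclient(1M).
# Keys with no settable attribute (NS_LDAP_FILE_VERSION) map to the empty string.
attr_name() {
  case "$1" in
    NS_LDAP_SERVERS)             echo defaultServerList ;;
    NS_LDAP_SEARCH_BASEDN)       echo defaultSearchBase ;;
    NS_LDAP_BINDDN)              echo proxyDN ;;
    NS_LDAP_BINDPASSWD)          echo proxyPassword ;;
    NS_LDAP_AUTH)                echo authenticationMethod ;;
    NS_LDAP_CREDENTIAL_LEVEL)    echo credentialLevel ;;
    NS_LDAP_CACHETTL)            echo profileTTL ;;
    NS_LDAP_SERVICE_SEARCH_DESC) echo serviceSearchDescriptor ;;
    NS_LDAP_SERVICE_AUTH_METHOD) echo serviceAuthenticationMethod ;;
    NS_LDAP_HOST_CERTPATH)       echo certificatePath ;;
    *)                           echo "" ;;
  esac
}

# Read "ldapclient list" output on stdin, print the equivalent command.
# Values containing spaces would need quoting; the ones above have none.
profile_to_command() {
  cmd="ldapclient manual"
  while IFS= read -r line; do
    key=${line%%=*}
    value=${line#*= }
    attr=$(attr_name "$key")
    [ -z "$attr" ] && continue
    # The encoded password cannot be fed back in; placeholder is an assumption.
    [ "$attr" = proxyPassword ] && value='<proxy-password>'
    cmd="$cmd -a $attr=$value"
  done
  printf '%s\n' "$cmd"
}

# Print the method pam_ldap would use: NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:<m>
# if present, otherwise NS_LDAP_AUTH. Exit status is 0 only when it is not
# "none", i.e. pam_ldap actually has something to bind with.
pam_ldap_auth_method() {
  svc=""; default="none"
  while IFS= read -r line; do
    key=${line%%=*}; value=${line#*= }
    case "$key" in
      NS_LDAP_SERVICE_AUTH_METHOD)
        case "$value" in pam_ldap:*) svc=${value#pam_ldap:} ;; esac ;;
      NS_LDAP_AUTH) default=$value ;;
    esac
  done
  method=${svc:-$default}
  printf '%s\n' "$method"
  [ "$method" != none ]
}

# Usage: paste "ldapclient list" output into the functions.
printf '%s\n' "$SAMPLE_PROFILE" | profile_to_command
printf '%s\n' "$SAMPLE_PROFILE" | pam_ldap_auth_method
printf '%s\n' "$BARE_PROFILE" | pam_ldap_auth_method || echo "pam_ldap has no auth method"
```

The check only reads the profile: a method such as tls:simple passes it whether or not the server actually offers TLS, so a TLS negotiation failure in the slapd log still has to be chased separately.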
# 4  
Old 08-16-2012
@bitlord, beware that the NS_LDAP_BINDPASSWD encoding is reversible, so posting its value to everyone is usually unwise.
This User Gave Thanks to jlliagre For This Post:
# 5  
Old 08-16-2012
jlliagre,
I'm not worried, because it is a test server at my house and it is not even running right now. It is not a production server.
This User Gave Thanks to bitlord For This Post:
# 6  
Old 08-16-2012
Indeed, that's why I wrote "usually" unwise. In that specific case, the password is so trivial it would have been guessed anyway.
This User Gave Thanks to jlliagre For This Post:
# 7  
Old 08-16-2012
Thanks a lot for the help, bitlord, I highly appreciate it.

I replaced my pam.conf file with the one you provided, and made some modifications to my ldapclient parameters to match yours.
However, I still can't ssh with LDAP users, or su to an LDAP user from a non-root user. id $ldap_user is still working fine.


Code:
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=Manager,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}xxxxxxxxxxx
NS_LDAP_SERVERS= arbue-ldapserver
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=example,dc=com
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
NS_LDAP_HOST_CERTPATH= /var/ldap


# ldaplist -l passwd test_username
dn: cn=test username,ou=People,dc=example,dc=com
        cn: test username
        givenName: test username
        gidNumber: 1001
        homeDirectory: /home/users/test_username
        loginShell: /bin/bash
        objectClass: inetOrgPerson
        objectClass: posixAccount
        objectClass: top
        uid: test_username
        userPassword: {crypt}$1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        uidNumber: 2002
And I'm receiving this error in the OpenLDAP server log:

Code:
Aug 16 14:19:48 ldapserver slapd[24675]: conn=3888 fd=76 ACCEPT from IP=10.10.10.10:54897 (IP=0.0.0.0:389)
Aug 16 14:19:48 ldapserver slapd[24675]: conn=3888 op=0 SRCH base="ou=People,dc=example,dc=com" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=test_username))"
Aug 16 14:19:48 ldapserver slapd[24675]: conn=3888 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 16 14:19:48 ldapserver slapd[24675]: conn=3888 op=1 UNBIND
Aug 16 14:19:48 ldapserver slapd[24675]: conn=3888 fd=76 closed
Aug 16 14:19:48 ldapserver slapd[24675]: conn=3889 fd=76 ACCEPT from IP=10.10.10.10:54900 (IP=0.0.0.0:636)
Aug 16 14:19:48 ldapserver slapd[24675]: conn=3889 fd=76 closed (TLS negotiation failure)
Any hint?

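The ldaplist -l output in post #7 lists inetOrgPerson, posixAccount and top as object classes and no shadowAccount, which is the condition jlliagre named in post #2; bitlord's working entry in post #3 carries both posixAccount and shadowAccount, and his profile has a shadow serviceSearchDescriptor for the Solaris shadow lookup that filters on objectClass=shadowAccount. As an added example (not code from the thread), the POSIX shell script below runs that check over an entry pasted from ldaplist -l or plain LDIF and, when a class is missing, prints the ldapmodify(1) change that adds it. The sample entry is the one from post #7, constructed here with the password hash redacted; shadowAccount is an auxiliary class, so adding it to an existing inetOrgPerson entry is a plain modify.

```shell
#!/bin/sh
# Added example: check an LDAP user entry for the object classes the Solaris
# passwd and shadow lookups need, and emit the LDIF that adds the missing ones.

# Constructed input: the "ldaplist -l passwd test_username" output from post #7.
SAMPLE_ENTRY='dn: cn=test username,ou=People,dc=example,dc=com
        cn: test username
        givenName: test username
        gidNumber: 1001
        homeDirectory: /home/users/test_username
        loginShell: /bin/bash
        objectClass: inetOrgPerson
        objectClass: posixAccount
        objectClass: top
        uid: test_username
        userPassword: {crypt}$1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        uidNumber: 2002'

# Print the DN of the entry on stdin (leading whitespace as ldaplist prints it).
entry_dn() {
  sed -n 's/^[[:space:]]*dn:[[:space:]]*//p' | head -n 1
}

# Exit 0 when the entry on stdin carries object class $1. The comparison is
# case-insensitive, as LDAP compares objectClass values.
entry_has_objectclass() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  sed -n 's/^[[:space:]]*objectClass:[[:space:]]*//p' | tr 'A-Z' 'a-z' | grep -qx "$want"
}

# Print one line per missing class (posixAccount for passwd, shadowAccount for
# shadow); exit 0 only when nothing is missing.
missing_objectclasses() {
  entry=$(cat)
  missing=0
  for oc in posixAccount shadowAccount; do
    if ! printf '%s\n' "$entry" | entry_has_objectclass "$oc"; then
      printf '%s\n' "$oc"
      missing=1
    fi
  done
  return $missing
}

# Emit an ldapmodify change that adds the missing auxiliary classes to the
# entry on stdin; prints nothing when the entry is already complete.
fix_ldif() {
  entry=$(cat)
  dn=$(printf '%s\n' "$entry" | entry_dn)
  missing=$(printf '%s\n' "$entry" | missing_objectclasses) && return 0
  printf 'dn: %s\nchangetype: modify\nadd: objectClass\n' "$dn"
  printf '%s\n' "$missing" | sed 's/^/objectClass: /'
  printf -- '-\n'
}

# Usage: report, then print the change to review before feeding it to ldapmodify.
printf '%s\n' "$SAMPLE_ENTRY" | missing_objectclasses || echo "entry is incomplete"
printf '%s\n' "$SAMPLE_ENTRY" | fix_ldif
```

The generated LDIF can be applied with ldapmodify against the OpenLDAP server using an identity allowed to write that entry (for example cn=Manager,dc=example,dc=com from the profile in post #7); ldaplist -l afterwards should show objectClass: shadowAccount alongside posixAccount. Adding the class does not set shadow attributes such as shadowLastChange, which is fine for a plain password check.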