On Tue, Mar 2, 2010 at 12:05 AM, Moritz Willers <mo at wit.ch> wrote:
> How do you bind your Linux systems to the directory? Do you use sasl/gssapi
> binding, a proxy account or do they bind anonymously? What's the ldap.conf?

ldap_version 3
base dc=my-domain
nss_base_passwd cn=users,cn=accounts,dc=my-domain?sub
nss_base_group cn=groups,cn=accounts,dc=my-domain?sub
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,dirsrv
nss_reconnect_maxsleeptime 8
nss_reconnect_sleeptime 1
bind_timelimit 5
timelimit 15
uri ldap://my-ldap-server

> I'm not sure if you are aware that 'authenticationMethod=sasl/GSSAPI' means
> that the OS (nscd) must use Kerberos/GSSAPI to bind to the directory to do
> lookups? Do you have all the GSSAPI identity mapping set up on the directory
> server? Can you perform a gssapi authenticated ldapsearch against the
> directory server?
>
> Or do you just want Solaris integrated to LDAP (with simple binding or
> anonymously) but care about the users being authenticated via Kerberos when
> they log in?

That's the idea. I would like to use the Kerberos ticket to authenticate.
However, the OS client is still trying to get userPassword from the LDAP
server instead of using the Kerberos ticket with these settings:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= my-ldap-server
NS_LDAP_SEARCH_BASEDN= dc=my-domain
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=my-domain
NS_LDAP_SERVICE_SEARCH_DESC= groups:cn=groups,cn=accounts,dc=my-domain
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixAccount

> - mo
>
> On 1 Mar 2010, at 11:22am, Piotr Jasiukajtis wrote:
>
>> Forwarding that to the sparks-discuss
>>
>> ---------- Forwarded message ----------
>> From: Piotr Jasiukajtis <estseg at gmail.com>
>> Date: Mon, Mar 1, 2010 at 12:20 PM
>> Subject: Re: [kerberos-discuss] ldapclient mod -a authenticationMethod=sasl/GSSAPI
>> To: Doug Leavitt <Doug.Leavitt at sun.com>
>> Cc: kerberos-discuss at opensolaris.org
>>
>> Hi Doug,
>>
>> The main reason I use nss-ldap from a 3rd party is because with the native
>> one I can't log in using a kerberos/ldap account.
>>
>> At this moment I have upgraded the system to b133. I can log into the system's
>> console using the 3rd party nss-ldap.
>> With the same configuration (just cp nss-ldap...) I'm not able to do
>> so with the native nss-ldap:
>> login[918]: [ID 468494 daemon.crit] login account failure: No account
>> present for user
>>
>> I have ldapclient running with the following settings:
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_AUTH= sasl/GSSAPI
>> NS_LDAP_SEARCH_SCOPE= sub
>> NS_LDAP_CACHETTL= 0
>> NS_LDAP_CREDENTIAL_LEVEL= self
>> NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixAccount
>>
>> As the 'root' user I already have a host/ principal ticket. Also I am able
>> to obtain a TGT with 'kinit'.
>>
>> In the logs I get:
>> login[499]: [ID 738555 daemon.warning] libsldap: Metaslot disabled for
>> self credential mode
>>
>> and
>> getent[543]: [ID 293258 daemon.warning] libsldap: Status: 7  Mesg:
>> Session error no available conn.
>> pfexec[546]: [ID 293258 daemon.warning] libsldap: Status: 7  Mesg:
>> openConnection: GSSAPI bind failed - 82 Local error
>>
>> Any idea how to solve that?
>>
>> On Fri, Feb 26, 2010 at 8:56 PM, Doug Leavitt <Doug.Leavitt at sun.com>
>> wrote:
>>> Hi Piotr,
>>>
>>>> I'm not sure it's the right alias, however it's related to the GSSAPI.
>>>>
>>>> I have a snv_129 kerberos+ldap client machine. Kerberos is already
>>>> configured. The KDC is running on Linux.
>>>>
>>>> The original nss_ldap library is replaced with nss-ldap from
>>>>
>>>> http://freeipa.org/downloads/solaris/nss_ldap/10/RHATnss-ldap-253-12.i386.pkg
>>>
>>> This is the root of your problem. The nss-ldap that you replaced
>>> the OpenSolaris nss-ldap with is not compatible with OpenSolaris
>>> components. Linux nss-ldap is a different source base with different
>>> characteristics and behaviors and is not compatible with OpenSolaris's
>>> current naming system.
>>>
>>> If you choose to install Linux nss-ldap you need to understand that
>>> none of the advanced facilities like nscd caching, per-user
>>> LDAP/Kerberos support or using any of the Solaris nss_ldap tools
>>> including ldapclient, ldap_cachemgr or ldaplist will function when
>>> you do this.
>>>
>>> All of these components including Solaris pam_ldap require the use
>>> of Solaris nss_ldap and other internal interfaces associated with each
>>> of these pieces.
>>>
>>> By replacing Solaris nss_ldap with Linux nss_ldap you have broken
>>> the LDAP naming services stack, which is why you are getting all
>>> those error messages.
>>>
>>> The correct solution is to not replace nss_ldap with the incompatible
>>> components.
>>>
>>> Linux nss_ldap is not a substitute library for the current OpenSolaris
>>> nss_ldap naming libraries.
>>>
>>> I hope that answers your question.
>>>
>>> Doug.
>>
>> --
>> Piotr Jasiukajtis | estibi | SCA OS0072
>> http://estseg.blogspot.com

--
Piotr Jasiukajtis | estibi | SCA OS0072
http://estseg.blogspot.com
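The distinction Moritz draws above (who binds for lookups, versus how the user authenticates at login) is easy to check mechanically. The following is an added example, not code from the thread, from Solaris or from any nss-ldap package: it parses ldapclient(1M)-style NS_LDAP_* listings like the two Piotr posted and reports the lookup bind mode, the pairing constraint that credentialLevel=self requires sasl/GSSAPI, and the prerequisites Moritz asks about. The function names parse_ns_ldap and classify are the example's own, and the defaults (anonymous/none) and the note that PAM, not NS_LDAP_AUTH, decides login authentication are stated as assumptions in the comments.

```python
"""Added example, not code from the thread or from Solaris: check the
credentialLevel / authenticationMethod pairing of an ldapclient(1M)-style
NS_LDAP_* listing and report what the chosen lookup bind mode depends on.
Assumptions: self must use sasl/GSSAPI, anonymous binds with no credentials,
and the ldapclient defaults are credentialLevel=anonymous, auth=none."""
from collections import defaultdict

def parse_ns_ldap(text):
    """'NS_LDAP_KEY= value' lines -> {key: [values]}; repeated keys such as
    NS_LDAP_SERVICE_SEARCH_DESC accumulate instead of overwriting."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # values may themselves contain '='
        cfg[key.strip()].append(value.strip())
    return dict(cfg)

def classify(cfg):
    """Lookup bind mode, illegal or ineffective pairing, and prerequisites."""
    level = cfg.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0]
    auth = cfg.get("NS_LDAP_AUTH", ["none"])[0]
    out = {"level": level, "auth": auth, "problems": [], "requires": []}
    if level == "self":  # nscd/ldap_cachemgr itself binds with Kerberos
        if auth != "sasl/GSSAPI":
            out["problems"].append(f"credentialLevel=self needs sasl/GSSAPI, got {auth}")
        out["requires"] += [
            "a Kerberos credential for the host principal available to the naming service",
            "GSSAPI identity mapping on the directory server",
            "check: a GSSAPI-authenticated ldapsearch from this host must succeed"]
    elif level == "anonymous":  # lookups carry no credentials at all
        if auth != "none":
            out["problems"].append(f"authenticationMethod={auth} is unused with anonymous lookups")
        out["requires"].append("login auth (Kerberos ticket vs userPassword) is decided by the "
                               "PAM stack, not by these NS_LDAP_* settings")
    else:
        out["problems"].append(f"credentialLevel={level} is not covered by this check")
    return out

# Sample input: the two listings from the thread (constructed test data).
ANON_CFG = """NS_LDAP_AUTH= none
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=my-domain
NS_LDAP_SERVICE_SEARCH_DESC= groups:cn=groups,cn=accounts,dc=my-domain"""
SELF_CFG = "NS_LDAP_AUTH= sasl/GSSAPI\nNS_LDAP_CREDENTIAL_LEVEL= self"

if __name__ == "__main__":
    for text in (ANON_CFG, SELF_CFG):
        print(classify(parse_ns_ldap(text)))
```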