Howdy, I am actually running GA Solaris U7 but I think the problem is very 
similar in OpenSolaris. 

We have an OpenLDAP database with usernames and passwords but it is not in 
Posix style, i.e. there are no uids, gids, etc. It uses whatever schema is the 
default in OpenLDAP 2.3, the one that came with the distro, SLES 10. It is very 
easy to get SSHD to use LDAP for password authentication in this distro, and 
get the rest of the user info from the /etc/passwd file (the account is locked 
in /etc/shadow). All you have to do is replace the "auth include common-auth" 
line in the /etc/pam.d/sshd file with "auth required pam_ldap.so" on the second 
line, set "UsePAM yes" in the sshd config file, and point /etc/ldap.conf to 
your LDAP server. (Nsswitch.conf remains "files" only.) You will then get 
anonymous-type binding to check the LDAP password, and the rest of the Posix 
attributes will be set from /etc/passwd.

My root question: Is there a simple way to do this with the Solaris 10 LDAP 
client and the Solaris 10 sshd? 

I think I have LDAP set up correctly, and PAM is doing *something*: I added 
this line to pam.conf: "other auth sufficient pam_ldap.so.1".  And when I snoop 
the connection to the LDAP server I see something:

     backup2 -> services1     LDAP C port=33193 Search Request derefAlways
services1     -> backup2      LDAP R port=33193
services1     -> backup2      LDAP R port=33193 Search ResDone Success

But logins fail. (Maybe anonymous binding doesn't work?)

Has anyone succeeded in getting LDAP authentication to work without Posix 
format LDAP entries? Thanks 

-W Sanders
 St Marys College of CA
-- 
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
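For the Solaris side of the question, below is a pam.conf auth stack that mirrors the SLES recipe in the post (swap the local password check for pam_ldap, keep nsswitch on "files"). It is an added example, not configuration from the post or from the poster's host. It assumes the box has already been initialised as an LDAP client with ldapclient(1M), since Solaris pam_ldap.so.1 takes the server and bind settings from the client profile rather than from /etc/ldap.conf, and it uses the catch-all "other" service name, as the poster's own pam.conf line does; everything else is the stock Solaris 10 "other auth" stack with pam_unix_auth.so.1 replaced.

```text
# /etc/pam.conf fragment, Solaris 10 (added example, not from the post).
# Assumes: ldapclient(1M) has been run, so pam_ldap.so.1 knows the server;
#          nsswitch.conf passwd/shadow stay "files"; the local shadow entry
#          is locked so the only password that can succeed is the LDAP one.
#
# Module order matters: pam_authtok_get must run first so that pam_ldap
# has a password to bind with, and pam_ldap replaces pam_unix_auth rather
# than being appended after it, because a "sufficient" entry placed after
# a "required" entry that has already failed cannot rescue the stack.
#
# "other" covers every service without its own entries, sshd included,
# so this changes console and other logins as well, not just ssh.
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_ldap.so.1
```

Before relying on it, test from a second session with the original pam.conf still open in an editor, since a typo in the "other" stack can lock every login out of the host; the snoop trace in the post (a single search request followed by a successful ResDone, with no entry returned between them) is the kind of evidence to check again after the change.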
