Re: [zones-discuss] trying to login with solaris Ldap client
I changed the pam.conf exactly as you said, and now the problem is different.

Answering your questions, I have 2 Solaris systems:

  - SunOS 5.11 NexentaOS_20061012 i86pc i386 i86pc Solaris
  - SunOS solaris-devx 5.11 snv_55b i86pc i386 i86pc

The OpenLDAP version is 2.3.34. I got it from www.openldap.org.

In Nexenta I use this setup script:

  ldapclient -v manual \
    -a defaultServerList=192.168.70.133 \
    -a defaultSearchBase=dc=tel,dc=uva,dc=es \
    -a serviceSearchDescriptor=passwd:ou=users,dc=tel,dc=uva,dc=es \
    -a serviceSearchDescriptor=group:ou=groups,dc=tel,dc=uva,dc=es \
    -a serviceSearchDescriptor=shadow:ou=users,dc=tel,dc=uva,dc=es \
    -a authenticationMethod=simple \
    -a proxyDN=cn=proxyagent,ou=profile,dc=tel,dc=uva,dc=es \
    -a proxyPassword=password

The only difference from your setup is authenticationMethod: I use simple. The pam.conf is the same as yours, and the nsswitch.conf is this:

  passwd:     files ldap
  group:      files ldap
  shadow:     files ldap
  # consult /etc files only if ldap is down.
  hosts:      files dns
  # Note that IPv4 addresses are searched for in all of the ipnodes databases
  # before searching the hosts databases.
  ipnodes:    files dns
  networks:   files
  protocols:  files
  rpc:        files
  ethers:     files
  netmasks:   files
  bootparams: files
  publickey:  files
  netgroup:   ldap
  automount:  files ldap
  aliases:    files ldap
  # for efficient getservbyname() avoid ldap
  services:   files ldap
  printers:   user files ldap
  auth_attr:  files ldap
  prof_attr:  files ldap
  project:    files ldap
  tnrhtp:     files ldap
  tnrhdb:     files ldap

id, passwd, finger... run well.

  [EMAIL PROTECTED]:~# passwd dpercam
  Enter dpercam's password:
  New Password:
  Re-enter new Password:
  passwd: password successfully changed for dpercam
  [EMAIL PROTECTED]:~# id caralo
  uid=2001(caralo) gid=1001(profesores) groups=1001(profesores)

But when I try to login, it doesn't work: login incorrect.
  conn=0 fd=12 ACCEPT from IP=192.168.70.144:34772 (IP=0.0.0.0:389)
  conn=0 op=0 SRCH base=ou=users,dc=tel,dc=uva,dc=es scope=1 deref=3 filter=(&(objectClass=shadowAccount)(uid=dpercam))
  conn=0 op=0 SRCH attr=uid userpassword shadowflag
  <= bdb_equality_candidates: (uid) index_param failed (18)
  conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=

In Solaris Developer Express I have the same pam.conf and nsswitch.conf. I use this setup script:

  ldapclient -v init \
    -a proxyDN=cn=proxyagent,ou=profile,dc=tel,dc=uva,dc=es \
    -a proxyPassword=password \
    -a domainname=tel.uva.es 192.168.70.133

It configures itself with the default user in my LDAP server:

  dn: cn=default,ou=profile,dc=tel,dc=uva,dc=es
  ObjectClass: top
  ObjectClass: DUAConfigProfile
  defaultServerList: 192.168.70.133
  defaultSearchBase: dc=tel,dc=uva,dc=es
  authenticationMethod: simple
  followReferrals: TRUE
  cn: default
  credentialLevel: proxy
  serviceSearchDescriptor: passwd: ou=users,dc=tel,dc=uva,dc=es?one
  serviceSearchDescriptor: group: ou=groups,dc=tel,dc=uva,dc=es?one
  serviceSearchDescriptor: shadow: ou=users,dc=tel,dc=uva,dc=es?one

With this configuration, when I try to login right after a reboot, I can login, but without entering the password: the PC doesn't ask me for it. If I log in as root and then try to login in the terminal, I can't. The message is this:

  # login dpercam
  No utmpx entry. You must exec login from the lowest level shell.

In both cases, I can use su and ssh. Does anybody know what I have to change?
Thank you very much.

From: jpd [EMAIL PROTECTED]
To: Daniel Pérez del Campo [EMAIL PROTECTED]
Subject: Re: [zones-discuss] trying to login with solaris Ldap client
Date: Sat, 25 Aug 2007 01:32:03 +0100

pam.conf

  # Authentication management
  #
  # login service (explicit because of pam_dial_auth)
  #
  login   auth requisite  pam_authtok_get.so.1
  login   auth required   pam_dhkeys.so.1
  login   auth required   pam_unix_cred.so.1
  #login  auth required   pam_unix_auth.so.1
  login   auth binding    pam_unix_auth.so.1 server_policy
  login   auth required   pam_ldap.so.1 use_first_pass
  login   auth required   pam_dial_auth.so.1
  #
  # rlogin service (explicit because of pam_rhost_auth)
  #
  rlogin  auth sufficient pam_rhosts_auth.so.1
  rlogin  auth requisite  pam_authtok_get.so.1
  rlogin  auth required   pam_dhkeys.so.1
  rlogin  auth required   pam_unix_cred.so.1
  #rlogin auth required   pam_unix_auth.so.1
  rlogin  auth binding    pam_unix_auth.so.1 server_policy
  rlogin  auth required   pam_ldap.so.1 use_first_pass
  #
  # Kerberized rlogin service
  #
  krlogin auth required   pam_unix_cred.so.1
  krlogin auth binding    pam_krb5.so.1
  #krlogin auth required  pam_unix_auth.so.1
  krlogin auth binding    pam_unix_auth.so.1 server_policy
  krlogin auth required   pam_ldap.so.1 use_first_pass
  #
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  #
  rsh     auth sufficient
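The slapd log quoted above is what the Solaris client's lookups look like on the server side, and the diagnostic value is in correlating each SRCH with its SEARCH RESULT: err=0 with nentries=1 means the directory found the account, so the login failure is on the client (PAM) side, not in the search. The "<= bdb_equality_candidates: (uid) index_param failed (18)" line is not an error; it means slapd has no equality index for uid (the slapd.conf in this thread only indexes objectClass), so the filter is evaluated against a candidate scan. The following Python is an added example, not code from this thread, from Sun or from OpenLDAP; it parses the log lines by conn/op and reports which object classes a uid was found under. The log text is constructed from the fragments quoted in the thread (with the "<=" and "&" that the archive stripped restored), plus one constructed lookup of a non-existent uid as a negative case.

```python
"""Correlate OpenLDAP slapd access-log lines by conn/op and summarise the
outcome of each search. Added example, not code from the zones-discuss thread."""
import re

# Constructed sample: fragments quoted in the thread, plus a constructed
# lookup of a uid that does not exist (conn=77) as a negative case.
SAMPLE_SLAPD_LOG = """\
conn=0 fd=12 ACCEPT from IP=192.168.70.144:34772 (IP=0.0.0.0:389)
conn=0 op=0 SRCH base="ou=users,dc=tel,dc=uva,dc=es" scope=1 deref=3 filter="(&(objectClass=shadowAccount)(uid=dpercam))"
conn=0 op=0 SRCH attr=uid userpassword shadowflag
<= bdb_equality_candidates: (uid) index_param failed (18)
conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=76 op=99 SRCH base="ou=users,dc=tel,dc=uva,dc=es" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=dpercam))"
conn=76 op=99 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
<= bdb_equality_candidates: (uid) index_param failed (18)
conn=76 op=99 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=77 op=3 SRCH base="ou=users,dc=tel,dc=uva,dc=es" scope=1 deref=3 filter="(&(objectClass=posixAccount)(uid=nobody2))"
conn=77 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

OP_RE = re.compile(r"^conn=(\d+) op=(\d+) (.*)$")
SRCH_RE = re.compile(r"^SRCH base=(\S+) scope=(\d+) deref=\d+ filter=(\S+)$")
ATTR_RE = re.compile(r"^SRCH attr=(.*)$")
RESULT_RE = re.compile(r"^SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")
# slapd prints this line without a conn/op prefix; it belongs to the op in progress.
UNINDEXED_RE = re.compile(r"^<= bdb_\w+_candidates: \((\w+)\) index_param failed")
FILTER_RE = re.compile(r"\(objectClass=(\w+)\)\(uid=([^)]+)\)")


def correlate_searches(text):
    """Return one dict per search, in log order, joining SRCH/attr/RESULT lines."""
    ops, order, last_key = {}, [], None
    for line in text.splitlines():
        u = UNINDEXED_RE.match(line)
        if u:
            if last_key is not None:
                ops[last_key]["unindexed"].append(u.group(1))
            continue
        m = OP_RE.match(line)
        if not m:
            continue  # ACCEPT, BIND, UNBIND and other lines are not searches
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        s = SRCH_RE.match(rest)
        if s:
            ops[key] = {"base": s.group(1).strip('"'), "scope": int(s.group(2)),
                        "filter": s.group(3).strip('"'), "attrs": [], "unindexed": []}
            order.append(key)
            last_key = key
            continue
        a = ATTR_RE.match(rest)
        if a and key in ops:
            ops[key]["attrs"] = a.group(1).split()
            last_key = key
            continue
        r = RESULT_RE.match(rest)
        if r and key in ops:
            ops[key]["err"], ops[key]["nentries"] = int(r.group(1)), int(r.group(2))
            last_key = key
    return [dict(conn=k[0], op=k[1], **ops[k]) for k in order]


def entry_found(searches, uid):
    """Map objectClass -> whether the server returned an entry for this uid."""
    out = {}
    for s in searches:
        f = FILTER_RE.search(s["filter"])
        if f and f.group(2) == uid and "nentries" in s:
            out[f.group(1)] = s["nentries"] > 0
    return out


if __name__ == "__main__":
    searches = correlate_searches(SAMPLE_SLAPD_LOG)
    for s in searches:
        print(f"conn={s['conn']} op={s['op']} {s['filter']} -> "
              f"err={s.get('err')} nentries={s.get('nentries')} unindexed={s['unindexed']}")
    print(entry_found(searches, "dpercam"))
```

Run on the constructed sample it reports that dpercam is found under both shadowAccount and posixAccount while the made-up uid is not, which is exactly the check Enda makes later in the thread before pointing at pam.conf.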
Re: [zones-discuss] trying to login with solaris Ldap client
try:

  passwd  auth binding    pam_passwd_auth.so.1 server_policy
  passwd  auth required   pam_ldap.so.1

I have got several Solaris 10 boxes using LDAP with OpenLDAP; I will have a look at my setup if you still need help.

This message posted from opensolaris.org
___
zones-discuss mailing list
zones-discuss@opensolaris.org
Re: [zones-discuss] trying to login with solaris Ldap client
From: John-Paul Drawneek [EMAIL PROTECTED]
To: zones-discuss@opensolaris.org
Subject: Re: [zones-discuss] trying to login with solaris Ldap client
Date: Fri, 24 Aug 2007 01:49:54 PDT

try:

  passwd  auth binding    pam_passwd_auth.so.1 server_policy
  passwd  auth required   pam_ldap.so.1

I have got several Solaris 10 boxes using LDAP with OpenLDAP; I will have a look at my setup if you still need help.

I have tried your suggestion but the result is the same. I always have to change the password, and I can't login. Could you have a look at my setup and compare it with yours?

Thank you very much for your help.
Re: [zones-discuss] trying to login with solaris Ldap client
From: Enda O'Connor ( Sun Micro Systems Ireland) [EMAIL PROTECTED]
To: Daniel Pérez del Campo [EMAIL PROTECTED]
CC: zones-discuss@opensolaris.org
Subject: Re: [zones-discuss] trying to login with solaris Ldap client
Date: Tue, 21 Aug 2007 13:43:21 +0100

  <= bdb_equality_candidates: (uid) index_param failed (18)
  conn=76 op=98 SEARCH RESULT tag=101 err=0 nentries=1 text=
  conn=76 op=99 SRCH base=ou=users,dc=tel,dc=uva,dc=es scope=1 deref=3 filter=(&(objectClass=posixAccount)(uid=dpercam))
  conn=76 op=99 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
  <= bdb_equality_candidates: (uid) index_param failed (18)
  conn=76 op=99 SEARCH RESULT tag=101 err=0 nentries=1 text=

Does anybody know what could be the problem??? I'm desperate!

Thank you very much.
Daniel Pérez

Looks like a pam issue? The server is finding the entry (nentries=1).

What have you configured in /etc/pam.conf? Read man -s5 pam_ldap to get an idea. So, at a guess from your env above, change

  <service name> auth required pam_unix_auth.so.1

to

  <service name> auth binding pam_unix_auth.so.1 server_policy

for all lines that match, and add

  <service name> auth required pam_ldap.so.1

once for each service name that you changed. Also add the line

  other password required pam_authtok_store.so.1 server_policy

Other than that, not too clear what is wrong.

Enda

I have changed the pam.conf as you said, but the problem is the same. It forces me to change the password again and again.
The pam.conf is this:

  login   auth requisite  pam_authtok_get.so.1
  login   auth required   pam_dhkeys.so.1
  login   auth required   pam_unix_cred.so.1
  login   auth binding    pam_unix_auth.so.1 server_policy
  login   auth required   pam_ldap.so.1
  login   auth required   pam_dial_auth.so.1
  rlogin  auth sufficient pam_rhosts_auth.so.1
  rlogin  auth requisite  pam_authtok_get.so.1
  rlogin  auth required   pam_dhkeys.so.1
  rlogin  auth required   pam_unix_cred.so.1
  rlogin  auth binding    pam_unix_auth.so.1 server_policy
  rlogin  auth required   pam_ldap.so.1
  krlogin auth required   pam_unix_cred.so.1
  krlogin auth binding    pam_krb5.so.1
  krlogin auth binding    pam_unix_auth.so.1 server_policy
  krlogin auth required   pam_ldap.so.1
  rsh     auth sufficient pam_rhosts_auth.so.1
  rsh     auth required   pam_unix_cred.so.1
  krsh    auth required   pam_unix_cred.so.1
  krsh    auth binding    pam_krb5.so.1
  krsh    auth binding    pam_unix_auth.so.1 server_policy
  krsh    auth required   pam_ldap.so.1
  ktelnet auth required   pam_unix_cred.so.1
  ktelnet auth binding    pam_krb5.so.1
  ktelnet auth binding    pam_unix_auth.so.1 server_policy
  ktelnet auth required   pam_ldap.so.1
  ppp     auth requisite  pam_authtok_get.so.1
  ppp     auth required   pam_dhkeys.so.1
  ppp     auth required   pam_unix_cred.so.1
  ppp     auth binding    pam_unix_auth.so.1 server_policy
  ppp     auth required   pam_ldap.so.1
  ppp     auth required   pam_dial_auth.so.1
  other   auth requisite  pam_authtok_get.so.1
  other   auth required   pam_dhkeys.so.1
  other   auth required   pam_unix_cred.so.1
  other   auth binding    pam_unix_auth.so.1 server_policy
  other   auth required   pam_ldap.so.1
  passwd  auth required   pam_passwd_auth.so.1
  cron    account required  pam_unix_account.so.1
  other   account requisite pam_roles.so.1
  other   account required  pam_unix_account.so.1
  other   session required  pam_unix_session.so.1
  other   password required  pam_dhkeys.so.1
  other   password requisite pam_authtok_get.so.1
  other   password requisite pam_authtok_check.so.1
  #other  password required  pam_authtok_store.so.1
  other   password required  pam_authtok_store.so.1 server_policy

I don't know what to do. Does anybody know what is the problem??

Thank you very much.
Daniel Perez
Re: [zones-discuss] trying to login with solaris Ldap client
From: Enda O'Connor [EMAIL PROTECTED]
To: Daniel Pérez del Campo [EMAIL PROTECTED]
CC: zones-discuss@opensolaris.org
Subject: Re: [zones-discuss] trying to login with solaris Ldap client
Date: Wed, 22 Aug 2007 13:12:22 +0100

Daniel Pérez del Campo wrote:

  From: Enda O'Connor ( Sun Micro Systems Ireland) [EMAIL PROTECTED]
  To: Daniel Pérez del Campo [EMAIL PROTECTED]
  CC: zones-discuss@opensolaris.org
  Subject: Re: [zones-discuss] trying to login with solaris Ldap client
  Date: Tue, 21 Aug 2007 13:43:21 +0100

    <= bdb_equality_candidates: (uid) index_param failed (18)
    conn=76 op=98 SEARCH RESULT tag=101 err=0 nentries=1 text=
    conn=76 op=99 SRCH base=ou=users,dc=tel,dc=uva,dc=es scope=1 deref=3 filter=(&(objectClass=posixAccount)(uid=dpercam))
    conn=76 op=99 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
    <= bdb_equality_candidates: (uid) index_param failed (18)
    conn=76 op=99 SEARCH RESULT tag=101 err=0 nentries=1 text=

  Does anybody know what could be the problem??? I'm desperate!

  Thank you very much.
  Daniel Pérez

  Looks like a pam issue? The server is finding the entry (nentries=1).

  What have you configured in /etc/pam.conf? Read man -s5 pam_ldap to get an idea. So, at a guess from your env above, change

    <service name> auth required pam_unix_auth.so.1

  to

    <service name> auth binding pam_unix_auth.so.1 server_policy

  for all lines that match, and add

    <service name> auth required pam_ldap.so.1

  once for each service name that you changed. Also add the line

    other password required pam_authtok_store.so.1 server_policy

  Other than that, not too clear what is wrong.

  Enda

  I have changed the pam.conf as you said, but the problem is the same. It forces me to change the password again and again.

  The pam.conf is this:

    login   auth requisite  pam_authtok_get.so.1
    login   auth required   pam_dhkeys.so.1
    login   auth required   pam_unix_cred.so.1
    login   auth binding    pam_unix_auth.so.1 server_policy
    login   auth required   pam_ldap.so.1
    login   auth required   pam_dial_auth.so.1
    rlogin  auth sufficient pam_rhosts_auth.so.1
    rlogin  auth requisite  pam_authtok_get.so.1
    rlogin  auth required   pam_dhkeys.so.1
    rlogin  auth required   pam_unix_cred.so.1
    rlogin  auth binding    pam_unix_auth.so.1 server_policy
    rlogin  auth required   pam_ldap.so.1
    krlogin auth required   pam_unix_cred.so.1
    krlogin auth binding    pam_krb5.so.1
    krlogin auth binding    pam_unix_auth.so.1 server_policy
    krlogin auth required   pam_ldap.so.1
    rsh     auth sufficient pam_rhosts_auth.so.1
    rsh     auth required   pam_unix_cred.so.1
    krsh    auth required   pam_unix_cred.so.1
    krsh    auth binding    pam_krb5.so.1
    krsh    auth binding    pam_unix_auth.so.1 server_policy
    krsh    auth required   pam_ldap.so.1
    ktelnet auth required   pam_unix_cred.so.1
    ktelnet auth binding    pam_krb5.so.1
    ktelnet auth binding    pam_unix_auth.so.1 server_policy
    ktelnet auth required   pam_ldap.so.1
    ppp     auth requisite  pam_authtok_get.so.1
    ppp     auth required   pam_dhkeys.so.1
    ppp     auth required   pam_unix_cred.so.1
    ppp     auth binding    pam_unix_auth.so.1 server_policy
    ppp     auth required   pam_ldap.so.1
    ppp     auth required   pam_dial_auth.so.1
    other   auth requisite  pam_authtok_get.so.1
    other   auth required   pam_dhkeys.so.1
    other   auth required   pam_unix_cred.so.1
    other   auth binding    pam_unix_auth.so.1 server_policy
    other   auth required   pam_ldap.so.1
    passwd  auth required   pam_passwd_auth.so.1
    cron    account required  pam_unix_account.so.1
    other   account requisite pam_roles.so.1
    other   account required  pam_unix_account.so.1
    other   session required  pam_unix_session.so.1
    other   password required  pam_dhkeys.so.1
    other   password requisite pam_authtok_get.so.1
    other   password requisite pam_authtok_check.so.1
    #other  password required  pam_authtok_store.so.1
    other   password required  pam_authtok_store.so.1 server_policy

  I don't know what to do. Does anybody know what is the problem??

  Thank you very much.
  Daniel Perez

I'm not familiar with OpenLDAP config as such, but I did find the following link which might help you out:

http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server

Have a read through it; it seems you might have some work to do on the LDAP server side.

Regards
Enda

I had read it before. There are 3 points to prepare the LDAP server. As I show in my first message, I have solaris.schema and DUAConfigProfile.schema in my slapd.conf. Initializing the directory structure, I have done it; you can see it in the first message too. the unique different
[zones-discuss] trying to login with solaris Ldap client
Hi,

First of all, sorry for my English. I'll try to be clear.

I have an OpenLDAP server running on a Linux Debian 2.6.18-3-k7 with this slapd.conf:

  include /usr/local/etc/openldap/schema/core.schema
  include /usr/local/etc/openldap/schema/cosine.schema
  include /usr/local/etc/openldap/schema/inetorgperson.schema
  include /usr/local/etc/openldap/schema/nis.schema
  include /usr/local/etc/openldap/schema/solaris.schema
  include /usr/local/etc/openldap/schema/DUAConfigProfile.schema
  include /usr/local/etc/openldap/schema/nisdomainobject.schema
  #include /usr/local/etc/openldap/schema/solaris-nis.schema

  pidfile  /usr/local/var/run/slapd.pid
  argsfile /usr/local/var/run/slapd.args

  access to attrs=userPassword
      by self write
      by anonymous auth
      by * none
  access to *
      by * read

  allow bind_v2

  database  bdb
  suffix    dc=tel,dc=uva,dc=es
  rootdn    cn=root,dc=tel,dc=uva,dc=es
  rootpw    secret
  directory /usr/local/var/openldap-data
  # Indices to maintain
  index objectClass eq

The OpenLDAP version is 2.3.34. I want 3 clients to authenticate against the LDAP server: one Linux, one Windows and one Solaris. With Linux and Windows there are no problems. With the Solaris client I have a problem. To configure the Solaris client I did these steps: First, I added solaris.schema and DUAConfigProfile.schema. Then I populated my directory.
My tree is this:

  dn: dc=tel,dc=uva,dc=es
  objectClass: dcObject
  objectClass: organization
  objectClass: nisDomainObject
  nisDomain: tel.uva.es
  o: tel
  dc: tel

  dn: cn=root,dc=tel,dc=uva,dc=es
  objectClass: organizationalRole
  objectClass: bootableDevice
  cn: root

  dn: ou=users,dc=tel,dc=uva,dc=es
  ou: users
  objectClass: top
  objectClass: organizationalUnit

  dn: ou=groups,dc=tel,dc=uva,dc=es
  ou: groups
  objectClass: top
  objectClass: organizationalUnit

  dn: cn=profesores,ou=groups,dc=tel,dc=uva,dc=es
  cn: profesores
  gidNumber: 1001
  objectClass: top
  objectClass: posixGroup

  dn: cn=alumnos,ou=groups,dc=tel,dc=uva,dc=es
  cn: alumnos
  gidNumber: 1002
  objectClass: top
  objectClass: posixGroup

  dn: uid=dpercam,ou=users,dc=tel,dc=uva,dc=es
  uid: dpercam
  givenName: Daniel
  sn: Perez
  cn: Daniel Perez
  uidNumber: 2002
  gidNumber: 1002
  homeDirectory: /home/dpercam
  objectClass: top
  objectClass: person
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: inetOrgPerson
  mail: [EMAIL PROTECTED]
  loginShell: /bin/bash
  userPassword: dpercam

  dn: uid=edugom,ou=users,dc=tel,dc=uva,dc=es
  uid: edugom
  givenName: Eduardo
  sn: Gomez
  cn: Eduardo Gomez
  loginShell: /bin/bash
  uidNumber: 2005
  gidNumber: 1001
  homeDirectory: /home/edugom
  objectClass: top
  objectClass: person
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: inetOrgPerson
  userPassword: edugom

  dn: ou=profile,dc=tel,dc=uva,dc=es
  ou: profile
  objectClass: top
  objectClass: organizationalUnit

  dn: cn=proxyagent,ou=profile,dc=tel,dc=uva,dc=es
  cn: proxyagent
  sn: proxyagent
  objectClass: top
  objectClass: person
  userPassword: password

  dn: cn=default,ou=profile,dc=tel,dc=uva,dc=es
  objectClass: top
  objectClass: DUAConfigProfile
  defaultServerList: 192.168.70.133
  defaultSearchBase: dc=tel,dc=uva,dc=es
  authenticationMethod: simple
  followReferrals: TRUE
  defaultSearchScope: one
  searchTimeLimit: 30
  profileTTL: 43200
  bindTimeLimit: 2
  cn: default
  credentialLevel: proxy
  serviceSearchDescriptor: passwd: ou=users,dc=tel,dc=uva,dc=es?one
  serviceSearchDescriptor: group: ou=groups,dc=tel,dc=uva,dc=es?one
  serviceSearchDescriptor: shadow: ou=users,dc=tel,dc=uva,dc=es?one

Then I run the ldapclient:

  ldapclient -v init \
    -a proxyDN=cn=proxyagent,ou=profile,dc=tel,dc=uva,dc=es \
    -a proxyPassword=password \
    -a domainname=tel.uva.es ip.adress

The file nsswitch.conf is now:

  passwd:     files ldap
  group:      files ldap
  shadow:     files ldap
  hosts:      files dns
  ipnodes:    files dns
  networks:   files
  protocols:  files
  rpc:        files
  ethers:     files
  netmasks:   files
  bootparams: files
  publickey:  files
  netgroup:   ldap
  automount:  files ldap
  aliases:    files ldap
  services:   files ldap
  printers:   user files ldap
  auth_attr:  files ldap
  prof_attr:  files ldap
  project:    files ldap
  tnrhtp:     files ldap
  tnrhdb:     files ldap
Re: [zones-discuss] trying to login with solaris Ldap client
  <= bdb_equality_candidates: (uid) index_param failed (18)
  conn=76 op=98 SEARCH RESULT tag=101 err=0 nentries=1 text=
  conn=76 op=99 SRCH base=ou=users,dc=tel,dc=uva,dc=es scope=1 deref=3 filter=(&(objectClass=posixAccount)(uid=dpercam))
  conn=76 op=99 SRCH attr=cn uid uidnumber gidnumber gecos description homedirectory loginshell
  <= bdb_equality_candidates: (uid) index_param failed (18)
  conn=76 op=99 SEARCH RESULT tag=101 err=0 nentries=1 text=

Does anybody know what could be the problem??? I'm desperate!

Thank you very much.
Daniel Pérez

Looks like a pam issue? The server is finding the entry (nentries=1).

What have you configured in /etc/pam.conf? Read man -s5 pam_ldap to get an idea. So, at a guess from your env above, change

  <service name> auth required pam_unix_auth.so.1

to

  <service name> auth binding pam_unix_auth.so.1 server_policy

for all lines that match, and add

  <service name> auth required pam_ldap.so.1

once for each service name that you changed. Also add the line

  other password required pam_authtok_store.so.1 server_policy

Other than that, not too clear what is wrong.

Enda
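The two pam.conf changes proposed in this thread (Enda's: make pam_unix_auth.so.1 a "binding ... server_policy" entry followed by "required pam_ldap.so.1" in each auth stack, and give pam_authtok_store.so.1 server_policy in the password stack; John-Paul's: the same binding/server_policy plus pam_ldap treatment for pam_passwd_auth.so.1 in the passwd service) are easy to get half right across many service names, which is how a stack ends up still rejecting LDAP users or forcing a password change on every login. The Python below is an added example, not code from this thread, from Sun or from OpenLDAP: it parses a pam.conf and reports, per service, which of those conditions are not met. The sample pam.conf embedded in it is constructed from fragments posted in the thread (one service left in the original "required pam_unix_auth" form, one in the corrected form) and is not a complete file.

```python
"""Lint a Solaris /etc/pam.conf for the LDAP stack layout suggested in this thread.
Added example, not code from the zones-discuss thread, from Sun or from OpenLDAP."""
import re
from collections import defaultdict

# Local-repository auth modules that must let LDAP users fall through to pam_ldap.
LOCAL_AUTH_MODULES = {"pam_unix_auth.so.1", "pam_passwd_auth.so.1"}

# Constructed sample built from fragments posted in the thread; not a complete file.
SAMPLE_PAM_CONF = """\
# login: the 'before' layout from the original post
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
# other: the layout after Enda's change
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth binding    pam_unix_auth.so.1 server_policy
other   auth required   pam_ldap.so.1
# passwd service still in its original form
passwd  auth required   pam_passwd_auth.so.1
other   password required  pam_dhkeys.so.1
other   password requisite pam_authtok_get.so.1
other   password requisite pam_authtok_check.so.1
other   password required  pam_authtok_store.so.1
"""

# service  module-type  control-flag  module-path [options...]
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_pam_conf(text):
    """Return {(service, module_type): [(control, module, options), ...]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam.conf line: {raw!r}")
        service, mtype, control, module, opts = m.groups()
        stacks[(service, mtype)].append((control, module, tuple((opts or "").split())))
    return dict(stacks)


def check_ldap_stacks(stacks):
    """Return sorted (service, message) findings for the auth and password stacks."""
    findings = []
    for (service, mtype), entries in stacks.items():
        if mtype == "auth":
            for i, (control, module, options) in enumerate(entries):
                if module not in LOCAL_AUTH_MODULES:
                    continue
                # 'binding' ends the stack on success; server_policy tells the module
                # not to apply local (files) policy to users whose account authority
                # is a server, so they are left to pam_ldap further down the stack.
                if control != "binding" or "server_policy" not in options:
                    findings.append((service, f"{module} should be 'binding ... server_policy'"))
                if "pam_ldap.so.1" not in [mod for _, mod, _ in entries[i + 1:]]:
                    findings.append((service, f"no pam_ldap.so.1 after {module}"))
        elif mtype == "password":
            for control, module, options in entries:
                # Without server_policy the stored token is handled by local policy
                # instead of being sent to the server's repository.
                if module == "pam_authtok_store.so.1" and "server_policy" not in options:
                    findings.append((service, "pam_authtok_store.so.1 lacks server_policy"))
    return sorted(findings)


if __name__ == "__main__":
    for service, message in check_ldap_stacks(parse_pam_conf(SAMPLE_PAM_CONF)):
        print(f"{service}: {message}")
```

On the constructed sample the lint flags login and passwd (both still "required" with no pam_ldap after them) and the password stack's pam_authtok_store, and reports nothing for the corrected other stack; pointing it at a real /etc/pam.conf is a quick way to confirm that every service name got the same edit.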