Hi,

> I have been trying to get the opensolaris ldap client working with
> Sun DS 5.1, but it fails. I have initialized the opensolaris ldap client
> using the "manual" method - it was fine without any errors.
>
> The issue is :-
> 1. I'm not able to log onto the opensolaris system with an ldap user ID, even
> though the super user from the same system can do su to the ldap user id.
> 2. Whilst doing ssh to the system, if I supply the correct ldap user
> password, no error is reported in the /var/adm/messages file but login is NOT
> successful. Second, if I supply a wrong password for the ldap user I have
> been trying to log in as, the following error message is reported in the
> /var/adm/messages file.
> May 27 19:06:31 opensolaris sshd[1762]: [ID 293258 auth.error]
> libsldap: Status: 49
> Mesg: openConnection: simple bind failed - Invalid credentials
> May 27 19:07:23 opensolaris sshd[1771]: [ID 293258 auth.error]
> libsldap: Status: 49
> Mesg: openConnection: simple bind failed - Invalid credentials
>
>
> I have the following information that might help point to how to correct
> the issue which I'm experiencing.
>
> 1. getent passwd | grep <LDAP USERID>
> - does not report anything.
> 2. From the opensolaris ldapclient system as the root user
> su - <LDAP USERID> : works pretty well and the home directory gets
> mounted.
> 3. /etc/pam.conf file
>
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth binding pam_unix_auth.so.1 server_policy
> login auth required pam_ldap.so.1 try_first_pass
> login auth required pam_dial_auth.so.1
> #
> # FOR SSHD
> #
> sshd auth requisite pam_authtok_get.so.1
> sshd auth required pam_dhkeys.so.1
> sshd auth required pam_unix_cred.so.1
> sshd auth binding pam_unix_auth.so.1 server_policy
> sshd auth required pam_ldap.so.1 try_first_pass
> sshd auth required pam_dial_auth.so.1
>
> #
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth required pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth required pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth binding pam_unix_auth.so.1 server_policy
> other auth required pam_ldap.so.1 try_first_pass
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth binding pam_passwd_auth.so.1 server_policy
> passwd auth required pam_ldap.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password sufficient pam_authtok_store.so.1
> #
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
> gdm-autologin auth required pam_unix_cred.so.1
> gdm-autologin auth sufficient pam_allow.so.1
> gdm-autologin account sufficient pam_allow.so.1
> gdm-autologin session sufficient pam_allow.so.1
> gdm-autologin password sufficient pam_allow.so.1
>
> 4. /etc/nsswitch.conf
>
> passwd: files ldap
> group: files ldap
>
> # consult /etc "files" only if ldap is down.
> hosts: files dns
>
> # Note that IPv4 addresses are searched for in all of the ipnodes databases
> # before searching the hosts databases.
> ipnodes: files dns
>
> networks: files ldap [NOTFOUND=return]
> protocols: files ldap [NOTFOUND=return]
> rpc: files ldap [NOTFOUND=return]
> ethers: files ldap [NOTFOUND=return]
> netmasks: files ldap [NOTFOUND=return]
> bootparams: files ldap [NOTFOUND=return]
> publickey: files ldap [NOTFOUND=return]
>
> netgroup: files ldap
>
> automount: files ldap
> aliases: files ldap
>
> # for efficient getservbyname() avoid ldap
> services: files ldap
>
> printers: user files ldap
>
> auth_attr: files ldap
> prof_attr: files ldap
>
> project: files ldap
>
> tnrhtp: files ldap
> tnrhdb: files ldap
>
> 5. /var/ldap/ldap_client_file entries
> # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
> #
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= 10.145.83.101
> NS_LDAP_SEARCH_BASEDN= dc=chn99,dc=sun,dc=com
> NS_LDAP_CACHETTL= 0
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=chn99,dc=sun,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=chn99,dc=sun,dc=com?one
> NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
>
> 6. /var/ldap/ldap_client_cred
> #
> # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
> #
>
> Any help to resolve this issue would be greatly appreciated.
>
> Thanks,
> Saravanan
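The posted sshd auth stack can be reasoned about mechanically. The following is an added example, not part of Saravanan's mail and not Solaris libpam code: it parses a pam.conf fragment built from the posted sshd and "other" stacks, resolves the stack for a service with the "other" fallback, and simulates the requisite/required/binding/sufficient semantics from pam.conf(4). It assumes that pam_unix_auth with server_policy returns PAM_IGNORE for an account that is not in files, and that pam_dial_auth returns PAM_IGNORE for a network login.

```python
from typing import Dict, List, Tuple

# Constructed sample: the sshd and "other" auth stacks from the posted pam.conf.
SAMPLE_PAM_CONF = """\
sshd  auth requisite pam_authtok_get.so.1
sshd  auth required  pam_dhkeys.so.1
sshd  auth required  pam_unix_cred.so.1
sshd  auth binding   pam_unix_auth.so.1 server_policy
sshd  auth required  pam_ldap.so.1 try_first_pass
sshd  auth required  pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required  pam_dhkeys.so.1
other auth required  pam_unix_cred.so.1
other auth binding   pam_unix_auth.so.1 server_policy
other auth required  pam_ldap.so.1 try_first_pass
"""

def parse_stack(conf: str, service: str, mtype: str) -> List[Tuple[str, str]]:
    """Return [(control_flag, module)] for service/mtype; libpam falls back to 'other'."""
    stacks: Dict[str, List[Tuple[str, str]]] = {}
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(tok) >= 4 and tok[1] == mtype:
            stacks.setdefault(tok[0], []).append((tok[2], tok[3]))
    return stacks.get(service) or stacks.get("other", [])

def evaluate(stack: List[Tuple[str, str]], results: Dict[str, str]) -> str:
    """Walk the stack with pam.conf(4) flag semantics; results: module -> success|fail|ignore."""
    required_failed = False
    for control, module in stack:
        r = results.get(module, "success")
        if r == "ignore":                 # PAM_IGNORE: treated as not in the stack
            continue
        if control == "requisite" and r == "fail":
            return "fail"                 # abort the whole stack at once
        if control in ("required", "binding") and r == "fail":
            required_failed = True        # remember, but keep walking the stack
        if control in ("binding", "sufficient") and r == "success" and not required_failed:
            return "success"              # short-circuit: later modules never run
    return "fail" if required_failed else "success"

def sshd_outcome(ldap_result: str) -> str:
    """LDAP account through the posted sshd stack. Assumption: pam_unix_auth with
    server_policy returns PAM_IGNORE for a non-files account; pam_dial_auth too."""
    return evaluate(parse_stack(SAMPLE_PAM_CONF, "sshd", "auth"),
                    {"pam_unix_auth.so.1": "ignore", "pam_dial_auth.so.1": "ignore",
                     "pam_ldap.so.1": ldap_result})
```

Under these assumptions the posted stack returns fail when pam_ldap rejects the password (the Status 49 case in the log) and success when it accepts it, so the auth stack alone does not account for a failed login with the correct password; the binding flag also shows why a files account that pam_unix_auth accepts never reaches pam_ldap at all.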