Hi,
    I have been trying to get the OpenSolaris LDAP client working with 
Sun DS 5.1, but it fails. I have initialized the OpenSolaris LDAP client 
using the "manual" method; it was fine without any errors.

The issue is:
1. I'm not able to log on to the OpenSolaris system with an LDAP user ID, even 
though the super user on the same system can su to the LDAP user ID.
2. When doing ssh to the system, if I supply the correct LDAP user 
password no error is reported in the /var/adm/messages file but the login is NOT 
successful. Second, if I supply a wrong password for the LDAP user I have 
been trying to log in as, the following error message is reported in the 
/var/adm/messages file.
May 27 19:06:31 opensolaris sshd[1762]: [ID 293258 auth.error] libsldap: 
Status: 49
Mesg: openConnection: simple bind failed - Invalid credentials
May 27 19:07:23 opensolaris sshd[1771]: [ID 293258 auth.error] libsldap: 
Status: 49
Mesg: openConnection: simple bind failed - Invalid credentials


I have the following information that might help point to the cause of the 
issue I'm experiencing.

1. getent passwd | grep <LDAP USERID>
     - does not report anything.
2. From the OpenSolaris ldapclient system as the root user
     su - <LDAP USERID>  : works pretty well and the home directory gets 
mounted.
3. /etc/pam.conf file

# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1 try_first_pass
login   auth required           pam_dial_auth.so.1
#
# FOR SSHD
#
sshd    auth requisite          pam_authtok_get.so.1
sshd    auth required           pam_dhkeys.so.1
sshd    auth required           pam_unix_cred.so.1
sshd    auth binding            pam_unix_auth.so.1 server_policy
sshd    auth required           pam_ldap.so.1 try_first_pass
sshd    auth required           pam_dial_auth.so.1

#
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
#
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1
gdm-autologin account  sufficient  pam_allow.so.1
gdm-autologin session  sufficient  pam_allow.so.1
gdm-autologin password  sufficient  pam_allow.so.1

4. /etc/nsswitch.conf

passwd:     files ldap
group:      files ldap

# consult /etc "files" only if ldap is down.
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files dns

networks:   files ldap [NOTFOUND=return]
protocols:  files ldap [NOTFOUND=return]
rpc:        files ldap [NOTFOUND=return]
ethers:     files ldap [NOTFOUND=return]
netmasks:   files ldap [NOTFOUND=return]
bootparams: files ldap [NOTFOUND=return]
publickey:  files ldap [NOTFOUND=return]

netgroup:   files ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap

printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap

5. /var/ldap/ldap_client_file entries
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 10.145.83.101
NS_LDAP_SEARCH_BASEDN= dc=chn99,dc=sun,dc=com
NS_LDAP_CACHETTL= 0
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=chn99,dc=sun,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=chn99,dc=sun,dc=com?one
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple

6. /var/ldap/ldap_client_cred
#
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
#

Any help to resolve this issue would be greatly appreciated.

Thanks,
Saravanan
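A small checker, added here and not part of Saravanan's post, that parses pam.conf and nsswitch.conf text of the shape shown above and reports which PAM stacks an sshd login would run and which sources a passwd lookup would consult; the embedded configuration is a constructed excerpt of the files in the post, and the function names are my own.

```python
# Added example, not code from the original post: parse Solaris-style
# pam.conf and nsswitch.conf text and summarise what an sshd login for an
# LDAP user actually consults. Sample text is a constructed excerpt.
import re

PAM_CONF = """\
sshd    auth requisite          pam_authtok_get.so.1
sshd    auth required           pam_dhkeys.so.1
sshd    auth required           pam_unix_cred.so.1
sshd    auth binding            pam_unix_auth.so.1 server_policy
sshd    auth required           pam_ldap.so.1 try_first_pass
sshd    auth required           pam_dial_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
"""

NSSWITCH_CONF = """\
passwd:     files ldap
group:      files ldap
"""

def pam_stack(conf, service, facility):
    """[(control, module, options)] for service/facility; like PAM itself,
    fall back to the 'other' entries when the service has none."""
    rows = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            svc, fac, ctrl, mod, *opts = line.split()
            if svc == service and fac == facility:
                rows.append((ctrl, mod, opts))
    if not rows and service != "other":
        return pam_stack(conf, "other", facility)
    return rows

def nss_sources(conf, database):
    """Ordered lookup sources for a database, ignoring [STATUS=action] items."""
    for line in conf.splitlines():
        m = re.match(r"(\w+):\s*(.*)", line.split("#", 1)[0].strip())
        if m and m.group(1) == database:
            return [s for s in m.group(2).split() if not s.startswith("[")]
    return []

def ldap_login_review(pam_conf, nss_conf, service="sshd"):
    """Summarise lookup and authentication paths for an LDAP user."""
    auth_mods = [m for _, m, _ in pam_stack(pam_conf, service, "auth")]
    return {
        "ldap_in_auth": "pam_ldap.so.1" in auth_mods,
        "passwd_uses_ldap": "ldap" in nss_sources(nss_conf, "passwd"),
        "account_mods": [m for _, m, _ in pam_stack(pam_conf, service, "account")],
    }
```

Running the same functions over the live /etc/pam.conf and /etc/nsswitch.conf shows at a glance that sshd has no account stack of its own and inherits the "other" entries, and whether passwd lookups include ldap, which is the path getent passwd takes.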