Thanks for the info. Great info on pam_ldap. I was not aware of that man page.

No luck after inserting the pam_ldap module "after dtlogin-sunray password" or the "dtsession-sunray" section. The Sun Ray Server never looks for objectclass=shadow during the ldap search. Any ideas? Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lars Tunkrans
Sent: Thursday, September 18, 2008 1:38 PM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing

Hi

Your problem is that you have not implemented the LDAP PAM modules in the "dtlogin-sunray password" section, nor in the "dtsession-sunray" section. The manual for pam_ldap is rather explicit in what you need to do. For each of your authentication types you need to implement all of the below, Example 1 from the pam_ldap(5) manual page.

Then again, I have numerous times pointed out that there is a need for a /etc/PAM_LDAP.CONF example file to be included in the Solaris distribution and the SRS distribution.

Example 1: Using pam_ldap With Authentication

The following is a configuration for the login service when using pam_ldap. The service name login can be substituted for any other authentication service such as dtlogin or su. Lines that begin with the # symbol are comments and are ignored.

    # Authentication management for login service is stacked.
    # If pam_unix_auth succeeds, pam_ldap is not invoked.
    # The control flag "binding" provides a local overriding
    # remote (LDAP) control. The "server_policy" option is used
    # to tell pam_unix_auth.so.1 to ignore the LDAP users.
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth binding pam_unix_auth.so.1 server_policy
    login auth required pam_ldap.so.1

Example 2: Using pam_ldap With Account Management

The following is a configuration for account management when using pam_ldap. Lines that begin with the # symbol are comments and are ignored.

    # Account management for all services is stacked
    # If pam_unix_account succeeds, pam_ldap is not invoked.
    # The control flag "binding" provides a local overriding
    # remote (LDAP) control. The "server_policy" option is used
    # to tell pam_unix_account.so.1 to ignore the LDAP users.
    other account requisite pam_roles.so.1
    other account binding pam_unix_account.so.1 server_policy
    other account required pam_ldap.so.1

Example 3: Using pam_authtok_store With Password Management For Both Local and LDAP Accounts

The following is a configuration for password management when using pam_authtok_store. Lines that begin with the # symbol are comments and are ignored.

    # Password management (authentication)
    # The control flag "binding" provides a local overriding
    # remote (LDAP) control. The server_policy option is used
    # to tell pam_passwd_auth.so.1 to ignore the LDAP users.
    passwd auth binding pam_passwd_auth.so.1 server_policy
    passwd auth required pam_ldap.so.1

    # Password management (updates)
    # This updates passwords stored both in the local /etc
    # files and in the LDAP directory. The "server_policy"
    # option is used to tell pam_authtok_store to
    # follow the LDAP server's policy when updating
    # passwords stored in the LDAP directory
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1 server_policy

Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO wrote:
> Hi All,
>
> I have configured SRSS (4.0 patch 127553-02) for ldap using "ldapclient
> init ...". SSH and su work fine using ldap for authentication, but Sun
> Ray users are unable to login. Receive "Login incorrect". Below is the
> pam.conf and ldap log. We are using Sun Java Directory Server 6.3.
>
> Another error (attached below) that is related to ldap occurs during
> reboot. The Sun Ray services cannot bind to the Sun Ray Data Store.
> Can I configure the Sun Ray server as an ldap client or will it mess up
> the Sun Ray Data Store connection?
>
> Any and all help greatly appreciated. Thanks in advance.
>
> Clinton
>
> Pam.conf
>
> # added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
> dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
> dtlogin-SunRay auth requisite pam_authtok_get.so.1
> dtlogin-SunRay auth required pam_dhkeys.so.1
> dtlogin-SunRay auth required pam_unix_cred.so.1
> dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
> dtlogin-SunRay auth required pam_ldap.so.1
>
> dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
> dtlogin-SunRay account requisite pam_roles.so.1
> dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
> dtlogin-SunRay account required pam_ldap.so.1
>
> dtlogin-SunRay session required pam_unix_session.so.1
> dtlogin-SunRay password required pam_dhkeys.so.1
> dtlogin-SunRay password requisite pam_authtok_get.so.1
> dtlogin-SunRay password requisite pam_authtok_check.so.1
> dtlogin-SunRay password required pam_authtok_store.so.1
> # added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
> dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> dtsession-SunRay auth requisite pam_authtok_get.so.1
> dtsession-SunRay auth required pam_dhkeys.so.1
> dtsession-SunRay auth required pam_unix_cred.so.1
> dtsession-SunRay auth sufficient pam_unix_auth.so.1
>
> dtsession-SunRay account requisite pam_roles.so.1
> dtsession-SunRay account sufficient pam_unix_account.so.1
>
> dtsession-SunRay session required pam_unix_session.so.1
> dtsession-SunRay password required pam_dhkeys.so.1
> dtsession-SunRay password requisite pam_authtok_get.so.1
> dtsession-SunRay password requisite pam_authtok_check.so.1
> dtsession-SunRay password required pam_authtok_store.so.1
>
> Sun Java Directory Server 6.3 log:
>
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=-1 msgId=-1 - fd=69 slot=69 LDAP connection from 134.221.19.22:33063 to 134.221.19.36
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=0 msgId=1 - BIND dn="cn=proxyagent,ou=profile,dc=users,dc=market,dc=hr,dc=usda,dc=gov" method=128 version=3
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=1 msgId=2 - SRCH base="ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov" scope=2 filter="(&(objectClass=posixAccount)(uid=clinton.propst))" attrs=ALL
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
> [11/Sep/2008:18:40:49 +0000] conn=1373 op=-1 msgId=-1 - fd=71 slot=71 LDAP connection from 134.221.19.22:33064 to 134.221.19.36
> [11/Sep/2008:18:40:49 +0000] conn=1373 op=0 msgId=1 - BIND dn="uid=clinton.propst,ou=People,dc=users,dc=market,dc=hr,dc=usda,dc=gov" method=128 version=3
> [11/Sep/2008:18:40:49 +0000] conn=1373 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=clinton.propst,ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
> [11/Sep/2008:18:40:52 +0000] conn=1020 op=507 msgId=508 - SRCH base="ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=1201))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell"
> [11/Sep/2008:18:40:52 +0000] conn=1020 op=507 msgId=508 - RESULT err=0 tag=101 nentries=1 etime=0
> [11/Sep/2008:18:40:53 +0000] conn=1372 op=2 msgId=3 - UNBIND
> [11/Sep/2008:18:40:53 +0000] conn=1372 op=2 msgId=-1 - closing from 134.221.19.22:33063 - U1 - Connection closed by unbind client -
> [11/Sep/2008:18:40:53 +0000] conn=1373 op=1 msgId=2 - UNBIND
> [11/Sep/2008:18:40:53 +0000] conn=1373 op=1 msgId=-1 - closing from 134.221.19.22:33064 - U1 - Connection closed by unbind client -
> [11/Sep/2008:18:40:53 +0000] conn=1372 op=-1 msgId=-1 - closed.
> [11/Sep/2008:18:40:54 +0000] conn=1373 op=-1 msgId=-1 - closed.
>
> Sun Ray Server /var/adm/messages during boot with ldap client configured:
>
> Sep 11 13:38:35 sraysvr rpcbind: [ID 564983 daemon.error] rpcbind terminating on signal.
> Sep 11 13:38:40 sraysvr utdevadm[19113]: [ID 702911 user.info] open_connection(): Could not bind to DS server sraysvr - Can't connect to the LDAP server
> Sep 11 13:40:40 sraysvr utdevadm[1043]: [ID 702911 user.info] open_connection(): Could not bind to DS server sraysvr - Can't contact LDAP server
> Sep 11 13:40:40 sraysvr utpulld[997]: [ID 224068 daemon.error] Error: ldap_sasl_bind (host localhost, DN cn=admin,o=utdata) returned: Can't contact LDAP server
> Sep 11 13:40:40 sraysvr utpulld[997]: [ID 254794 daemon.error] Failed to bind to cn=admin,o=utdata on local utdsd: Can't contact LDAP server
> Sep 11 13:40:44 sraysvr utglpolicy[1151]: [ID 702911 user.info] open_connection(): Could not bind to DS server sraysvr - Can't connect to the LDAP server
> Sep 11 13:40:49 sraysvr utauthd: [ID 702911 user.info] open_connection(): Could not bind to DS server sraysvr - Can't connect to the LDAP server
> Sep 11 13:41:11 sraysvr dtlogin[1197]: [ID 293258 user.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
> Sep 11 15:27:02 sraysvr ldapclient[9418]: [ID 293258 user.warning] libsldap: Status: 0 Mesg: NULL or invalid proxy bind DN
> Sep 11 15:28:07 sraysvr ldapclient[9496]: [ID 293258 user.warning] libsldap: Status: 0 Mesg: NULL or invalid proxy bind DN
>
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
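Lars's point about the binding/server_policy stacking, and about dtsession-SunRay never listing pam_ldap, as an added simulation that is not code from the list, from Sun or from SRSS: it parses a constructed excerpt of the poster's pam.conf and walks each auth stack with the pam.conf(4) control-flag rules. The Sun Ray token modules ahead of these lines are left out and assumed to pass through for a password login, and the end-of-stack handling of a failed sufficient module is my reading of the man page (both assumptions).

```python
# Constructed excerpt of the poster's pam.conf (added example). The /opt/SUNWut
# pam_sunray lines ahead of these are left out and assumed to pass through.
PAM_CONF = """
dtlogin-SunRay   auth requisite  pam_authtok_get.so.1
dtlogin-SunRay   auth required   pam_dhkeys.so.1
dtlogin-SunRay   auth required   pam_unix_cred.so.1
dtlogin-SunRay   auth binding    pam_unix_auth.so.1 server_policy
dtlogin-SunRay   auth required   pam_ldap.so.1
dtsession-SunRay auth requisite  pam_authtok_get.so.1
dtsession-SunRay auth required   pam_dhkeys.so.1
dtsession-SunRay auth required   pam_unix_cred.so.1
dtsession-SunRay auth sufficient pam_unix_auth.so.1
"""

def parse_stack(pam_conf, service, mtype):
    """Return the (control flag, module basename) pairs of one stack, in order."""
    return [(f[2], f[3].rsplit("/", 1)[-1]) for f in map(str.split, pam_conf.splitlines())
            if len(f) >= 4 and f[0] == service and f[1] == mtype]

def run_stack(stack, results):
    """Walk a stack with pam.conf(4) control-flag rules.  results maps a module
    to True (success), False (failure) or None (PAM_IGNORE, which is how the man
    page describes server_policy treating LDAP users); unlisted modules succeed.
    Returns (authenticated?, modules actually invoked)."""
    invoked, required_failed, optional_failed, succeeded = [], False, False, 0
    for flag, module in stack:
        res = results.get(module, True)
        invoked.append(module)
        if res is None:                                  # PAM_IGNORE: as if absent
            continue
        if res:
            succeeded += 1
            if flag in ("binding", "sufficient") and not required_failed:
                return True, invoked                     # short-circuit success
        elif flag == "requisite":
            return False, invoked                        # fatal: stop at once
        elif flag in ("required", "binding"):
            required_failed = True                       # remembered, continue
        else:
            optional_failed = True                       # sufficient/optional
    # End of stack, on my reading of pam.conf(4) (assumption): a required failure
    # wins; an optional failure only counts when no module succeeded.
    return not required_failed and not (optional_failed and not succeeded), invoked

def ldap_user_login(service, server_policy=True):
    """An LDAP-only user typing the right password: pam_unix_auth either ignores
    them (server_policy) or fails them; only pam_ldap can vouch for them."""
    modules = {"pam_unix_auth.so.1": None if server_policy else False,
               "pam_ldap.so.1": True}
    return run_stack(parse_stack(PAM_CONF, service, "auth"), modules)
```

Without server_policy the binding failure of pam_unix_auth is remembered and pam_ldap's yes cannot rescue the login; the dtsession-SunRay stack never invokes pam_ldap at all.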
