Thanks for the info.  Great info on pam_ldap.  I was not aware of that
man page.  

No luck after inserting the pam_ldap module "after dtlogin-sunray
password" or "dtsession-sunray" section.  The Sun Ray Server never looks
for objectclass=shadow during ldap search.

Any ideas?  Thanks.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lars Tunkrans
Sent: Thursday, September 18, 2008 1:38 PM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing

Hi 

   Your problem is that you have not implemented LDAP PAM modules in the
"dtlogin-sunray password" section, nor in the "dtsession-sunray" section.

   The manual for pam_ldap is rather explicit in what you need to do. For
each of your authentication types you need to implement all of the below,
Example 1 from the pam_ldap(5) manual page.

   Then again, I have numerous times pointed out that there is need for an
/etc/PAM_LDAP.CONF example file to be included in the Solaris distribution
and the SRS distribution.



 Example 1 Using pam_ldap With Authentication

     The following is a configuration for the login service  when
     using  pam_ldap.  The  service name login can be substituted
     for any other authentication service such as dtlogin or  su.
     Lines  that  begin  with  the  # symbol are comments and are
     ignored.

       # Authentication management for login service is stacked.
       # If pam_unix_auth succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_auth.so.1 to ignore the LDAP users.

       login   auth requisite  pam_authtok_get.so.1
       login   auth required   pam_dhkeys.so.1
       login   auth required   pam_unix_cred.so.1
       login   auth binding    pam_unix_auth.so.1 server_policy
       login   auth required   pam_ldap.so.1

     Example 2 Using pam_ldap With Account Management

     The following is a configuration for account management when
     using  pam_ldap. Lines that begin with the # symbol are com-
     ments and are ignored.

       # Account management for all services is stacked
       # If pam_unix_account succeeds, pam_ldap is not invoked.
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The "server_policy" option is used
       # to tell pam_unix_account.so.1 to ignore the LDAP users.

       other   account  requisite      pam_roles.so.1
       other   account  binding        pam_unix_account.so.1 server_policy
       other   account  required       pam_ldap.so.1

SunOS 5.11          Last change: 21 Dec 2005                    4

Standards, Environments, and Macros                   pam_ldap(5)

     Example 3 Using pam_authtok_store With  Password  Management
     For Both Local and LDAP Accounts

     The following is a  configuration  for  password  management
     when  using  pam_authtok_store.  Lines that begin with the #
     symbol are comments and are ignored.

       # Password management (authentication)
       # The control flag "binding" provides a local overriding
       # remote (LDAP) control. The server_policy option is used
       # to tell pam_passwd_auth.so.1 to ignore the LDAP users.

       passwd  auth binding  pam_passwd_auth.so.1 server_policy
       passwd  auth required pam_ldap.so.1

       # Password management (updates)
       # This updates passwords stored both in the local /etc
       # files and in the LDAP directory. The "server_policy"
       # option is used to tell pam_authtok_store to
       # follow the LDAP server's policy when updating
       # passwords stored in the LDAP directory

       other password required   pam_dhkeys.so.1
       other password requisite  pam_authtok_get.so.1
       other password requisite  pam_authtok_check.so.1
       other password required   pam_authtok_store.so.1 server_policy

Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO skrev:
> Hi All,
>
> I have configured SRSS (4.0 patch 127553-02) for ldap using "ldapclient
> init ...".  SSH and su work fine using ldap for authentication, but Sun
> Ray users are unable to login.  Receive "Login incorrect".  Below is the
> pam.conf and ldap log.  We are using Sun Java Directory Server 6.3.
>
> Another error (attached below) that is related to ldap occurs during
> reboot.  The Sun Ray services cannot bind to the Sun Ray Data Store.
> Can I configure the Sun Ray server as an ldap client or will it mess up
> the Sun Ray Data Store connection?
>
> Any and all help greatly appreciated.  Thanks in advance.
>
> Clinton
>
> Pam.conf
>
> # added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
> dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
> dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
> dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
> dtlogin-SunRay auth requisite pam_authtok_get.so.1
> dtlogin-SunRay auth required pam_dhkeys.so.1
> dtlogin-SunRay auth required pam_unix_cred.so.1
> dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
> dtlogin-SunRay auth required pam_ldap.so.1
>
> dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
> dtlogin-SunRay account requisite pam_roles.so.1
> dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
> dtlogin-SunRay account required pam_ldap.so.1
>
> dtlogin-SunRay session required pam_unix_session.so.1
> dtlogin-SunRay password required pam_dhkeys.so.1
> dtlogin-SunRay password requisite pam_authtok_get.so.1
> dtlogin-SunRay password requisite pam_authtok_check.so.1
> dtlogin-SunRay password required pam_authtok_store.so.1
>
> # added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
> dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
> dtsession-SunRay auth requisite pam_authtok_get.so.1
> dtsession-SunRay auth required pam_dhkeys.so.1
> dtsession-SunRay auth required pam_unix_cred.so.1
> dtsession-SunRay auth sufficient pam_unix_auth.so.1
>
> dtsession-SunRay account requisite pam_roles.so.1
> dtsession-SunRay account sufficient pam_unix_account.so.1
>
> dtsession-SunRay session required pam_unix_session.so.1
> dtsession-SunRay password required pam_dhkeys.so.1
> dtsession-SunRay password requisite pam_authtok_get.so.1
> dtsession-SunRay password requisite pam_authtok_check.so.1
> dtsession-SunRay password required pam_authtok_store.so.1
>
> Sun Java Directory Server 6.3 log:
>
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=-1 msgId=-1 - fd=69 slot=69
> LDAP connection from 134.221.19.22:33063 to 134.221.19.36
>
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=0 msgId=1 - BIND
> dn="cn=proxyagent,ou=profile,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
> method=128 version=3
>
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=0 msgId=1 - RESULT err=0
> tag=97 nentries=0 etime=0
> dn="cn=proxyagent,ou=profile,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
>
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=1 msgId=2 - SRCH
> base="ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov" scope=2
> filter="(&(objectClass=posixAccount)(uid=clinton.propst))" attrs=ALL
>
> [11/Sep/2008:18:40:49 +0000] conn=1372 op=1 msgId=2 - RESULT err=0
> tag=101 nentries=1 etime=0
>
> [11/Sep/2008:18:40:49 +0000] conn=1373 op=-1 msgId=-1 - fd=71 slot=71
> LDAP connection from 134.221.19.22:33064 to 134.221.19.36
>
> [11/Sep/2008:18:40:49 +0000] conn=1373 op=0 msgId=1 - BIND
> dn="uid=clinton.propst,ou=People,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
> method=128 version=3
>
> [11/Sep/2008:18:40:49 +0000] conn=1373 op=0 msgId=1 - RESULT err=0
> tag=97 nentries=0 etime=0
> dn="uid=clinton.propst,ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
>
> [11/Sep/2008:18:40:52 +0000] conn=1020 op=507 msgId=508 - SRCH
> base="ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov" scope=2
> filter="(&(objectClass=posixAccount)(uidNumber=1201))" attrs="cn uid
> uidNumber gidNumber gecos description homeDirectory loginShell"
>
> [11/Sep/2008:18:40:52 +0000] conn=1020 op=507 msgId=508 - RESULT err=0
> tag=101 nentries=1 etime=0
>
> [11/Sep/2008:18:40:53 +0000] conn=1372 op=2 msgId=3 - UNBIND
>
> [11/Sep/2008:18:40:53 +0000] conn=1372 op=2 msgId=-1 - closing from
> 134.221.19.22:33063 - U1 - Connection closed by unbind client -
>
> [11/Sep/2008:18:40:53 +0000] conn=1373 op=1 msgId=2 - UNBIND
>
> [11/Sep/2008:18:40:53 +0000] conn=1373 op=1 msgId=-1 - closing from
> 134.221.19.22:33064 - U1 - Connection closed by unbind client -
>
> [11/Sep/2008:18:40:53 +0000] conn=1372 op=-1 msgId=-1 - closed.
>
> [11/Sep/2008:18:40:54 +0000] conn=1373 op=-1 msgId=-1 - closed.
>
> Sun Ray Server /var/adm/messages during boot with ldap client
> configured:
>
> Sep 11 13:38:35 sraysvr rpcbind: [ID 564983 daemon.error] rpcbind
> terminating on signal.
>
> Sep 11 13:38:40 sraysvr utdevadm[19113]: [ID 702911 user.info]
> open_connection(): Could not bind to DS server sraysvr - Can't connect
> to the LDAP server
>
> Sep 11 13:40:40 sraysvr utdevadm[1043]: [ID 702911 user.info]
> open_connection(): Could not bind to DS server sraysvr - Can't contact
> LDAP server
>
> Sep 11 13:40:40 sraysvr utpulld[997]: [ID 224068 daemon.error] Error:
> ldap_sasl_bind (host localhost, DN cn=admin,o=utdata) returned: Can't
> contact LDAP server
>
> Sep 11 13:40:40 sraysvr utpulld[997]: [ID 254794 daemon.error] Failed to
> bind to cn=admin,o=utdata on local utdsd: Can't contact LDAP server
>
> Sep 11 13:40:44 sraysvr utglpolicy[1151]: [ID 702911 user.info]
> open_connection(): Could not bind to DS server sraysvr - Can't connect
> to the LDAP server
>
> Sep 11 13:40:49 sraysvr utauthd: [ID 702911 user.info]
> open_connection(): Could not bind to DS server sraysvr - Can't connect
> to the LDAP server
>
> Sep 11 13:41:11 sraysvr dtlogin[1197]: [ID 293258 user.error] libsldap:
> Status: 49  Mesg: openConnection: simple bind failed - Invalid
> credentials
>
> Sep 11 15:27:02 sraysvr ldapclient[9418]: [ID 293258 user.warning]
> libsldap: Status: 0  Mesg: NULL or invalid proxy bind DN
>
> Sep 11 15:28:07 sraysvr ldapclient[9496]: [ID 293258 user.warning]
> libsldap: Status: 0  Mesg: NULL or invalid proxy bind DN
>
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
>
>   
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users

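The following is an added example, not code from the thread, from Sun or from the pam_ldap(5) man page: a small Python audit that parses pam.conf stacks and reports where they diverge from the pam_ldap(5) examples quoted above (pam_ldap.so.1 present in the auth and account stacks, server_policy on the binding pam_unix modules and on pam_authtok_store). The embedded pam.conf is a constructed excerpt of the configuration posted in the thread.

```python
# Added example (not from the thread): audit pam.conf stacks against the
# LDAP-related entries the pam_ldap(5) examples call for.
from collections import defaultdict

# Constructed excerpt of the dtlogin-SunRay / dtsession-SunRay stacks posted above.
SAMPLE_PAM_CONF = """\
# constructed excerpt of the posted pam.conf
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
dtlogin-SunRay auth required pam_ldap.so.1
dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
dtlogin-SunRay account required pam_ldap.so.1
dtlogin-SunRay password required pam_authtok_store.so.1
dtsession-SunRay auth sufficient pam_unix_auth.so.1
dtsession-SunRay account sufficient pam_unix_account.so.1
dtsession-SunRay password required pam_authtok_store.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, [options]), ...]} in stack order."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, control, module, *opts = fields
        # Modules may be given as full paths (e.g. /opt/SUNWut/lib/...); keep the basename.
        stacks[(service, mtype)].append((control, module.rsplit("/", 1)[-1], opts))
    return stacks

def audit_ldap_stacks(stacks):
    """Compare each stack with the pam_ldap(5) examples; return a list of findings."""
    findings = []
    for (service, mtype), entries in sorted(stacks.items()):
        modules = {m for _, m, _ in entries}
        if mtype in ("auth", "account"):
            if "pam_ldap.so.1" not in modules:
                findings.append(f"{service} {mtype}: pam_ldap.so.1 missing; LDAP-only users cannot pass this stack")
            for control, module, opts in entries:
                if module in ("pam_unix_auth.so.1", "pam_unix_account.so.1"):
                    if control != "binding" or "server_policy" not in opts:
                        findings.append(f"{service} {mtype}: {module} should be 'binding ... server_policy' so it ignores LDAP users")
        elif mtype == "password":
            for _, module, opts in entries:
                if module == "pam_authtok_store.so.1" and "server_policy" not in opts:
                    findings.append(f"{service} password: pam_authtok_store.so.1 lacks server_policy; LDAP password policy is not followed")
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_stacks(parse_pam_conf(SAMPLE_PAM_CONF)):
        print(finding)
```

Run against a full /etc/pam.conf, it flags the dtsession-SunRay auth and account stacks (no pam_ldap.so.1, sufficient instead of binding) and both password stacks, which are the sections the reply above points at.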