Anyone have pam_groupdn working with openldap libs on Solaris 2.6,7,8 . Here is my configuration and compiling notes.
- To: <openldap-software@OpenLDAP.org>
- Subject: Anyone have pam_groupdn working with openldap libs on Solaris 2.6,7,8 . Here is my configuration and compiling notes.
- From: "Glen Ippolito" <gippolit@xpedite.com>
- Date: Mon, 25 Feb 2002 16:54:40 -0500
- Importance: Normal
All,
Does anyone have this working?
I'm having a problem trying to get pam_groupdn working with all my Solaris
clients. In going through the code, I noticed that pam_min_uid and
pam_max_uid use the same functions, so I tried them. However, it ignores
my /etc/ldap.conf for both of them and I am able to login no matter what
options I set. Also, during compile time I get the error outlined below.
Although we were able to get it to compile with the mapfile fix (also
outlined below), I'm still unable to determine whether or not this mapfile
has anything to do with this problem. I've also included a copy of my
ldap.conf, pam.conf and ldif.file.
Any assistance you could provide would be greatly appreciated.
!!!Compile error
&& CONFIG_FILES=Makefile CONFIG_HEADERS= /bin/sh ./config.status
config.status: creating Makefile
gcc -DHAVE_CONFIG_H -I. -I. -I. -DLDAP_REFERRALS -D_REENTRANT -I/lib/include -g -O2 -Wall -fPIC -c pam_ldap.c
pam_ldap.c: In function `_get_user_info':
pam_ldap.c:2008: warning: passing arg 4 of `_get_integer_value' from incompatible pointer type
gcc -DHAVE_CONFIG_H -I. -I. -I. -DLDAP_REFERRALS -D_REENTRANT -I/lib/include -g -O2 -Wall -fPIC -c md5.c
gcc -g -O2 -Wall -fPIC -L/lib/lib -Wl,-R/lib/lib -o pam_ldap.so -Wl,-M -Wl,mapfile -Wl,-G pam_ldap.o md5.o -lldap -llber -lcrypt -lresolv -lpam -ldl
mapfile: file not recognized: File format not recognized
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `pam_ldap.so'
!!! To fix the problem this is what I did. I changed
pam_ldap_so_LDFLAGS = -Wl,-M -Wl,mapfile -Wl,-G
to
pam_ldap_so_LDFLAGS = -Wl,-G
in the Makefile in 2 places
Now it compiles, but it seems as if pam_groupdn and pam_min & max_uid do
not work. Does this mapfile have anything to do with this?
Setup on Solaris Clients:
Solaris 2.6 Solaris 2.7 Solaris 2.8
openldap 2.0.18 openldap 2.0.18 openldap 2.0.18
openssl-0.9.6b openssl-0.9.6b openssl-0.9.6b
nss_ldap 177 nss_ldap 177 nss_ldap 177
pam_ldap 135 pam_ldap 135 pam_ldap 135
pam.conf
# Authentication management
#
login auth sufficient /usr/lib/security/pam_ldap.so.1
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/pam_dial_auth.so.1
telnet auth sufficient /usr/lib/security/pam_ldap.so.1
telnet auth required /usr/lib/security/pam_unix.so.1 try_first_pass
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_ldap.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1
dtlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
other auth sufficient /usr/lib/security/pam_ldap.so.1
other auth required /usr/lib/security/pam_unix.so.1 try_first_pass
#
# Account management
#
login account required /usr/lib/security/pam_ldap.so.1
login account required /usr/lib/security/pam_unix.so.1
dtlogin account required /usr/lib/security/pam_ldap.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1
other account required /usr/lib/security/pam_ldap.so.1
other account required /usr/lib/security/pam_unix.so.1
#
# Session management, not implemented by pam_ldap
#
other session required /usr/lib/security/pam_unix.so.1
#
# Password management
#
#other password required /usr/lib/security/pam_unix.so.1
other password required /usr/lib/security/pam_ldap.so
ldap.conf
host ldaptest1.ldap.com
base dc=ldap,dc=com
ldap_version 3
scope sub
timelimit 20
pam_login_attribute uid
pam_password clear
# Group to enforce membership of
pam_groupdn cn=pamlogintest,ou=logingroups,ou=groups,dc=ldap,dc=com
# Group member attribute
pam_member_attribute uniquemember
# NIS member attributes
nss_map_attribute userPassword authPassword
nss_base_passwd ou=people,dc=ldap,dc=com
nss_base_shadow ou=people,dc=ldap,dc=com
nss_base_group ou=unixgroups,ou=nis,dc=ldap,dc=com
nss_base_hosts ou=unixhosts,ou=nis,dc=ldap,dc=com
nss_base_services ou=services,ou=nis,dc=ldap,dc=com
nss_base_networks ou=networks,ou=nis,dc=ldap,dc=com
nss_base_protocols ou=protocols,ou=nis,dc=ldap,dc=com
nss_base_rpc ou=rpc,ou=nis,dc=ldap,dc=com
nss_base_ethers ou=ethers,ou=nis,dc=ldap,dc=com
nss_base_netmasks ou=networks,ou=nis,dc=ldap,dc=com
nss_base_bootparams ou=ethers,ou=nis,dc=ldap,dc=com
nss_base_aliases ou=aliases,ou=nis,dc=ldap,dc=com
nss_base_netgroup ou=netgroup,ou=nis,dc=ldap,dc=com
# Specify a minimum or maximum UID number allowed
ssl true
ssl start_tls
ldif
dn: cn=pamlogintest,ou=logingroups,ou=groups,dc=ldap,dc=com
cn: pamlogintest
objectClass: groupofuniquenames
description: Group to support pam server access
creatorsName: cn=anonymous
createTimestamp: 20020118162718Z
uniqueMember: uid=gippolit, ou=people, dc=ldap, dc=com
modifiersName: cn=anonymous
modifyTimestamp: 20020118194438Z
Thanks
Glen
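An added example for readers of this thread (it is not Glen's code and not pam_ldap's own source): it reproduces, offline, the decision that the pam_groupdn and pam_min_uid/pam_max_uid options are meant to make, using the ldap.conf and the group LDIF from the post. It assumes pam_ldap implements pam_groupdn as an LDAP compare of the logged-in user's DN against the pam_member_attribute values of the group entry, and that pam_min_uid/pam_max_uid reject UIDs outside the range when set; the pam_min_uid/pam_max_uid values, the second uniqueMember and the user DNs used below are constructed. DN matching is simplified to string normalization (a real server matches per attribute syntax), which is enough to show why `uid=gippolit, ou=people, dc=ldap, dc=com` with spaces still matches.

```python
"""Offline model of pam_ldap's pam_groupdn and pam_min_uid/pam_max_uid checks.
Added example, not part of the original post or of pam_ldap."""
import re

# Constructed input: the relevant lines of the ldap.conf from the post,
# plus pam_min_uid/pam_max_uid values chosen for the example.
LDAP_CONF = """\
host ldaptest1.ldap.com
base dc=ldap,dc=com
pam_login_attribute uid
# Group to enforce membership of
pam_groupdn cn=pamlogintest,ou=logingroups,ou=groups,dc=ldap,dc=com
# Group member attribute
pam_member_attribute uniquemember
pam_min_uid 1000
pam_max_uid 60000
"""

# Constructed input: the group entry from the post's LDIF (second member added).
GROUP_LDIF = """\
dn: cn=pamlogintest,ou=logingroups,ou=groups,dc=ldap,dc=com
cn: pamlogintest
objectClass: groupofuniquenames
uniqueMember: uid=gippolit, ou=people, dc=ldap, dc=com
uniqueMember: uid=alice,ou=people,
 dc=ldap,dc=com
"""


def parse_ldap_conf(text):
    """ldap.conf is one 'key value' per line; '#' lines are comments.
    Keys are case-insensitive, so they are normalized to lower case."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}.
    Folds continuation lines (leading space); skips base64 ('::') values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        elif raw.strip():
            logical.append(raw)
    entry = {}
    for line in logical:
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            continue                        # base64 value, not needed here
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Simplified DN normalization: split on unescaped commas, trim spaces,
    collapse spaces around '=', lower-case everything (assumes caseIgnore
    attributes such as uid/ou/dc)."""
    rdns = [re.sub(r"\s*=\s*", "=", r.strip()) for r in re.split(r"(?<!\\),", dn)]
    return ",".join(r.lower() for r in rdns)


def is_group_member(conf, group_entry, user_dn):
    """Model of the pam_groupdn check: is user_dn one of the values of
    pam_member_attribute on the pam_groupdn entry? Unset option means allow."""
    group_dn = conf.get("pam_groupdn")
    if not group_dn:
        return True
    if normalize_dn(group_entry["dn"][0]) != normalize_dn(group_dn):
        raise ValueError("LDIF entry is not the configured pam_groupdn")
    member_attr = conf.get("pam_member_attribute", "uniquemember").lower()
    members = {normalize_dn(m) for m in group_entry.get(member_attr, [])}
    return normalize_dn(user_dn) in members


def uid_in_range(conf, uid_number):
    """Model of pam_min_uid/pam_max_uid: each bound applies only when set."""
    lo, hi = conf.get("pam_min_uid"), conf.get("pam_max_uid")
    if lo is not None and uid_number < int(lo):
        return False
    if hi is not None and uid_number > int(hi):
        return False
    return True


def account_decision(conf, group_entry, user_dn, uid_number):
    """Combine both checks the way the account stack would: deny on the
    first failure, with the reason, otherwise allow."""
    if not uid_in_range(conf, uid_number):
        return "deny: uid outside pam_min_uid/pam_max_uid"
    if not is_group_member(conf, group_entry, user_dn):
        return "deny: not a member of pam_groupdn"
    return "allow"


if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    group = parse_ldif_entry(GROUP_LDIF)
    for dn, uid in [("uid=gippolit,ou=people,dc=ldap,dc=com", 1500),
                    ("uid=bob,ou=people,dc=ldap,dc=com", 1500),
                    ("uid=alice,ou=people,dc=ldap,dc=com", 500)]:
        print(dn, "->", account_decision(conf, group, dn, uid))
```

If the real module lets a user in regardless of these settings, the useful comparison is against this model: run `ldapcompare` (or an ldapsearch on the group) for the exact DN pam_ldap derives from pam_login_attribute, and check that the client actually reads the ldap.conf it was built to look for.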