[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Solaris 9 LDAP client issues

To: openldap-software@OpenLDAP.org
Subject: Re: Solaris 9 LDAP client issues
From: Scott Moorhouse <smoorhouse@ae-solutions.com>
Date: Tue, 20 Aug 2002 14:34:29 -0500
References: <Pine.GSO.4.44.0208201419180.544-100000@pula.istra.ypass.net>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1b) Gecko/20020722

Igor Brezac wrote:

On Tue, 20 Aug 2002, Scott Moorhouse wrote:
This is still definitely not working.  OpenLDAP considers the LDAP
client to be binding as an anonymous user.  Whether that means it
botched the authentication or never tried it in the first place is
something I'm not familiar enough with the debug output of slapd to
determine yet.  I can't even get it to bind as my RootDN.
I have been testing my binding capabilities and access controls with the GQ LDAP client, and everything works as expected there, so why doesn't the Solaris client work?
You do not hove something configured properly.

Or the client's broken. :) Or, there's some incompatibility between in and 2.0.23, which is the OpenLDAP version I'm using, I guess.

Here's the ldif of the entry I've tried to bind to using Solaris 9's
LDAP client.   Perhaps I'm missing some objectclass or attribute it expects?

dn: cn=NamingClient,dc=mydomain,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: NamingClient
userPassword: {crypt}[DEScryptstring]


This is all you need for the binding purposes.

What are the contents of /var/ldap/ldap_client_* and /etc/defaultdomain?

/var/ldap/ldap_client_cred
NS_LDAP_BINDDN= cn=NamingClient,dc=mydomain,dc=com
NS_LDAP_BINDPASSWD= {NS1}[hex string]

/var/ldap/ldap_client_file
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= my.ldap.server.ip
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= automount:ou=AutomountMaps,dc=mydomain,dc=com

/etc/defaultdomain
mydomain.com

Is /etc/defaultdomain supposed to be a dn if you are using LDAP as a naming service? My guess is no, but with Sun, nothing surprises me.

My GQ client binds to that fine and gets the special permissions I have
laid out for it in slapd.conf...

I've also tried binding as the RootDN with the RootDN password with the
same results.  Unless I allow anonymous read to the userPassword
attribute, no one can log in.


I am not familiar with GQ LDAP client.  I suggest that you try ldapsearch
and use -b -D -W params (eg ldapsearch -x -b 'dc=mydomain,dc=com' -D
cn=NamingClient,dc=mydomain,dc=com -W 'cn=NamingClient').  If this works
and if the result shows userPassword you should be good to go.

I was able to reproduce favorable results using ldapsearch on both the Linux LDAP server and the Solaris client. I was able to bind as cn=NamingClient,dc=mydomain,dc=com using the password I set up on its userPassword attribute and I could see the userPassword attributes in ou=People that I am attempting UNIX logins with. I rebound without supplying credentials and could not see the userPassword attribute, as expected.

I think from my experimentation with slapd's access rules and looking at the slapd debug output it's clear that the Solaris naming services client simply is not binding properly and only gets anonymous level privileges. For the life of me I can't understand what I'm doing wrong at this point. Maybe someone will notice something in the /var/ldap/ldap_client_* files above that will help.

Thanks...

Follow-Ups:
- Re: Solaris 9 LDAP client issues
  - From: Igor Brezac <igor@ipass.net>

References:
- Re: Solaris 9 LDAP client issues
  - From: Igor Brezac <igor@ipass.net>

Prev by Date: Re: Problems building nss_ldap and pam_ldap with Openldap
Next by Date: do not return objectclass in searches
Index(es):
- Chronological
- Thread