
Re: openldap-2.4.32 su-ok, rlogin-fails



On Linux, I had to install a package called nss-pam-ldapd that does lookups in the directory for users, groups, etc.

Description:
The nss-pam-ldapd daemon, nslcd, uses a directory server to look up name
service information (users, groups, etc.) on behalf of a lightweight
nsswitch module.

Not sure if this is the case for Solaris.

On Mon, Mar 18, 2013 at 8:01 PM, Joe Phan <joeanhphan@yahoo.com> wrote:
Hi, 

I configured a machine to be an LDAP Server (openldap-2.4.32) on Solaris 10. Adding users/groups to the LDAP Server seems to be OK.

From a second machine, I configured it to be an LDAP Client using the command "ldapclient  manual -v  -a defaultsearchbase=dc=pg,dc=dtveng,dc=net -a domainname=pg.dtveng.net 10.26.82.16".  It was successful.  /var/ldap/ldap_client_file contains the appropriate LDAP Server information.
Openldap-2.4.32 is not installed on the Client Machine.

I updated PAM configuration on Client Machine for su and rlogin, results are listed below:
- rlogin into Client Machine using root - OK
- rlogin into Client Machine using "jphan" user - Fails
- After login to Client Machine as root, su from root to "jphan" user - OK  (Note: jphan user does not exist in Client Machine /etc/passwd, jphan user exists in LDAP Server)
- From "jphan" user, su to another user - Fails

Could someone please take a look at the configuration for rlogin PAM below to see if the configuration is correct.
Please let me know if there is anything missing from my setup.
Do I need to configure pam.conf on LDAP Server machine as well?

Any help is greatly appreciated.
Best regards,
Joe Phan


Downloaded and installed following packages from SunFreeWare.com to LDAP Server:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz

Client Machine configuration:
- /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap

- /etc/pam.conf:
apggd08dev# more pam.conf
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
#login  auth required           pam_unix_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1 debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
#rlogin  auth required           pam_unix_auth.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 debug
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
#ppp     auth required           pam_unix_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth required           pam_ldap.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
#other  auth required           pam_unix_auth.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required           pam_passwd_auth.so.1
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient      pam_ldap.so.1 debug
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1


jphan user info:
apggd04dev# ldapsearch -x -b 'dc=pg,dc=dtveng,dc=net' 'uid=jphan'
# extended LDIF
#
# LDAPv3
# base <dc=pg,dc=dtveng,dc=net> with scope subtree
# filter: uid=jphan
# requesting: ALL
#

# jphan, people, pg.dtveng.net
dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: posixGroup
cn: jphan
uid: jphan
uidNumber: 2003
gidNumber: 203
homeDirectory: /export/home/jphan
loginShell: /usr/bin/csh
gecos:: Sm9lIFBoYW4gMzEwLTk2NC00MTI1IA==
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: ....=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
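The question the thread turns on is what a stack of the form "sufficient pam_unix_auth.so.1, required pam_ldap.so.1" actually decides for a given user, and what changes if pam_unix_auth is instead a binding module with server_policy, which is the form the Solaris 10 naming-services guide uses alongside pam_ldap. The following is an added example, not code from the original post or from OpenLDAP or Solaris: an offline evaluator that applies the pam.conf(4) control-flag rules (binding, required, requisite, sufficient, optional, plus a module returning PAM_IGNORE) to the rlogin auth stack as posted and to the server_policy variant. Each module's verdict is supplied by hand as constructed input; nothing contacts PAM or an LDAP server. The IGNORE verdict for pam_unix_auth stands in for what the documentation says server_policy makes it do for a user whose passwd entry comes from LDAP, and the treatment of a stack in which no module gives any verdict is this example's conservative choice, not a statement about Solaris.

```python
"""Offline evaluator for a Solaris pam.conf(4) auth stack.

Added example for this thread, not code from the original post, OpenLDAP
or Solaris.  Module verdicts are constructed input; no PAM or LDAP calls.
"""
from typing import Dict, List, NamedTuple, Tuple

SUCCESS, FAILURE, IGNORE = "success", "failure", "ignore"  # module verdicts


class Entry(NamedTuple):
    service: str
    facility: str   # auth, account, session, password
    control: str    # binding, required, requisite, sufficient, optional
    module: str
    options: Tuple[str, ...]


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse pam.conf lines; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3], tuple(fields[4:])))
    return entries


def stack_for(entries: List[Entry], service: str, facility: str) -> List[Entry]:
    """'other' is used only when the named service has no entry for the facility."""
    named = [e for e in entries if e.service == service and e.facility == facility]
    return named or [e for e in entries if e.service == "other" and e.facility == facility]


def evaluate(stack: List[Entry], verdicts: Dict[str, str]) -> Tuple[str, List[str]]:
    """Apply the control-flag rules; return (result, modules consulted)."""
    consulted: List[str] = []
    required_failed = optional_failed = succeeded = False
    for e in stack:
        verdict = verdicts.get(e.module, IGNORE)
        consulted.append(e.module)
        if verdict == IGNORE:              # PAM_IGNORE: as if the line were absent
            continue
        if verdict == SUCCESS:
            succeeded = True
            # binding/sufficient success ends the stack, unless a required
            # or binding module has already failed
            if e.control in ("binding", "sufficient") and not required_failed:
                return SUCCESS, consulted
            continue
        if e.control == "requisite":       # requisite failure returns at once
            return FAILURE, consulted
        if e.control in ("required", "binding"):
            required_failed = True         # vetoes, but later modules still run
        else:                              # sufficient / optional failure
            optional_failed = True         # only counts if nothing succeeded
    if required_failed or (optional_failed and not succeeded):
        return FAILURE, consulted
    # Assumption of this example: a stack in which no module gave any verdict
    # is refused; Solaris's own handling of that case is not modelled here.
    return (SUCCESS if succeeded else FAILURE), consulted


POSTED_RLOGIN = """
# rlogin auth stack as posted in the thread (commented-out line omitted)
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 debug
"""

SERVER_POLICY_RLOGIN = """
# Same stack with pam_unix_auth as a binding module carrying server_policy,
# the form the Solaris 10 naming-services guide uses alongside pam_ldap
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth binding            pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1
"""

# Constructed verdicts for the modules that do not depend on the scenario
COMMON = {
    "pam_rhosts_auth.so.1": FAILURE,  # no matching ~/.rhosts entry
    "pam_authtok_get.so.1": SUCCESS,  # password prompt answered
    "pam_dhkeys.so.1": IGNORE,        # no Secure RPC keys for this user
    "pam_unix_cred.so.1": SUCCESS,
}


def rlogin_result(conf: str, unix_auth: str, ldap_auth: str) -> Tuple[str, List[str]]:
    """Evaluate the rlogin auth stack of `conf` for given pam_unix_auth/pam_ldap verdicts."""
    verdicts = dict(COMMON, **{"pam_unix_auth.so.1": unix_auth, "pam_ldap.so.1": ldap_auth})
    return evaluate(stack_for(parse_pam_conf(conf), "rlogin", "auth"), verdicts)


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_RLOGIN), ("server_policy", SERVER_POLICY_RLOGIN)):
        for unix_auth in (SUCCESS, FAILURE, IGNORE):
            result, consulted = rlogin_result(conf, unix_auth, SUCCESS)
            print("%-13s unix_auth=%-7s ldap=success -> %-7s via %s"
                  % (name, unix_auth, result, ", ".join(consulted)))
```

Two things the run makes visible. In the posted stack a pam_unix_auth failure is only an "optional" failure because the flag is sufficient, so when a local password is wrong the decision falls through to pam_ldap; in the server_policy variant the same failure is recorded as a required error and is final, while an LDAP-only user (pam_unix_auth stepping aside with PAM_IGNORE) is decided by pam_ldap alone. In both stacks a local user whose UNIX password is accepted never reaches pam_ldap at all.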