[Date Prev][Date Next] [Chronological] [Thread] [Top]

Solaris 8 LDAP authentication (PAM?) issue - any ideas???

Hi All,

Having recently tested user authentication to LDAP from Solaris 2.6/7 and Linux, I decided to check that all would work on a Solaris 8 system. After following the same procedures, I can logon to the Solaris 8 machine as an LDAP user from the console or ssh etc... However I have experienced two "niggly" little problems which are:

1) finger does not return user details for LDAP users. (This works on my Solaris 2.6 and 7 systems)

2) I cant su to an LDAP user from any non-root user. (rejects the password) I can however perform an "su - <user>" as root with success. (This also works on my other Solaris 2.6 or 7 systems)

Copies of relevant config files are below.

(FYI: I am using openldap2.0.18 on an E220R server + Ultra 5 clients, nss_ldap & pam_ldap from PADL, all connections use ldaps://)

Any help with this would be greatly appreciated - it's not a huge drama for me (the systems do what i need them to) but it just peevs me that it's not working "properly"! :)
I have been assuming that its a pam.conf thing, however my "others" entries seem to cover all bases imho.

When ive finished rolling out LDAP here Ill be looking to write some detailed docs which i can make available if people wish 9there seem to be a number of people trying to do the solaris/authentication/ssl thing and getting stuck.)

/etc/ldap.conf (client): ### host ldap.myorg.au BASE ou=Student, ou=Sections, dc=myorg, dc=au port 636

DEREF always
ssl on
ssl true

/etc/pam.conf (client):
login   auth sufficient /usr/lib/security/pam_ldap.so.1
login   auth required   /usr/lib/security/pam_unix.so.1 use_first_pass
login   auth required   /usr/lib/security/pam_dial_auth.so.1

sshd  auth sufficient /usr/lib/security/pam_ldap.so.1
sshd  auth required   /usr/lib/security/pam_unix.so.1 use_first_pass

dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1
dtlogin auth required   /usr/lib/security/pam_unix.so.1 use_first_pass

other   auth sufficient /usr/lib/security/pam_ldap.so.1
other   auth required   /usr/lib/security/pam_unix.so.1 use_first_pass

# Account management
login   account sufficient /usr/lib/security/pam_ldap.so.1
login   account required /usr/lib/security/pam_unix.so.1

dtlogin account sufficient /usr/lib/security/pam_ldap.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1

other   account sufficient /usr/lib/security/pam_ldap.so.1
other   account required /usr/lib/security/pam_unix.so.1

# Session management, not implemented by pam_ldap
other   session required /usr/lib/security/pam_unix.so.1

# Password management
other  password sufficient /usr/lib/security/pam_ldap.so
other  password sufficient /usr/lib/security/pam_unix.so.1

relevant lines from /etc/nsswitch.conf (client):
passwd:     files ldap
group:      files ldap

An "ldapsearch" (from the client) of a test user:
version: 2

# filter: uid=pstud1
# requesting: ALL

# pstud1, Student, Sections, myorg, au
dn: cn=pstud1, ou=Student, ou=Sections, dc=myorg, dc=au
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: eeAccount
objectClass: shadowAccount
uid: pstud1
cn: Seamus O'Shamtek
seeAlso: cn=pstud1, ou=People, dc=myorg, dc=au
shadowLastChange: 11563
loginShell: /usr/local/bin/tcsh
uidNumber: 8387
gidNumber: 1020
homeDirectory: /home/ugrad/test-accounts/pstud1
gecos: Seamus O'Shamtek

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1