[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: bare nuts on solaris 8/9

Chuck Pierce wrote:

I have gathered that there are three essential files that you need:
/etc/nsswitch.conf (change passwd and group to "files ldap")
/var/ldap/ldap_client_file (to tell solaris where things are)
/var/ldap/ldap_client_cred (the username/password for ldap)

If you setup just those things, you can do listusers, ls, getent, finger, etc
(anything that pulls user info), but you can't authenticate passwords (eg, no
telnet, ssh, su, etc).

My experience is only with Solaris 9, but:
You should be able to authenticate users even with this setup (through pam_unix). If you can use getent to look up users, then pam_unix should be able to as well.

Doublecheck the credentials that the Solaris ldap client is trying to bind to your ldap server with. Make sure that those bind credentials are allowed to read the userPassword attribute. And if you are not using pam_ldap (if you haven't modified /etc/pam.conf, you are using pam_unix) your userPassword attributes must be tagged {crypt}. Put slapd in debug mode and watch your Solaris box try to bind to the server. In Solaris 9, the default is to bind anonymously unless you specify an authentication type of "simple" or something like "tls:simple" or your favorite SASL method if you use that (thanks Igor B.).

When you successfully set up pam_ldap, Solaris will try to bind to the directory as whatever user is trying to log in, so then you can use whatever authentication scheme the ldap server supports if you like. It authenticates the user as long as the bind is successful. Then the only access that is needed to the userPassword attribute is auth access.

There were huge changes to the way LDAP worked between Solaris 8 and 9, so the above might not strictly apply to you.