
Re: bare nuts on solaris 8/9





Chuck Pierce wrote:

I have gathered that there are three essential files that you need:
/etc/nsswitch.conf (change passwd and group to "files ldap")
/var/ldap/ldap_client_file (to tell solaris where things are)
/var/ldap/ldap_client_cred (the username/password for ldap)

If you set up just those things, you can do listusers, ls, getent, finger, etc.
(anything that pulls user info), but you can't authenticate passwords (e.g., no
telnet, ssh, su, etc.).


My experience is only with Solaris 9, but:
You should be able to authenticate users even with this setup (through pam_unix). If you can use getent to look up users, then pam_unix should be able to as well.


Double-check the credentials that the Solaris ldap client is trying to bind to your ldap server with. Make sure that those bind credentials are allowed to read the userPassword attribute. And if you are not using pam_ldap (if you haven't modified /etc/pam.conf, you are using pam_unix) your userPassword attributes must be tagged {crypt}. Put slapd in debug mode and watch your Solaris box try to bind to the server. In Solaris 9, the default is to bind anonymously unless you specify an authentication type of "simple" or something like "tls:simple" or your favorite SASL method if you use that (thanks Igor B.).

When you successfully set up pam_ldap, Solaris will try to bind to the directory as whatever user is trying to log in, so then you can use whatever authentication scheme the ldap server supports if you like. It authenticates the user as long as the bind is successful. Then the only access that is needed to the userPassword attribute is auth access.

There were huge changes to the way LDAP worked between Solaris 8 and 9, so the above might not strictly apply to you.
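Added example (not code from either poster): a small POSIX sh sanity check for the points raised in this thread, run against constructed sample files rather than a real /etc/nsswitch.conf or /var/ldap/ldap_client_file. It assumes the client file's bind-method key is named NS_LDAP_AUTH (an assumption, not stated in the thread) and that any userPassword scheme other than {crypt} is out of reach for pam_unix.

```shell
#!/bin/sh
# Sanity check for a Solaris LDAP client set up as described in the thread.
# Constructed sample files stand in for /etc/nsswitch.conf and
# /var/ldap/ldap_client_file; they are not anyone's real configuration.

# nss_has_ldap FILE DB: succeed if the DB line (passwd or group) in an
# nsswitch.conf-style file lists "ldap" as a source.
nss_has_ldap() {
    _srcs=$(sed -n "s/^$2:[[:space:]]*//p" "$1")
    case " $_srcs " in *" ldap "*) return 0 ;; esac
    return 1
}

# pw_scheme VALUE: print the scheme tag of a userPassword value in lower case
# ("crypt", "ssha", ...) or "plain" when the value carries no tag.
pw_scheme() {
    case "$1" in
        "{"*"}"*) _tag=${1%%\}*}; printf '%s\n' "${_tag#\{}" | tr 'A-Z' 'a-z' ;;
        *) printf 'plain\n' ;;
    esac
}

# pam_unix_ok VALUE: pam_unix compares the typed password against the stored
# hash itself, so it can only verify a value tagged {crypt}; anything else
# needs pam_ldap, which authenticates by binding to the directory as the user.
pam_unix_ok() { [ "$(pw_scheme "$1")" = crypt ]; }

# bind_method FILE: print the NS_LDAP_AUTH value (assumed key name) from an
# ldap_client_file-style file, or "anonymous" when it is unset, which is the
# Solaris 9 default the thread warns about.
bind_method() {
    _m=$(sed -n 's/^NS_LDAP_AUTH=[[:space:]]*//p' "$1")
    printf '%s\n' "${_m:-anonymous}"
}

# Demonstration on constructed files.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'passwd: files ldap\ngroup:  files ldap\nhosts:  files dns\n' > "$tmp/nsswitch.conf"
printf 'NS_LDAP_FILE_VERSION= 2.0\nNS_LDAP_AUTH= simple\n' > "$tmp/ldap_client_file"
for db in passwd group; do
    nss_has_ldap "$tmp/nsswitch.conf" "$db" && echo "$db: ldap source present" \
        || echo "$db: ldap missing, getent will not see directory users"
done
echo "bind method: $(bind_method "$tmp/ldap_client_file")"
for pw in '{crypt}$1$ab$examplehash' '{SSHA}c29tZWhhc2g=' 'secret'; do
    if pam_unix_ok "$pw"; then echo "$(pw_scheme "$pw"): pam_unix can verify"
    else echo "$(pw_scheme "$pw"): needs pam_ldap (bind as the user)"; fi
done
```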