
Re: OpenLDAP server, Solaris 9 client



Don't know if you can read French, but after struggling to authenticate a Solaris 9 client to an OpenLDAP server I've written a doc. Anyway, the samples are in English, and there are links as well:

http://www.int-evry.fr/mci/user/procacci/ldap/Ldap_int011.html

luiz@pucrs.br wrote:

...

OBS: I don't have any OU named 'people'. My OUs are "func", "profs",
"alunos", etc. I could not change this "people" in Solaris... :-(

If you don't use the people tree you will have to tell the Solaris LDAP client in its config file (ldap_client_file) by adding something like:

NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ViaWest,dc=Net)
NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ViaWest,dc=Net)


Hello

Thank you very much Thomas. I edited the file directly with these options
and apparently THIS error was corrected. From my server (Debian) log file:

Jul 22 09:06:22 server slapd[31513]: conn=526 op=0 SRCH
base="ou=func,dc=my,dc=domain" scope=1
filter="(&(objectClass=shadowAccount)(uid=user1))"

But... I still can't login. :-(
Apparently, there is one PAM error. From my client (Solaris 9) log file,
when I try to log in through the X interface:
Jul 22 09:06:22 client dtlogin[25021]: [ID 505537 user.info] libldap:
Resolving server name "server.my.domain"
Jul 22 09:06:24 client last message repeated 5 times
Jul 22 09:06:24 client dtlogin[25021]: [ID 316739 user.error] pam_ldap: no
legal authentication method configured
Jul 22 09:06:25 client dtlogin[25021]: [ID 505537 user.info] libldap:
Resolving server name "server.my.domain"
Jul 22 09:06:25 client dtlogin[25021]: [ID 316739 user.error] pam_ldap: no
legal authentication method configured

If I try with SSH, the error is identical:

Jul 22 09:10:22 client sshd[27938]: [ID 505537 auth.info] libldap:
Resolving server name "server.my.domain"
Jul 22 09:10:24 client last message repeated 10 times
Jul 22 09:10:24 client sshd[27938]: [ID 316739 auth.error] pam_ldap: no
legal authentication method configured
Jul 22 09:10:24 client sshd[27938]: [ID 505537 auth.info] libldap:
Resolving server name "server.my.domain"
Jul 22 09:10:25 client sshd[27938]: [ID 316739 auth.error] pam_ldap: no
legal authentication method configured
Jul 22 09:10:25 client sshd[27938]: [ID 800047 auth.info] Failed password
for peterson from 200.188.161.5 port 4539 ssh2
Jul 22 09:10:25 client sshd[27938]: [ID 800047 auth.info] Failed none for
peterson from 200.188.161.5 port 4539 ssh2

My Solaris client /etc/pam.conf is:

#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth required           pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 try_first_pass
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_authtok_get.so.1
rsh     auth required           pam_dhkeys.so.1
rsh     auth sufficient         pam_unix_auth.so.1
rsh     auth required           pam_ldap.so.1 try_first_pass
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth required           pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_ldap.so.1 try_first_pass
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth required           pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1  try_first_pass
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password required       pam_authtok_get.so.1
other   password required       pam_authtok_check.so.1
other   password sufficient     pam_authtok_store.so.1
other   password required       pam_ldap.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass

and my Debian server slapd.conf is:

# SERVER slapd.conf
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
#
pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args
#
password-hash {CRYPT}
access to attribute=userPassword
        by self write
        by dn="cn=admin,dc=my,dc=domain" write
        by * compare
#
access to *
        by * read
#
database        bdb
suffix          "dc=my,dc=domain"
rootdn          "cn=admin,dc=my,dc=domain"
rootpw          {MD5}PASSWORD==
#
directory       /usr/local/var/openldap-data
#
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/local/etc/openldap/certs/newcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/newreq.pem
TLSCACertificateFile /usr/local/etc/openldap/certs/demoCA/cacert.pem
#
# END FILE

Can anyone help me with this? Or send me a functional Solaris 9
/etc/pam.conf. In Red Hat Linux, the authentication is working very well...
:-(

Thanks in advance

-- 
Jehan Procaccia | Ingenieur Systemes & Reseaux
Institut National des Telecommunications | Tel : +33 (0) 160764436
MCI, Moyens Communs Informatiques | Mail: Jehan.Procaccia@int-evry.fr
9 rue Charles Fourier 91011 Evry France | Fax : +33 (0) 160764321